IPv6 Security - Why You Should Care About It

IPv6 security solutions help you proactively identify, assess, and fix IPv6 security threats. Even organizations that still use IPv4 can be significantly and unknowingly impacted by IPv6 security, as many devices are enabled by default for IPv6. If not properly tested, these devices can actually represent a significant risk and an attack path for hackers. IPv6 security solutions have been specifically designed to help organizations identify, manage and fix IPv6 security threats.

Some interesting facts. There is actually more people living on the entire planet, than there are currently IPv4 addresses. What is an IPv4 address? The analogy I like to use is, think of your phone book, and we've run out of phone numbers. IPv6 is basically a new area code or a new phone number that we are starting to hand out. An IPv6 is the parallel world in IP addresses, in numbers that you need to run websites. Most people actually don't care about IPv6. It's interesting that they don't, because quite frankly, they should. Let me tell you why.

There is some early adopters in the industry, such as Telco companies, higher education, and federal agencies. The reason why these are early adopters is because, in the case of Telcos, they really are the backbone of our next generation Internet, media, and telecommunication exchange. Higher education is provisioning their students, and Federal agencies are actually mandated by law, in some industries and some sectors of Federal starting deploying IPv6. Many other industries haven't yet. They don't feel like it applies to them. They don't think IPv6 is relevant for them. What's interesting actually is that they probably should, because even if they are not running IPv6 networks, there are many, many devices on our IPv4 environments and networks that are, by default, configured to run both on IPv4 and IPv6.

They ship from the factories with both enabled. If you don't know that, you might not even know that you have these devices on your network. Why is that important? Because, that could open up a potential door for an attacker actually to take advantage of this information, to come in through IPv6 into our environments, and do some damage and breach your environment.

What's challenging about IPv6 security overall? Fundamentally, there are three main things. As we just discussed, they are very difficult to detect. Very often, we don't even look for them. If you don't look for them, you are not going to find them. Secondly, it's very difficult to actually run IPv4 and IPv6 in parallel. This is quite complex. It requires a lot of technical skills. Many organizations just haven't started looking at that yet, so it's very complex. Thirdly, because there's a lot of uncertainty and misinformation around IPv6, it's actually an ideal threat factor for attackers to come in and leverage this misinformation, to take advantage and breach your environments. Those are the three challenges with security.

Now, what recommendations can we provide to you? Number one, get educated. Get smart about IPv6. There are a number of white papers out there. There's a number of webcasts out there that can help you to better understand what to do about IPv6, and how to handle that from a security perspective, as well as overall how you can deploy it in your networks. Secondly, find out if you have IPv6 environments, even if you are not running an IPv6 environment. You can use solutions such as vulnerability scanners or discover tools that will help you to understand if you have IPv6 enabled devices on your network. If the answer is, "Yes, I have them," make sure that you turn off these devices, because that will help you prevent potential attacks from happening. The analogy I would use, it's like you have your house. You have your front door which is locked, but all of a sudden, you have a back door that you are not even looking at, that has an open door. Make sure you lock that back door as well, to protect your environment.

Connect Your DVR to Your LAN

we will assign your surveillance DVR an IP address.  Make sure that your DVR is connected to your network by attaching an ethernet cable to the back of your DVR and attaching the other end to your router.

1. Login to your DVR by pressing the menu button on the DVR or on the wireless remote control.

2.  When you are prompt to enter a password, just press the OK button on the DVR or remote.  The default admin password for the DVR is blank.  If you have already setup an admin password for your DVR, then enter this, then press OK.

3.   From your DVRs System menu, select External Device.

4.   On the External Device menu, select TCP/IP Setup.

5.   On the TCP/IP Setup screen, select DHCP setup and press enter.

6.  On the DHCP setup screen, confirm that the DHCP mode is set to automatic.  If it is not, adjust it so that it is by pressing the OK button. 

7. Select Detect IP and press enter.  The screen should refresh and populate values below.  Note the IP address.  This is the internal IP address that your router has assigned to your DVR.  This is the IP address that you will setup port forwarding for.

8.   After you have noted this IP address, select DHCP Mode and press OK.  The mode will be changed Manual.  This will ensure that your DVR will always be assigned the same IP address from your router. THIS IS IMPORTANT because if you loose power to your router, your router may assign your DVR a difference IP address and you will no longer be able to access the DVR remotely.

9.   Press the menu button once to return to the TCP/IP setup screen.

10. On the TCP/IP setup screen, select IP config setup and press enter.  On the IP config setup screen, confirm the port number of your DVR as seen below.  The default port is 8000.  If your DVR is not set to port 8000, please edit this value to set to 8000.  NOTE: please ignore that the below screen shot shows port 50000.  Port 50000 was used for the last version of the JPEG DVR.

Since most businesses and many households have local area networks (LANs), you will find the task of connecting a security DVR to a LAN is a common procedure. While it is a relatively simple thing for most security equipment installers, it is complex enough to confuse many users, especially users who have never worked with IP numbers before or have never worked with LAN topology.

Let's begin by identifying your LAN topology. To do this, locate your

1) security DVR,

2) the router attached to your security DVR and

3) a computer/workstation that is attached to the same router. It can also help if you locate

4) the modem  (or router AND modem)  that connects to the internet outside your home or facility - it is usually the first piece of hardware attached to the internet cable the comes through the wall. If you don't have #3 (computer attached to the same router shared by your security DVR), create one now and verify that the PC/workstation has a working connection. If you can't find or locate #4 (modem that provides connection to the internet) don't worry about it at this point since locating it may not be necessary.

Some typical network topologies are shown below. Figure #1 represents a simple network topology you might find in small business, while figure #2 represents a very simple network you would find in many homes. (Figure #2 actually represents the bare minimum hardware & connections you need for remote DVR monitoring/programming.).

Make sure (verify) your network connection is active and your PC can connect to the internet without any problems. Start at your PC and do the following:

1. Go to the COMMAND PROMPT. Different Windows versions have different ways of getting a COMMAND PROMPT. Most Windows versions let you reach a command prompt by going to START, then RUN, then type CMD into the window and hit ENTER. If successful you'll see a screen similar to Figure 3.

2.  Figure 3 shows a computer screen with the command prompt, and the PROGRAM FILES folder is open. That location should be fine. Type IPCONFIG/ALL and hit ENTER.  You should see a display screen similar to Figure 4.

( If you DON'T see Figure 4, they you are probably getting an error message. You'll need to find the person who installed your OS and find out why it doesn't have essential DOS files - you won't be able to continue this procedure without them.)

IPCONFIG is a standard Microsoft DOS command. You can read all about it at the official Microsoft website (http://technet.microsoft.com/en-us/library/bb490921.aspx), if you want. When you use this command as described here, it will report the computer's IP numbers so you can record them for your records. It does NOT change any settings or perform any kind of configuration process.

3. Write down the IP numbers shown under

IP ADDRESS (192.168.1.100),

SUBNET MASK (255.255.255.0),

GATEWAY (192.168.1.1) and

DNS SERVERS (206.222.98.82, 216.199.46.11, 206.222.98.82 - this particular computer has 3 DNS SERVER connections) and label them.

NOTE: Some versions of MS Windows will display IPv4 ADDRESS and an IPv6 ADDRESS - you want to use the IPv4 ADDRESS numbers.

4. Now get the IP Address of the security DVR. Got to the VRR andaccesssthe programing menu and get to the NETWORK settings area. Find the option that says DHCP (Dynamic Host Configuration Protocol) and ENABLE it..

5. Still at the DVR, write down the IP addresses it shows in the DHCP screen. Now turn OFF DHCP (or DISABLE it). If the IP addresses shown did not change, go to the next step. IF THEY DID CHANGE, re-enter them in the fields shown (DO NOT enable, or turn on, DHCP again).). If the IP addresses shown did not change, go to the next step. IF THEY DID CHANGE, re-enter them in the fields shown (DO NOT enable, or turn on, DHCP again).

6. Note the PORT NUMBERS shown in the DVR NETWORK screen. Write them down.

7. Test your configuration. Do the following at the PC/workstation that shares the same router as your DVR:

·   Get to the COMMAND PROMPT.

·   Type PING [IP Address], hit ENTER. (In our example the IP address is 192.168.1.100)

·   If you get a REPLY message, it communicated. If not, and you got a TIME OUT message of any kind then check your settings.

8. Your DVR has CLIENT SOFTWARE or REMOTE VIEWING SOFTWARE that was included in the box. Locate it and install it on the PC/workstation.

·   If your DVR has a webserver you can use IE Browser to communicate with the DVR - just type in the DVR IP Address in the URL bar of the browser.

Port Forwarding & Accessing Your DVR from Outside Your Network

To set up external (remote) viewing of your DVR and attached cameras, you will need to access your router. Refer to the router's User Manual to learn how to set port forwarding. If you can't find it, look here http://www.portforward.com/english/routers/port_forwarding/routerindex.htm. All routers have a different method of setting up port forwarding so it's impossible to instruct you here.

Program the router so that when it gets an internet request for the IP ADDRESS of the DVR it will refer (or activate) to the PORT NUMBER of the DVR (you wrote these numbers down earlier, right?). Normally most routers have a field for each physical connection and it will be obvious where to place the IP and PORT NUMBER information. If you can't find how to access your router, look at the router closely and make sure it is indeed a router and NOT a switcher. It should be ok if it's labeled ROUTER/SWITCHER but if it is an older piece of hardware and just says SWITCHER, discard it and get a true ROUTER.

Test the connection from an network external location. If the IP numbers and Port Forwarding numbers are set correctly you should be able to receive streaming video.

Using IE Browser VS Client/Remote Viewing Software

If the DVR has a webserver, then you can use IE Browser to connect to the DVR. Put the DVR IP address in the URL bar of the browser (like http://192.168.100.200, etc).

If the DVR does NOT have a webserver, then you will need to install the client/remote viewing software (that came with the DVR) on the PC/workstation you are using to view your security installation. The Client Software (or Remote Viewing Software) gives you additional features, such as ability to program motion detection, etc., that the IE Browser can not provide. Since each surveillance DVR has it's own client software, you'll have to refer to the software manual for help using their software.

Add caption