Does your cloud-access security broker support IPv6? It should.

Cloud access security brokers (CASB) insert security between enterprises and their cloud services by providing visibility and access control, but IPv6 could be causing a dangerous blind spot.

That’s because CASBs might not support IPv6, which could be in wide corporate use even in enterprises that choose IPv4 as their preferred protocol.

For example, end users working remotely have a far greater chance of connecting via IPv6 than when they are in the office.  Mobile providers collectively have a high percentage of IPv6-connected subscribers and broadband residential Internet customers often have IPv6 connectivity without realizing it.  Internet service providers and software-as-a-service (SaaS) vendors both widely support IPv6, so a mobile worker accessing, say, DropBox over a Verizon 4G wireless service might very well connect via IPv6.

Additionally, enterprises may contract with SaaS providers and Internet-based application services that use both IPv4 and IPv6 internet connectivity. IPv6 is now supported by major cloud providers, making it easier than ever for companies to IPv6-enable internet-facing web applications.

Certain CASBs might not see IPv6 traffic

So wittingly or not, enterprises may be employing IPv6 for many internet connections that are used for common business functions. If the corporate choice of CASB (pronounced caz-bee) inspects and controls only IPv4 traffic, then these direct IPv6 connections could bypass corporate policies the CASB is supposed to enforce. If the CASB your organization selects is only looking at IPv4 connections, there could be dangers lurking in the blind spots.

Enterprises aren’t the only ones that might overlook this danger. Gartner outlines four pillars of functionality that CASBs should possess to be suitable for enterprise deployment:

1. CASBs must provide visibility to end-user behavior and the cloud services used.
2. CASBs should be cognizant of data classification, data marking and confidentiality.
3. CASBs should help the organization protect against Internet/cloud threats and malicious behavior.
4. CASBs should provide governance of cloud service usage based on corporate policies.

These are good goals, but they should be expanded to explicitly include IPv6:

1. CASBs must provide visibility to connections that could be occurring using IPv4, IPv6 or a combination of both.
2. CASBs should be cognizant of data classification, marking and confidentiality regardless of client IP address family.
3. CASBs should protect against Internet-based threats that could be transported over either IPv4 or IPv6 and alert to malicious behavior occurring over either protocol.
4. CASBs should provide control and governance based on corporate policies dictated by physical location of either the end-user or the cloud service and should also be aware of geolocation information based on IPv4 or IPv6 address.

Enterprise may not immediately enable the IPv6 features in a product or service.  But, by purchasing products and services that already support IPv6, they have the option to enable IPv6 on their own schedule.

Some organizations, including the U.S. federal government, have procurement guidelines that give preference to IPv6-capable products and services.  Some organizations choose to procure IT products only from vendors who have performed the simple act of IPv6-enabling their websites.

How well do CASBs support IPv6?

To help alleviate these concerns, some CASB vendors now support both IPv4 and IPv6 and have dual-protocol websites.  The following list describes which CASBs are able to inspect and control IPv6 traffic and connections, and notes those companies that have failed to recognize the importance of IPv6. 

BitGlass teams “confirmed IPv6 is not a strong focus of their product, and that it is extremely rare to have IPv6 endpoints connecting to IPv6 cloud applications on the public internet.”  There is no mention of IPv6 on its IPv6-enabled website.

CensorNet, an IPv6-capable CASB, works in two modes. When CensorNet runs in API mode (out-of-band), it receives both IPv4 or IPv6 information from the cloud provider.  When it runs in Inline mode, it uses a forward proxy, which is compatible with IPv6 connections between the end user and the cloud service, assuming the routers involved are configured for IPv6 routing.  The CensorNet CASB DLP scanner can also search for IPv6 style addresses in content uploaded to cloud storage apps.  However, there is no mention of their IPv6 features on their IPv4-only website.

Check Point’s CloudGuard SaaS CASB provides no information on its IPv6-enabled web site about IPv6 features in security service.  In Check Point’s R80.20 CloudGuard Controller Known Limitations it states that “IPv6 information is not imported for Data Center Objects in Public Cloud. CloudGuard Gateways in Public Cloud do not support IPv6.”  We reaching out to Check Point but were unable to confirm IPv6 support. This article will be updated if the company clarifies its IPv6 support.

CipherCloud has no reference of IPv6 on their IPv4-only website. We reached out to them but received no response.  If they confirm IPv6 support, we will update this article.

Cisco’s Cloudlock CASB supports IPv6.  Cloudlock can be integrated with Cisco Web Security Appliances (WSA) running AsyncOS 11.7, which is IPv6-capable, and can share W3C logs with the Cloudlock portal.  Any integration that Cloudlock would have with Umbrella could leverage the fact that it supports IPv6 and now uses the IPv6 addresses 2620:119:35::35 and 2620:119:53::53 for their service.  Although there isn’t any explicit mention of IPv6 Cloudlock features on their IPv6-enabled website.

Forcepoint CASB does not support IPv6.  Forcepoint confirmed that when its product works in proxy-mode, it doesn’t support IPv6.  The Forcepoint Web Security Cloud seems to have some IPv6 features, but this statement on their site “Traffic to IPv6 destinations that is allowed (default setting) is not filtered or logged,” sounds like there is no security applied to IPv6 connections. However, they say are measuring interest in IPv6 features from customer input and requests. There is no mention of IPv6 features on their IPv4-only website.

McAfee MVISION cloud security CASB does support IPv6.  The company said, “McAfee MVISION Cloud works in a scenario where an IPv6 user accesses an IPv6-enabled cloud service”.  McAfee stated “… MVISION Cloud provides visibility to all cloud services being used in an organization … using either IPv6 or IPv4 at the user or CSP.”  There is no mention of IPv6 features on their IPv4-only website.

Microsoft Cloud App Security CASB supports IPv6 and documentation on the use of IP ranges and tags states “Both IPv4 and IPv6 are supported.”  Microsoft’s Past-release archive of Microsoft Cloud App Security documents some IPv6 capabilities. The release notes mention that “IPv6 support is now available for all appliances.” starting in release 90.  It also states that in release 88 “Cloud Discovery now supports IPv6.”

NetSkope does support dual-stack connections in their Netskope for Web (Cloud Native Secure Web Gateway), Netskope for Cloud Infrastructure (for IaaS), and its Netskope for Cloud Applications (SaaS) solution. Its traffic-steering technology can work with IPv6 connections.  Dual-stack support is provided through IPv6 translation gateways which terminate the IPv6 connection as IPv4 at the CSP side. Netskope’s IPv4-only web site makes no reference to IPv6.

ManagedMethods states that when using their APIs with cloud service providers, that the APIs could convey the IP address (IPv4 or IPv6) of the client or the cloud service in their reports.  ManagedMethods doesn’t have any mention of IPv6 functionality on their IPv4-only website or in their product data sheets.

The Oracle CASB doesn’t seem to support IPv6, but we were unable to confirm this.  We reached out to Oracle about IPv6 capabilities, but receive no response.  There is no mention of IPv6 functionality on their web site. If they respond, we will update this article.

Palo Alto Networks Aperture for SaaS applications is its CASB service that supports IPv6 and logging of IPv6 client sessions. In the Aperture documentation “Get Started with Aperture, Access the Aperture Service” it used to say “IPv6 addresses are not supported” but recently that document was edited and that statement is removed. The Palo Alto Networks CASB works as inline enforcement on PANOS firewalls, which have a rich history of IPv6 support and robust IPv6 security features.  Palo Alto has an IPv6-enabled website, but searches for IPv6 reveal no mentions of Aperture.  The Aperture Administrator’s Guide doesn’t have any information about IPv6.  In the Palo Alto Networks TechDocs for “All Aperture Documentation”, a search for IPv6 reveals no results.

Proofpoint Cloud App Security Broker (Proofpoint CASB) doesn’t appear to have any IPv6 features publicly documented.  Searching for “IPv6” on their IPv6-enabled website, yields “0 Results Found”.  We reached out to the company but received no response.  If they confirm IPv6 support, we will update this article.

SAVIYNT said that their CASB does not support IPv6, and it there was no mention of IPv6 functionality on their IPv4-only web site.

Symantec CloudSOC Cloud Access Security Broker is its CASB that supports IPv6.  Symantec confirmed that CloudSOC supports IPv6 in addresses for Shadow IT discovery, in API-based, sanctioned cloud-application monitoring and control, and with the in-line CASB Gateway.  CloudSOC works with traffic accessing CSP services over IPv6, and CloudSOC automatically adapts to IPv6 so using it doesn’t require any extra user action. There seems to be no mention of IPv6 related to the CloudSOC CASB on its IPv6-enabled website.

Enterprises should acknowledge that their remote workers are using IPv6 on their mobile devices, at their employee’s homes and when they are on-the-road. Having cloud-based security solutions that support both IPv4 and IPv6 will give them maximum visibility and control.

CASB customers should make IPv6 support a required feature and be wary of CASBs with development strategies that call for use of IPv4-only addresses because that will limit the longevity of their offerings.