Does Cloud Access Security Agent support IPv6?

Enterprises will use IPv6 for many of their Internet connections, which means that CASB should also support the protocol in order to implement policies for all customer traffic. The following is how the main CASB stacks.

Cloud Access Security Broker (CASB) inserts security between enterprises and their cloud services by providing visibility and access control, but IPv6 may cause dangerous blind spots.

This is because CASB may not support IPv6, and even in enterprises that choose IPv4 as the preferred protocol, it may be widely used in enterprises.

For example, end users working remotely have far greater opportunities to connect via IPv6 than when they are in the office. Mobile providers collectively have a high percentage of IPv6 connected users, and broadband residential Internet users usually have IPv6 connections without realizing it. Internet service providers and software-as-a-service (SaaS) vendors support IPv6 extensively, so mobile workers who access DropBox through Verizon 4G wireless service can connect via IPv6.

In addition, companies may sign contracts with SaaS providers and Internet-based application services that use IPv4 and IPv6 Internet connections. IPv6 is now supported by major cloud providers, allowing companies to support Internet-facing web applications more easily than ever.

Some CASBs may not see IPv6 traffic

Companies may use IPv6 for many Internet connections for common business functions. If an enterprise chooses CASB (pronounced caz-bee) to only inspect and control IPv4 traffic, then these direct IPv6 connections may bypass corporate policies that CASB should enforce. If the CASB your organization chooses only looks at IPv4 connections, there may be a danger of lurking in blind spots.

Companies are not the only ones that may ignore this danger. Gartner outlined four functional pillars that CASB should have for enterprise deployments:

1. CASB must provide visibility of end user behavior and cloud services used.

2. CASB should recognize data classification, data labeling and confidentiality.

3. CASB should help organizations prevent Internet/cloud threats and malicious behavior.

4. CASB shall provide governance for the use of cloud services in accordance with company policy.

These are good goals, but they should be expanded to explicitly include IPv6:

1. CASB must provide visibility of connections that may occur using IPv4, IPv6, or a combination of both.

2. Regardless of the client IP address series, CASB should recognize data classification, marking and confidentiality.

3. CASB should prevent Internet-based threats that can be transmitted via IPv4 or IPv6, and warn against malicious acts that occur via either protocol.

4. CASB should provide control and governance based on corporate policies determined by the physical location of the end user or cloud service, and should also understand geographic location information based on IPv4 or IPv6 addresses.

Enterprises may not be able to immediately enable IPv6 features in their products or services. However, by purchasing products and services that already support IPv6, they can choose to enable IPv6 according to their plan.

The procurement guidelines of some organizations, including the US federal government, give priority to products and services that support IPv6. Some organizations choose to purchase IT products only from vendors that have performed the simple act of enabling their websites with IPv6.

How does CASB support IPv6?

To help alleviate these problems, some CASB vendors now support IPv4 and IPv6 and have dual-protocol websites. The following list describes which CASB can inspect and control IPv6 traffic and connections, and pay attention to companies that fail to recognize the importance of IPv6.

The BitGlass team "confirmed that IPv6 is not the focus of its products, and it is very likely that IPv6 endpoints will be connected to IPv6 cloud applications on the public Internet." There is no mention of IPv6 on its IPv6-supported website.

CensorNet is a CASB that supports IPv6 and has two working modes. When CensorNet operates in API mode (out-of-band), it receives IPv4 or IPv6 information from the cloud provider. When it runs in Inline mode, it uses a forward proxy, which is compatible with IPv6 connections between end users and cloud services, assuming that the routers involved are configured for IPv6 routing. The CensorNet CASB DLP scanner can also search for IPv6 style addresses in content uploaded to cloud storage applications. However, there is no mention of its IPv6 functionality on its IPv4-only website.

Check Point’s CloudGuard SaaS CASB does not provide information on IPv6 features in security services on its IPv6-enabled website. In the known limitations of Check Point’s R80.20 CloudGuard controller, it states that “IPv6 information will not be imported for data center objects in public clouds. CloudGuard gateways in public clouds do not support IPv6.” We contacted CheckPoint but could not confirm IPv6 stand by. If the company clarifies its IPv6 support, this article will be updated.

CipherCloud has no IPv6 reference on its pure IPv4 website. We contacted them but received no response. If they confirm IPv6 support, we will update this article.

Cisco's Cloudlock CASB supports IPv6. Cloudlock can be integrated with Cisco Web Security Appliances (WSA) running AsyncOS 11.7, which supports IPv6 and can share W3C logs with the Cloudlock portal. Any integration of Cloudlock with Umbrella can take advantage of the fact that it supports IPv6, and now uses IPv6 addresses 2620:119:35::35 and 2620:119:53::53 for services. Although there is no explicit mention of the IPv6 Cloudlock function on its website supporting IPv6.

ForcepointCASB does not support IPv6. Forcepoint confirmed that when its product works in proxy mode, it does not support IPv6. Forcepoint Web Security Cloud seems to have some IPv6 features, but this statement in its site "Allow traffic to IPv6 destinations (default setting)" is not filtered or recorded, "It sounds like there is no security applied to IPv6 connections. But , They said they are measuring customer input and request interest in IPv6 features. There is no mention of IPv6 features on the IPv4-only website. 

McAfeeMVISION cloud security CASB does support IPv6. The company said, "McAfee MVISION Cloud is suitable for scenarios where IPv6 users access cloud services that support IPv6." McAfee stated that "...MVISION Cloud provides visibility to all cloud services used in the organization... Use IPv6 or IPv4 on users or CSPs." Nothing on its IPv4-only website Mention IPv6 features.

Microsoft Cloud App Security CASB supports IPv6 and the documentation on the use of IP ranges and tags "supports both IPv4 and IPv6." Past versions of Microsoft's Microsoft Cloud App Security have archived some IPv6 features. The release notes mention that "IPv6 support is now available for all devices." Starting with version 90. It also pointed out that in version 88, "CloudDiscovery now supports IPv6."

NetSkope does support dual-stack connections in its Netskope for Web (cloud native secure Web gateway), Netskope for Cloud Infrastructure (for IaaS) and its Netskope for Cloud Applications (SaaS) solution. Its traffic diversion technology can be used with IPv6 connections. Provide dual-stack support through the IPv6 conversion gateway. The IPv6 gateway acts as an IPv4 at the CSP to terminate the IPv6 connection. Netskope's IPv4 dedicated website does not mention IPv6.

ManagedMethods pointed out that when using the API with cloud service providers, the API can convey the IP address (IPv4 or IPv6) of the client or cloud service in its report. ManagedMethods does not mention IPv6 features on its IPv4-only website or its product data sheets.

The Oracle CASB does not seem to support IPv6, but we cannot confirm this. We consulted Oracle about IPv6 features, but did not receive any response. There is no mention of IPv6 functionality on their website. If they respond, we will update this article.

Palo AltoNetworks Aperture for SaaS application is its CASB service, which supports IPv6 and IPv6 client session recording. In the Aperture document "Introduction to Aperture, Access to Aperture Services", it once said that "IPv6 addresses are not supported", but recently the document has been edited and the sentence has been deleted. 

Palo Alto Networks CASB, as an inline implementation of PANOS firewall, has a rich history of IPv6 support and powerful IPv6 security functions. Palo Alto has a website that supports IPv6, but searches for IPv6 did not mention Aperture. The "Aperture Administrator's Guide" does not contain any information about IPv6. In Palo AltoNetworks TechDocs for "All Aperture Documents", a search for IPv6 showed no results.

The ProofpointCloud App security agent (ProofpointCASB) does not seem to have any publicly documented IPv6 features. Searching for "IPv6" on its IPv6-enabled website will produce "0 found results." We contacted the company but did not receive any response. If they confirm IPv6 support, we will update this article.

SAVIYNT stated that their CASB does not support IPv6, and there is no mention of IPv6 functionality on their IPv4 dedicated website.

Symantec CloudSOC cloud access security agent is its CASB that supports IPv6. Symantec confirmed that CloudSOC supports IPv6 addresses for ShadowIT discovery, API-based, approved cloud application monitoring and inline CASB gateways. CloudSOC uses traffic to access CSP services via IPv6. CloudSOC automatically adapts to IPv6, so no additional user operations are required to use it. There does not seem to be any mention of IPv6 related to CloudSOC CASB on its website supporting IPv6.

Companies should acknowledge that their remote workers are using IPv6 on their mobile devices, employees’ homes, and on the road. Having a cloud-based security solution that supports IPv4 and IPv6 will provide them with maximum visibility and control. CASB customers should regard IPv6 support as a necessary feature and be wary of CASB’s development strategies, which require the use of IPv4-only addresses, as this will limit the lifespan of their products.

The above is the news sharing from the PASSHOT. I hope it can be inspired you. If you think today' s content is not too bad, you are welcome to share it with other friends. There are more latest Linux dumps, CCNA 200-301 dumps, CCNP Written dumps and CCIE Written dumps waiting for you.