IPv6 is the next generation of IP--the protocol by which most of our computers, phones, and other related devices talk to each other and to the Internet. Today, everything generally talks using IPv4, which has a 32-bit address space, or roughly 4 billion possible addresses. Both because of the sheer number of devices and the number of "reserved" addresses within the IPv4 space, the number of globally available IP addresses is running out.

To put it in perspective, as I write this, there are still a few /8 blocks unallocated by the IANA. These get distributed to regional registries, which are in turn responsible for distributing the IPs to ISPs, who then distribute them to you. A /8, in IPv4, is 16,777,216 IP addresses. That seems like a lot of addresses, until you realize that, depending on how those IPs are allocated, the number of usable IPs ends up being a bit less.

Even so, once IANA runs out of /8s, the individual registries and ISPs still likely have caches of IPv4 addresses. The problem of address space exhaustion probably won't show any acute symptoms immediately, but the lack of IPv4 addresses (and the lack of wide deployment of IPv6) will start causing problems soon, creating pockets of servers that can only be accessed by one protocol or another.

We've actually been working around the problem of address exhaustion in the IPv4 space for some time now using network address translation. That router you get from your local consumer electronics store has been masquerading all of your computers behind a single, public IP address, providing you both a level of protection and connectivity.

Enterprises do much the same thing, except their boxes are significantly larger and they also might provide services accessible on the Internet, which means: they need more than one public IP. Also, some enterprises have so many connected systems that they have, quite literally, run out of available private IP addresses (some IPs in the IPv4 space are set aside explicitly for private, non-Internet connected use).

In any case, the pressure is mounting to switch to IPv6. Given that some of my customers are asking about IPv6, I figured I'd get myself educated. I happen to have access to one of the people who helped define the IPv6 standards in the IETF (he works at Check Point), but there's really no better way to learn about it than to just get it set up.

Of course, part of the problem right now is that my ISPs at home (Comcast, CenturyLink) are still serving me IPv4 addresses. Fortunately, there are ways of tunneling over IPv4 to the IPv6 networks. One such service is TunnelBroker, run by the folks at Hurricane Electric. They tunnel IPv6 packets inside of IPv4 packets (more specifically using IP Protocol 41, designed for this purpose).

I had it working on an old Linksys router I had flashed with TomatoUSB and hacked a bit. I had IPv6 flowing through my network and was able to reach a few sites over IPv6. Then I had the realization that I was no longer protected by my router. I was now directly reachable--without a firewall! While I could fix that, I think that's enough experimentation for now.
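To make concrete what that tunnel actually carries, here is an added example (mine, not code from the original post or from Hurricane Electric): a decoder for a protocol-41 packet that pulls out the inner IPv6 header and transport ports. Those inner fields are what any filtering on the tunnel endpoint has to look at, since an IPv4-only firewall in front of it only ever sees "protocol 41". The sample packet, its addresses (documentation ranges) and the port are constructed.

```python
import struct
import ipaddress

IPPROTO_IPV6 = 41  # 6in4: a whole IPv6 packet carried as the payload of an IPv4 packet


def decode_6in4(frame: bytes) -> dict:
    """Decode an IPv4 packet whose protocol field is 41; return the outer IPv4
    endpoints plus the inner IPv6 header (and transport ports, if TCP/UDP).
    A firewall that only inspects the outer header sees "protocol 41" and
    nothing else, so policy has to be applied to the inner fields returned here."""
    if len(frame) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _, total_len, _, _, _, proto, _, src4, dst4 = struct.unpack(
        "!BBHHHBBH4s4s", frame[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("outer packet is not IPv4")
    if proto != IPPROTO_IPV6:
        raise ValueError(f"outer protocol {proto} is not 41 (IPv6-in-IPv4)")
    inner = frame[(ver_ihl & 0x0F) * 4:total_len]
    if len(inner) < 40:
        raise ValueError("truncated inner IPv6 header")
    vtf, payload_len, next_hdr, hop_limit, src6, dst6 = struct.unpack(
        "!IHBB16s16s", inner[:40])
    if vtf >> 28 != 6:
        raise ValueError("inner packet is not IPv6")
    info = {
        "outer_src": str(ipaddress.IPv4Address(src4)),
        "outer_dst": str(ipaddress.IPv4Address(dst4)),
        "inner_src": str(ipaddress.IPv6Address(src6)),
        "inner_dst": str(ipaddress.IPv6Address(dst6)),
        "next_header": next_hdr, "hop_limit": hop_limit, "payload_len": payload_len,
    }
    # TCP (6) and UDP (17) both start with 16-bit source and destination ports.
    if next_hdr in (6, 17) and len(inner) >= 44:
        info["src_port"], info["dst_port"] = struct.unpack("!HH", inner[40:44])
    return info


def build_sample_6in4() -> bytes:
    """Constructed sample (not a capture): a tunnelled TCP SYN arriving from the
    broker side, aimed at port 22 on a host behind the tunnel endpoint."""
    tcp = struct.pack("!HHIIBBHHH", 40000, 22, 1, 0, 5 << 4, 0x02, 65535, 0, 0)
    ipv6 = struct.pack("!IHBB16s16s", 6 << 28, len(tcp), 6, 64,
                       ipaddress.IPv6Address("2001:db8::1").packed,
                       ipaddress.IPv6Address("2001:db8:1::10").packed) + tcp
    ipv4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(ipv6), 0, 0, 64,
                       IPPROTO_IPV6, 0, ipaddress.IPv4Address("192.0.2.1").packed,
                       ipaddress.IPv4Address("198.51.100.7").packed)
    return ipv4 + ipv6
```

Run `decode_6in4(build_sample_6in4())` and note that the only thing the outer header reveals is protocol 41; the inner destination and port 22 are what a host-level IPv6 filter would need to decide on.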

I guess the point is: I can make it work today. However, few people are going to want to do what I had to go through to make it work. Every hop in the network has to be IPv6 friendly and IPv6 enabled. For the home user, it's going to have to be as simple as plugging in a router. We'll get there, but it's going to be a bumpy ride for the next few years.

Anyone who's following the Check Point Twitter or Facebook page, or has been peeking around in User Center has probably seen the release of R75--Check Point's next major release. DLP, Mobile Access, Identity Awareness, and Application Control are all now available as Software Blades--modules that can be enabled as needed.

Over the past several months, as part of my normal duties at Check Point, I have talked with a number of the people involved in this release. I've learned about some of the technologies that went into this release, and I have to say, it's quite amazing how it all comes together!

Take R75 out for a test drive. Even if you don't immediately use the new features, there are some usability enhancements in the SmartConsole applications, an improved IPS engine, and, of course, AppWiki, which is a great resource to find out about applications--even if you're not using our Application Control Software Blade!

From Using Firesheep is illegal in the US, UK, and most of the world:

One thing that many sites have glossed over is the inherent illegality of using Firesheep. "Go on! Try it! It's cool!" -- yes, it is shockingly cool, but if you use it on a public network you are breaking the law.

In general, the interception of any communication -- digital or otherwise -- is prohibited by law. Government agencies are the only exception and even then a warrant is usually required. Firesheep, by intercepting digital communication and re-routing it to your Web browser, is a wiretap. Unless you're trying to crack the local organized crime racket and you have a warrant in your pocket, you are breaking the law.

Making something illegal doesn't mean people--especially criminals--won't do it. Besides, one could argue that this communication is being broadcast unencrypted and can easily be sniffed passively, thus one should not have had a reasonable expectation of privacy.

The goal of this program isn't to let people hijack each other's web sessions anyway, it's to clearly demonstrate the threat of using unencrypted WiFi using unencrypted protocols, which has existed since WiFi was first conceived. Unfortunately, easy-to-use programs like this are what's needed to apply the appropriate pressure to change our protocols and practices.

From Why Firesheep’s Time Has Come | Steve (GRC) Gibson's Blog:

In case you’ve been somewhere off the grid, and have somehow missed the news, Firesheep is an incredibly easy-to-use add-on for the Firefox web browser that, when invoked while connected to any open and unencrypted WiFi hotspot, lists every active web session being conducted by anyone sharing the hotspot, and allows a snooping user to hijack any other user’s online web session logon with a simple double-click of the mouse. The snooper, then logged on and impersonating the victim, can do anything the original logged-on user/victim might do.

I've experimented with Firesheep on my own system. Normally, I use Google Chrome, but I installed a fresh copy of Firefox just for the occasion to try Firesheep.

Within a few moments, I was able to pick up web sessions happening from my Google Chrome browser. I was able to use both my Facebook and Twitter from Firefox without having to log into them! It did pick up my Google login, but before I hit Gmail, I had to provide authentication. Remember, this was a fresh installation of Firefox on a machine that did not previously have Firefox installed at all!

This is scary stuff. As Steve Gibson says, though, this has always been possible with unencrypted WiFi by anyone with enough 1337 5killz to pull it off. Now, it's as simple as installing a web browser plugin.

From an article on Cnet announcing a mobile security product:

The [product] runs on all mobile operating systems and devices. It includes antivirus, personal firewall, antispam, and remote monitoring and control services. It remotely backs up and restores data and can locate devices that are lost and stolen, as well as wipe data from stolen devices. It also can send an alert when a SIM card has been removed or replaced. For enterprise users, it protects devices accessing networks with an SSL-based virtual private network.

And it makes great toast, too!

Reality check. The functionality of the above-mentioned product is highly dependent on the mobile platform we're talking about. A quick trip to the vendor's website shows you what options are available on which platform, and it's clearly not the same.

Mobile operating systems are designed to be more secure from the get-go. That doesn't eliminate the need for security, but it does reduce or eliminate certain classes of threats. Also, each mobile OS has its own unique restrictions on the kinds of apps that can be written, and each offers different security services that can be utilized in different ways.

In short, what you can do on iPhone and what you can do on Android are very different. Even if a vendor provides the same application on multiple platforms, it is not going to provide the same level of functionality. It simply cannot.

The author of the above-linked piece did not even attempt to articulate this critical point. If you're looking at a mobile security solution for your enterprise, you simply have to be aware of this reality so that you don't expect something that cannot be delivered.

Disclaimer: My employer offers a competing product: Mobile Access Software Blade. However, the above thoughts are my own.