Profile Applicability:
Level 1
Description:
IPv6 is the latest version of the Internet Protocol (IP) designed to replace IPv4. However, if IPv6 is not in use within your organization, it should be disabled to reduce the potential attack surface and mitigate security risks associated with unused or unnecessary network configurations. Disabling IPv6 also helps streamline network management and avoid potential issues with configurations that are not needed.
Rationale:
Disabling IPv6 when not in use ensures that:
Unnecessary network protocols are not active, reducing the potential attack surface.
Security and configuration management are simplified by limiting the scope to IPv4.
Unused services and network configurations that could introduce vulnerabilities are disabled, improving overall security posture.
Default Value:
New AWS VPCs and subnets are IPv4-only unless an IPv6 CIDR block is associated with them. Once a subnet has an IPv6 CIDR and auto-assignment is enabled, instances launched into it receive an IPv6 address automatically, so IPv6 can be active on instances without anyone having requested it. Organizations that do not use IPv6 need to check for and remove such addresses manually.
Impact:
Pros:
Improved security by reducing the number of active protocols and network configurations.
Simplified network management by focusing on IPv4.
Removal of an exposure path that IPv4-only firewall rules and monitoring do not cover (a security group rule for 0.0.0.0/0 says nothing about ::/0).
Cons:
Requires network administrators to confirm that no workload depends on IPv6 (for example, reaching IPv6-only endpoints) before disabling it.
If needed later, IPv6 addresses and the corresponding security group rules must be reassigned manually.
Remediation:
Test Plan:
Using AWS Console:
Log in to the AWS Management Console.
Navigate to EC2 under Compute.
Select the Instances section and choose the instance you want to check.
In the Networking tab, check whether any IPv6 addresses are listed for the instance's network interfaces.
If IPv6 addresses are present, choose Actions, Networking, Manage IP addresses, and unassign every IPv6 address from each network interface.
In the Security tab, open each attached security group and remove any inbound or outbound rule whose source or destination is an IPv6 CIDR (for example ::/0).
Reload the Networking tab and confirm that no IPv6 addresses remain on the instance.
Using AWS CLI:
Run the following command to list the IPv6 addresses assigned to the instance's network interfaces (an empty Ipv6 list means IPv6 is not in use on that interface):
aws ec2 describe-instances --instance-ids <instance-id> --query 'Reservations[].Instances[].NetworkInterfaces[].{Eni:NetworkInterfaceId,Ipv6:Ipv6Addresses[].Ipv6Address}' --output json
If any IPv6 addresses are listed, unassign them from the network interface:
aws ec2 unassign-ipv6-addresses --network-interface-id <eni-id> --ipv6-addresses <ipv6-address>
Note that modify-instance-attribute --no-source-dest-check does not affect IPv6 at all; it disables source/destination checking on the instance (used for NAT and routing instances) and must not be used for this purpose.
Review the security group for rules that carry IPv6 ranges (the query returns only rules with a non-empty Ipv6Ranges entry):
aws ec2 describe-security-groups --group-ids <security-group-id> --query 'SecurityGroups[].{GroupId:GroupId,Ingress:IpPermissions[?Ipv6Ranges],Egress:IpPermissionsEgress[?Ipv6Ranges]}' --output json
Implementation Plan:
Using AWS Console:
Log in to the AWS Management Console.
Navigate to EC2 and go to Instances.
Review the Networking tab for the instance and note any IPv6 addresses on its network interfaces.
Choose Actions, Networking, Manage IP addresses, unassign every IPv6 address, and save.
Edit the attached security groups and remove all rules with an IPv6 CIDR as source or destination.
Using AWS CLI:
Unassign every IPv6 address from each of the instance's network interfaces:
aws ec2 unassign-ipv6-addresses --network-interface-id <eni-id> --ipv6-addresses <ipv6-address>
Remove IPv6-related rules from the security groups. The --cidr shorthand accepts IPv4 ranges only, so IPv6 rules must be revoked through --ip-permissions; for example, to remove an RDP rule open to all of IPv6:
aws ec2 revoke-security-group-ingress --group-id <security-group-id> --ip-permissions '[{"IpProtocol":"tcp","FromPort":3389,"ToPort":3389,"Ipv6Ranges":[{"CidrIpv6":"::/0"}]}]'
Use revoke-security-group-egress in the same way for outbound rules. To stop future instances in the subnet from receiving IPv6 addresses automatically, disable auto-assignment on the subnet:
aws ec2 modify-subnet-attribute --subnet-id <subnet-id> --no-assign-ipv6-address-on-creation
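The checks in the test plan and the commands in the implementation plan, carried out as an added Python audit script. This is example code written for this page; it is not part of the benchmark and not AWS tooling. It assumes the documented JSON shape of the describe-instances and describe-security-groups responses; the instance, ENI and security group IDs, addresses and rules in the samples are constructed, and the optional live run at the bottom assumes boto3 with read-only EC2 credentials.

```python
"""Find IPv6 addresses on EC2 network interfaces and IPv6 ranges in security
group rules, then emit the CLI commands that remove them.

The audit functions take the JSON documents produced by
`aws ec2 describe-instances` and `aws ec2 describe-security-groups` (boto3
returns the same shape), so they run offline on the constructed samples
below. Only the __main__ block talks to AWS, and it changes nothing.
"""
import json

# Constructed sample of a describe-instances response (not real account
# data): one instance with an IPv6 address on its ENI, one without.
SAMPLE_INSTANCES = {
    "Reservations": [{
        "Instances": [
            {"InstanceId": "i-0123456789abcdef0",
             "NetworkInterfaces": [{
                 "NetworkInterfaceId": "eni-0aaaaaaaaaaaaaaaa",
                 "Ipv6Addresses": [{"Ipv6Address": "2001:db8::1"}]}]},
            {"InstanceId": "i-0fedcba9876543210",
             "NetworkInterfaces": [{
                 "NetworkInterfaceId": "eni-0ccccccccccccccccc",
                 "Ipv6Addresses": []}]},
        ]
    }]
}

# Constructed sample of a describe-security-groups response. The RDP rule is
# open to an IPv4 range and to all of IPv6 (::/0); the HTTPS rule is
# IPv4-only; the egress rule allows everything over both protocols.
SAMPLE_SECURITY_GROUPS = {
    "SecurityGroups": [{
        "GroupId": "sg-0bbbbbbbbbbbbbbbb",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
             "IpRanges": [{"CidrIp": "10.0.0.0/8"}],
             "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
             "Ipv6Ranges": []},
        ],
        "IpPermissionsEgress": [
            {"IpProtocol": "-1",
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
             "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        ],
    }]
}


def find_ipv6_interfaces(describe_instances):
    """Return (instance_id, eni_id, [ipv6 addresses]) for every network
    interface that has at least one IPv6 address assigned."""
    findings = []
    for reservation in describe_instances.get("Reservations", []):
        for instance in reservation.get("Instances", []):
            for eni in instance.get("NetworkInterfaces", []):
                addrs = [a["Ipv6Address"] for a in eni.get("Ipv6Addresses", [])]
                if addrs:
                    findings.append((instance["InstanceId"],
                                     eni["NetworkInterfaceId"], addrs))
    return findings


def find_ipv6_rules(describe_security_groups):
    """Return (group_id, direction, permission) for every inbound or outbound
    rule with a non-empty Ipv6Ranges. A rule that also has IPv4 ranges is
    still reported; only its IPv6 part needs to go."""
    findings = []
    for sg in describe_security_groups.get("SecurityGroups", []):
        for direction, key in (("ingress", "IpPermissions"),
                               ("egress", "IpPermissionsEgress")):
            for perm in sg.get(key, []):
                if perm.get("Ipv6Ranges"):
                    findings.append((sg["GroupId"], direction, perm))
    return findings


def remediation_commands(eni_findings, rule_findings):
    """Build the AWS CLI commands that unassign the addresses and revoke the
    rules. Only the Ipv6Ranges of a rule are passed to revoke-security-group-*,
    so the IPv4 part of a mixed rule is left intact."""
    commands = []
    for _instance_id, eni_id, addrs in eni_findings:
        commands.append("aws ec2 unassign-ipv6-addresses --network-interface-id "
                        "%s --ipv6-addresses %s" % (eni_id, " ".join(addrs)))
    for group_id, direction, perm in rule_findings:
        ipv6_part = {k: perm[k] for k in ("IpProtocol", "FromPort", "ToPort")
                     if k in perm}  # "-1" (all traffic) rules have no ports
        ipv6_part["Ipv6Ranges"] = perm["Ipv6Ranges"]
        commands.append("aws ec2 revoke-security-group-%s --group-id %s "
                        "--ip-permissions '%s'"
                        % (direction, group_id, json.dumps([ipv6_part])))
    return commands


if __name__ == "__main__":
    # Live run (assumes boto3 and read-only EC2 credentials). The describe
    # calls are paginated, so a large account needs a paginator here.
    import boto3
    ec2 = boto3.client("ec2")
    enis = find_ipv6_interfaces(ec2.describe_instances())
    rules = find_ipv6_rules(ec2.describe_security_groups())
    for cmd in remediation_commands(enis, rules):
        print(cmd)
```

The script prints the commands rather than executing them so that each unassignment and revocation can be reviewed against the workload inventory first; unassigning an IPv6 address takes effect immediately.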
Backout Plan:
Using AWS Console:
If IPv6 is needed later, log in to the AWS Management Console.
Navigate to EC2 and go to Instances.
Choose Actions, Networking, Manage IP addresses, and assign an IPv6 address to the instance's network interface (the subnet must still have an associated IPv6 CIDR block).
Edit the instance's security groups to re-add the IPv6 rules that were removed.
Using AWS CLI:
To re-enable IPv6, assign an address from the subnet's IPv6 CIDR to the instance's network interface:
aws ec2 assign-ipv6-addresses --network-interface-id <eni-id> --ipv6-address-count 1
Then restore the security group rules that were removed, passing the same --ip-permissions document to authorize-security-group-ingress or authorize-security-group-egress that was used to revoke them.
References:
CIS Controls