Ensure IPv6 Network Security Appliances Are Used
Use network security devices that support IPv6 to protect networks using IPv6 or both IPv6 and IPv4.
Plain language
This control is about ensuring you have the right firewalls and other security tools in place that can work with IPv6, the latest version of internet addresses. This matters because if your devices can't handle IPv6, you might leave parts of your network unprotected, making it easier for hackers to slip in undetected.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
Feb 2022
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Guideline
Guidelines for networkingSection
Network design and configurationOfficial control statement
IPv6 capable network security appliances are used on IPv6 and dual-stack networks.
Why it matters
Without IPv6-capable security appliances, IPv6/dual-stack traffic may bypass inspection, leaving IPv6 attacks undetected and unblocked.
Operational notes
Verify firewalls/IDS/IPS and proxies fully inspect and log IPv6 on dual-stack links; keep IPv6 rule sets aligned with IPv4 and retest after updates.
Implementation tips
- System administrators should evaluate the current network security devices to check if they support IPv6. This involves reviewing the technical specifications from the device manufacturers or consulting with the vendor to ensure IPv6 is listed as a feature.
- IT managers should budget for the purchase of security appliances that support IPv6 if the existing ones do not. This involves gathering cost estimates from suppliers and planning a timeline that fits into the next financial cycle without disrupting current operations.
- Procurement teams must update supplier agreements to include IPv6 support as a requirement when purchasing new network appliances. They can do this by adding specific clauses in the contracts and consulting with IT to understand which devices are critical.
- Network engineers should configure new IPv6-capable devices as per the organisation’s security policy. This could mean installing the devices on a test network first, setting them up according to best practices received from the Australian Cyber Security Centre (ACSC), and then deploying them on the live network.
- The IT security team should set up regular reviews to ensure IPv6-enabled devices are functioning correctly and updating as required. They should document the review process, noting the checks performed and any issues found, and keep this documentation readily available for audits or evaluations.
Audit / evidence tips
- AskA list of all network security appliances currently in use GoodIs a complete list showing model numbers with labels indicating they support both IPv4 and IPv6
- GoodContract will explicitly mention IPv6 compliance alongside other technical specifications
- GoodIncludes clear budgetary provisions for IPv6 hardware with a timeline for implementation
- AskNetwork appliance configuration records that demonstrate IPv6 settings have been applied
- GoodIncludes well-detailed reports with actions taken or planned based on any issues highlighted
Cross-framework mappings
How ISM-1186 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| layers Partially meets (1) expand_less | ||
| Annex A 8.21 | ISM-1186 requires IPv6 capable network security appliances to be used on IPv6 and dual-stack networks to maintain protective security con... | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.