Federal migration toward IPv6 could become a "wildcard catalyst" driving US government security improvements, analysts predicted today.

"Many agencies will be operating in dual-mode during the transition and will need to configure and support their IPv4 and IPv6 networks at the same time," said Shawn McCarthy, director of government vendor programmes at IDC subsidiary Government Insights.

"If firewalls or intrusion detection systems are not properly configured to recognise IPv6 traffic, IP packet switching networks can be exploited to deliver malware.

"Such configuration should be supervised at an enterprise level, but many agencies are not set up for this at the moment."

The Government Insights report predicts that, as Federal agencies take a risk management approach to security vulnerabilities, they will increasingly be forced to deploy enterprise-wide configuration management tools.

The study recommends that agencies make security automation software part of their IPv6 network transition plan, and use this software to set and monitor configuration settings.

"By standardising and enforcing security configurations, and managing access controls across multiple systems, government agencies will address the IPv6 issue, and simultaneously address multiple network security shortcomings," added McCarthy.

"These include patch management, software programming, interface requirements and monitoring configuration settings for accidental or malicious changes.

"On the other hand, if the security issues of dual-mode are ignored, the government's IPv6 transition will become an even larger enterprise-wide security headache."

• Government Insights report: US Government Security Budgets by Agency: Spending is Brisk, But Important Management Elements are Missing