Got an IPv6 Firewall?
Just like the call "Winter is Coming" in Game of Thrones, we keep hearing IPv6 is coming to our networks spreading doom and gloom to our most priced assets. But just like the clothing worn by some of the actors of the TV show isn't exactly suited for winter, the network security infrastructure deployed currently wouldn't give you a hint that IPv6 is around the corner.
On the other hand, here are some recent numbers:
- Over 25% of Comcast customers are "actively provisioned with native dual stack broadband" (see comcast6.net)
- 40% of the Verizon Wireless network is using IPv6 as of December 2013 (http://www.worldipv6launch.org/measurements/)
- Between July and December last year, Akamai saw IPv6 traffic go up by about a factor of 5 (http://www.akamai.com/ipv6)
When I made our new "Quickscan" router scanning tool available last week, I left it IPv6 enabled. So it is no surprise, that I am getting e-mails like the following:
The results were "interesting"
...
A few weeks ago I had installed an IPv6 capable modem and updated my router config to enable IPv6. The results were glorious in that IPv6 ran like a charm.
The sober facts arose when I ran the ISC router scan - it used my IPv6 address, which hooked directly to my desktop (behind my firewall) and pulled up my generally unused native Apache service.
I went over my router config with a fine-tooth comb and realized that my router has no support for IPv6 filtering.
------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
IPv6 Security Training ( https://www.sans.org/sec546 )
Twitter
Application Security: Securing Web Apps, APIs, and Microservices | Online | US Eastern | Jan 27th - Feb 1st 2025 |
Comments
Red Hat Enterprise Linux v4, now unsupported but no doubt still in use lots of places, enabled IPv6 by default with absolutely no indication in the installer that it was doing do. RHEL v5 and later at least give you the option in the installer now. :-)
Anonymous
Jan 13th 2014
1 decade ago
And then a few years later they came out with Server 2008 with IPv6 enabled by default, Windows Advanced firewall supporting V6, and indicated that disabling IPv6 was particularly an unsupported scenario.... things change. http://technet.microsoft.com/en-us/magazine/2009.07.cableguy.aspx
"From Microsoft's perspective, IPv6 is a mandatory part of the Windows operating system and it is enabled and included in standard Windows service and application testing during the operating system development process. Because Windows was designed specifically with IPv6 present, Microsoft does not perform any testing to determine the effects of disabling IPv6. If IPv6 is disabled on Windows Vista, Windows Server 2008, or later versions, some components will not function."
Anonymous
Jan 13th 2014
1 decade ago
On online CentOS servers with IPv6 I have the same IPTABLES rules fot both IPv4 and IPv6.
Anonymous
Jan 13th 2014
1 decade ago
Another thing is Teredo which comes enabled by default on some of the windows based system and some services (Direct Access) require it to operate - like it or not, IPv6 is here. You should always lock down individual hosts by first disabling all unnecessary services and then firewalling off the rest you can't disable - instead of blaming 'lack of security' on IPv6.
Finally it's hard to protect against something you are not aware of - how many of end-users know they have IPv6 stack enable, configured and working? Even if they do, what can they do about it?
My choice is usually Mikrotik or pfSense - both do great work with IPv6, either native or tunneled (Hi HE, I'm waving at you guys).
Tomasz
Anonymous
Jan 13th 2014
1 decade ago
I feel strongly that Enterprise IPv6 networks should have both a network-based firewall at public network entry points, that should do ingres and egress filtering: that is, you should eschew neither. Layer the defenses; no reliance on any one firewall for network connection-based security.
The former's job is to help defend the perimeter -- block incoming connections to unknown ports; the latter's job, is to help protect other systems, when peer system on the LAN inevitably gets infected with malware or otherwise breached, by a pivoting attacker, rogue insider, etc.
The network-based firewall, should log outgoing and incoming connections, and it should be sophisticated to deny traffic based on protocol/application detection, in addition to standard 5-tuple allow list, with default deny on incoming and outgoing side.
Software firewall on each host: every client, every server. The host firewalls on client or server machines should not be administered by someone whose job would be more convenient with a "permit any any" rule.
Steps should be taken to periodically ensure that all firewalls are operating correctly; with especial attention to software firewalls on hosts, that might have been tampered with by software, or users with local admin privileges to their workstation.
[quote]
Another thing is Teredo which comes enabled by default on some of the windows based system and some services (Direct Access) require it to operate - like it or not, IPv6 is here.[/quote]
Implement IPv6 proper on your network, and block tunneling protocols such as Teredo :)
[quote]first disabling all unnecessary services and then firewalling off the rest you can't disable[/quote]
Yes... and sometimes, get a more secure alternative set up, and get "necessary" services uninstalled or turned off.
Don't forget to push out policies to disable WPAD and NetBIOS/NetBEUI on Windows networks, and ensure systems require signing for file sharing traffic.
Best to require IPsec between all hosts on the LAN, for all allowed communications; the Windows advanced firewall can handle this.
Anonymous
Jan 13th 2014
1 decade ago
and, to an extent, it's also true for SOHO networks.
Host-based filtering is great if available. For many widgets in a modern home, it seems that the manufacturers assume a perfectly good internet; smart TVs, NAS boxes, digital media servers, tablets, smart home controllers, etc. In order to prevent intrusions and unauthorized use of these mostly unprotected widgets would you like to have external protection, and a traditional filtering firewall that understands IPv6 is a good start.
OpenBSD PF (PF or on any other * BSD taste) in a mini-machine delivers this splendidly.
A tiny PC, i.e. CompuTech "Fit PC2i", with OpenBSD and PF (or any other * BSD flavor using PF) inserted between the Internet and the credulous devices does the job.
Anonymous
Jan 13th 2014
1 decade ago
and, to an extent, it's also true for SOHO networks.
Host-based filtering is great if available. For many widgets in a modern home, it seems that the manufacturers assume a perfectly good internet; smart TVs, NAS boxes, digital media servers, tablets, smart home controllers, etc. In order to prevent intrusions and unauthorized use of these mostly unprotected widgets would you like to have external protection, and a traditional filtering firewall that understands IPv6 is a good start.
OpenBSD PF (PF or on any other * BSD taste) in a mini-machine delivers this splendidly.
A tiny PC, i.e. CompuTech "Fit PC2i", with OpenBSD and PF (or any other * BSD flavor using PF) inserted between the Internet and the credulous devices does the job.
Anonymous
Jan 13th 2014
1 decade ago
( no NAT when using ipv6)
Anonymous
Jan 13th 2014
1 decade ago
As for additional ports: I am working on an option to add additional ports.
Anonymous
Jan 13th 2014
1 decade ago
Host-based firewall = single point of failure. 1,000 host based-firewalls = 1,000 single points of failure on your network.
And please don't get me started on Group Policy Objects being a security tool. It's a "push it out and pray" mechanism, one with zero feedback on whether it ever got applied and whether it is working.
How many home users do you know that will replace a perfectly functioning home router just because it doesn't handle IPv6 properly? Zee-roe.
I've got friends still using WEP-only routers because they still work and, after all, it says on the box that is is 128-bit encryption.
Anonymous
Jan 13th 2014
1 decade ago