[100606] in North American Network Operators' Group
Re: IPv6 firewall support
daemon@ATHENA.MIT.EDU (David Freedman)
Mon Oct 29 09:09:24 2007
To: nanog@merit.edu
From: David Freedman <david.freedman@uk.clara.net>
Date: Mon, 29 Oct 2007 13:11:06 +0000
Have to say, using ScreenOS 5.4 on our Juniper kit and relatively happy.
Elsewhere, if you just want a packet filter, v6 ACLs are fine, depending
of course on whether they are done in hardware or software and if this is
appropriate for your application (i.e., an ACL in the software path is
perfectly appropriate in a number of scenarios where you have a dedicated
router and a low-traffic environment...)
Dave.
michael.dillon@bt.com wrote:
> Some people have claimed that they cannot yet sell
> IPv6 Internet access because there is no IPv6 firewall
> support. According to this ICANN study:
> http://www.icann.org/committees/security/sac021.pdf
> this is not quite true. At least 30% of the 42 vendors
> surveyed had IPv6 support.
>
> According to this talk
> <http://www.guug.de/veranstaltungen/ecai6-2007/slides/2007-ECA-I6-Status-IPv6-Firewalling-PeterBieringer-Talk.pdf>
> many open-source and commercial firewalls supporting IPv6 are available.
>
> IPCop is based on Linux
> <http://www.ipcop.org/index.php?module=pnWikka&tag=IPCopScreenshots>
>
> m0n0wall is based on FreeBSD
> <http://m0n0.ch/wall/screenshots.php>
>
> pfSense is also based on FreeBSD
> <http://pfsense.com/index.php?id=26>
>
> FWBuilder is a management tool that builds filter setups for
> several different firewalls.
> <http://www.fwbuilder.org/archives/cat_screenshots.html>
>
> Checkpoint FW1 NGX R65 on SecurePlatform supports IPv6
>
> FortiGate supports IPv6 in FortiOS 3.0 and up.
>
> Juniper SSG (formerly Netscreen) supports IPv6 in ScreenOS 6.0 and up.
>
> Cisco ASA (formerly PIX) supports IPv6 in version 7.0 and up.
>
> I suspect that the people complaining about IPv6 support are
> partially complaining because they have older hardware that
> the vendor does not plan to upgrade to IPv6 support until
> they have all features implemented in their newer products,
> and partially complaining because their vendor has not
> implemented some feature which they happen to use.
>
> Commercial firewall support may be lagging behind OS and
> router support, but not by much. And if commercial vendors
> are not responsive, maybe you should try pricing out an open
> source solution with a consultant. I believe there is a gap
> here that startup firewall companies could fill if they
> understand the enterprise market.
>
> --Michael Dillon
>