[190466] in North American Network Operators' Group
Re: NAT firewall for IPv6?
daemon@ATHENA.MIT.EDU (Valdis.Kletnieks@vt.edu)
Tue Jul 5 10:34:40 2016
X-Original-To: nanog@nanog.org
To: Edgar Carver <dredgarcarver@gmail.com>
From: Valdis.Kletnieks@vt.edu
In-Reply-To: <CAMJ2qG0_Z4yArNt6jc10c+OhRSV-2Gv0k0thNdJD9WSuFaA-Ww@mail.gmail.com>
Date: Tue, 05 Jul 2016 10:33:22 -0400
Cc: nanog@nanog.org
Errors-To: nanog-bounces@nanog.org
--==_Exmh_1467729201_2533P
Content-Type: text/plain; charset=us-ascii
On Fri, 01 Jul 2016 21:28:54 -0500, Edgar Carver said:
> We're having problems where viruses are getting through Firefox, and we
> think it's because our Palo Alto firewall is set to bypass filtering for
> IPv6.
Do you have any actual evidence (device logs, tcpdump, netflow, etc) that
support that train of thought?
Remember that your Palo Alto isn't stopping 100% of the icky stuff on the
IPv4 side either - the sad truth is that most commercial security software
is only able to identify and block between 30% and 70% of the crap that's
out in the wild. There's also BYOD issues where a laptop comes in and infects
all your systems from behind the firewall (as Marcus Ranum says: "Crunchy on
the outside, soft and chewy inside").
In any case,your first two actions should be to recover the password for the
Palo Alto, and make sure it has updated pattern definitions in effect on both
IPv4 and IPv6 connections.
And your third should be to re-examine your vendor rules of engagement, to
ensure your deliverables include things like passwords and update support
so you're not stuck if your vendor goes belly up..
--==_Exmh_1467729201_2533P
Content-Type: application/pgp-signature
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
Comment: Exmh version 2.5 07/13/2001
iQIVAwUBV3vFMAdmEQWDXROgAQIyXA//ciPJk2wKa12pWxe6e+QFNilVfQd718i+
8X6qJLrQxB9LkJuhlwie0k6ng3tKNLYGgO8FTpE4Vo/SwrZBqtgDuSPxKlLuxLO7
8EwWnDZT3WVLCS59nQZW4TmxdP9JsbUdrrdU2zPp7Z2t66Ybkvd0e26IoDaDPc1I
6oYSfJEhrPElvaVJ3TRR702sNfoKn2FdsGKt/izeSgYSE1c6al5b7CYmB/6tbgu5
mfvf1XKKp3R5bk8nCs+AnV37Qsdo4d9Jhwp6pm29+/XGKCI+pLtLAnCU0czt/aeC
FFMZSpCEKQNbGh4cFNd7HZeoEyZzSjKhqz+eXVTNkLuhc/DPZyauOvlmWsDdTEwI
VI+tyVoGpABs5lhm7bEaJzbyY277flJU2PrGb1bo4cGZHRlvS1Zf08DegQwwVb2h
ePJlEv2iwdBRdXN7Lvg1/GYKvAoSnIWByK6gL8481hfwLS+TrVmMnZv0gJUNwij3
DWV41UX+5vzi8Cbeo6+VXznRtC6QXCBepeRW22fzSWvQDjcAFOGD7nzVGhQtSCAT
y8lFqvNw6QkWFHVi/lUlRbA1ee3TiJbDz4OKWiwdijUQu4VMHMr8CNQnCGR+IGUc
+BdOZpWqj3GBnEdjk1PHe66+NPFCcIdd3b/W9RZVD5VrrJPS1RDwMQ5Lwn0ss50j
c12i31rR2XM=
=gb5l
-----END PGP SIGNATURE-----
--==_Exmh_1467729201_2533P--
