[190471] in North American Network Operators' Group
RE: NAT firewall for IPv6?
daemon@ATHENA.MIT.EDU (Naslund, Steve)
Tue Jul 5 10:57:50 2016
X-Original-To: nanog@nanog.org
From: "Naslund, Steve" <SNaslund@medline.com>
To: "nanog@nanog.org" <nanog@nanog.org>
Date: Tue, 5 Jul 2016 14:54:16 +0000
In-Reply-To: <95791.1467729202@turing-police.cc.vt.edu>
Errors-To: nanog-bounces@nanog.org
That is a good point. In order for your PCs to be compromised via IPv6, they would have to be able to establish IPv6 connectivity to each other or to an internet location.
If your network is not configured to support IPv6 it will probably only be possible for your clients to communicate with each other via IPv6 on the local LAN, meaning they could only be infecting each other. For your clients to be receiving traffic from the Internet via IPv6 would probably require routing and IPv6 configuration support that it sounds like your network does not have. If your firewall is passing v6 traffic, it must understand it enough to forward it across interfaces.
At this point it does not much matter whether the transport layer is v4 or v6 because this problem is higher up the protocol stack. Setting up your firewall to bypass v6 (i.e. just pass it) was a huge tactical error (might be why your consultant is out of business :) and a bit hard for me to understand. If you want v6 then you would apply the same policies that you do to v4 traffic, and if you don't want v6 you would just tell the firewall to drop it.
I think it is much more probable that you are receiving malware via IPv4 or even executable attachments that the out of control firewall is not detecting.
I can tell you that we use the most current versions of Checkpoint firewalls with all of the malware bells and whistles (megabucks) and they are still not 100% effective all of the time. We stop thousands of hacking and malware attempts per hour but it only takes one to become a big pain to deal with.
Steven Naslund
Chicago IL
-----Original Message-----
From: NANOG [mailto:nanog-bounces@nanog.org] On Behalf Of Valdis.Kletnieks@vt.edu
Sent: Tuesday, July 05, 2016 9:33 AM
To: Edgar Carver
Cc: nanog@nanog.org
Subject: Re: NAT firewall for IPv6?
On Fri, 01 Jul 2016 21:28:54 -0500, Edgar Carver said:
> We're having problems where viruses are getting through Firefox, and
> we think it's because our Palo Alto firewall is set to bypass
> filtering for IPv6.
Do you have any actual evidence (device logs, tcpdump, netflow, etc) that supports that train of thought?
Remember that your Palo Alto isn't stopping 100% of the icky stuff on the IPv4 side either - the sad truth is that most commercial security software is only able to identify and block between 30% and 70% of the crap that's out in the wild. There are also BYOD issues where a laptop comes in and infects all your systems from behind the firewall (as Marcus Ranum says: "Crunchy on the outside, soft and chewy inside").
In any case, your first two actions should be to recover the password for the Palo Alto, and make sure it has updated pattern definitions in effect on both IPv4 and IPv6 connections.
And your third should be to re-examine your vendor rules of engagement, to ensure your deliverables include things like passwords and update support so you're not stuck if your vendor goes belly up.