[190512] in North American Network Operators' Group
Re: NAT firewall for IPv6?
daemon@ATHENA.MIT.EDU (Larry Sheldon)
Tue Jul 5 18:52:05 2016
X-Original-To: nanog@nanog.org
To: nanog@nanog.org
From: Larry Sheldon <larrysheldon@cox.net>
Date: Tue, 5 Jul 2016 17:51:07 -0500
In-Reply-To: <CAMJ2qG0_Z4yArNt6jc10c+OhRSV-2Gv0k0thNdJD9WSuFaA-Ww@mail.gmail.com>
Errors-To: nanog-bounces@nanog.org
My how the world has changed!
On 7/1/2016 21:28, Edgar Carver wrote:
> Hello NANOG community. I was directed here by our network administrator
> since she is on vacation.
I am Old School, I guess. In my day Step One would be "Fire the
administrator." The job is by nature a 24 X 7 X 52 job and "On Call"
the rest of the time. "Vacation" is never a reason to leave your
assignment insecure.
"NAT-based firewall"? Really?
How long has the consultant been out of business?
> Luckily, I minored in Computer Science so I have
> some familiarity.
>
> We have a small satellite campus of around 170 devices that share one
> external IPv4 and IPv6 address via NAT for internet traffic. Internal
> traffic is over an MPLS.
>
> We're having problems where viruses are getting through Firefox, and we
> think it's because our Palo Alto firewall is set to bypass filtering for
> IPv6. Unfortunately, the network admin couldn't give me the password since
> a local consultant set it up, and it seems they went out of business. I
> need to think outside the box.
>
> Is there some kind of NAT-based IPv6 firewall I can setup on the router
> that can help block viruses? I figure that's the right place to start since
> all the traffic gets funneled there. We have a Cisco Catalyst as a
> router. Or, ideally, is there an easy way to turn off IPv6 completely? I
> really don't see a need for it, any legitimate service should have an IPv4
> address.
>
> I'd really appreciate your advice. I plan to drive out there tomorrow,
> where I can get the exact model numbers and stuff.
>
> Regards,
> Dr. Edgar Carver
>
--
"Everybody is a genius. But if you judge a fish by
its ability to climb a tree, it will live its whole
life believing that it is stupid."
--Albert Einstein
From Larry's Cox account.