Re: [fw-wiz] IPv6 redo;;

From: R. DuFresne (dufresne_at_sysinfo.com)
Date: 09/17/04

  • Next message: Christopher Hicks: "[fw-wiz] LDAP and Kerberos?"
    To: "Marcus J. Ranum" <mjr@ranum.com>
    Date: Fri, 17 Sep 2004 14:44:21 -0400 (EDT)
    
    

    On Fri, 17 Sep 2004, Marcus J. Ranum wrote:

    > R. DuFresne wrote:
    > >1. how are firewalls going to deal with IPv6 addressing? Or, will IPv6
    > >negate the need for firewalling and push everything into encryption
    > >boundaries?
    >
    > I don't think network-level crypto is going to solve any
    > interesting problems (and may create new ones) so it
    > won't ever become pervasive. This is especially the case,
    > in my opinion, because in the last few years most of the
    > apps that "need" security have added tunnelling over
    > SSL or other crypto as an option. The place where
    > host-to-host crypto is attractive is between hosts that
    > have some kind of pre-established trust relationship.
    > I.e.: more like a VPN member than an E-commerce
    > transaction. My guess is that the vast majority of
    > crypto in use on the Internet today is more the transactional
    > type in which individuals are temporarily establishing
    > secured connections between machines that don't
    > really "know each other" well enough to justify establishing
    > a full trust boundary between them. The only way I see
    > IPv6 crypto becoming pervasive is if it's so ridiculously
    > easy to set up and it's turned on by default, that nobody
    > notices it's there and working. What's the likelihood of
    > that?
    >
    > I guess the short form of what I just said is, "the IETF
    > took too long, and that particular problem is being
    > addressed in an ad hoc manner and the installed base
    > will rule."
    >
    > >2. icmp redirects, are they still a danger in the IPv6 realm such as they
    > >were and are in traditional TCP/IP?
    >
    > I'd love to know the answer to this one, too. ;)
    > I'm comfortable assuming that there will be whole new kinds
    > of attacks to discover. If options and features convert into
    > vulnerabilities and opportunities for DOS at the usual rate,
    > IPv6 is going to be a fertile playground for hackers.

    I had an off-list reply to this specific point which stated this is still an
    issue in IPv6 and should be addressed as it now is in IPv4.

    Thanks for the replies. I'm still trying to get a handle on how IPv6 will
    function as it pertains to firewalls and other security tools;

    point being the vast majority of firewalls are filters by nature, scoring
    upon IP addresses <singular and in ranges> in conjunction with ports
    <protocol specifics are limited to proxy firewall systems; the vast
    majority of products key on a port number, rather than protocol behaviour>
    so, I'm confused how this might work with IPv6 and the various addresses
    that an interface can be configured with in this way. I did a Google
    search to see what firewalls were IPv6 compliant, with the intention of
    doing a second or more to see how other security devices <i.e. IDS (its
    various forms) and such> fared in this area as well, but noted that
    vendors seem to still be working on firewalls, let alone other products in
    use in IPv4 for network and systems security, so stopped at that point...

    Another off-list reply pointed me to a SANS cert paper someone did for
    their cert process on how OpenBSD can do this already with ip, but I have
    been unable to access the paper in question; SANS seems to have lost it...

    Thanks,

    Ron DuFresne

    -- 
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
            admin & senior security consultant:  sysinfo.com
                            http://sysinfo.com
    "Cutting the space budget really restores my faith in humanity.  It
    eliminates dreams, goals, and ideals and lets us get straight to the
    business of hate, debauchery, and self-annihilation."
                    -- Johnny Hart
    testing, only testing, and damn good at it too!
    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
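The post above asks how a filter that "scores" on addresses and ports copes with an IPv6 interface that carries several addresses at once, and whether ICMP redirects still need blocking. The following is an added worked example, not code from this thread or from any firewall product: a small first-match-wins evaluator over prefix-based rules, using Python's standard `ipaddress` module. The rule format, the `Packet`/`Rule` names and the `2001:db8::/32` prefixes (the IPv6 documentation range) are constructed for illustration; a real ruleset would be written in pf or ip6tables syntax, but the matching logic is the same. It shows three things the post circles around: rules keyed on a prefix rather than a single address match a host whichever address it currently uses inside that prefix (including temporary privacy addresses); a host's link-local address is a separate animal that does not fall inside its global prefix, so a link-local source fails a rule written for the global range; and ICMPv6 cannot be blanket-dropped the way ICMP often is in IPv4, because Neighbour Discovery (types 133 to 136) and Packet Too Big (type 2) are needed for the stack to work, while Redirect (type 137) can still be blocked as the off-list reply suggested.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Added example, not code from the firewall-wizards thread. The rule format,
# class names and the 2001:db8::/32 prefixes are constructed for illustration.


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                       # "tcp", "udp" or "icmpv6"
    dport: Optional[int] = None      # tcp/udp destination port
    icmp_type: Optional[int] = None  # ICMPv6 type


@dataclass(frozen=True)
class Rule:
    action: str                      # "pass" or "block"
    src: str = "::/0"                # source prefix; ::/0 means any
    dst: str = "::/0"                # destination prefix
    proto: Optional[str] = None      # None means any protocol
    dport: Optional[int] = None      # None means any port
    icmp_types: Tuple[int, ...] = ()  # empty tuple means any ICMPv6 type

    def matches(self, pkt: Packet) -> bool:
        # Prefix containment: a host matches by the range it lives in, not by
        # one fixed address, so temporary addresses in that range still match.
        if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(self.src):
            return False
        if ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(self.dst):
            return False
        if self.proto is not None and pkt.proto != self.proto:
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        if self.icmp_types and pkt.icmp_type not in self.icmp_types:
            return False
        return True


# First matching rule wins; anything that matches nothing is blocked.
RULES: List[Rule] = [
    # Neighbour Discovery (RS/RA/NS/NA, types 133-136) only from link-local
    # sources; the RFC 4861 rules require link-local sources for these anyway.
    Rule("pass", src="fe80::/10", proto="icmpv6", icmp_types=(133, 134, 135, 136)),
    # ICMPv6 Redirect (type 137) is dropped outright, as redirects are in IPv4.
    Rule("block", proto="icmpv6", icmp_types=(137,)),
    # Packet Too Big (type 2) must pass or path-MTU discovery breaks, and in
    # IPv6 routers do not fragment, so it arrives from arbitrary sources.
    Rule("pass", proto="icmpv6", icmp_types=(2,)),
    # HTTPS to one server from a whole partner /48 rather than one address,
    # so a client using a privacy address inside that prefix still matches.
    Rule("pass", src="2001:db8:1::/48", dst="2001:db8:2::10/128",
         proto="tcp", dport=443),
]


def evaluate(pkt: Packet, rules: List[Rule] = RULES) -> Tuple[str, Optional[int]]:
    """Return (action, index of the matching rule), or ("block", None)
    when no rule matched and the default policy applies."""
    for i, rule in enumerate(rules):
        if rule.matches(pkt):
            return rule.action, i
    return "block", None


if __name__ == "__main__":
    # Constructed sample traffic; addresses are from the documentation range.
    samples = [
        Packet("2001:db8:1::abcd", "2001:db8:2::10", "tcp", dport=443),
        Packet("2001:db8:1:0:1234:5678:9abc:def0", "2001:db8:2::10", "tcp", dport=443),
        Packet("fe80::1", "2001:db8:2::10", "tcp", dport=443),
        Packet("fe80::1", "ff02::1:ff00:10", "icmpv6", icmp_type=135),
        Packet("fe80::1", "2001:db8:2::10", "icmpv6", icmp_type=137),
        Packet("2001:db8:9::1", "2001:db8:2::10", "icmpv6", icmp_type=2),
        Packet("2001:db8:1::1", "2001:db8:2::10", "udp", dport=53),
    ]
    for p in samples:
        print(p.src, p.proto, p.dport or p.icmp_type, "->", evaluate(p))
```

Run as-is it prints the verdict for each sample packet. The second sample is the point about ranges: its interface identifier is nothing like the first host's, as a temporary address would be, yet it passes because the rule is written against the /48. The third shows why a ruleset has to reason about address scope: the same physical host speaking from its link-local address is outside the global prefix and falls through to the default block, which is correct for TCP but would be fatal if the same logic were applied to Neighbour Discovery, hence the first rule.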
    
