Re: [fw-wiz] IPv6 and firewall policies?

From: Paul D. Robertson (paul_at_compuwar.net)
Date: 11/01/04

    To: Darren Reed <darrenr@reed.wattle.id.au>
    Date: Sun, 31 Oct 2004 18:49:41 -0500 (EST)
    
    

    On Mon, 1 Nov 2004, Darren Reed wrote:

    > > We were fortunate in starting with ALGs for IPv4 firewalling, because it
    > > took away so many of the issues with fragmentation, flags and
    > > segmentation- or at least relegated them to a single stack's
    > > implementation. With IPv6, I'm afraid we're going to come at it from a
    > > packet filter first approach, and that's got me worried that we're going
    > > to go through the same cycle all over again.
    >
    > To some extent, I think you're right...
    >
    > Some web resources I found quickly:
    >
    > http://www.terena.nl/conferences/tnc2004/core_getfile.php?file_id=323
    > http://www.seanconvery.com/v6-v4-threats.pdf

    Thanks, I'll add those to my ever enlarging IPv6 bookmarks...

    > There's only one free firewall I wouldn't use for IPv6 - pf.

    *cough* that won't get any response *cough* ;)

    > It has no ability to match (and drop) packets given the presence of
    > IPv6 extension headers except for fragments (drops automatically),
    > leaving you open to attack through use of routing headers (at the
    > very least.) Maybe they don't consider this a problem, I don't know,
    > but everyone else seems to let you filter on extension headers and
    > the routing header is deemed to be the IPv6 equivalent of IPv4's
    > loose source routing option and what does everyone do with that?

    Well, it seems at least firewalls won't be obsoleted by v6- but that's all
    the good news I can see so far.

    > So I think there's some amount of danger in going through that cycle
    > again if things like that can be ignored but some people are aware of
    > these things and are documenting them and making sure people are not
    > left in the blind about the risks, etc.

    I'm just afraid that given the specs, and the "thou shalt support all
    this foo" stuff that we're in for a cycle that includes lots of pain, kind
    of like IPSec originally.

    I've just started going through the v6ops archives[1], it's good to see
    that security is being raised in some of the discussions, but all the tunnel
    broker and routing stuff has me at least slightly worried, as does the
    zeroconf foo.

    Still, perhaps v6 will give us the chance to get folks to do egress
    filtering at their borders by default- maybe that's where we should be
    pushing firewall authors'/vendors' buttons first?

    Paul
    [1] http://ops.ietf.org/lists/v6ops/
    -----------------------------------------------------------------------------
    Paul D. Robertson "My statements in this message are personal opinions
    paul@compuwar.net which may have no basis whatsoever in fact."
    probertson@trusecure.com Director of Risk Assessment TruSecure Corporation
    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
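The extension-header matching Darren describes above, as an added example that is not part of the thread or of any firewall's code: a small Python walker over an IPv6 packet's header chain that reports which extension headers are present and the Routing Type of any Routing Header, so a filter can act on it. All packet bytes are constructed here, and `should_drop` is a hypothetical policy, not pf's or any product's behaviour.

```python
import struct

IPV6_HDR_LEN = 40
# Next-header values of extension headers that may precede the upper layer.
EXT_NAMES = {0: "hop-by-hop", 43: "routing", 44: "fragment", 60: "destination"}
FRAGMENT = 44  # fixed 8 octets; the others carry "hdr ext len" in 8-octet units

def extension_headers(pkt: bytes):
    """Walk the chain; return ([(name, raw_header), ...], upper_layer_next_header)."""
    if len(pkt) < IPV6_HDR_LEN or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    nxt, off, found = pkt[6], IPV6_HDR_LEN, []
    while nxt in EXT_NAMES:
        # hdr ext len excludes the first 8 octets; guard the index before reading it
        size = 8 if nxt == FRAGMENT or off + 1 >= len(pkt) else (pkt[off + 1] + 1) * 8
        if off + size > len(pkt):
            raise ValueError("truncated extension header chain")
        found.append((EXT_NAMES[nxt], pkt[off:off + size]))
        nxt, off = pkt[off], off + size  # byte 0 of every extension header is next header
    return found, nxt

def routing_header_type(pkt: bytes):
    """Routing Type of the first Routing Header (0 = RH0, the loose-source-routing analogue), else None."""
    for name, raw in extension_headers(pkt)[0]:
        if name == "routing":
            return raw[2]
    return None

def should_drop(pkt: bytes) -> bool:
    """Hypothetical policy: drop anything carrying a Routing Header; fail closed on an unparseable chain."""
    try:
        return routing_header_type(pkt) is not None
    except ValueError:
        return True

def ipv6_packet(chain, upper=6):
    """Constructed test packet (not a capture); chain = [(ext_type, body without its next-header byte)]."""
    src, dst = b"\x20\x01\x0d\xb8" + b"\0" * 12, b"\x20\x01\x0d\xb8" + b"\0" * 11 + b"\1"
    payload = b""
    for i, (_, body) in enumerate(chain):
        following = chain[i + 1][0] if i + 1 < len(chain) else upper
        payload += bytes([following]) + body
    payload += b"\0" * 20  # placeholder TCP-sized upper-layer header
    first = chain[0][0] if chain else upper
    return struct.pack("!IHBB16s16s", 0x60000000, len(payload), first, 64, src, dst) + payload

# RH0 body: hdr ext len 2, routing type 0, segments left 1, 4 reserved bytes, one address.
RH0_BODY = bytes([2, 0, 1]) + b"\0" * 4 + b"\x20\x01\x0d\xb8" + b"\0" * 11 + b"\2"
# Hop-by-hop body: hdr ext len 0, then a PadN option (type 1, length 4) and its 4 bytes.
HBH_BODY = bytes([0, 1, 4]) + b"\0" * 4
```

The same walk gives a filter the hook to match on any extension header type, not only routing headers; a real implementation would also bound the number of headers it is willing to walk.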

