NAT firewall for IPv6?

Naslund, Steve SNaslund at medline.com
Tue Jul 5 14:31:35 UTC 2016


On another note, using a firewall to stop viruses is probably not going to work in general (unless the firewall has some additional malware detection engine).  

Here is the issue in a nutshell.  A firewall primarily controls where people can connect to and from on a network.  The problem with that is that a lot of malware is received from sites that your users intended to go to.  People click on links without knowing where they go and people go to less than reputable web sites (or reputable sites that we recently compromised).  If you, by default, allow your users to access the Internet with a browser they are vulnerable to malware.  Even with malware detection capability you are still vulnerable to signatures and attacks that are not yet able to be detected.

Even if filtering was enabled on your Palo Alto for ipv6 it would not help at this point because you have no idea what signatures it is using to filter with and when the last time those were updated  I doubt your v4 filtering is of much use either at this point.  URL filtering is largely a big game of whack a mole that you will lose eventually.  Malware filtering is based on one or both of the following methods.  

	1.  You filter URLs known to be bad players (you are vulnerable until your protection vendor realizes they are bad players).

	2.  You filter based on adaptive detection of code that looks suspicious.  This is a bit better but still vulnerable because the bad guys are always innovating to pass through these devices.

My recommendation would be network malware detection (possibly through a firewall add-on) as well as good virus/malware detection on the client computers.  Sometimes the malware is easier to detect at the client because it reveals itself by trying to access unauthorized memory, processes, or storage.

Steven Naslund
Chicago IL




-----Original Message-----
From: NANOG [mailto:nanog-bounces at nanog.org] On Behalf Of Edgar Carver
Sent: Friday, July 01, 2016 9:29 PM
To: nanog at nanog.org
Subject: NAT firewall for IPv6?

Hello NANOG community. I was directed here by our network administrator since she is on vacation. Luckily, I minored in Computer Science so I have some familiarity.

We have a small satellite campus of around 170 devices that share one external IPv4 and IPv6 address via NAT for internet traffic. Internal traffic is over an MPLS.

We're having problems where viruses are getting through Firefox, and we think it's because our Palo Alto firewall is set to bypass filtering for IPv6. Unfortunately, the network admin couldn't give me the password since a local consultant set it up, and it seems they went out of business. I need to think outside the box.

Is there some kind of NAT-based IPv6 firewall I can setup on the router that can help block viruses? I figure that's the right place to start since all the traffic gets funneled there. We have a Cisco Catalyst as a router. Or, ideally, is there an easy way to turn off IPv6 completely? I really don't see a need for it, any legitimate service should have an IPv4 address.

I'd really appreciate your advice. I plan to drive out there tomorrow, where I can get the exact model numbers and stuff.

Regards,
Dr. Edgar Carver


More information about the NANOG mailing list