NAT firewall for IPv6?

Bruce Curtis bruce.curtis at ndsu.edu
Tue Jul 5 14:47:53 UTC 2016


> On Jul 5, 2016, at 9:33 AM, Valdis.Kletnieks at vt.edu wrote:
> 
> On Fri, 01 Jul 2016 21:28:54 -0500, Edgar Carver said:
> 
>> We're having problems where viruses are getting through Firefox, and we
>> think it's because our Palo Alto firewall is set to bypass filtering for
>> IPv6.
> 
> Do you have any actual evidence (device logs, tcpdump, netflow,  etc) that
> support that train of thought?
> 
> Remember that your Palo Alto isn't stopping 100% of the icky stuff on the
> IPv4 side either - the sad truth is that most commercial security software
> is only able to identify and block between 30% and 70% of the crap that's
> out in the wild.

That is only the percentage that it identifies from what it can see.  It most likely cannot see viruses in encrypted traffic.

"A forecast that 70% of global Internet traffic will be encrypted in 2016, with many networks exceeding 80%"

https://www.sandvine.com/pr/2016/2/11/sandvine-70-of-global-internet-traffic-will-be-encrypted-in-2016.html


"In the fourth quarter of 2015 nearly 65 percent of all web connections that Dell observed were encrypted, leading to a lot more under-the-radar attacks, according to the company. Gartner has predicted that 50 percent of all network attacks will take advantage of SSL/TLS by 2017."

http://www.darkreading.com/attacks-breaches/when-encryption-becomes-the-enemys-best-friend/d/d-id/1324580

This article mentions how difficult it is for sandboxes to detect malware.

https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/fireeye-hot-knives-through-butter.pdf

This article mentions malware that changes its download image every 15 seconds.

http://www.darkreading.com/vulnerabilities---threats/cerber-strikes-with-office-365-zero-day-attacks/d/d-id/1326070?_mc=NL_DR_EDT_DR_weekly_20160630&cid=NL_DR_EDT_DR_weekly_20160630&elqTrackId=1d7f1b5bcdb24c469164471a423f746b&elq=01e6838c279149a08e460cdbe3b8b54a&elqaid=70982&elqat=1&elqCampaignId=21896

> There's also BYOD issues where a laptop comes in and infects
> all your systems from behind the firewall (as Marcus Ranum says: "Crunchy on
> the outside, soft and chewy inside").


> In any case,your first two actions should be to recover the password for the
> Palo Alto, and make sure it has updated pattern definitions in effect on both
> IPv4 and IPv6 connections.
> 
> And your third should be to re-examine your vendor rules of engagement, to
> ensure your deliverables include things like passwords and update support
> so you're not stuck if your vendor goes belly up..
> 

---
Bruce Curtis                         bruce.curtis at ndsu.edu
Certified NetAnalyst II                701-231-8527
North Dakota State University        
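The point Bruce makes above, that a firewall's catch rate only applies to the traffic it can actually inspect, is easy to put numbers on from flow data, which is also the kind of evidence Valdis asks for. The following is an added example, not code from either poster: it parses constructed netflow-style records, uses a port-based heuristic (assumed here, not taken from the thread) to mark TLS flows as opaque to payload inspection, and reports what share of bytes an inspection device sees per address family, with and without IPv6 bypassing filtering.

```python
"""
Estimate how much of a network's traffic a non-decrypting firewall/IDS can
actually inspect, per IP address family.

Heuristic (an assumption for this example): flows to well-known TLS ports
are opaque to payload inspection; everything else counts as visible.
"""
from collections import defaultdict
from ipaddress import ip_address

# Constructed sample flow records (not real data): src,dst,proto,dst_port,bytes
SAMPLE_FLOWS = """\
10.0.0.5,93.184.216.34,tcp,443,120000
10.0.0.7,93.184.216.34,tcp,80,30000
2001:db8::10,2001:db8:ffff::1,tcp,443,200000
2001:db8::11,2001:db8:ffff::1,tcp,80,10000
10.0.0.9,198.51.100.20,udp,53,2000
2001:db8::12,2001:db8:ffff::53,udp,53,1500
"""

# Destination ports treated as TLS-wrapped (assumed list for the example).
ENCRYPTED_PORTS = {443, 465, 993, 995, 8443}


def parse_flows(text):
    """Turn CSV flow lines into dicts with family, proto, port and bytes."""
    flows = []
    for line in text.strip().splitlines():
        src, dst, proto, port, nbytes = line.split(",")
        flows.append({
            "family": ip_address(dst).version,   # 4 or 6
            "proto": proto,
            "port": int(port),
            "bytes": int(nbytes),
        })
    return flows


def visibility_by_family(flows):
    """Fraction of bytes per address family whose payload is inspectable."""
    totals = defaultdict(lambda: {"total": 0, "visible": 0})
    for f in flows:
        t = totals[f["family"]]
        t["total"] += f["bytes"]
        if f["port"] not in ENCRYPTED_PORTS:
            t["visible"] += f["bytes"]
    return {fam: t["visible"] / t["total"] for fam, t in totals.items()}


def overall_inspectable(flows, ipv6_filtered=True):
    """Fraction of all bytes the device can inspect; IPv6 may bypass filtering."""
    total = sum(f["bytes"] for f in flows)
    visible = sum(
        f["bytes"] for f in flows
        if f["port"] not in ENCRYPTED_PORTS
        and (ipv6_filtered or f["family"] == 4)
    )
    return visible / total


def effective_detection(catch_rate, inspectable_fraction):
    """A vendor catch rate only applies to the traffic the device can see."""
    return catch_rate * inspectable_fraction


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    for fam, frac in sorted(visibility_by_family(flows).items()):
        print(f"IPv{fam}: {frac:.1%} of bytes inspectable")
    for bypass in (False, True):
        frac = overall_inspectable(flows, ipv6_filtered=not bypass)
        print(f"IPv6 bypass={bypass}: {frac:.1%} inspectable, "
              f"effective detection at a 70% catch rate: "
              f"{effective_detection(0.70, frac):.1%}")
```

Replace `SAMPLE_FLOWS` with an export from the flow collector to get real figures; the heuristic will undercount encryption on non-standard ports, so the result is an upper bound on what the device can see.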