NAT firewall for IPv6?

Naslund, Steve SNaslund at medline.com
Tue Jul 5 20:41:07 UTC 2016


It is all about defense in depth.  The engineers here are speaking to the network pieces (the second N in NANOG is network, right :) and we have told this person that it is unlikely that v6 in the only vector and I myself talked about malware handling on the clients themselves.  From a network engineering perspective many of us agreed that the biggest single threat to his network was a firewall in an unknown state with an unknown administrator password that could be owned by anyone on earth at this point.  That single piece threatens the entire network as a whole and is a ticking time bomb ready to blow his entire LAN off the Internet if it fails.  

He probably does not own the entire environment himself, he is filling in for a vacationing network engineer.  So he is working on the network piece and is probably not responsible for the anti-malware software on the clients (if anyone is, see below).

Our "support" as you call it was a response to this person questions about blocking v6 as an attack vector in the first place.  We answered his question but then told him that was unlikely to be the problem and what he should do about taking back his firewall, securing v6 via the firewall, and handling the malware at the client.  Seems solid advise to me so far.

BTW we did not bill him for anything.  He got a lot of free advice from a lot of people he could not even begin to afford to employ, so not a bad deal for him.  You also have to understand that this gentleman seems to be in an educational environment which usually means lots of clients he does not have control over so having some kind of network based malware control is helpful.  Clients in this type of environment have to defend themselves from each other and he will likely have stuff brought in from the outside.  Good malware detection in the network can help identify clients that contain malware and are a threat to other devices.  Fancier network gear/IDS/IDP would actually remove offending clients from the network or at least segments them into an isolation area.

Let me re-iterate:

	1. 	Take back ownership of your firewall and bring it up to date including new malware signatures.  If you don't have current support, get it...........directly so if your consultant bails you are not dead meat.  This will ensure that the outside world will not own or control stuff inside your network while you put the fires out.  At the very least it can help malware infected machines from phoning home to their command and control servers which sometimes prevents a lot of damage.
	2.	Make your v6 rules mirror at least the security level of your v4 rules.  Passing v6 unchallenged is unacceptable.  If your firewall won't do it replace it with one that will.
	3.	Ensure all clients under your control have current anti-virus/anti-malware detection.  Clients have to defend themselves from threats internal to the firewall as well as ones outside.  Don't be hard on the outside with a soft chewy center.
	4.  	Never, ever accept anything less than full administrative control passwords and accounts from your consultants, before you give them final payment.  I actually prefer to lock them out when they complete an install until I need them to help with something.  This prevents them from holding you hostage or one of their "postal" employees from wiping you out as well as preventing them from using your network for experimentation without you knowing it.  It is an important part of change control to ensure that outsiders cannot modify your configuration without contacting you first.  We usually give our consultants highly logged VPN accounts that we can disable or enable as needed.

Steven Naslund
Chicago IL



>>No while that is also needed, it is very unlikely to fix his issue. The issue at hand is that some of their computers have become virus infected.
>>The fix for that is to upgrade the virus scanner and making sure that all software upgrades are done.

>>Someone comes to you and says his Firefox is getting infected through IPv6.
>>If your support is worth anything, you will not take that at face value and bill him for a ton work related to IPv6. No, you will go find out what the real issue is and solve that. The only thing we know right now is that he is >>confused.
>>
>>Regards,
>>
>>Baldur


More information about the NANOG mailing list