[AusNOG] Globally Routed IPv6 and Windows Firewall

Greg Anderson ganderson at raywhite.com
Fri Jul 25 13:37:06 EST 2014


I agree on the difficulties with brute forcing methods, but I personally
don't consider it a silver bullet.  There are ways to identify legitimate
IP addresses without brute forcing - log files, traffic interception etc.


On 25 July 2014 13:34, Joseph Goldman <joe at apcs.com.au> wrote:

>  I think the concern here though is the real 'dumb' home user. NAT
> provides a level of security for inbound attacks to a Personal Computer
> unless specified in port forwarding, so the users have become accustomed to
> that level of security (even if they don't know about it).
>
> It was a question that came up in my mind earlier this week too, and not
> all modem/routers are featured with firewalls to do this - and with pretty
> much any ISP having to allow BYOD, you can't control if people's routers
> will ever have this feature. For business/managed connections I tend to
> personally go MikroTik routers so they do have the full featured firewall,
> and I would definitely be setting up rules for IPv6 once we start our
> end-user roll-out, but I can't control residential customer xyz's JB Hi-Fi
> bought D-Link, and I don't really want the helpdesk flooded with calls
> about attacks and viruses either.
>
> The only comfort that I got was that IPv6 is so vast that brute-forcing
> seems illogical and unlikely to net many results. I will be interested to
> see others' opinions on the matter :)
>
>
> On 25/07/14 13:20, Damien Gardner Jnr wrote:
>
> What I do (and we do at work) is run stateful firewalling on the
> home/office router, and don't allow inbound traffic on v6 unless it's for
> an established session.   Same as we did all those years ago when our
> homes/offices had a public /24 (We all had that at home right? ;) ).   It's
> certainly not a new problem :)
>
>  Cheers,
>
> DG
>
>
> On 25 July 2014 13:11, Greg Anderson <ganderson at raywhite.com> wrote:
>
>> Good day Ladies and Gentlemen!
>>
>>  I had a quick question because, try as I might, anybody I have asked
>> this question to so far (and Google) has been unable to answer the
>> question for me.
>>
>>  With the deployment of a dual stack IPv6 solution either in a corporate
>> or residential environment, I expect most users would have a single NIC in
>> most cases.
>>
>>  For Windows Firewall, IPv4 addresses in common cases are not globally
>> routed addresses, and they often have less restrictive firewall rules and
>> services running on them (e.g. SNMP, file/printer sharing, RDP, HomeGroup
>> etc.).  In these cases, some would often use the "Domain" or "Private"
>> firewall profiles on these NICs.
>>
>>  With the deployments of IPv6, they will also have link-local IPv6
>> addresses (fine, as they are not globally routed either, obviously), and at
>> some point many will have a globally routed IPv6 address.  So this means,
>> for a given NIC, you will now have:
>>
>> - IPv4 reserved address for private local networking
>> - IPv6 reserved address for private local networking
>> - IPv6 globally routed address (and possibly a second temporary address)
>>
>>  When the deployment of globally routed IPv6 addresses happens, because
>> the NIC has a Private profile there are suddenly private services exposed
>> to the Internet.  (Let's put our tin foil hat on and ignore the
>> difficulties of brute force scanning an IPv6 subnet.)
>>
>>  Option 1 is obvious - change your NIC's network type to Public, and if
>> you don't want everything to break, reconfigure all your rules to permit
>> traffic only from link-local addresses (i.e. a real pain in the _).
>>
>>  Is there an option 2?  Ideally, I would like the public ranges to be
>> automatically detected (or specifically reconfigurable) as a globally
>> routed IP address range and therefore to be able to apply multiple profiles
>> (Public and Private/Domain) to a single NIC.
>>
>>  I am considering this from a residential dumb end user perspective as
>> well as enterprise - so whilst I would like a technical solution (and I am
>> aware those of us smart enough can still firewall at the edge just like we
>> do today) - many residential users will not have these skills - they are
>> likely to really open themselves up.  So I am interested to see if I am
>> missing something very obvious...
>>
>>  Thoughts?
>>
>>  - Greg
>>
>> _______________________________________________
>> AusNOG mailing list
>> AusNOG at lists.ausnog.net
>> http://lists.ausnog.net/mailman/listinfo/ausnog
>>
>>
>
>
>  --
>
> Damien Gardner Jnr
> VK2TDG. Dip EE. GradIEAust
> rendrag at rendrag.net -  http://www.rendrag.net/
> --
> We rode on the winds of the rising storm,
>  We ran to the sounds of thunder.
> We danced among the lightning bolts,
>  and tore the world asunder
>


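Added example, not part of the thread and not anyone's posted configuration: one way to deal with the situation Greg describes on a dual-stack Windows host, without flipping the whole NIC to the Public profile, is to leave the profile alone and narrow the remote-address scope of the LAN-service rules instead. The PowerShell below (NetSecurity module, elevated session) first lists the enabled inbound allow rules in the Domain/Private profiles whose remote address is "Any", which are exactly the ones a global IPv6 address on the same NIC exposes, and then re-scopes the usual LAN rule groups to LocalSubnet plus link-local and ULA space. The rule group names are Windows' built-in ones; the ULA prefix and the choice of groups are assumptions for the example.

```powershell
#Requires -RunAsAdministrator
# Added example: audit and re-scope inbound "private" rules on a dual-stack
# Windows host so that a globally routed IPv6 address on the same NIC does
# not expose them. Not from the thread.

# Assumption: the site's ULA space. Tighten this to your own /48 in practice.
$ulaPrefix = 'fd00::/8'

# Step 1: audit. Enabled inbound allow rules in the Domain/Private profiles
# (or "Any" profile) whose remote-address filter is "Any" are reachable from
# every address the NIC holds, the global IPv6 one included.
function Get-ExposedInboundRules {
    Get-NetFirewallRule -Enabled True -Direction Inbound -Action Allow |
        Where-Object { $_.Profile -match 'Private|Domain|Any' } |
        ForEach-Object {
            $addr = $_ | Get-NetFirewallAddressFilter
            if ($addr.RemoteAddress -contains 'Any') {
                $port = $_ | Get-NetFirewallPortFilter
                [pscustomobject]@{
                    Name      = $_.DisplayName
                    Group     = $_.DisplayGroup
                    Profile   = $_.Profile
                    Protocol  = $port.Protocol
                    LocalPort = ($port.LocalPort -join ',')
                }
            }
        }
}

Get-ExposedInboundRules | Sort-Object Group, Name | Format-Table -AutoSize

# Step 2: re-scope. Restrict the built-in LAN service groups to the local
# subnet keyword (Windows expands it to the on-link prefixes of each
# interface, IPv4 and IPv6), link-local space and the site's ULA prefix.
# A packet from an off-link global source then fails the address filter
# regardless of which profile the NIC is in.
$lanGroups = 'File and Printer Sharing', 'Network Discovery', 'Remote Desktop'
foreach ($group in $lanGroups) {
    Get-NetFirewallRule -DisplayGroup $group -Direction Inbound |
        Set-NetFirewallRule -RemoteAddress 'LocalSubnet', 'fe80::/10', $ulaPrefix
}

# Re-run the audit: the re-scoped groups should no longer appear.
Get-ExposedInboundRules | Sort-Object Group, Name | Format-Table -AutoSize
```

Because LocalSubnet covers the interface's own global /64, neighbours on the same LAN still reach these services from their global addresses, while sources behind the router are dropped. This is the host-side complement to Damien's stateful rule at the edge rather than a replacement for it: a laptop that joins a hostile LAN still trusts its on-link neighbours, which is what the Public profile remains for.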