ipv6 question
Michael H. Warfield
mhw at WittsEnd.com
Tue Jan 4 02:03:33 UTC 2011
On Mon, 2011-01-03 at 19:44 -0600, Robert Nichols wrote:
> On 01/03/2011 06:31 PM, Michael H. Warfield wrote:
> > There is a widespread myth that NAT and the fact that you are on
> > different addresses somehow bestows upon you some measure of security.
> > As a leading security researcher, let me impress upon you that nothing
> > could be further from the truth. You can get security from the inherent
> > statefulness of your common consumer grade NAT, but there are other forms
> > of NAT which do not convey this. Merely the fact that your addresses
> > are mapped does not provide you with any protection. It's the state
> > engine and the dynamic mapping that do this. But, SURPRISE, that's
> > exactly what's in a stateful firewall. There is NO intrinsic advantage
> > of NAT over a decent stateful firewall. None.
> >
> > IPv6 also has a number of security advantages over IPv4, not the least
> > of which are "no broadcast address" and "virtually impossible to
> > comprehensively brute force scan". That doesn't mean it can't be
> > scanned (the scans have to be more targeted and intelligent),
> ...
>
> The problem that I see is that any system to which I have ever made a
> connection now has a nice, routable IPv6 address back to the machine
> that made the connection and can start probing that machine to see if
> any vulnerable services might have been inadvertently left listening
> on that interface. No problem if it's a well secured file server,
> but it could also be an internet-aware HDTV or video recorder where
> I have no control over the internal OS. Sounds like all traffic will
> now have to be routed through an external IPv6 SPI firewall
> appliance. You no doubt have one of those, but I certainly don't,
> and I suspect one would cost a bit more than my $35 NAT router, plus
> being a bit beyond the administrative abilities of the average home
> user.
No... Look at your default IPv6 netfilter tables.
/etc/sysconfig/ip6tables
That's what firewalls are for. That's what a stateful firewall on your
system is for.
Mike
> --
> Bob Nichols "NOSPAM" is really part of my email address.
> Do NOT delete it.
>
--
Michael H. Warfield (AI4NB) | (770) 985-6132 | mhw at WittsEnd.com
/\/\|=mhw=|\/\/ | (678) 463-0932 | http://www.wittsend.com/mhw/
NIC whois: MHW9 | An optimist believes we live in the best of all
PGP Key: 0x674627FF | possible worlds. A pessimist is sure of it!
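What the reply above is pointing at, as an added example (not Mike's or Fedora's own file): a minimal stateful IPv6 ruleset in the ip6tables-save format that /etc/sysconfig/ip6tables uses, plus a small audit that checks a ruleset for the properties that make it "stateful" rather than a plain packet filter. The LAN interface name (eth0), the DHCPv6 client rule and the choice of REJECT as the terminal rule are assumptions for illustration; the `-m state` match is the one Fedora shipped in this era (newer kernels spell it `-m conntrack --ctstate`).

```shell
#!/bin/sh
# Added example, not from the original message or from Fedora's default file.
# Emits a stateful IPv6 filter ruleset in ip6tables-save format, the same
# format loaded from /etc/sysconfig/ip6tables. Interface name is an assumption.

# Print the ruleset. $1 is the inside (LAN) interface, default eth0 (assumed).
stateful_ip6tables_ruleset() {
    lan_if="${1:-eth0}"
    cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# The state engine: replies to connections this host initiated come back in,
# which is all the "protection" a consumer NAT box was ever giving you.
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i lo -j ACCEPT
# ICMPv6 is not optional: neighbour discovery, router advertisements and
# path MTU discovery all ride on it. Blocking it breaks IPv6, not attackers.
-A INPUT -p ipv6-icmp -j ACCEPT
# DHCPv6 client replies arrive on the link-local address (assumed rule).
-A INPUT -p udp --dport 546 -d fe80::/64 -j ACCEPT
# Explicitly opened services go here, e.g. ssh:
-A INPUT -m state --state NEW -p tcp --dport 22 -j ACCEPT
# Everything else unsolicited is rejected; the address being routable does
# not matter, because no state exists for it.
-A INPUT -j REJECT --reject-with icmp6-adm-prohibited
# Same logic for hosts behind this box, if it routes for them.
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -p ipv6-icmp -j ACCEPT
-A FORWARD -i ${lan_if} -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp6-adm-prohibited
COMMIT
EOF
}

# Does the ruleset in $1 contain a line matching extended regex $2?
has_rule() {
    printf '%s\n' "$1" | grep -q -E -e "$2"
}

# Audit a ruleset read from stdin. Returns 0 only if it (a) accepts
# ESTABLISHED,RELATED on INPUT, (b) accepts ICMPv6, and (c) ends in a
# default deny, either as chain policy or as a terminal REJECT/DROP rule.
audit_ip6tables_ruleset() {
    rules="$(cat)"
    audit_status=0
    if ! has_rule "$rules" '^-A INPUT -m (state --state|conntrack --ctstate) ESTABLISHED,RELATED -j ACCEPT'; then
        echo "audit: no ESTABLISHED,RELATED accept on INPUT (not stateful)" >&2
        audit_status=1
    fi
    if ! has_rule "$rules" '^-A INPUT -p (ipv6-icmp|icmpv6) -j ACCEPT'; then
        echo "audit: ICMPv6 not accepted on INPUT (will break ND/PMTUD)" >&2
        audit_status=1
    fi
    if ! has_rule "$rules" '^:INPUT DROP' && \
       ! has_rule "$rules" '^-A INPUT -j (REJECT|DROP)'; then
        echo "audit: INPUT has no default deny" >&2
        audit_status=1
    fi
    return $audit_status
}

# Usage: sh stateful6.sh eth0 > /etc/sysconfig/ip6tables
if [ "$#" -gt 0 ]; then
    stateful_ip6tables_ruleset "$1"
fi
```

On a Fedora of this vintage the file is loaded with `service ip6tables restart` (or directly with `ip6tables-restore < file`); the audit can be run against an existing box with `ip6tables-save | audit_ip6tables_ruleset`. On a system where firewalld or nftables owns the firewall, /etc/sysconfig/ip6tables is no longer consulted.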