ipv6 question

Michael H. Warfield mhw at WittsEnd.com
Tue Jan 4 02:03:33 UTC 2011


On Mon, 2011-01-03 at 19:44 -0600, Robert Nichols wrote: 
> On 01/03/2011 06:31 PM, Michael H. Warfield wrote:
> > There is a widespread myth that NAT and the fact that you are on
> > different addresses somehow bestows upon you some measure of security.
> > As a leading security researcher, let me impress upon you that nothing
> > could be further from the truth.  You can get security from the inherent
> > statefulness of your common consumer grade NAT but there are other forms
> > of NAT which do not convey this.  Merely the fact that your addresses
> > are mapped does not provide you with any protection.  It's the state
> > engine and the dynamic mapping that do this.  But, SURPRISE, that's
> > exactly what's in a stateful firewall.  There is NO intrinsic advantage
> > of NAT over a decent stateful firewall.  None.
> >
> > IPv6 also has a number of security advantages over IPv4, not the least
> > of which are "no broadcast address" and "virtually impossible to
> > comprehensively brute force scan".  That doesn't mean it can't be
> > scanned (the scans have to be more targeted and intelligent),
> ...
> 
> The problem that I see is that any system to which I have ever made a
> connection now has a nice, routable IPv6 address back to the machine
> that made the connection and can start probing that machine to see if
> any vulnerable services might have been inadvertently left listening
> on that interface.  No problem if it's a well secured file server,
> but it could also be an internet-aware HDTV or video recorder where
> I have no control over the internal OS.  Sounds like all traffic will
> now have to be routed through an external IPv6 SPI firewall
> appliance.  You no doubt have one of those, but I certainly don't,
> and I suspect one would cost a bit more than my $35 NAT router, plus
> being a bit beyond the administrative abilities of the average home
> user.

No...  Look at your default IPv6 netfilter tables.

/etc/sysconfig/ip6tables

That's what firewalls are for.  That's what a stateful firewall on your
system is for.

Mike

> -- 
> Bob Nichols     "NOSPAM" is really part of my email address.
>                  Do NOT delete it.
> 
> -- 
> users mailing list
> users at lists.fedoraproject.org
> To unsubscribe or change subscription options:
> https://admin.fedoraproject.org/mailman/listinfo/users
> Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
> 

-- 
Michael H. Warfield (AI4NB) | (770) 985-6132 |  mhw at WittsEnd.com
   /\/\|=mhw=|\/\/          | (678) 463-0932 |  http://www.wittsend.com/mhw/
   NIC whois: MHW9          | An optimist believes we live in the best of all
 PGP Key: 0x674627FF        | possible worlds.  A pessimist is sure of it!
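The point of the reply above is that the "protection" a home NAT box gives is its connection-tracking state, and a host-based stateful ip6tables ruleset gives the same thing without NAT. As an added illustration (not code from Mike, Bob, or Fedora's shipped default file), the script below generates a minimal default-deny stateful IPv6 ruleset in the iptables-restore format that Fedora loads from /etc/sysconfig/ip6tables, and runs a few sanity checks on it. The SSH port, the output path, and the check thresholds are assumptions for the example; the one thing worth copying verbatim is the ICMPv6 handling, because a DROP policy that also drops neighbour discovery takes your IPv6 connectivity down with it.

```shell
#!/bin/sh
# Added example: default-deny, stateful IPv6 host firewall in the
# iptables-restore format used by /etc/sysconfig/ip6tables.
# Not the Fedora default ruleset; SSH_PORT and OUT are assumptions.

SSH_PORT="${SSH_PORT:-22}"      # the one unsolicited inbound service we allow
OUT="${OUT:-/tmp/ip6tables.example}"

# Emit the ruleset on stdout. Anything not explicitly accepted hits the
# INPUT DROP policy, so a probe from a host we once connected to never
# reaches a forgotten listener, globally routable address or not.
gen_ip6tables_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Replies to flows this host opened: the same state engine that makes a
# consumer NAT box look "secure", minus the address rewriting.
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i lo -j ACCEPT
# ICMPv6 that IPv6 cannot function without (RFC 4890): error messages
# (1,3,4), Packet Too Big for path MTU discovery (2), rate-limited echo
# requests (128), and neighbour discovery (133-136). ND packets always carry
# hop limit 255, so anything routed in from further away is rejected.
-A INPUT -p ipv6-icmp --icmpv6-type 1 -j ACCEPT
-A INPUT -p ipv6-icmp --icmpv6-type 2 -j ACCEPT
-A INPUT -p ipv6-icmp --icmpv6-type 3 -j ACCEPT
-A INPUT -p ipv6-icmp --icmpv6-type 4 -j ACCEPT
-A INPUT -p ipv6-icmp --icmpv6-type 128 -m limit --limit 10/s -j ACCEPT
-A INPUT -p ipv6-icmp --icmpv6-type 133 -m hl --hl-eq 255 -j ACCEPT
-A INPUT -p ipv6-icmp --icmpv6-type 134 -m hl --hl-eq 255 -j ACCEPT
-A INPUT -p ipv6-icmp --icmpv6-type 135 -m hl --hl-eq 255 -j ACCEPT
-A INPUT -p ipv6-icmp --icmpv6-type 136 -m hl --hl-eq 255 -j ACCEPT
# Redirect (137) is deliberately not accepted.
# The only new inbound TCP connection we want.
-A INPUT -p tcp -m tcp --dport ${SSH_PORT} -m state --state NEW -j ACCEPT
# Log a sample of what is about to be dropped, then fall through to DROP.
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "ip6tables drop: "
COMMIT
EOF
}

# Sanity checks for any candidate ruleset file before installing it.
# Returns 0 when it is default-deny, stateful, and still lets neighbour
# discovery through; each failure names the missing piece.
check_ruleset() {
    f="$1"
    grep -q '^:INPUT DROP' "$f" \
        || { echo "INPUT policy is not DROP"; return 1; }
    grep -q -- '--state ESTABLISHED,RELATED -j ACCEPT' "$f" \
        || { echo "no connection-tracking accept rule"; return 1; }
    for t in 135 136; do
        grep -q -- "--icmpv6-type $t .*-j ACCEPT" "$f" \
            || { echo "ICMPv6 type $t (neighbour discovery) blocked"; return 1; }
    done
    grep -q '^COMMIT$' "$f" \
        || { echo "missing COMMIT"; return 1; }
    return 0
}

gen_ip6tables_rules > "$OUT"
check_ruleset "$OUT" && echo "ruleset written to $OUT and passes checks"
# Next steps (assumed Fedora layout of the era; needs root):
#   ip6tables-restore -t "$OUT"            # parse only, commit nothing
#   cp "$OUT" /etc/sysconfig/ip6tables && service ip6tables restart
```

The ruleset uses `-m state`, which is what Fedora's own files used at the time; `-m conntrack --ctstate` is the newer spelling of the same match. FORWARD is also DROP because a host firewall should not quietly become a router for the rest of the LAN. If the box in question is a TV or recorder rather than a Fedora host, the same ruleset belongs on whatever Linux router sits in front of it, which is the other half of Mike's point: the stateful engine is what matters, not where the addresses get rewritten.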