Threat Level: green Handler on Duty: Rob VandenBrink

SANS ISC: InfoSec Handlers Diary Blog - Internet Storm Center Diary 2014-01-13 InfoSec Handlers Diary Blog


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Got an IPv6 Firewall?

Published: 2014-01-13
Last Updated: 2014-01-13 13:43:36 UTC
by Johannes Ullrich (Version: 1)
13 comment(s)

Just like the call "Winter is Coming" in Game of Thrones, we keep hearing IPv6 is coming to our networks spreading doom and gloom to our most priced assets. But just like the clothing worn by some of the actors of the TV show isn't exactly suited for winter, the network security infrastructure deployed currently wouldn't give you a hint that IPv6 is around the corner.

On the other hand, here are some recent numbers:

  • Over 25% of Comcast customers are "actively provisioned with native dual stack broadband" (see comcast6.net)
  • 40% of the Verizon Wireless network is using IPv6 as of December 2013 (http://www.worldipv6launch.org/measurements/)
  • Between July and December last year, Akamai saw IPv6 traffic go up by about a factor of 5 (http://www.akamai.com/ipv6)

When I made our new "Quickscan" router scanning tool available last week, I left it IPv6 enabled. So it is no surprise, that I am getting e-mails like the following:

The results were "interesting"
...
A few weeks ago I had installed an IPv6 capable modem and updated my router config to enable IPv6. The results were glorious in that IPv6 ran like a charm.
The sober facts arose when I ran the ISC router scan - it used my IPv6 address, which hooked directly to my desktop (behind my firewall) and pulled up my generally unused native Apache service. 
I went over my router config with a fine-tooth comb and realized that my router has no support for IPv6 filtering.

So does your firewall filter IPv6? Or just "use it"? Do you have sufficient host based controls in place? You don't necessarily have to assign globally routable IPv6 addresses. You could use proxies to terminate "global" IPv6 and only use ULA addresses internally. But in particular home users are unlikely to go that route.
 
(I am working on making the "quickscan" tool (https://isc.sans.edu/quickscan.html [login required]) more generic. For now it only scans common router admin and backdoor ports)

 

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute

IPv6 Security Training ( https://www.sans.org/sec546 )
Twitter

Keywords: ipv6
13 comment(s)
Diary Archives