nanog mailing list archives

RE: NAT firewall for IPv6?


From: "Naslund, Steve" <SNaslund () medline com>
Date: Tue, 5 Jul 2016 14:54:16 +0000

That is a good point.  In order for your PCs to be compromised via ipv6, they would have to be able to establish ipv6 
connectivity to each other or to an internet location.  

If your network is not configured to support ipv6 it will probably only be possible for your clients to communicate 
with each other via ipv6 on the local LAN, meaning they could only be infecting each other.  Your clients receiving 
traffic from the Internet via ipv6 would probably require routing and ipv6 configuration support that it sounds 
like your network does not have.  If your firewall is passing v6 traffic, it must understand it enough to forward 
it across interfaces.

At this point it does not much matter whether the transport layer is v4 or v6 because this problem is higher up the 
protocol stack.  Setting up your firewall to bypass v6 (i.e. just pass it) was a huge tactical error (might be why your 
consultant is out of business :) and a bit hard for me to understand.  If you want v6 then you would apply the same 
policies that you do to v4 traffic and if you don't want v6 you would just tell the firewall to drop it.  

I think it is much more probable that you are receiving malware via ipv4 or even executable attachments that the out of 
control firewall is not detecting.

I can tell you that we use the most current versions of Checkpoint firewalls with all of the malware bells and whistles 
(megabucks) and they are still not 100% effective all of the time.  We stop thousands of hacking and malware attempts 
per hour but it only takes one to become a big pain to deal with.


Steven Naslund 
Chicago IL




-----Original Message-----
From: NANOG [mailto:nanog-bounces () nanog org] On Behalf Of Valdis.Kletnieks () vt edu
Sent: Tuesday, July 05, 2016 9:33 AM
To: Edgar Carver
Cc: nanog () nanog org
Subject: Re: NAT firewall for IPv6?

On Fri, 01 Jul 2016 21:28:54 -0500, Edgar Carver said:

> We're having problems where viruses are getting through Firefox, and 
> we think it's because our Palo Alto firewall is set to bypass 
> filtering for IPv6.

Do you have any actual evidence (device logs, tcpdump, netflow, etc) that supports that train of thought?

Remember that your Palo Alto isn't stopping 100% of the icky stuff on the IPv4 side either - the sad truth is that 
most commercial security software is only able to identify and block between 30% and 70% of the crap that's out in 
the wild. There are also BYOD issues where a laptop comes in and infects all your systems from behind the firewall 
(as Marcus Ranum says: "Crunchy on the outside, soft and chewy inside").

In any case, your first two actions should be to recover the password for the Palo Alto, and make sure it has updated 
pattern definitions in effect on both IPv4 and IPv6 connections.

And your third should be to re-examine your vendor rules of engagement, to ensure your deliverables include things like 
passwords and update support so you're not stuck if your vendor goes belly up.
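Both replies above turn on the same question: are the hosts actually reachable over IPv6 from outside, or do they only have link-local addresses that never leave the LAN? The following script is an added example, not code from either poster or from Palo Alto; it parses Linux `ip -6 addr show` and `ip -6 route show` output (constructed sample output is embedded so it runs offline), classifies each address by scope, and reports whether a host has a global address plus a default v6 route (Internet-reachable) or only link-local/ULA addresses (confined to the LAN). The interface and address values in the samples are made up; 2001:db8::/32 is the documentation prefix, which is why the script checks prefixes explicitly instead of relying on the `ipaddress` module's `is_global`.

```python
import ipaddress
import re

# Constructed sample of `ip -6 addr show` for a host that got a global address
# from a router advertisement (values are made up, 2001:db8::/32 is documentation space).
SAMPLE_ADDR = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 state UNKNOWN qlen 1000
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 2001:db8:1234:5678:a1b2:c3d4:e5f6:7890/64 scope global dynamic mngtmpaddr
       valid_lft 86395sec preferred_lft 14395sec
    inet6 fe80::a1b2:c3d4:e5f6:7890/64 scope link
       valid_lft forever preferred_lft forever
"""
# Constructed sample of `ip -6 route show` for the same host.
SAMPLE_ROUTE = """\
2001:db8:1234:5678::/64 dev eth0 proto ra metric 1024 expires 86395sec pref medium
fe80::/64 dev eth0 proto kernel metric 1024 pref medium
default via fe80::1 dev eth0 proto ra metric 1024 expires 1795sec pref medium
"""
# Constructed samples for a host on a LAN with no IPv6 router: link-local only.
SAMPLE_ADDR_LAN_ONLY = """\
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 fe80::1c2d:3e4f:5a6b:7c8d/64 scope link
       valid_lft forever preferred_lft forever
"""
SAMPLE_ROUTE_LAN_ONLY = """\
fe80::/64 dev eth0 proto kernel metric 256 pref medium
"""

GLOBAL_UNICAST = ipaddress.ip_network("2000::/3")  # RFC 4291 global unicast
UNIQUE_LOCAL = ipaddress.ip_network("fc00::/7")    # RFC 4193 ULA, not Internet-routed
LINK_LOCAL = ipaddress.ip_network("fe80::/10")     # never forwarded off-link

IFACE_RE = re.compile(r"^\d+: ([^:]+):")
INET6_RE = re.compile(r"^\s+inet6 (\S+) scope (\w+)")


def parse_addresses(addr_text):
    """Map interface name -> list of IPv6Interface from `ip -6 addr show` output."""
    result = {}
    iface = None
    for line in addr_text.splitlines():
        m = IFACE_RE.match(line)
        if m:
            iface = m.group(1)
            result.setdefault(iface, [])
            continue
        m = INET6_RE.match(line)
        if m and iface is not None:
            result[iface].append(ipaddress.IPv6Interface(m.group(1)))
    return result


def classify(addr):
    """Label an address by the scope that decides how far its traffic can travel."""
    ip = addr.ip if isinstance(addr, ipaddress.IPv6Interface) else ipaddress.IPv6Address(addr)
    if ip.is_loopback:
        return "loopback"
    if ip in LINK_LOCAL:
        return "link-local"
    if ip in UNIQUE_LOCAL:
        return "unique-local"
    if ip in GLOBAL_UNICAST:
        return "global"
    return "other"


def has_default_v6_route(route_text):
    """True if `ip -6 route show` output contains a default (::/0) route."""
    return any(line.startswith("default ") or line.startswith("::/0 ")
               for line in route_text.splitlines())


def assess(addr_text, route_text):
    """Summarise whether this host can exchange IPv6 traffic beyond its own LAN."""
    addrs = parse_addresses(addr_text)
    scopes = {classify(a) for entries in addrs.values() for a in entries}
    default_route = has_default_v6_route(route_text)
    if "global" in scopes and default_route:
        verdict = "global address and default route: host can reach the Internet over v6"
    elif "global" in scopes:
        verdict = "global address but no default route: v6 limited to directly routed prefixes"
    elif scopes & {"link-local", "unique-local"}:
        verdict = "link-local/ULA only: v6 confined to the local LAN"
    else:
        verdict = "no usable IPv6 addresses"
    return {"addresses": addrs, "scopes": scopes,
            "default_route": default_route, "verdict": verdict}


if __name__ == "__main__":
    for name, a, r in [("routed host", SAMPLE_ADDR, SAMPLE_ROUTE),
                       ("LAN-only host", SAMPLE_ADDR_LAN_ONLY, SAMPLE_ROUTE_LAN_ONLY)]:
        report = assess(a, r)
        print(f"{name}: {report['verdict']}")
        for iface, entries in report["addresses"].items():
            for e in entries:
                print(f"  {iface}: {e} [{classify(e)}]")
```

To use it on a real machine, feed the output of `ip -6 addr show` and `ip -6 route show` to `assess()` in place of the samples. A host that reports only link-local scope and no default route matches the "could only be infecting each other" case in the reply above; a global address with a default route means an unfiltered v6 path through the firewall is a real exposure and worth confirming with a capture such as `tcpdump -ni <outside-interface> ip6` on the firewall's external side.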


