Re: NAT firewall for IPv6?

[Lee <ler762 () gmail com>]

On 7/5/16, Naslund, Steve <SNaslund () medline com> wrote:
> Hard to know where to begin with this one, but let me take a shot at it.
>
> 1.  My top priority would be to get into that Palo Alto firewall.  Get Palo
> Alto on the phone and figure out password recovery with them.  Since you
> don’t have the password it is possible that firewall is compromised.  Do not
> be surprised if you have to jump through some hoops with Palo Alto to prove
> that you own it and what has happened.  Remember their job is to keep people
> out of your network.  They are probably also going to want you to be current
> on support.  If you have to pay to get current on support, do it.  You need
> that help right now badly.
>
> You could ask Palo Alto how to block the v6 while you are at it or even
> better set up a rules that mirror your v4 protection.   I cannot stress
> enough how big a security issue it is to not have access to your firewall
> and not know who does.
>
> 2.  There are lots of ways to shut off ipv6 but my suggestion would be to
> just secure the Palo Alto firewall,

Right.  But how long is it going to take to secure the Palo Alto firewall?
If the central Cisco Catalyst really is an IPv6 router, doing a
conf t
ipv6 access-list denyIPv6
  deny ipv6 any any

interface [whatever connects to the ISP]
 ipv6 traffic-filter denyIPv6 in
 ipv6 traffic-filter denyIPv6 out
end
would be a quick fix for the firewall not doing any ipv6 filtering.
It could also break ipv6 enabled web sites or even internal
connectivity, so it'd be better to get someone on the phone w/ Cisco
tech support and have Cisco figure out the best way to block IPv6 for
you.


>  ... to say that any legitimate service
> should have a ipv4 address is not quite true now and will definitely not be
> true in the near future.

True.  But they're in "stop the bleeding" mode and disabling ipv6 is
just a temp work-around until the firewall is fixed.

Regards,
Lee



> 3.  Just about any kind of firewall or router CPE device can block or
> firewall ipv4 and ipv6 as long as its firmware is fairly recent.  However,
> you would most likely have to replace the Palo Alto with it.  You DO NOT
> WANT THEM BOTH INLINE!  Most likely they are both configured to do ipv4 NAT
> out of the box and that will not work correctly to have them both inline
> together.  While it is possible to set up that sort of thing to work
> correctly, it’s a bad idea and pretty advanced configuration for a temporary
> network admin.  The interaction of one firewall fronting another can be very
> difficult to troubleshoot without a deep understanding of what is going on.
> Referring back to item 1, you are probably going to need to get the
> configuration of the current firewall if you seek to replace it (there will
> be rules in the Palo Alto that you would want to replicate if you are going
> to replace it).
>
> 4.  Cisco Catalyst as the router.....there could be a lot of things going on
> in there.  The Catalyst is primarily a switch with routing functionality.
> It can definitely block ipv6 if configured to do so but we would need to
> know a lot more about its current configuration to give you the best way to
> do that.  It could just be a service providers switch on your premise in
> which case you can't do much with it.  Again, much easier to accomplish Item
> 1 with Palo Alto and let your firewall do what it is supposed to do.
>
> Steven Naslund
> Chicago IL
>
>
>
> -----Original Message-----
> From: NANOG [mailto:nanog-bounces () nanog org] On Behalf Of Edgar Carver
> Sent: Friday, July 01, 2016 9:29 PM
> To: nanog () nanog org
> Subject: NAT firewall for IPv6?
>
> Hello NANOG community. I was directed here by our network administrator
> since she is on vacation. Luckily, I minored in Computer Science so I have
> some familiarity.
>
> We have a small satellite campus of around 170 devices that share one
> external IPv4 and IPv6 address via NAT for internet traffic. Internal
> traffic is over an MPLS.
>
> We're having problems where viruses are getting through Firefox, and we
> think it's because our Palo Alto firewall is set to bypass filtering for
> IPv6. Unfortunately, the network admin couldn't give me the password since a
> local consultant set it up, and it seems they went out of business. I need
> to think outside the box.
>
> Is there some kind of NAT-based IPv6 firewall I can setup on the router that
> can help block viruses? I figure that's the right place to start since all
> the traffic gets funneled there. We have a Cisco Catalyst as a router. Or,
> ideally, is there an easy way to turn off IPv6 completely? I really don't
> see a need for it, any legitimate service should have an IPv4 address.
>
> I'd really appreciate your advice. I plan to drive out there tomorrow, where
> I can get the exact model numbers and stuff.
>
> Regards,
> Dr. Edgar Carver