Re: NAT firewall for IPv6?

[Dovid Bender <dovid () telecurve com>]

You may want to look into a new product by Ixia
https://www.ixiacom.com/products/threatarmor (seems their site is under
maint atm).


On Tue, Jul 5, 2016 at 10:31 AM, Naslund, Steve <SNaslund () medline com>
wrote:

> On another note, using a firewall to stop viruses is probably not going to
> work in general (unless the firewall has some additional malware detection
> engine).
>
> Here is the issue in a nutshell.  A firewall primarily controls where
> people can connect to and from on a network.  The problem with that is that
> a lot of malware is received from sites that your users intended to go to.
> People click on links without knowing where they go and people go to less
> than reputable web sites (or reputable sites that we recently
> compromised).  If you, by default, allow your users to access the Internet
> with a browser they are vulnerable to malware.  Even with malware detection
> capability you are still vulnerable to signatures and attacks that are not
> yet able to be detected.
>
> Even if filtering was enabled on your Palo Alto for ipv6 it would not help
> at this point because you have no idea what signatures it is using to
> filter with and when the last time those were updated  I doubt your v4
> filtering is of much use either at this point.  URL filtering is largely a
> big game of whack a mole that you will lose eventually.  Malware filtering
> is based on one or both of the following methods.
>
>         1.  You filter URLs known to be bad players (you are vulnerable
> until your protection vendor realizes they are bad players).
>
>         2.  You filter based on adaptive detection of code that looks
> suspicious.  This is a bit better but still vulnerable because the bad guys
> are always innovating to pass through these devices.
>
> My recommendation would be network malware detection (possibly through a
> firewall add-on) as well as good virus/malware detection on the client
> computers.  Sometimes the malware is easier to detect at the client because
> it reveals itself by trying to access unauthorized memory, processes, or
> storage.
>
> Steven Naslund
> Chicago IL
>
>
>
>
> -----Original Message-----
> From: NANOG [mailto:nanog-bounces () nanog org] On Behalf Of Edgar Carver
> Sent: Friday, July 01, 2016 9:29 PM
> To: nanog () nanog org
> Subject: NAT firewall for IPv6?
>
> Hello NANOG community. I was directed here by our network administrator
> since she is on vacation. Luckily, I minored in Computer Science so I have
> some familiarity.
>
> We have a small satellite campus of around 170 devices that share one
> external IPv4 and IPv6 address via NAT for internet traffic. Internal
> traffic is over an MPLS.
>
> We're having problems where viruses are getting through Firefox, and we
> think it's because our Palo Alto firewall is set to bypass filtering for
> IPv6. Unfortunately, the network admin couldn't give me the password since
> a local consultant set it up, and it seems they went out of business. I
> need to think outside the box.
>
> Is there some kind of NAT-based IPv6 firewall I can setup on the router
> that can help block viruses? I figure that's the right place to start since
> all the traffic gets funneled there. We have a Cisco Catalyst as a router.
> Or, ideally, is there an easy way to turn off IPv6 completely? I really
> don't see a need for it, any legitimate service should have an IPv4 address.
>
> I'd really appreciate your advice. I plan to drive out there tomorrow,
> where I can get the exact model numbers and stuff.
>
> Regards,
> Dr. Edgar Carver