nanog mailing list archives

RE: NAT firewall for IPv6?


From: "Naslund, Steve" <SNaslund () medline com>
Date: Tue, 5 Jul 2016 20:41:07 +0000

It is all about defense in depth.  The engineers here are speaking to the network pieces (the second N in NANOG is 
network, right :) and we have told this person that it is unlikely that v6 is the only vector, and I myself talked about 
malware handling on the clients themselves.  From a network engineering perspective many of us agreed that the biggest 
single threat to his network was a firewall in an unknown state with an unknown administrator password that could be 
owned by anyone on earth at this point.  That single piece threatens the entire network as a whole and is a ticking 
time bomb ready to blow his entire LAN off the Internet if it fails.  

He probably does not own the entire environment himself, he is filling in for a vacationing network engineer.  So he is 
working on the network piece and is probably not responsible for the anti-malware software on the clients (if anyone 
is, see below).

Our "support" as you call it was a response to this person's questions about blocking v6 as an attack vector in the first 
place.  We answered his question but then told him that was unlikely to be the problem and what he should do about 
taking back his firewall, securing v6 via the firewall, and handling the malware at the client.  Seems solid advice to 
me so far.

BTW we did not bill him for anything.  He got a lot of free advice from a lot of people he could not even begin to 
afford to employ, so not a bad deal for him.  You also have to understand that this gentleman seems to be in an 
educational environment, which usually means lots of clients he does not have control over, so having some kind of 
network based malware control is helpful.  Clients in this type of environment have to defend themselves from each 
other and he will likely have stuff brought in from the outside.  Good malware detection in the network can help 
identify clients that contain malware and are a threat to other devices.  Fancier network gear/IDS/IDP would actually 
remove offending clients from the network or at least segment them into an isolation area.

Let me reiterate:

1. Take back ownership of your firewall and bring it up to date including new malware signatures.  If you 
don't have current support, get it ... directly, so if your consultant bails you are not dead meat.  This will 
ensure that the outside world will not own or control stuff inside your network while you put the fires out.  At the 
very least it can keep malware infected machines from phoning home to their command and control servers, which sometimes 
prevents a lot of damage.
2. Make your v6 rules mirror at least the security level of your v4 rules.  Passing v6 unchallenged is 
unacceptable.  If your firewall won't do it, replace it with one that will.
3. Ensure all clients under your control have current anti-virus/anti-malware detection.  Clients have to 
defend themselves from threats internal to the firewall as well as ones outside.  Don't be hard on the outside with a 
soft chewy center.
4. Never, ever accept anything less than full administrative control passwords and accounts from your 
consultants before you give them final payment.  I actually prefer to lock them out when they complete an install 
until I need them to help with something.  This prevents them from holding you hostage or one of their "postal" 
employees from wiping you out, as well as preventing them from using your network for experimentation without you 
knowing it.  It is an important part of change control to ensure that outsiders cannot modify your configuration 
without contacting you first.  We usually give our consultants highly logged VPN accounts that we can disable or enable 
as needed.

Steven Naslund
Chicago IL
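As an added example of the parity check behind item 2 above (v6 rules must not be looser than v4), and not code from the thread or any product: a small Python script that compares an iptables-save dump with an ip6tables-save dump and reports chains whose v6 default policy is weaker and rules that exist only on the v4 side. Both dumps, the chain names and the addresses are constructed for the example; rules present only on the v6 side (ICMPv6 / neighbor discovery has no v4 twin) are deliberately not flagged.

```python
"""Parity check between an iptables-save and an ip6tables-save dump."""
import re

# Constructed sample dumps (not from the thread): the v6 side defaults to
# ACCEPT and is missing most of the rules the v4 side enforces.
V4_DUMP = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -s 192.0.2.0/24 -p tcp -m tcp --dport 22 -j ACCEPT
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth1 -o eth0 -j ACCEPT
COMMIT
"""

V6_DUMP = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
COMMIT
"""

# Addresses differ between families, so mask them before comparing rules.
ADDR_RE = re.compile(r"(-s|-d|--source|--destination)\s+\S+")

def parse_dump(text):
    """Return (chain -> default policy, set of address-masked '-A' rules)."""
    policies, rules = {}, set()
    for line in text.splitlines():
        if line.startswith(":"):            # ":CHAIN POLICY [pkts:bytes]"
            chain, policy = line[1:].split()[:2]
            policies[chain] = policy
        elif line.startswith("-A"):         # append-rule line
            rules.add(ADDR_RE.sub(r"\1 <addr>", line))
    return policies, rules

def parity_report(v4_text, v6_text):
    """List the ways the v6 ruleset is looser than the v4 one.  Rules that
    exist only on the v6 side (e.g. ICMPv6/NDP) are expected, not flagged."""
    p4, r4 = parse_dump(v4_text)
    p6, r6 = parse_dump(v6_text)
    findings = []
    for chain, policy in p4.items():
        if policy == "DROP" and p6.get(chain) != "DROP":
            findings.append(f"chain {chain}: v4 default DROP, v6 default {p6.get(chain, 'missing')}")
    findings += [f"rule only in v4: {rule}" for rule in sorted(r4 - r6)]
    return findings
```

Run it against real `iptables-save` and `ip6tables-save` output and an empty report means the v6 side is at least as strict as v4 in policy and rule structure; it does not check that masked addresses were translated sensibly.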



No, while that is also needed, it is very unlikely to fix his issue. The issue at hand is that some of their computers 
have become virus infected.
The fix for that is to upgrade the virus scanner and to make sure that all software upgrades are done.

Someone comes to you and says his Firefox is getting infected through IPv6.
If your support is worth anything, you will not take that at face value and bill him for a ton of work related to IPv6. 
No, you will go find out what the real issue is and solve that. The only thing we know right now is that he is 
confused.

Regards,

Baldur
