RE: NAT firewall for IPv6?

["Naslund, Steve" <SNaslund () medline com>]

On another note, using a firewall to stop viruses is probably not going to work in general (unless the firewall has 
some additional malware detection engine).  

Here is the issue in a nutshell.  A firewall primarily controls where people can connect to and from on a network.  The 
problem with that is that a lot of malware is received from sites that your users intended to go to.  People click on 
links without knowing where they go and people go to less than reputable web sites (or reputable sites that we recently 
compromised).  If you, by default, allow your users to access the Internet with a browser they are vulnerable to 
malware.  Even with malware detection capability you are still vulnerable to signatures and attacks that are not yet 
able to be detected.

Even if filtering was enabled on your Palo Alto for ipv6 it would not help at this point because you have no idea what 
signatures it is using to filter with and when the last time those were updated  I doubt your v4 filtering is of much 
use either at this point.  URL filtering is largely a big game of whack a mole that you will lose eventually.  Malware 
filtering is based on one or both of the following methods.  

        1.  You filter URLs known to be bad players (you are vulnerable until your protection vendor realizes they are 
bad players).

        2.  You filter based on adaptive detection of code that looks suspicious.  This is a bit better but still 
vulnerable because the bad guys are always innovating to pass through these devices.

My recommendation would be network malware detection (possibly through a firewall add-on) as well as good virus/malware 
detection on the client computers.  Sometimes the malware is easier to detect at the client because it reveals itself 
by trying to access unauthorized memory, processes, or storage.

Steven Naslund
Chicago IL




-----Original Message-----
From: NANOG [mailto:nanog-bounces () nanog org] On Behalf Of Edgar Carver
Sent: Friday, July 01, 2016 9:29 PM
To: nanog () nanog org
Subject: NAT firewall for IPv6?

Hello NANOG community. I was directed here by our network administrator since she is on vacation. Luckily, I minored in 
Computer Science so I have some familiarity.

We have a small satellite campus of around 170 devices that share one external IPv4 and IPv6 address via NAT for 
internet traffic. Internal traffic is over an MPLS.

We're having problems where viruses are getting through Firefox, and we think it's because our Palo Alto firewall is 
set to bypass filtering for IPv6. Unfortunately, the network admin couldn't give me the password since a local 
consultant set it up, and it seems they went out of business. I need to think outside the box.

Is there some kind of NAT-based IPv6 firewall I can setup on the router that can help block viruses? I figure that's 
the right place to start since all the traffic gets funneled there. We have a Cisco Catalyst as a router. Or, ideally, 
is there an easy way to turn off IPv6 completely? I really don't see a need for it, any legitimate service should have 
an IPv4 address.

I'd really appreciate your advice. I plan to drive out there tomorrow, where I can get the exact model numbers and 
stuff.

Regards,
Dr. Edgar Carver