nanog mailing list archives

Re: NAT firewall for IPv6?


From: Bruce Curtis <bruce.curtis () ndsu edu>
Date: Tue, 5 Jul 2016 14:47:53 +0000


On Jul 5, 2016, at 9:33 AM, Valdis.Kletnieks () vt edu wrote:

On Fri, 01 Jul 2016 21:28:54 -0500, Edgar Carver said:

We're having problems where viruses are getting through Firefox, and we
think it's because our Palo Alto firewall is set to bypass filtering for
IPv6.

Do you have any actual evidence (device logs, tcpdump, netflow,  etc) that
support that train of thought?

Remember that your Palo Alto isn't stopping 100% of the icky stuff on the
IPv4 side either - the sad truth is that most commercial security software
is only able to identify and block between 30% and 70% of the crap that's
out in the wild.

  That is only the percentage that it identifies from what it can see. It most likely cannot see viruses in encrypted traffic.

"A forecast that 70% of global Internet traffic will be encrypted in 2016, with many networks exceeding 80%"

https://www.sandvine.com/pr/2016/2/11/sandvine-70-of-global-internet-traffic-will-be-encrypted-in-2016.html


"In the fourth quarter of 2015 nearly 65 percent of all web connections that Dell observed were encrypted, leading to a 
lot more under-the-radar attacks, according to the company. Gartner has predicted that 50 percent of all network 
attacks will take advantage of SSL/TLS by 2017."

http://www.darkreading.com/attacks-breaches/when-encryption-becomes-the-enemys-best-friend/d/d-id/1324580

This article mentions how difficult it is for sandboxes to detect malware.

https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/fireeye-hot-knives-through-butter.pdf

This article mentions malware that changes its download image every 15 seconds.

http://www.darkreading.com/vulnerabilities---threats/cerber-strikes-with-office-365-zero-day-attacks/d/d-id/1326070?_mc=NL_DR_EDT_DR_weekly_20160630&cid=NL_DR_EDT_DR_weekly_20160630&elqTrackId=1d7f1b5bcdb24c469164471a423f746b&elq=01e6838c279149a08e460cdbe3b8b54a&elqaid=70982&elqat=1&elqCampaignId=21896

There's also BYOD issues where a laptop comes in and infects
all your systems from behind the firewall (as Marcus Ranum says: "Crunchy on
the outside, soft and chewy inside").

In any case, your first two actions should be to recover the password for the
Palo Alto, and make sure it has updated pattern definitions in effect on both
IPv4 and IPv6 connections.

And your third should be to re-examine your vendor rules of engagement, to
ensure your deliverables include things like passwords and update support
so you're not stuck if your vendor goes belly up.



---
Bruce Curtis                         bruce.curtis () ndsu edu
Certified NetAnalyst II                701-231-8527
North Dakota State University        
