topic Re: Security in IPv6 Trial

Security

David_W — Sat, 04 Jun 2011 11:17:20 GMT

Using this scanner shows common ports except 80 are closed (I don't believe it reports them as stealth, if no reply is met it responds with closed). Naturally I'd prefer port 80 to be closed/stealth, if I run an IPV4 test it shows stealth on all ports (including 80) which begs the question, how does one secure an IPV6 based system?
Oddly I put my IPV6 address into Chrome and it did show up a webpage just saying "Hello!" and I have no idea where that came from, unless there is a html document on my router which just says Hello!
/edit - I found the Hello! file, it is on my webserver.
/edit2 - I turned on PlusNets firewall (which should block 80) and it had no effect (port 80 still open) so it looks like PN's firewall needs to be upgraded to support IPV6 too?

Re: Security

customersmatter — Sun, 05 Jun 2011 17:03:42 GMT

David,
Hi. It's my firewall tester that you've used/mentioned above. Apologies for not knowing how Plusnet are running their trial (despite being a Plusnet customer) - hence all the questions that follow. What OS are you running? Are you running a software firewall on your end machine(s) or are you just reliant on your router/modem (or Plusnet's) capabilities? Do you definitely have an IPv6 firewall configured - are there other services on your server that are supporting IPv6 -i.e. apart from your webserver? Does the firewall provide any traffic logs/statistics? An IPv4 firewall won't impact IPv6 traffic unless the IPv6 traffic is tunneled/encapsulated in IPv4 - and that will generally mean that the tunneled traffic is either allowed or disallowed via the IPv4 firewall - it won't impact individual IPv6 services/ports.
Best wishes,
Tim.

Re: Security

brueton — Mon, 06 Jun 2011 04:59:55 GMT

I used the scanner on Linux, Windows 7 & Android.
It reported closed on the listed ports on all three Operating Systems.
PB

Re: Security

customersmatter — Mon, 06 Jun 2011 07:41:49 GMT

One other thing to mention - the link that David referenced above isn't optimal - if you enter at that point with an IPv4 address then you will get an error from my Apache server. Please use the following link in preference which checks your address suitability first:
http://ipv6.chappell-family.com/ipv6tcptest/index.php
Thanks,
Tim.

Re: Security

David_W — Mon, 06 Jun 2011 10:34:21 GMT

I'm running Windos 7 with Kaspersky Internet Security for my firewall on my system, my router is a Cisco 877W with firewall enabled (I'll post the firewall bits) and also with PlusNets own firewall system turned on (which should block 80 but needs upgrading to support IPV6 traffic).

access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 23 permit 192.168.0.0 0.0.0.255
access-list 100 remark CCP_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 101 remark CCP_ACL Category=128
access-list 101 permit ip host 255.255.255.255 any
access-list 101 permit ip 127.0.0.0 0.255.255.255 any
access-list 102 permit ip host 66.220.2.74 any
access-list 102 permit ip host 216.66.80.26 any
access-list 103 remark auto generated by CCP firewall configuration
access-list 103 remark CCP_ACL Category=1
access-list 103 deny   ip host 255.255.255.255 any
access-list 103 deny   ip 127.0.0.0 0.255.255.255 any
access-list 103 permit ip any any
access-list 104 remark auto generated by CCP firewall configuration
access-list 104 remark CCP_ACL Category=1
access-list 104 remark HE-Tunnel-Tunnel
access-list 104 permit ip host 216.66.80.26 any
access-list 104 remark HE-Tunnel-Ping
access-list 104 permit ip host 66.220.2.74 any
access-list 104 remark Auto generated by CCP for NTP (123) 212.159.13.50
access-list 104 permit udp host 212.159.13.50 eq ntp any eq ntp
access-list 104 deny   ip 192.168.0.0 0.0.0.255 any
access-list 104 permit icmp any any echo-reply
access-list 104 permit icmp any any time-exceeded
access-list 104 permit icmp any any unreachable
access-list 104 deny   ip 10.0.0.0 0.255.255.255 any
access-list 104 deny   ip 172.16.0.0 0.15.255.255 any
access-list 104 deny   ip 192.168.0.0 0.0.255.255 any
access-list 104 deny   ip 127.0.0.0 0.255.255.255 any
access-list 104 deny   ip host 255.255.255.255 any
access-list 104 deny   ip host 0.0.0.0 any
access-list 104 deny   ip any any log
dialer-list 1 protocol ip permit

There is nothing there that I can see would allow port 80 traffic through the firewall so there is a combination of PN's firewall and my Cisco firewall not picking it up and dropping it.
/edit
Found a sample config to modify so will give it a whirl:

ipv6 inspect name traffic tcp
ipv6 inspect name traffic udp
ipv6 inspect name traffic ftp
ipv6 inspect name traffic icmp
!
interface tunnel1
 ipv6 traffic-filter tu1-in in
 ipv6 traffic-filter tu1-out out
!
ipv6 access-list tu1-in
 permit icmp any any echo-request
 permit icmp any any echo-reply
 permit tcp 2001:4fff::/32 any eq 22
 evaluate reflectout
 deny ipv6 any any log-input
!
ipv6 access-list tu1-out
 permit icmp any any echo-reply
 permit icmp any any echo-request
 permit tcp any any reflect reflectout
 permit udp any any reflect reflectout
 deny ipv6 any any log-input
!

Re: Security

_CN_ — Mon, 06 Jun 2011 10:50:04 GMT

Quote from: David
/edit2 - I turned on PlusNets firewall (which should block 80) and it had no effect (port 80 still open) so it looks like PN's firewall needs to be upgraded to support IPV6 too?

There are many parts of the platform that have not been touched for this IPv6 trial, the Plusnet firewall is one of those
Carl

Re: Security

_CN_ — Mon, 06 Jun 2011 10:59:25 GMT

Hi David
Test reports all closed on my setup using Cisco 877W
My firewall config
ipv6 inspect name myfw6 ftp
ipv6 inspect name myfw6 icmp
ipv6 inspect name myfw6 udp
ipv6 inspect name myfw6 tcp
ipv6 access-list in-acl6
permit icmp any any
permit tcp any any established
permit udp any any eq 546
permit udp any eq domain any
deny ipv6 any any log
interface Dialer1
ipv6 traffic-filter in-acl6 in
ipv6 inspect myfw6 out
The logs showing the scan
Jun 6 11:53:39: %IPV6_ACL-6-ACCESSLOGP: list in-acl6/60 denied tcp 2001:470:1F08:185C::2(22963) -> 2A02:16C8:6080:304:D69A:20FF:FE79:1A40(21), 1 packet
Jun 6 11:53:39: %IPV6_ACL-6-ACCESSLOGP: list in-acl6/60 denied tcp 2001:470:1F08:185C::2(18331) -> 2A02:16C8:6080:304:D69A:20FF:FE79:1A40(22), 1 packet
Jun 6 11:53:39: %IPV6_ACL-6-ACCESSLOGP: list in-acl6/60 denied tcp 2001:470:1F08:185C::2(27710) -> 2A02:16C8:6080:304:D69A:20FF:FE79:1A40(23), 1 packet
Jun 6 11:53:39: %IPV6_ACL-6-ACCESSLOGP: list in-acl6/60 denied tcp 2001:470:1F08:185C::2(5429) -> 2A02:16C8:6080:304:D69A:20FF:FE79:1A40(25), 1 packet
Jun 6 11:53:39: %IPV6_ACL-6-ACCESSLOGP: list in-acl6/60 denied tcp 2001:470:1F08:185C::2(19946) -> 2A02:16C8:6080:304:D69A:20FF:FE79:1A40(53), 1 packet
Jun 6 11:53:39: %IPV6_ACL-6-ACCESSLOGP: list in-acl6/60 denied tcp 2001:470:1F08:185C::2(29261) -> 2A02:16C8:6080:304:D69A:20FF:FE79:1A40(79), 1 packet
Jun 6 11:53:39: %IPV6_ACL-6-ACCESSLOGP: list in-acl6/60 denied tcp 2001:470:1F08:185C::2(12198) -> 2A02:16C8:6080:304:D69A:20FF:FE79:1A40(80), 1 packet
Jun 6 11:53:40: %IPV6_ACL-6-ACCESSLOGP: list in-acl6/60 denied tcp 2001:470:1F08:185C::2(24158) -> 2A02:16C8:6080:304:D69A:20FF:FE79:1A40(110), 1 packet
Jun 6 11:53:40: %IPV6_ACL-6-ACCESSLOGP: list in-acl6/60 denied tcp 2001:470:1F08:185C::2(7895) -> 2A02:16C8:6080:304:D69A:20FF:FE79:1A40(111), 1 packet
Jun 6 11:53:40: %IPV6_ACL-6-ACCESSLOGP: list in-acl6/60 denied tcp 2001:470:1F08:185C::2(5758) -> 2A02:16C8:6080:304:D69A:20FF:FE79:1A40(113), 1 packet
Jun 6 11:53:40: %IPV6_ACL-6-ACCESSLOGP: list in-acl6/60 denied tcp 2001:470:1F08:185C::2(19683) -> 2A02:16C8:6080:304:D69A:20FF:FE79:1A40(119), 1 packet
Jun 6 11:53:40: %IPV6_ACL-6-ACCESSLOGP: list in-acl6/60 denied tcp 2001:470:1F08:185C::2(15637) -> 2A02:16C8:6080:304:D69A:20FF:FE79:1A40(135), 1 packet
Jun 6 11:53:40: %IPV6_ACL-6-ACCESSLOGP: list in-acl6/60 denied tcp 2001:470:1F08:185C::2(4721) -> 2A02:16C8:6080:304:D69A:20FF:FE79:1A40(139), 1 packet
Jun 6 11:53:40: %IPV6_ACL-6-ACCESSLOGP: list in-acl6/60 denied tcp 2001:470:1F08:185C::2(19006) -> 2A02:16C8:6080:304:D69A:20FF:FE79:1A40(143), 1 packet
Jun 6 11:53:40: %IPV6_ACL-6-ACCESSLOGP: list in-acl6/60 denied tcp 2001:470:1F08:185C::2(4301) -> 2A02:16C8:6080:304:D69A:20FF:FE79:1A40(389), 1 packet
Jun 6 11:53:41: %IPV6_ACL-6-ACCESSLOGP: list in-acl6/60 denied tcp 2001:470:1F08:185C::2(29049) -> 2A02:16C8:6080:304:D69A:20FF:FE79:1A40(427), 1 packet
Jun 6 11:53:41: %IPV6_ACL-6-ACCESSLOGP: list in-acl6/60 denied tcp 2001:470:1F08:185C::2(20105) -> 2A02:16C8:6080:304:D69A:20FF:FE79:1A40(443), 1 packet
Jun 6 11:53:41: %IPV6_ACL-6-ACCESSLOGP: list in-acl6/60 denied tcp 2001:470:1F08:185C::2(16043) -> 2A02:16C8:6080:304:D69A:20FF:FE79:1A40(445), 1 packet
Jun 6 11:53:41: %IPV6_ACL-6-ACCESSLOGP: list in-acl6/60 denied tcp 2001:470:1F08:185C::2(2025) -> 2A02:16C8:6080:304:D69A:20FF:FE79:1A40(631), 1 packet
Jun 6 11:53:41: %IPV6_ACL-6-ACCESSLOGP: list in-acl6/60 denied tcp 2001:470:1F08:185C::2(9981) -> 2A02:16C8:6080:304:D69A:20FF:FE79:1A40(873), 1 packet
Jun 6 11:53:41: %IPV6_ACL-6-ACCESSLOGP: list in-acl6/60 denied tcp 2001:470:1F08:185C::2(18106) -> 2A02:16C8:6080:304:D69A:20FF:FE79:1A40(993), 1 packet
Jun 6 11:53:41: %IPV6_ACL-6-ACCESSLOGP: list in-acl6/60 denied tcp 2001:470:1F08:185C::2(8710) -> 2A02:16C8:6080:304:D69A:20FF:FE79:1A40(1025), 1 packet
Jun 6 11:53:41: %IPV6_ACL-6-ACCESSLOGP: list in-acl6/60 denied tcp 2001:470:1F08:185C::2(20647) -> 2A02:16C8:6080:304:D69A:20FF:FE79:1A40(1026), 1 packet
Jun 6 11:53:41: %IPV6_ACL-6-ACCESSLOGP: list in-acl6/60 denied tcp 2001:470:1F08:185C::2(3058) -> 2A02:16C8:6080:304:D69A:20FF:FE79:1A40(1029), 1 packet
Jun 6 11:53:41: %IPV6_ACL-6-ACCESSLOGP: list in-acl6/60 denied tcp 2001:470:1F08:185C::2(21502) -> 2A02:16C8:6080:304:D69A:20FF:FE79:1A40(1030), 1 packet
Jun 6 11:53:41: %IPV6_ACL-6-ACCESSLOGP: list in-acl6/60 denied tcp 2001:470:1F08:185C::2(22303) -> 2A02:16C8:6080:304:D69A:20FF:FE79:1A40(1080), 1 packet
Jun 6 11:53:42: %IPV6_ACL-6-ACCESSLOGP: list in-acl6/60 denied tcp 2001:470:1F08:185C::2(6856) -> 2A02:16C8:6080:304:D69A:20FF:FE79:1A40(1720), 1 packet
Jun 6 11:53:42: %IPV6_ACL-6-ACCESSLOGP: list in-acl6/60 denied tcp 2001:470:1F08:185C::2(8466) -> 2A02:16C8:6080:304:D69A:20FF:FE79:1A40(3128), 1 packet
Jun 6 11:53:42: %IPV6_ACL-6-ACCESSLOGP: list in-acl6/60 denied tcp 2001:470:1F08:185C::2(25300) -> 2A02:16C8:6080:304:D69A:20FF:FE79:1A40(5000), 1 packet
HTH

Re: Security

David_W — Mon, 06 Jun 2011 11:10:16 GMT

Cheers Carl, I used your config and it's now showing as all closed, which is a major improvement on my config which stopped IPV6 working

Re: Security

MJN — Mon, 06 Jun 2011 11:48:00 GMT

Quote from: David
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 23 permit 192.168.0.0 0.0.0.255
access-list 100 remark CCP_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
<snip>
There is nothing there that I can see would allow port 80 traffic through the firewall so there is a combination of PN's firewall and my Cisco firewall not picking it up and dropping it.

I know you're sorted but it's probably worth mentioning for anyone else reading: the access list above is, in Cisco terms, an 'ip' access list i.e. it is IPv4 only. Given that IPv4 and IPv6 are two separate network stacks and are implemented independently by the IOS then, as you now have, you also need an IPv6 access list applied to an interface in order to control IPv6 traffic through it. Thus, two access lists would be applied - one for IPv4 and one for IPv6.
Incidentally there is, amongst other IPv6-related tools, a good port scanner at www.subnetonline.com/pages/ipv6-network-tools/online-ipv6-port-scanner.php which you may find useful as you can specify the target address i.e. you are not limited to only testing from your own machine (the understandable restriction being you can only check for one port at a time but this is often all that's required).
Mathew

Re: Security

David_W — Sun, 14 Aug 2011 21:14:28 GMT

As an update to this, I played with my config today (ok, I broke my config and got it working today but the theory is sound!) and switched from classic based firewall to the newer zone based firewall. By default it appears it's treating IPV6 and IPV4 traffic the same so is applying the rules no matter where the traffic comes from. The IPV6 firewall test showed all my ports as stealth (yay) so it looks like if your router supports zone based firewalling you already got an IPV6 firewall in place without any further kerfuffle.