IPv6 Security
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Printer Friendly Page
- Plusnet Community
- :
- Forum
- :
- Trials
- :
- IPv6 Trial
- :
- IPv6 Security
IPv6 Security
17-12-2013 10:09 PM
- Mark as New
- Bookmark
- Subscribe
- Subscribe to RSS Feed
- Highlight
- Report to Moderator
Re: IPv6 Security
17-12-2013 10:21 PM
- Mark as New
- Bookmark
- Subscribe
- Subscribe to RSS Feed
- Highlight
- Report to Moderator
I'm of the opinion that out of the Box any unsolicited inbound IPv6 traffic should be dropped and then it's upto the user to change the settings to allow access to various services.
Re: IPv6 Security
17-12-2013 10:48 PM
- Mark as New
- Bookmark
- Subscribe
- Subscribe to RSS Feed
- Highlight
- Report to Moderator
Re: IPv6 Security
18-12-2013 12:19 AM
- Mark as New
- Bookmark
- Subscribe
- Subscribe to RSS Feed
- Highlight
- Report to Moderator
Re: IPv6 Security
18-12-2013 9:45 AM
- Mark as New
- Bookmark
- Subscribe
- Subscribe to RSS Feed
- Highlight
- Report to Moderator
Given this there is very little a stateful firewall can actually do. We must therefore be very careful that we don’t focus on the wrong problem - just because we’ve lost the inherent stateful restrictions of an IPv4 NAT doesn’t necessarily mean we are any more vulnerable.
All that said, whilst the majority of attacks might well be at the application layer, the majority doesn't equal the entirety and so there are still some prudent steps that ought to be taken to protect elements of the network layer and also to help shield some of the more common applications/services from attack that might be vulnerable in their default or otherwise badly configured state.
To that end there is a draft informational RFC published under draft-v6ops-vyncke-balanced-ipv6-security-01.txt that proposes such an stance as a default CPE configuration. It is based upon a real IPv6 deployment (Swisscom) and claims to have resulted in no known security incidents. Of course, security is an arms race and methods of attack are an ever-moving target so such a configuration would need to evolve to suit the changing landscape but as a general principle I fully support it.
Again though, the real issue is malware and mitigation of that threat lies almost exclusively in user education and host-based security.
Re: IPv6 Security
18-12-2013 9:59 AM
- Mark as New
- Bookmark
- Subscribe
- Subscribe to RSS Feed
- Highlight
- Report to Moderator
Re: IPv6 Security
18-12-2013 10:26 AM
- Mark as New
- Bookmark
- Subscribe
- Subscribe to RSS Feed
- Highlight
- Report to Moderator
There is a very real risk that the opportunity to benefit from one of the fundamental potential enablers of IPv6 - open end-to-end connectivity - could be completely missed if we don't pull our socks up and implement 'proper' security.
Perhaps this will happen automatically though as a result of evolution in response to the changing landscape - with the current traditional IPv4 setup sitting behind a NAT there is arguably no benefit (but potential drawback) from shipping network devices with unique passwords and secure network stacks. With the open nature of IPv6, specifically the ubiquitous use of a globally unique address space, vendors should hopefully be forced to change their default stance in response to this.
Re: IPv6 Security
31-12-2013 9:44 AM
- Mark as New
- Bookmark
- Subscribe
- Subscribe to RSS Feed
- Highlight
- Report to Moderator
After all lets face it even if today all the manufacturers started doing security properly there would still be 1000's of devices out there with insecure default configurations/
Re: IPv6 Security
31-12-2013 12:24 PM
- Mark as New
- Bookmark
- Subscribe
- Subscribe to RSS Feed
- Highlight
- Report to Moderator
Perimeter firewall is essential, even if all your devices do have good security themselves - multiple layers of protection and all that.
Plus of course, we need to consider that probably 99+% of users have no idea at all - and the kit sent out needs to be secure by default. Those of us who want more openness, or public facing services etc are most likely knowledgable to deal with the security issues that go with that. Just eliminating NAT will make many things so much easier - eg things like SIP and Torrents should work fairly well (and without messy workarounds) as long as firewalls handle outbound connections properly and permit the reverse traffic.
Re: IPv6 Security
31-12-2013 12:29 PM
- Mark as New
- Bookmark
- Subscribe
- Subscribe to RSS Feed
- Highlight
- Report to Moderator
Quote from: SimonHobson as long as firewalls handle outbound connections properly and permit the reverse traffic.
That's the easy bit. The real difficulty lies with configuring firewalls to permit wanted outside-initiated traffic whilst blocking that which we don't want. If we don't achieve this then we might as well go back to sitting behind a NAT again.
Re: IPv6 Security
31-12-2013 12:36 PM
- Mark as New
- Bookmark
- Subscribe
- Subscribe to RSS Feed
- Highlight
- Report to Moderator
Quote from: SimonHobson Yup, agree 100%
Perimeter firewall is essential, even if all your devices do have good security themselves - multiple layers of protection and all that.
Plus of course, we need to consider that probably 99+% of users have no idea at all - and the kit sent out needs to be secure by default. Those of us who want more openness, or public facing services etc are most likely knowledgable to deal with the security issues that go with that. Just eliminating NAT will make many things so much easier - eg things like SIP and Torrents should work fairly well (and without messy workarounds) as long as firewalls handle outbound connections properly and permit the reverse traffic.
allow established/related and outbound should be a reasonably sensible out of the box configuration I believe as it should allow any outbound traffic and any replies to come back but drop unsolicited inbound.
Then of course there should be options in the router gui to open up additional inbound ports.
Re: IPv6 Security
31-12-2013 12:42 PM
- Mark as New
- Bookmark
- Subscribe
- Subscribe to RSS Feed
- Highlight
- Report to Moderator
If my mum buys an IP camera for keeping an eye on the cat from her phone whist she's out she shouldn't have to enter the router GUI ('the what what?' she'll say) to enable it to work.
IPv6 is a unique opportunity to regain the end-to-end connectivity that was a fundamental architectural principle of the design of the Internet and whilst the environment might have changed we should be very careful effectively undermining any chance to get it back by blindly implementing old techniques.
Did you read the 'balanced security' proposal? If so, what are your thoughts?
Re: IPv6 Security
31-12-2013 12:49 PM
- Mark as New
- Bookmark
- Subscribe
- Subscribe to RSS Feed
- Highlight
- Report to Moderator
Re: IPv6 Security
31-12-2013 3:35 PM
- Mark as New
- Bookmark
- Subscribe
- Subscribe to RSS Feed
- Highlight
- Report to Moderator
Quote from: MJN ... an expression of opinion for debate rather than a you're wrong I'm right stance!
Indeed, for there is no "right" or "wrong" for this - only shades of better or worse which will vary depending on your viewpoint.
Personally, I think uPNP is a gaping security chasm - but as pointed out, for most people it's the only way their <whatever> will work for them. There are already devices which come with default settings that open up ports with uPNP to their buggy software and then expose the entire network to attack. In other words, uPNP is only as secure as your least secure device - and some stuff is "not very secure" by misdesign.
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Printer Friendly Page