Re: IPv6 for Websites

From: Kenneth Ratliff <lists_at_cluebat.net>
Date: Fri, 28 Sep 2012 14:59:07 -0400

On 9/28/12 2:40 PM, "Joseph L. Brunner" <joe_at_affirmedsystems.com> wrote:

>Sadly,
>
>While I agree with you that it's coming -
>
>Then it's a security risk to put EVERYTHING out on the internet with no
>firewall. For many years "nat" has been a "firewall" of sorts - the
>inside hosts were somewhat protected by way of them not being reachable
>via their RFC1918 addressing -

That's a little bit of a misnomer. A NAT border device just runs
interference for the devices behind it, but ultimately, those devices are
still connectable, and NAT doesn't provide security in that regard. You
can craft packets that are capable of attacking a host behind a NAT, and
NAT doesn't really provide much obfuscation anymore if you can sniff the
data stream coming directly out of the NAT border device.

There has been security research done that shows it's possible to
determine the number of devices behind a NAT, as well as the possibility
of identifying individual machines behind the NAT, simply from the traffic
flows.

I know the entire "NAT is a security feature! No it isn't!" is one of the
holy wars in the network operations world, so I'm not going to get too far
into it, I'll simply say that I believe NAT's only benefit comes from
address conservation, and the ability to integrate two networks of
overlapping IP space until one side or the other can be re-addressed.
Outside of that, NAT can go burn in the deepest pit of hell. The security
benefits of NAT can be performed by a properly configured firewall.

IPv6 security, on the other hand, is in a very sad state of affairs, and
the astute will realize that there will be a whole lot of money to be made
in that arena as folks transition to ipv6. I jokingly refer to ipv6 as my
secret weapon for defeating internal network security controls, as I've
run across many enterprises which locked down ipv4 extremely well, but
they forgot to account for ipv6, and I've been able to snake past the
firewalls, proxies and other filters with a simple tunnel to a
dual-stacked host.

I maintain a full enterprise network in my home lab (in function, not in
scale) just to keep current on technologies I'm likely to see in my
capacity as a network engineer. I've been planning to migrate the entire
network to native ipv6 for a while now, and one of the holdups is ipv6
security. It's to the point where I'm going to have to basically roll my
own custom setups in order to secure my border, because none of the open
source solutions have taken ipv6 seriously enough for me to actually
deploy.

>
>Now,
>
>We are getting /44's or /32's from ARIN, doling them out via DHCPv6 to
>desktops and devices - who should be left to maintain the firewall? The
>carrier? The coffee bar?
>
>Pretty scary stuff...

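The "IPv6 as a secret weapon" point above comes down to a concrete gap: an IPv4-only firewall policy never evaluates native IPv6 flows or IPv6 carried inside IPv4 (6in4 protocol 41, Teredo on UDP/3544, 6to4 and ISATAP addressing). The script below is an added example, not code from the thread or from any product: it classifies constructed flow records (the `Flow` field names are assumptions) by the transition path they use and maps each gap class to an illustrative nftables rule a border operator would review before deploying.

```python
"""Audit flow records for IPv6 paths that an IPv4-only policy never sees.

Added example, not from the mailing-list thread. Flow records and
SAMPLE_FLOWS are constructed; field names are assumptions.
"""
from dataclasses import dataclass
from ipaddress import IPv6Address, ip_address, ip_network
from typing import List, Optional, Tuple

SIXTO4 = ip_network("2002::/16")   # 6to4 prefix (RFC 3056)
TEREDO = ip_network("2001::/32")   # Teredo prefix (RFC 4380)
TEREDO_UDP_PORT = 3544             # Teredo server/relay port
PROTO_IPV6_IN_IPV4 = 41            # 6in4 / 6to4 / ISATAP encapsulation
PROTO_TCP, PROTO_UDP = 6, 17


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: int                 # IP protocol number of the outer packet
    dport: Optional[int] = None


def is_isatap(addr: IPv6Address) -> bool:
    """ISATAP interface IDs carry 0000:5efe or 0200:5efe in bits 64-95 (RFC 5214)."""
    return addr.packed[8:12] in (b"\x00\x00\x5e\xfe", b"\x02\x00\x5e\xfe")


def classify(flow: Flow) -> List[str]:
    """Return the reasons a flow escapes IPv4-only filtering (empty if none)."""
    src, dst = ip_address(flow.src), ip_address(flow.dst)
    reasons: List[str] = []
    if src.version == 4 and dst.version == 4:
        # IPv4 on the wire but IPv6 inside: the v4 rules see only the envelope.
        if flow.proto == PROTO_IPV6_IN_IPV4:
            reasons.append("6in4 tunnel (protocol 41) inside IPv4")
        if flow.proto == PROTO_UDP and flow.dport == TEREDO_UDP_PORT:
            reasons.append("Teredo (UDP/3544) inside IPv4")
        return reasons
    reasons.append("native IPv6 flow")
    for addr in (src, dst):
        if addr.version != 6:
            continue
        if addr in SIXTO4:
            reasons.append(f"6to4 address {addr}")
        elif addr in TEREDO:
            reasons.append(f"Teredo address {addr}")
        elif is_isatap(addr):
            reasons.append(f"ISATAP address {addr}")
    return reasons


def audit(flows, ipv4_only_policy: bool = True) -> List[Tuple[Flow, List[str]]]:
    """Native IPv6 counts as a gap only while the firewall has no IPv6 policy."""
    findings = []
    for flow in flows:
        reasons = classify(flow)
        if not ipv4_only_policy:
            reasons = [r for r in reasons if r != "native IPv6 flow"]
        if reasons:
            findings.append((flow, reasons))
    return findings


# Illustrative nftables rules per gap class (assumption: an inet-family filter
# table on the border). ISATAP crosses the border inside protocol 41, so the
# same rule covers it; the nfproto rule is a stopgap until a real IPv6 policy exists.
NFT_RULES = {
    "6in4": "ip protocol 41 drop",
    "ISATAP": "ip protocol 41 drop",
    "Teredo": "udp dport 3544 drop",
    "6to4": "ip6 saddr 2002::/16 drop",
    "native": "meta nfproto ipv6 drop",
}


def suggested_rules(findings) -> List[str]:
    """Deduplicated rule snippets for every gap class seen in the findings."""
    rules = set()
    for _flow, reasons in findings:
        for reason in reasons:
            for key, rule in NFT_RULES.items():
                if key in reason:
                    rules.add(rule)
    return sorted(rules)


# Constructed sample flows: one clean IPv4 flow, two tunnels, three IPv6 flows.
SAMPLE_FLOWS = [
    Flow("10.1.2.30", "198.51.100.7", PROTO_TCP, 443),
    Flow("10.1.2.30", "198.51.100.9", PROTO_IPV6_IN_IPV4),
    Flow("10.1.2.31", "198.51.100.20", PROTO_UDP, TEREDO_UDP_PORT),
    Flow("2001:db8:1::10", "2001:db8:2::20", PROTO_TCP, 443),
    Flow("2002:a01:21e::1", "2001:db8::5", PROTO_TCP, 80),
    Flow("fe80::5efe:a01:21f", "2001:db8::5", PROTO_TCP, 80),
]

if __name__ == "__main__":
    for flow, reasons in audit(SAMPLE_FLOWS):
        print(f"{flow.src} -> {flow.dst} proto {flow.proto}: {'; '.join(reasons)}")
    print("rules:", suggested_rules(audit(SAMPLE_FLOWS)))
```

Run it with `ipv4_only_policy=False` once an IPv6 ruleset is in place; native flows then stop being findings and only the transition mechanisms remain, which is the set a dual-stack border still has to handle explicitly.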
Blogs and organic groups at http://www.ccie.net
Received on Fri Sep 28 2012 - 14:59:07 ART
