Re: ipv6 question

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Mon, 2011-01-03 at 19:44 -0600, Robert Nichols wrote: 
> On 01/03/2011 06:31 PM, Michael H. Warfield wrote:
> > There is a wide spread myth that NAT and the fact that you are on
> > different addresses some how bestows upon you some measure of security.
> > As a leading security researcher, let me impress upon you that nothing
> > could be further from the truth.  You can security from the inherent
> > statefulness of your common consumer grade NAT but there are other forms
> > of NAT which do not convey this.  Merely the fact that your addresses
> > are mapped do not provide you with any protection.  It's the state
> > engine and the dynamic mapping that do this.  But, SURPRISE, that
> > exactly what's in a stateful firewall.  There is NO intrinsic advantage
> > of NAT over a decent stateful firewall.  None.
> >
> > IPv6 also has a number of security advantages over IPv4, not the least
> > of which are "no broadcast address" and "virtually impossible to
> > comprehensively brute force scan".  That doesn't mean it can't be
> > scanned (the scans have to be more targeted and intelligent),
> ...
> 
> The problem that I see is that any system to which I have ever made a
> connection now has a nice, routable IPv6 address back to the machine
> that made the connection and can start probing that machine to see if
> any vulnerable services might have been inadvertently left listening
> on that interface.  No problem if it's a well secured file server,
> but it could also be an internet-aware HDTV or video recorder where
> I have no control over the internal OS.  Sounds like all traffic will
> now have to have to be routed through an external IPv6 SPI firewall
> appliance.  You no doubt have one of those, but I certainly don't,
> and I suspect one would cost a bit more than my $35 NAT router, plus
> being a bit beyond the administrative abilities of the average home
> user.

No...  Look at your default IPv6 netfilter tables.

/etc/sysconfig/ip6tables

That's what firewalls are for.  That's what a stateful firewall on your
system is for.

Mike

> -- 
> Bob Nichols     "NOSPAM" is really part of my email address.
>                  Do NOT delete it.
> 
> -- 
> users mailing list
> users@xxxxxxxxxxxxxxxxxxxxxxx
> To unsubscribe or change subscription options:
> https://admin.fedoraproject.org/mailman/listinfo/users
> Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
> 

-- 
Michael H. Warfield (AI4NB) | (770) 985-6132 |  mhw@xxxxxxxxxxxx
   /\/\|=mhw=|\/\/          | (678) 463-0932 |  http://www.wittsend.com/mhw/
   NIC whois: MHW9          | An optimist believes we live in the best of all
 PGP Key: 0x674627FF        | possible worlds.  A pessimist is sure of it!

Attachment: signature.asc
Description: This is a digitally signed message part

-- 
users mailing list
users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
[Index of Archives]     [Older Fedora Users]     [Fedora Announce]     [Fedora Package Announce]     [EPEL Announce]     [EPEL Devel]     [Fedora Magazine]     [Fedora Summer Coding]     [Fedora Laptop]     [Fedora Cloud]     [Fedora Advisory Board]     [Fedora Education]     [Fedora Security]     [Fedora Scitech]     [Fedora Robotics]     [Fedora Infrastructure]     [Fedora Websites]     [Anaconda Devel]     [Fedora Devel Java]     [Fedora Desktop]     [Fedora Fonts]     [Fedora Marketing]     [Fedora Management Tools]     [Fedora Mentors]     [Fedora Package Review]     [Fedora R Devel]     [Fedora PHP Devel]     [Kickstart]     [Fedora Music]     [Fedora Packaging]     [Fedora SELinux]     [Fedora Legal]     [Fedora Kernel]     [Fedora OCaml]     [Coolkey]     [Virtualization Tools]     [ET Management Tools]     [Yum Users]     [Yosemite News]     [Gnome Users]     [KDE Users]     [Fedora Art]     [Fedora Docs]     [Fedora Sparc]     [Libvirt Users]     [Fedora ARM]

  Powered by Linux