hjlbx

IPv6 Protection and EIS

I use EIS.

Recently, my ISP started both IPv4 and native IPv6 support.

I have read that there are security risks associated with IPv6 - and that a NAT router will not protect a system using IPv6.

Other places I have read that a "stateful" firewall is needed.

Another online source states that port-forwarding to a good firewall is the best protection when using IPv6. (I thought - why need port-forwarding for IPv6 if it is NAT-less!?)

What is Emsi's recommendation(s) regarding IPv6 and configuring EIS for best protection?

Thanks in advance.


Lots of modern consumer routers provide some level of protection for devices connected via IPv6 - I know ASUS, Netgear and D-Link all provide a stateful firewall option for IPv6 clients (using ip6tables to drop connections w/ invalid state, etc.).

Here's example output of ip6tables -L from one such device:

ip6tables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
DROP       all      anywhere             anywhere             rt type:0 segsleft:0
ACCEPT     all      anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     all      anywhere             anywhere             state NEW
ACCEPT     all      anywhere             anywhere             state NEW
ACCEPT     ipv6-nonxt    anywhere             anywhere             length 40
ACCEPT     all      anywhere             anywhere
ACCEPT     all      anywhere             anywhere
ACCEPT     udp      anywhere             anywhere             udp spt:547 dpt:546
ACCEPT     ipv6-icmp    anywhere             anywhere             ipv6-icmp destination-unreachable
ACCEPT     ipv6-icmp    anywhere             anywhere             ipv6-icmp packet-too-big
ACCEPT     ipv6-icmp    anywhere             anywhere             ipv6-icmp time-exceeded
ACCEPT     ipv6-icmp    anywhere             anywhere             ipv6-icmp parameter-problem
ACCEPT     ipv6-icmp    anywhere             anywhere             ipv6-icmp echo-request
ACCEPT     ipv6-icmp    anywhere             anywhere             ipv6-icmp echo-reply
ACCEPT     ipv6-icmp    anywhere             anywhere             ipv6-icmptype 130
ACCEPT     ipv6-icmp    anywhere             anywhere             ipv6-icmptype 131
ACCEPT     ipv6-icmp    anywhere             anywhere             ipv6-icmptype 132
ACCEPT     ipv6-icmp    anywhere             anywhere             ipv6-icmp router-solicitation
ACCEPT     ipv6-icmp    anywhere             anywhere             ipv6-icmp router-advertisement
ACCEPT     ipv6-icmp    anywhere             anywhere             ipv6-icmp neighbour-solicitation
ACCEPT     ipv6-icmp    anywhere             anywhere             ipv6-icmp neighbour-advertisement
ACCEPT     ipv6-icmp    anywhere             anywhere             ipv6-icmptype 141
ACCEPT     ipv6-icmp    anywhere             anywhere             ipv6-icmptype 142
ACCEPT     ipv6-icmp    anywhere             anywhere             ipv6-icmptype 143
ACCEPT     ipv6-icmp    anywhere             anywhere             ipv6-icmptype 148
ACCEPT     ipv6-icmp    anywhere             anywhere             ipv6-icmptype 149
ACCEPT     ipv6-icmp    anywhere             anywhere             ipv6-icmptype 151
ACCEPT     ipv6-icmp    anywhere             anywhere             ipv6-icmptype 152
ACCEPT     ipv6-icmp    anywhere             anywhere             ipv6-icmptype 153
DROP       all      anywhere             anywhere

Chain FORWARD (policy DROP)
target     prot opt source               destination
DROP       all      anywhere             anywhere             state INVALID
ACCEPT     all      anywhere             anywhere             state RELATED,ESTABLISHED
DROP       all      anywhere             anywhere             rt type:0 segsleft:0
ACCEPT     all      anywhere             anywhere
DROP       all      anywhere             anywhere             state INVALID
ACCEPT     all      anywhere             anywhere
ACCEPT     ipv6-nonxt    anywhere             anywhere             length 40
ACCEPT     ipv6-icmp    anywhere             anywhere             ipv6-icmp destination-unreachable
ACCEPT     ipv6-icmp    anywhere             anywhere             ipv6-icmp packet-too-big
ACCEPT     ipv6-icmp    anywhere             anywhere             ipv6-icmp time-exceeded
ACCEPT     ipv6-icmp    anywhere             anywhere             ipv6-icmp parameter-problem
ACCEPT     ipv6-icmp    anywhere             anywhere             ipv6-icmp echo-request
ACCEPT     ipv6-icmp    anywhere             anywhere             ipv6-icmp echo-reply
DROP       all      anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
DROP       all      anywhere             anywhere             rt type:0 segsleft:0

Chain PControls (0 references)
target     prot opt source               destination
ACCEPT     all      anywhere             anywhere

Chain logaccept (0 references)
target     prot opt source               destination
LOG        all      anywhere             anywhere             state NEW LOG level warning tcp-sequence tcp-options ip-options prefix "ACCEPT "
ACCEPT     all      anywhere             anywhere

Chain logdrop (0 references)
target     prot opt source               destination
LOG        all      anywhere             anywhere             state NEW LOG level warning tcp-sequence tcp-options ip-options prefix "DROP "
DROP       all      anywhere             anywhere

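An added example, not part of the post above or of any router vendor's firmware: a small Python checker for output in the plain `ip6tables -L` layout shown, reporting whether a chain has the stateful rules (accept RELATED,ESTABLISHED, drop INVALID), a default deny, and any ACCEPT-all rule with no visible restriction. Plain `-L` omits the in/out interface columns, so such rules can only be interpreted with `ip6tables -L -v` or `ip6tables -S`; the sample chain, the function names and the finding codes are constructed for illustration.

```python
import re

# Constructed sample in the plain `ip6tables -L` layout (blank "opt" column).
SAMPLE = """\
Chain FORWARD (policy DROP)
target     prot opt source               destination
DROP       all      anywhere             anywhere             state INVALID
ACCEPT     all      anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     all      anywhere             anywhere
ACCEPT     ipv6-icmp    anywhere             anywhere             ipv6-icmp echo-request
DROP       all      anywhere             anywhere
"""

CHAIN_RE = re.compile(r"^Chain (\S+) \((?:policy (\w+)|\d+ references)\)")

def parse_chains(text):
    """Map chain name -> {"policy": str or None, "rules": [(target, prot, match)]}."""
    chains, current = {}, None
    for line in text.splitlines():
        header = CHAIN_RE.match(line)
        tok = line.split()
        if header:
            current = chains[header.group(1)] = {"policy": header.group(2), "rules": []}
        elif current is not None and len(tok) >= 4 and tok[0] != "target":
            if tok[2] == "--":      # tolerate a filled-in opt column
                del tok[2]
            # tok: target, prot, source, destination, then the match text (if any)
            current["rules"].append((tok[0], tok[1], " ".join(tok[4:])))
    return chains

def audit(chain):
    """Return (code, rule_number_or_None) findings for one parsed chain."""
    rules, out = chain["rules"], []
    if not any(t == "ACCEPT" and "ESTABLISHED" in m for t, _, m in rules):
        out.append(("no-established-accept", None))
    if not any(t == "DROP" and "state INVALID" in m for t, _, m in rules):
        out.append(("no-invalid-drop", None))
    if chain["policy"] != "DROP" and ("DROP", "all", "") not in rules[-1:]:
        out.append(("no-default-deny", None))
    for n, (t, p, m) in enumerate(rules, 1):
        # Plain -L hides the in/out interface, so these may be narrower than they look.
        if t == "ACCEPT" and p == "all" and m in ("", "state NEW"):
            out.append(("accept-all-check-interface", n))
    return out

if __name__ == "__main__":
    print({name: audit(chain) for name, chain in parse_chains(SAMPLE).items()})
```

A rule flagged `accept-all-check-interface` is not necessarily open to the WAN: it is the point at which the plain listing stops being enough to tell.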

What is Emsi's recommendation(s) regarding IPv6 and configuring EIS for best protection?

There appears to be a lot of confusion about IPv6 and NAT, and a lot of sources are saying things that appear to be contradictory. A lot of sources are also saying that NAT does not increase security, and then citing poor examples of why that is the case (such as e-mails containing malicious content or NAT allowing your browser to load webpages). A lot of articles are also calling NAT a problem, and specifically citing VoIP as their example of why. It seems to me like they are just repeating things they heard somewhere else, and perhaps aren't fully understanding what they are talking about to begin with.

As for me, I am not much of an authority on IPv6. I still use IPv4 on my internal network, as does my ISP. That being said, routers that use ip6tables do provide IPv6 firewall support (as m0unds already mentioned). If the router has NAT that works with IPv6, then it will provide protection against anything that is not being forwarded. Most commercial routers for home use have fairly poor security (which may be where the "NAT doesn't increase security" myth comes from), so you may want to avoid using the firmware that comes with the router if you are comfortable with flashing a third-party firmware on the router yourself.

If you have any concerns about the security of the router you are using, then you can configure your network type in EIS as Public in order to increase the security.
