Tuesday, December 28, 2010

firewall-wizards Digest, Vol 54, Issue 3

Send firewall-wizards mailing list submissions to
firewall-wizards@listserv.icsalabs.com

To subscribe or unsubscribe via the World Wide Web, visit
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
or, via email, send a message with subject or body 'help' to
firewall-wizards-request@listserv.icsalabs.com

You can reach the person managing the list at
firewall-wizards-owner@listserv.icsalabs.com

When replying, please edit your Subject line so it is more specific
than "Re: Contents of firewall-wizards digest..."


Today's Topics:

1. Re: IPv6 (Carl Friedberg)
2. Re: IPv6 (Mathew Want)
3. Re: IPv6 (Jim Seymour)
4. Re: IPv6 (Orca)


----------------------------------------------------------------------

Message: 1
Date: Mon, 27 Dec 2010 00:14:14 -0500
From: Carl Friedberg <friedberg@exs.esb.com>
Subject: Re: [fw-wiz] IPv6
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>, Devdas Bhagat
<dvb@users.sourceforge.net>
Message-ID:
<A52149436D8D9E438646C80BB222A67F31F82B481D@Boltzmann.esb.com>
Content-Type: text/plain; charset="us-ascii"

You may not be planning to think about IPV6, but the folks at Redmond have been. If you Google on IPV6 and Windows Server 2008 R2 (or Windows 7, or even Vista), you will find that the IPV6 protocol is a mandatory component of those OS, and you are told that disabling IPV6 (unbinding that protocol from an interface) makes your OS unsupported. Microsoft did not bother to test those OS with IPV6 disabled (or so they say, at this point).

Of course, you may be a lucky person and not have to support current Windows OS on your network. If so, then you don't have to think about IPV6 for years. Otherwise, you better do some reading. You could start with this (a bit old):

http://technet.microsoft.com/en-us/magazine/2009.07.cableguy.aspx

"From Microsoft's perspective, IPv6 is a mandatory part of the Windows operating system and it is enabled and included in standard Windows service and application testing during the operating system development process. Because Windows was designed specifically with IPv6 present, Microsoft does not perform any testing to determine the effects of disabling IPv6. If IPv6 is disabled on Windows Vista, Windows Server 2008, or later versions, some components will not function. Moreover, applications that you might not think are using IPv6, such as Remote Assistance, HomeGroup, DirectAccess, and Windows Mail, could be.

"Therefore, Microsoft recommends that you leave IPv6 enabled, even if you do not have an IPv6-enabled network, either native or tunneled. By leaving IPv6 enabled, you do not disable IPv6-only applications and services (for example, HomeGroup in Windows 7 and DirectAccess in Windows 7 and Windows Server 2008 R2 are IPv6-only) and your hosts can take advantage of IPv6-enhanced connectivity."

Please, FW Wizards, prove me wrong. Thanks,

Carl Friedberg
www.comets.com

-----Original Message-----
From: firewall-wizards-bounces@listserv.icsalabs.com [mailto:firewall-wizards-bounces@listserv.icsalabs.com] On Behalf Of Timothy Shea
Sent: Sunday, December 26, 2010 11:23 PM
To: Devdas Bhagat; Firewall Wizards Security Mailing List
Subject: Re: [fw-wiz] IPv6

There is much additional complexity in IPv6 regardless of security architecture. And IPSec being "built in" is irrelevant to the debate.

Outside of our government contracts - not even remotely thinking about IPv6. Maybe in a few more years.

t.s


On Sun, Dec 26, 2010 at 2:20 PM, Devdas Bhagat <dvb@users.sourceforge.net> wrote:


On Sun, Dec 26, 2010 at 11:56:45AM -0500, Paul D. Robertson wrote:

> Is anyone doing anything interesting with v6 and firewalls? We're
> supposedly coming up on the year that v6 will break out, and most
> organizations I know still don't even route it.


I am looking to start announcing IPv6 early next month. At this point,
Linux and *BSD boxes support IPv6 in their firewall rulesets.

There really shouldn't be much additional complexity with IPv6 in
any good security architecture. It's just another routed protocol,
with longer addresses and IPSec built in.

At the beginning though, we are likely to see simple IPv6 routing
with no AH/ESP.

What will be infinitely more interesting will be the combinations
of IPv4 to IPv6 mapping/NATing/routing which will happen.

Devdas Bhagat

_______________________________________________
firewall-wizards mailing list
firewall-wizards@listserv.icsalabs.com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards


--
Tim Shea, CISSP
612-384-6810
tim@tshea.net

http://www.linkedin.com/in/timothyshea

------------------------------

Message: 2
Date: Mon, 27 Dec 2010 17:09:03 +1100
From: Mathew Want <imortl1@gmail.com>
Subject: Re: [fw-wiz] IPv6
To: sonicsai@gmail.com, Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Message-ID:
<AANLkTik476jAJoU1=ZurBrH_jdF4cX=CQ6_xdqyq3B+d@mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1

Because I do not want my workstations to be routed to from the internet.
--
Regards,
M@
--
"Some things are eternal by nature,
others by consequence"

On 27 December 2010 13:25, sai <sonicsai@gmail.com> wrote:
> Why would you want to NAT66?
>
> On 12/27/10, Roger Marquis <marquis@roble.com> wrote:
>> Paul D. Robertson wrote:
>>> Is anyone doing anything interesting with v6 and firewalls? We're
>>> supposedly coming up on the year that v6 will break out, and most
>>> organizations I know still don't even route it.
>>
>> We're not allowing IPv6 through any firewalls (that I know of) until gear
>> that'll do NAT66, NAT64, and NAT46 becomes available.
>>
>> Roger Marquis

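The thread makes two related points: Devdas Bhagat's remark that Linux and *BSD firewall rulesets already handle IPv6 as just another routed protocol, and Mathew Want's reason for wanting NAT66, that workstations should not be reachable from the Internet. The property Mathew wants comes from a stateful default-deny ruleset, not from address translation. The script below is an added example, not code from anyone in the thread: it generates and loads an nftables ruleset for a dual-stack Linux border firewall. Everything in it is assumed for illustration: the interface names wan0/lan0, the documentation prefix 2001:db8:abcd::/48 standing in for a real delegation, and one published host 2001:db8:abcd:1::25 serving HTTP/HTTPS.

```shell
#!/bin/sh
# Added example (not from the firewall-wizards thread): a dual-stack nftables
# border ruleset that keeps workstations unreachable from the Internet
# without NAT66. Interface names, prefix and published host are constructed
# placeholders; override them through the environment for a real site.
set -eu

WAN_IF="${WAN_IF:-wan0}"                          # assumption: Internet side
LAN_IF="${LAN_IF:-lan0}"                          # assumption: workstation LAN
LAN_PREFIX="${LAN_PREFIX:-2001:db8:abcd::/48}"    # documentation prefix
PUBLISHED_HOST="${PUBLISHED_HOST:-2001:db8:abcd:1::25}"

# Emit the ruleset on stdout. One 'inet' table filters IPv4 and IPv6 with
# the same rules, so the v6 policy cannot silently drift away from the v4 one.
gen_ruleset() {
cat <<EOF
flush ruleset
table inet border {
  chain forward {
    type filter hook forward priority 0; policy drop;

    # Stateful core: replies to LAN-initiated flows come back, nothing else.
    ct state established,related accept
    ct state invalid drop

    # LAN hosts may initiate outbound flows. IPv6 only from our own prefix
    # (egress anti-spoofing); IPv4 unconditionally.
    iifname "$LAN_IF" oifname "$WAN_IF" ip6 saddr $LAN_PREFIX accept
    iifname "$LAN_IF" oifname "$WAN_IF" meta nfproto ipv4 accept

    # ICMPv6 that must transit for IPv6 to work at all: Path MTU discovery
    # (packet-too-big) and the error types. Blocking all ICMPv6 breaks v6.
    icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, echo-request } accept

    # The only inbound exception: the published host, explicit port list.
    iifname "$WAN_IF" ip6 daddr $PUBLISHED_HOST tcp dport { 80, 443 } accept
  }

  chain input {
    type filter hook input priority 0; policy drop;
    ct state established,related accept
    ct state invalid drop
    iif "lo" accept

    # Neighbour Discovery is link-local control traffic the firewall itself
    # needs. RFC 4861 requires hop limit 255, so anything routed in is dropped.
    ip6 hoplimit 255 icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert, nd-router-solicit, nd-router-advert } accept
    icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, echo-request } accept

    # Management from the LAN only.
    iifname "$LAN_IF" tcp dport 22 accept
  }
}
EOF
}

# Load atomically: 'nft -c' checks syntax first, so a typo leaves the running
# ruleset untouched (needs root and nftables installed).
apply_ruleset() {
    gen_ruleset | nft -c -f - && gen_ruleset | nft -f -
}

# Returns 0 only if the ruleset contains no NAT at all: the point of the
# exercise is that isolation comes from the filter, not from translation.
ruleset_has_no_nat() {
    ! gen_ruleset | grep -Eq 'masquerade|snat |dnat |nat hook'
}

case "${1:-}" in
    apply) apply_ruleset ;;
    "")    gen_ruleset ;;      # default: print the ruleset for review
esac
```

Run it without arguments to review the generated ruleset, or with `apply` as root to load it. The two ICMPv6 accept lines are the part most often missing from rulesets ported from IPv4 thinking: an IPv6 firewall that drops all ICMPv6 breaks Path MTU discovery for every flow through it and, on the firewall's own interfaces, Neighbour Discovery.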

------------------------------

Message: 3
Date: Mon, 27 Dec 2010 16:21:25 -0500
From: Jim Seymour <jseymour@LinxNet.com>
Subject: Re: [fw-wiz] IPv6
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Message-ID: <4D190355.4040409@LinxNet.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

Carl Friedberg wrote:
> You may not be planning to think about IPV6, but the folks at Redmond have been. If you Google on IPV6 and Windows Server 2008 R2 (or Windows 7, or even Vista), you will find that the IPV6 protocol is a mandatory component of those OS, and you are told that disabling IPV6 (unbinding that protocol from an interface) makes your OS unsupported. Microsoft did not bother to test those OS with IPV6 disabled (or so they say, at this point).
[snip]

Not seeing what bearing any of that, or what I deleted, has on the original
question.

Neither my border router nor my (current, archaic) firewall do IPv6. Nor,
come to think of it, does any of my core LAN equipment. If I tried to
approach my boss to tell him we needed to throw away all of our network
gear and replace it, at a cost of 10s of thousands of dollars, to support
IPv6, he'd either fire me or have me committed.

And yes: The corporate LAN is, unfortunately, riddled with 'doze PCs.
Oddly enough: The lack of IPv6 support on LAN, WLAN, and 'net
connection (and WLAN, when we had one) did not seem to be a problem.

Jim

--
Note: My mail server employs *very* aggressive anti-spam
filtering. If you reply to this email and your email is
rejected, please accept my apologies and let me know via my
web form at <http://jimsun.LinxNet.com/contact/scform.php>.

------------------------------

Message: 4
Date: Mon, 27 Dec 2010 15:03:13 -0800
From: "Orca" <klrorca@Hotmail.com>
Subject: Re: [fw-wiz] IPv6
To: "Firewall Wizards Security Mailing List"
<firewall-wizards@listserv.icsalabs.com>
Message-ID: <COL109-DS12B3B685158FB62B928073A5000@phx.gbl>
Content-Type: text/plain; format=flowed; charset="iso-8859-1";
reply-type=response

IPv6 has been supported on most Cisco, Juniper, Foundry and other major player
gear for a while now. For Cisco, that is almost all gear that supports IOS 12.2
onwards (support was introduced in 12.0), so generally speaking most company LAN
environments need not spend a huge amount of money supporting IPv6 in their
LAN, unless one built the corporate network with cheap SOHO gear.
Additionally, Cisco ASA, Checkpoint, and Juniper firewalls all support IPv6.
Most major DNS and DHCP vendors support IPv6. Most major server/desktop
OS also support IPv6.

Both the ACE and F-5 support IPv6 as well, for major load-balancers.

Here is a good list of features, series and IOS levels for Cisco Products:
http://www.cisco.com/en/US/docs/ios/ipv6/configuration/guide/ip6-roadmap.html#wp1121383

I have been implementing dual stack IPv6 in two datacenters projects I
designed in the last few years, one was for a Windows shop and one for
Solaris/Red Hat shop, using Cisco, F-5 and Juniper gear.

In most cases it is not too difficult, and works readily with existing
equipment, with maybe an OS update here and there.

Windows does allow removal of IPv6 from the IP stack. I am unsure what you
mean about it making it "unsupported"; there is nothing I could find from
M.S. that states you must have IPv6 running in your IP stack for them to
"support" your O.S.


-----Original Message-----
From: Jim Seymour
Sent: Monday, December 27, 2010 1:21 PM
To: Firewall Wizards Security Mailing List
Subject: Re: [fw-wiz] IPv6

Carl Friedberg wrote:
> You may not be planning to think about IPV6, but the folks at Redmond have
> been. If you Google on IPV6 and Windows Server 2008 R2 (or Windows 7, or
> even Vista), you will find that the IPV6 protocol is a mandatory component
> of those OS, and you are told that disabling IPV6 (unbinding that protocol
> from an interface) makes your OS unsupported. Microsoft did not bother to
> test those OS with IPV6 disabled (or so they say, at this point).
[snip]

Not seeing what bearing any of that, or what I deleted, has on the original
question.

Neither my border router nor my (current, archaic) firewall do IPv6. Nor,
come to think of it, does any of my core LAN equipment. If I tried to
approach my boss to tell him we needed to throw away all of our network
gear and replace it, at a cost of 10s of thousands of dollars, to support
IPv6, he'd either fire me or have me committed.

And yes: The corporate LAN is, unfortunately, riddled with 'doze PCs.
Oddly enough: The lack of IPv6 support on LAN, WLAN, and 'net
connection (and WLAN, when we had one) did not seem to be a problem.

Jim

--
Note: My mail server employs *very* aggressive anti-spam
filtering. If you reply to this email and your email is
rejected, please accept my apologies and let me know via my
web form at <http://jimsun.LinxNet.com/contact/scform.php>.


------------------------------


End of firewall-wizards Digest, Vol 54, Issue 3
***********************************************