Re: ipv6 question

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

On 01/03/2011 06:31 PM, Michael H. Warfield wrote:
> There is a wide spread myth that NAT and the fact that you are on
> different addresses some how bestows upon you some measure of security.
> As a leading security researcher, let me impress upon you that nothing
> could be further from the truth.  You can security from the inherent
> statefulness of your common consumer grade NAT but there are other forms
> of NAT which do not convey this.  Merely the fact that your addresses
> are mapped do not provide you with any protection.  It's the state
> engine and the dynamic mapping that do this.  But, SURPRISE, that
> exactly what's in a stateful firewall.  There is NO intrinsic advantage
> of NAT over a decent stateful firewall.  None.
>
> IPv6 also has a number of security advantages over IPv4, not the least
> of which are "no broadcast address" and "virtually impossible to
> comprehensively brute force scan".  That doesn't mean it can't be
> scanned (the scans have to be more targeted and intelligent),
...

The problem that I see is that any system to which I have ever made a
connection now has a nice, routable IPv6 address back to the machine
that made the connection and can start probing that machine to see if
any vulnerable services might have been inadvertently left listening
on that interface.  No problem if it's a well secured file server,
but it could also be an internet-aware HDTV or video recorder where
I have no control over the internal OS.  Sounds like all traffic will
now have to have to be routed through an external IPv6 SPI firewall
appliance.  You no doubt have one of those, but I certainly don't,
and I suspect one would cost a bit more than my $35 NAT router, plus
being a bit beyond the administrative abilities of the average home
user.

-- 
Bob Nichols     "NOSPAM" is really part of my email address.
                 Do NOT delete it.

-- 
users mailing list
users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
[Index of Archives]     [Current Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Yosemite News]     [Yosemite Photos]     [KDE Users]     [Fedora Tools]     [Fedora Docs]

  Powered by Linux