SANS ISC: Got an IPv6 Firewall? - SANS Internet Storm Center

Got an IPv6 Firewall?

Just like the call "Winter is Coming" in Game of Thrones, we keep hearing that IPv6 is coming to our networks, spreading doom and gloom over our most prized assets. But just as the clothing worn by some of the actors in the TV show isn't exactly suited for winter, the network security infrastructure deployed today wouldn't give you a hint that IPv6 is around the corner.

On the other hand, here are some recent numbers:

  • Over 25% of Comcast customers are "actively provisioned with native dual stack broadband" (see comcast6.net)
  • 40% of the Verizon Wireless network is using IPv6 as of December 2013 (http://www.worldipv6launch.org/measurements/)
  • Between July and December last year, Akamai saw IPv6 traffic go up by about a factor of 5 (http://www.akamai.com/ipv6)

When I made our new "Quickscan" router scanning tool available last week, I left it IPv6 enabled. So it is no surprise that I am getting e-mails like the following:

The results were "interesting"
...
A few weeks ago I had installed an IPv6 capable modem and updated my router config to enable IPv6. The results were glorious in that IPv6 ran like a charm.
The sober facts arose when I ran the ISC router scan - it used my IPv6 address, which hooked directly to my desktop (behind my firewall) and pulled up my generally unused native Apache service. 
I went over my router config with a fine-tooth comb and realized that my router has no support for IPv6 filtering.

So does your firewall filter IPv6? Or does it just "use it"? Do you have sufficient host-based controls in place? You don't necessarily have to assign globally routable IPv6 addresses: you could use proxies to terminate "global" IPv6 and only use ULA addresses internally. But home users in particular are unlikely to go that route.

(I am working on making the "quickscan" tool (https://isc.sans.edu/quickscan.html [login required]) more generic. For now it only scans common router admin and backdoor ports.)

 

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute

IPv6 Security Training ( https://www.sans.org/sec546 )

I will be teaching next: Defending Web Applications Security Essentials - SANS Munich March 2019

Johannes

3413 Posts
ISC Handler
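The reader's e-mail above is the exposure case in a nutshell: with no NAT in the path, a service bound to the desktop's global IPv6 address is reachable from anywhere unless something filters it. As an added example (mine, not code from the diary or from the Quickscan tool), the following Python lists which listeners on a dual-stack host an Internet peer could reach if the router passed IPv6 unfiltered; the addresses and the socket list are constructed, in the shape of `ip addr` and `ss -ltn` output.

```python
# Added example (not from the ISC diary): list what an Internet peer could reach
# on this host over IPv6 if the router does not filter IPv6. Inputs are constructed.
import ipaddress

ULA = ipaddress.ip_network("fc00::/7")
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed interface addresses of a dual-stack desktop behind a home router.
ADDRS = [
    "192.168.1.20",                         # RFC 1918: the router's NAT hides it
    "fe80::be05:43ff:feeb:6b31",            # link-local: never routed
    "fd12:3456:789a:1::20",                 # ULA: not routed globally
    "2001:1234:abcd:1:be05:43ff:feeb:6b31", # global unicast: reachable end to end
]

# Constructed listeners (protocol, bind address, port), as `ss -ltn` shows them.
LISTENERS = [
    ("tcp", "0.0.0.0", 80),                # IPv4 Apache, any address
    ("tcp", "::", 80),                     # IPv6 Apache, any address
    ("tcp", "::", 22),                     # sshd, any address
    ("tcp", "::1", 631),                   # CUPS, loopback only
    ("tcp", "fd12:3456:789a:1::20", 445),  # file sharing, bound to the ULA only
]

def scope(addr):
    """'local' (loopback, link-local, unspecified), 'private' (RFC 1918, ULA) or 'global'."""
    ip = ipaddress.ip_address(addr)
    if ip.is_loopback or ip.is_link_local or ip.is_unspecified:
        return "local"
    if ip.version == 6:
        return "private" if ip in ULA else "global"
    return "private" if any(ip in n for n in RFC1918) else "global"

def exposed_services(addrs, listeners):
    """(address, port) pairs reachable from the Internet when nothing filters IPv6.
    IPv4 listeners are skipped (behind NAT they need an explicit port forward);
    IPv6 has no NAT, so a socket on :: or on a global address answers on every
    global address the host holds."""
    global_v6 = [ipaddress.ip_address(a) for a in addrs
                 if ":" in a and scope(a) == "global"]
    hits = []
    for _proto, bind, port in listeners:
        ip = ipaddress.ip_address(bind)
        if ip.version != 6:
            continue
        if ip.is_unspecified:
            hits.extend((str(a), port) for a in global_v6)
        elif ip in global_v6:
            hits.append((str(ip), port))
    return sorted(hits)
```

On a live host the same logic applies to the output of `ip -6 addr` and `ss -ltn`; anything the function reports is what the router's IPv6 filter (or a host firewall) has to cover.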
Way back in my Microsoft ISA days, Microsoft released an advisory that under no circumstances were you to enable IPv6 on the server operating system. The ISA firewall was completely non-IPv6 aware so the underlying server operating system simply routed the traffic through with no indication in the logs. I also recall an issue back in the '90s where a military base (in Japan, I think) had a pen test and they were completely solid. But when the testers used IPv6, they were able to access all internal systems.

Red Hat Enterprise Linux v4, now unsupported but no doubt still in use in lots of places, enabled IPv6 by default with absolutely no indication in the installer that it was doing so. RHEL v5 and later at least give you the option in the installer now. :-)
Anonymous
Quoting Anonymous: Way back in my Microsoft ISA days, Microsoft released an advisory that under no circumstances were you to enable IPv6 on the server operating system.


And then a few years later they came out with Server 2008 with IPv6 enabled by default, Windows Advanced firewall supporting V6, and indicated that disabling IPv6 was particularly an unsupported scenario.... things change. http://technet.microsoft.com/en-us/magazine/2009.07.cableguy.aspx

"From Microsoft's perspective, IPv6 is a mandatory part of the Windows operating system and it is enabled and included in standard Windows service and application testing during the operating system development process. Because Windows was designed specifically with IPv6 present, Microsoft does not perform any testing to determine the effects of disabling IPv6. If IPv6 is disabled on Windows Vista, Windows Server 2008, or later versions, some components will not function."
Mysid

146 Posts
On my home LAN I have an IPv6 tunnel with HE and a frontend pfSense firewall that handles the IPv6 tunnel. On pfSense I enabled the basic IPv6 firewall, which has basically the same rules as a standard NAT: all connections originating from the LAN are permitted, all connections originating from the WAN are denied.

On online CentOS servers with IPv6 I have the same IPTABLES rules for both IPv4 and IPv6.
lrosa

5 Posts
Isn't one of the assumptions of IPv6 that it gives true end-to-end connectivity, as it should be, and means that the best place to protect the host is the host-based firewall? Not that network-based ones are useless, but they will have to do a more general type of filtering, and then the final vote is left for the host-based firewall.

Another thing is Teredo, which comes enabled by default on some Windows-based systems, and some services (Direct Access) require it to operate - like it or not, IPv6 is here. You should always lock down individual hosts by first disabling all unnecessary services and then firewalling off the rest you can't disable - instead of blaming 'lack of security' on IPv6.
Finally, it's hard to protect against something you are not aware of - how many end-users know they have an IPv6 stack enabled, configured and working? Even if they do, what can they do about it?

My choice is usually Mikrotik or pfSense - both do great work with IPv6, either native or tunneled (Hi HE, I'm waving at you guys).

Tomasz
Tomasz

3 Posts
Quoting Tomasz: Isn't one of the assumptions of IPv6 that it gives true end-to-end connectivity, as it should be, and means that the best place to protect the host is the host-based firewall? Not that network-based ones are useless, but they will have to do a more general type of filtering, and then the final vote is left for the host-based firewall.


I feel strongly that Enterprise IPv6 networks should have both a network-based firewall at public network entry points, which should do ingress and egress filtering, and host firewalls: that is, you should eschew neither. Layer the defenses; no reliance on any one firewall for network connection-based security.

The former's job is to help defend the perimeter -- block incoming connections to unknown ports; the latter's job is to help protect other systems when a peer system on the LAN inevitably gets infected with malware or otherwise breached by a pivoting attacker, rogue insider, etc.

The network-based firewall should log outgoing and incoming connections, and it should be sophisticated enough to deny traffic based on protocol/application detection, in addition to a standard 5-tuple allow list, with default deny on the incoming and outgoing side.

Software firewall on each host: every client, every server. The host firewalls on client or server machines should not be administered by someone whose job would be more convenient with a "permit any any" rule.

Steps should be taken to periodically ensure that all firewalls are operating correctly; with especial attention to software firewalls on hosts, that might have been tampered with by software, or users with local admin privileges to their workstation.


Quote:
Another thing is Teredo which comes enabled by default on some of the windows based system and some services (Direct Access) require it to operate - like it or not, IPv6 is here.


Implement IPv6 proper on your network, and block tunneling protocols such as Teredo :)

Quote: first disabling all unnecessary services and then firewalling off the rest you can't disable


Yes... and sometimes, get a more secure alternative set up, and get "necessary" services uninstalled or turned off.

Don't forget to push out policies to disable WPAD and NetBIOS/NetBEUI on Windows networks, and ensure systems require signing for file sharing traffic.

Best to require IPsec between all hosts on the LAN, for all allowed communications; the Windows advanced firewall can handle this.
Mysid

146 Posts
Agree,
and, to an extent, it's also true for SOHO networks.
Host-based filtering is great if available. For many widgets in a modern home, it seems that the manufacturers assume a perfectly good internet: smart TVs, NAS boxes, digital media servers, tablets, smart home controllers, etc. In order to prevent intrusions and unauthorized use of these mostly unprotected widgets you would like to have external protection, and a traditional filtering firewall that understands IPv6 is a good start.
OpenBSD PF (PF on OpenBSD or on any other *BSD flavor) in a mini-machine delivers this splendidly.
A tiny PC, e.g. a CompuTech "Fit PC2i", with OpenBSD and PF (or any other *BSD flavor using PF) inserted between the Internet and the credulous devices does the job.
JanS

10 Posts
I notice a flaw in this test: it uses the IPv6 address used by my browser, not the one used by my router. Which means it doesn't scan for a backdoor into my router, but for a backdoor into my PC! It potentially could show a badly configured or non-existent firewall in the router, but then you should scan more ports.
( no NAT when using ipv6)
JanS
6 Posts
Correct. There is no easy way to figure out what your gateway IP would be for IPv6.

As for additional ports: I am working on an option to add additional ports.
Johannes

3413 Posts
ISC Handler
"Isn't one of the assumptions of IPv6 that it gives true end-to-end connectivity as it should be and means that the best place to protect the host is the host based firewall? "

Host-based firewall = single point of failure. 1,000 host based-firewalls = 1,000 single points of failure on your network.

And please don't get me started on Group Policy Objects being a security tool. It's a "push it out and pray" mechanism, one with zero feedback on whether it ever got applied and whether it is working.

How many home users do you know that will replace a perfectly functioning home router just because it doesn't handle IPv6 properly? Zee-roe.

I've got friends still using WEP-only routers because they still work and, after all, it says on the box that it is 128-bit encryption.
Anonymous
Quoting Johannes: Correct. There is no easy way to figure out what your gateway IP would be for IPv6.

Not only that, but your "default gateway IP" on the LAN, might be a link-local address such as fe80::1.
If the router wants to be stealthy, there's nothing to say it has to tip off even LAN PCs to its global unicast addresses.

On the other hand, you might be able to figure it out by probing with a number of TCP messages -- start at a hop limit of 64 or so, and start decrementing the Hop limit on the packets, and sending additional IP packets to probe, until the hop limit is low enough, that there is an ICMP Unreachable error reply from a router, indicating the hop limit was exceeded.
Mysid

146 Posts
It could be relatively easy to find my router's 'public' ipv6 address, as the following setting is enabled (as per my ISP's instructions):
Derive global address using the assigned prefix.
Which is explained like this: The FRITZ!Box first attempts to determine the global address from the router advertisement. If this fails, an address from the first /64 subnet of the determined prefix is used.

In the real world this means that if my browser's address shows as 2001:1234:abcd:1:be05:43ff:feeb:6b31 the router will use 2001:1234:abcd::1
Mysid
6 Posts
For home setup, the current edge router (Linux-based ipfilter with conntrack) has explicit IPv6 rules for WAN traffic destined for router (drop all) and select LAN services (allow), with drop for other than traffic "established" by interior systems. LAN addressing is IPv4 static/DHCP and IPv6 SLAAC (no DHCPv6) with globally routable prefix.

Prior, older, consumer edge routers I have had did not have symmetric IPv4/IPv6 filter capability (usually just allow all IPv6 or not).

LAN-resident servers, typically Ubuntu, have ufw configured with explicit allow rules that are symmetric for IPv4/6. Other devices use whatever is typically present (or absent) on such devices. Most interior devices are dual stack IPv4/6 and routinely use IPv6 with RFC 4941 addresses used preferentially.
Gary

3 Posts
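lrosa's "same rules for both" and Gary's symmetric ufw allow rules point at the same check: that the IPv6 ruleset did not drift from the IPv4 one. The following is an added example, not anything posted in the thread, that diffs two constructed `iptables -S` / `ip6tables -S` listings after folding `icmp` and `ipv6-icmp` into one key and reports the rules and chain policies that differ.

```python
# Added example (not from any poster on this thread): compare an IPv4 and an IPv6
# ruleset in `iptables -S` / `ip6tables -S` form and report what exists in one
# family but not the other. Both rulesets below are constructed.
import re

# Constructed `iptables -S INPUT` output for a LAN server.
V4_RULES = """\
-P INPUT DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
"""

# Constructed `ip6tables -S INPUT` output for the same server: the chain policy
# is still ACCEPT and the port 443 rule was never added. This is the kind of
# drift that symmetric v4/v6 rules are meant to avoid.
V6_RULES = """\
-P INPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p ipv6-icmp -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
"""

def normalize(rule):
    """Map a rule to a family-neutral key so that v4/v6 twins compare equal."""
    rule = re.sub(r"-p (?:icmp|ipv6-icmp)\b", "-p ICMP", rule.strip())  # ICMP vs ICMPv6
    return re.sub(r"\s+", " ", rule)

def compare_rulesets(v4, v6):
    """Return (rules only in v4, rules only in v6, chains whose policy differs)."""
    r4 = {normalize(l) for l in v4.splitlines() if l.strip()}
    r6 = {normalize(l) for l in v6.splitlines() if l.strip()}
    pol4 = {l.split()[1]: l.split()[2] for l in r4 if l.startswith("-P ")}
    pol6 = {l.split()[1]: l.split()[2] for l in r6 if l.startswith("-P ")}
    policy_mismatch = sorted(c for c in pol4 if pol6.get(c) != pol4[c])
    only4 = sorted(r for r in r4 - r6 if not r.startswith("-P "))
    only6 = sorted(r for r in r6 - r4 if not r.startswith("-P "))
    return only4, only6, policy_mismatch
```

One caveat the check cannot express: an `-p ipv6-icmp` allow is required rather than optional, since blocking ICMPv6 wholesale breaks neighbor discovery and path MTU discovery, so treat an ICMPv6 rule that is broader than its IPv4 twin as intended, not as drift.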
