A few years back I set up IPv6 connectivity on my home network for the first time. I had a rush of exhilaration when the first ping and traceroute commands completed successfully. Suddenly, I was free of Network Address Translation and bypassing my firewall, connecting directly to any IPv6 device on the Internet. But then it slowly dawned on me that those same people could also directly connect to my device! In a panic, I wondered if my SMB shares were visible to the world, or if criminals could relentlessly probe my open ports for zero-day vulnerabilities. How could I even check if I had any open ports? My fear got the best of me and I disabled IPv6.
I contacted my friend Dan and posed my dilemma to him. How could I tell if my ports were locked down on a machine which ran IPv6? A number of sites provided port scanners for IPv4, but nobody had a general purpose scanner for IPv6. Hurricane Electric provided one, but only for devices that were on their network. Dan hacked up a primitive IPv6 open port testing site, which uses NMAP to scan an IPv6 visitor for typically vulnerable ports before issuing a simple report. I was pleased to discover that my computer did not answer on any of those commonly attacked ports.
In this process, I discovered that many modern operating systems with IPv6 enabled also come with a set of reasonable host firewall defaults which do not expose listening ports as much as I had expected based on my experience with IPv4. Many hosts with IPv6 enabled by default also come with some very sensible settings to prevent network-launched crimes of opportunity from malicious users.
IPv6 also provides a natural defense against classic portscanning attacks, where an attacker probes for commonly vulnerable ports of every IP address on a subnet. For densely packed IPv4 service provider networks with one IP address assigned per typical user, a few thousand probes across a known DSL or cable subnet can yield a rich collection of potential targets. Since the address space of IPv6 is so much larger and more sparsely populated than that of IPv4, blind portscanning of subnets becomes impractical: a typical IPv6 subnet contains quintillions of addresses hosting a relatively small number of end devices.
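A local complement to the external scan described above, as an added example that is not part of the original post: it parses Linux's `/proc/net/tcp6` table to list TCP sockets listening on IPv6 and picks out those bound to the wildcard or a routable address. The sample table is constructed (it uses the 2001:db8::/32 documentation prefix), the function names are hypothetical, and a little-endian host is assumed.

```python
import ipaddress

LISTEN = "0A"  # TCP_LISTEN state code as printed in /proc/net/tcp6

# Constructed sample: sshd on [::]:22, CUPS on [::1]:631, SMB on a routable
# address, plus one established outbound connection (state 01).
SAMPLE = """\
  sl  local_address                         remote_address                        st
   0: 00000000000000000000000000000000:0016 00000000000000000000000000000000:0000 0A
   1: 00000000000000000000000001000000:0277 00000000000000000000000000000000:0000 0A
   2: B80D0120000000000000000001000000:01BD 00000000000000000000000000000000:0000 0A
   3: B80D0120000000000000000001000000:C350 B80D0120000000000000000002000000:01BB 01
"""

def decode_addr(hex_addr):
    """The kernel prints four 32-bit words in host byte order
    (little-endian assumed), so reverse each 4-byte group."""
    raw = bytes.fromhex(hex_addr)
    fixed = b"".join(raw[i:i + 4][::-1] for i in range(0, 16, 4))
    return ipaddress.IPv6Address(fixed)

def scope(addr):
    if addr.is_unspecified:
        return "wildcard"      # bound to every address on the host
    if addr.is_loopback:
        return "loopback"
    if addr.is_link_local:
        return "link-local"
    return "routable"

def listening_sockets(table):
    """Return (address, port, scope) for every socket in LISTEN state."""
    found = []
    for line in table.splitlines()[1:]:          # skip the header row
        fields = line.split()
        if len(fields) < 4 or fields[3] != LISTEN:
            continue
        hex_addr, hex_port = fields[1].rsplit(":", 1)
        addr = decode_addr(hex_addr)
        found.append((str(addr), int(hex_port, 16), scope(addr)))
    return found

def exposed_ports(table):
    """Ports listening where an off-link IPv6 peer could address them."""
    return sorted(p for _, p, s in listening_sockets(table)
                  if s in ("wildcard", "routable"))

if __name__ == "__main__":
    try:
        table = open("/proc/net/tcp6").read()    # live data on Linux
    except OSError:
        table = SAMPLE                           # fall back to the sample
    for addr, port, kind in listening_sockets(table):
        print(f"[{addr}]:{port}  {kind}")
```

A listening socket is not necessarily reachable, since the host firewall decides that; this listing narrows down which ports are worth confirming with an external IPv6 scan.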
Most people already have IPv6 capability whether they know it or not. All Microsoft operating systems such as Windows Vista and all MacOS releases since 10.2 have IPv6 installed and enabled by default. Mobile devices running Android 2.1, Apple iOS 4.0, and Symbian 7.0 are configured likewise, as is nearly every *nix variant you can name. Even the venerable and ubiquitous Windows XP has a latent IPv6 stack which can be activated with a single command.
Typically, IPv6 enabled systems will prefer IPv6 connections over IPv4, so a misconfigured or malfunctioning IPv6 network will cause connectivity problems. Many popular troubleshooting regimens simply prescribe disabling IPv6 as the “solution,” which really does nothing more than to hide the underlying problem with the IPv6 network. When you have a network problem that is “solved” by disabling IPv6, you have masked the symptom of a bigger problem that warrants further investigation.
A combination of hardware and software firewalls provides a higher level of security
I got a call from my great aunt the other day. She wants to get online and has just bought a new computer. She’s heard her friends talk about bad guys on the Internet and asked me how she should protect herself. I told her she should get security gear for her computer before doing anything else. I explained that like the security gate at her apartment complex, computer security gear can prevent bad guys from getting inside.
That got me thinking about security for small businesses. What security solution should you use to protect your small business?
You need the equivalent of security gates for your network. Firewalls do precisely that. And though you’ve probably heard of firewalls for computer security, you may not know how they work and whether you should get one for your business.
Few aspects of networking have experienced as much change in recent years as the network firewall. Once considered a desktop security device, then embraced as the cadre of gateway security for businesses of all sizes, the firewall has lost its “place”. Don’t get me wrong, I’m not belittling the importance of the network firewall – in fact, my intention is quite the opposite!
Today Cisco made an announcement that supports the notion that the network firewall is more important than ever. But where does it belong? Marketers and IT professionals, alike, are all guilty of using the silly “brick wall” graphic in all our presentations. I’ve done it myself more times than I can count – right there, between the network edge and the DMZ. After all, that’s where it has traditionally lived, right?
The problem is that with the advent of cloud computing, virtualization, and the ability to gain anytime/anywhere access to data from a wide range of devices, it’s hard to tell where the network begins and where it ends these days. And if we can’t find the network edge, where do we place the firewall? How do we protect our network assets from the deluge of Internet-borne threats?