The Unified Network Services (UNS) portfolio of Layer 4-7 services (such as ACE and WAAS) also includes Cisco’s data center security solutions. A critical part of that security portfolio is our virtualization-aware firewall solution, Virtual Security Gateway (VSG). In a series of upcoming blog posts, I’ll be sharing a few use case scenarios that our customers are implementing with VSG.
For those of you new to VSG, I’ll point out that VSG’s role is to act as a virtual firewall between zones of virtual machines. Isolating traffic between VM zones has been very challenging prior to VSG because: 1) security policies have to be enforced between VMs running on the same server or same virtual switch (where there’s no place to put a firewall), 2) VMs move all around the network and the security policies (as enforced in the firewall) must follow the VM, and 3) the need to maintain segregation of duties for compliance purposes between the security and application server teams, where security is potentially enforced inside the virtual server.
A few years back I set up IPv6 connectivity on my home network for the first time. I had a rush of exhilaration when the first ping and traceroute commands completed successfully. Suddenly, I was free of Network Address Translation and bypassing my firewall, connecting directly to any IPv6 device on the Internet. But then it slowly dawned on me that those people same people could also directly connect to my device! In a panic, I wondered if my SMB shares were visible to the world, or if criminals could relentlessly probe my open ports for zero-day vulnerabilities. How could I even check if I had any open ports? My fear got the best of me and I disabled IPv6.
I contacted my friend Dan and posed my dilemma to him. How could I tell if my ports were locked down on a machine which ran IPv6? A number of sites provided port scanners for IPv4, but nobody had a general purpose scanner for IPv6. Hurricane Electric provided one, but only for devices that were on their network. Dan hacked up a primitive IPv6 open port testing site, which uses NMAP to scan an IPv6 visitor for typically vulnerable ports before issuing a simple report. I was pleased to discover that my computer did not answer on any of those commonly attacked ports.
In this process, I discovered that many modern operating systems with IPv6 enabled also come with a set of reasonable host firewall defaults which do not expose listening ports as much as I had expected based on my experience with IPv4. Many hosts with IPv6 enabled by default also come with some very sensible settings to prevent network-launched crimes of opportunity from malicious users.
IPv6 also provides a natural defense against classic portscanning attacks, where an attacker probes for commonly vulnerable ports of every IP address on a subnet. For densely packed IPv4 service provider networks with one IP address assigned per typical user, a few thousand probes across a known DSL or cable subnet can yield a rich collection of potential targets. Since the address space of IPv6 is so much larger and sparsely populated than IPv4, blind portscanning of subnets becomes impractical since a typical IPv6 subnet contains quintillions of addresses hosting a relatively small number of end devices.
Most people already have IPv6 capability whether they know it or not. All Microsoft operating systems such as Windows Vista and all MacOS releases since 10.2 have IPv6 installed enabled by default. Mobile devices running Android 2.1, Apple iOS 4.0, and Symbian 7.0 are configured likewise as is nearly every *nix variant you can name. Even the venerable and ubiquitous Windows XP has a latent IPv6 stack which can be activated with a single command.
Typically, IPv6 enabled systems will prefer IPv6 connections over IPv4, so a misconfigured or malfunctioning IPv6 network will cause connectivity problems. Many popular troubleshooting regimens simply prescribe disabling IPv6 as the “solution,” which really does nothing more than to hide the underlying problem with the IPv6 network. When you have a network problem that is “solved” by disabling IPv6, you have masked the symptom of a bigger problem that warrants further investigation.
A combination of hardware and software firewalls provides a higher level of security
I got a call from my great aunt the other day. She wants to get online and has just bought a new computer. She’s heard her friends talk about bad guys on the Internet and asked me how she should protect herself. I told her she should get security gear for her computer before doing anything else. I explained that like the security gate at her apartment complex, computer security gear can prevent bad guys from getting inside.
That got me thinking about security for small businesses. What security solution should you use to protect your small business?
You need the equivalent of security gates for your network. Firewalls do precisely that. And though you’ve probably heard of firewalls for computer security, you may not know how they work and whether you should get one for your business.