On 9/9/2010 3:24 AM, Adam Tauno Williams wrote:
Second, most organizations are far from ready, although some are more ready than they know, since Windows and Linux and Mac (I think) have been shipping IPv6 stacks for some time now.
It is actually funny. I've been to a couple organizations where I can move around their network via IPv6 and they didn't even know it. And their oblivious firewalls don't do anything to protect them. They aren't ready in a very special kind of way - their security is essentially broken. All because they aren't "ready" to support IPv6.
Exactly my point. Just because you have an IPv6 stack doesn't mean you are ready to use it. Until a couple of years ago IPTables/Netfilter firewalls were essentially useless when IPv6 was turned on in the network. They didn't even know there was traffic going on behind their back. Yet that's what is built into virtually all cheap AND expensive routers. Anything built prior to about 2006 which hasn't had a software upgrade is at risk here. (And most routers NEVER get a software update.)

There is no generic way to defend against it because a port that is open is open regardless of whether you arrive via the IPv4 stack or the IPv6 stack. So you end up configuring a firewall on every device, especially Windows devices where many ports are open by default.

This is why the safest thing to do is to block all IPv6 traffic at the perimeter until you can do a complete site survey or at least assure yourself that your perimeter firewall can filter IPv6 traffic. That way all you have to worry about is people like you on the inside. ;-)

-- 
_____________________________________
At one time I had a Real Sig. It's been downsized.

-- 
To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse+help@opensuse.org
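The two points made in this reply, that a perimeter box should default-deny IPv6 until it has been surveyed, and that an "oblivious" firewall with ACCEPT policies passes IPv6 without anyone noticing, can be turned into a rule set and an audit check. The script below is an added example written for this thread, not code posted by anyone on the list. It assumes the Netfilter `ip6tables` front end with its standard `-S` listing format; the two listings it audits are constructed samples, not taken from any real host.

```shell
#!/bin/sh
# Added example for the opensuse thread above; not from the original post.
# Assumes ip6tables (legacy or nft backend) and its "-S" listing format.

# Rules for a perimeter host that should not pass IPv6 at all yet:
# INPUT and FORWARD default to DROP, so nothing arrives or transits over v6.
# ICMPv6 is still accepted locally, otherwise neighbour discovery breaks and
# the host itself loses link-local connectivity; adjust to taste.
ipv6_default_deny_rules() {
  cat <<'EOF'
ip6tables -P INPUT DROP
ip6tables -P FORWARD DROP
ip6tables -P OUTPUT ACCEPT
ip6tables -A INPUT -i lo -j ACCEPT
ip6tables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
ip6tables -A INPUT -p ipv6-icmp -j ACCEPT
EOF
}

# Audit: read the output of "ip6tables -S" on stdin and report whether the
# INPUT and FORWARD chains actually default to DROP. Exit status 0 means the
# box filters IPv6; 1 means it is the "oblivious firewall" case from the
# thread, passing v6 traffic with no policy at all.
ipv6_filter_audit() {
  awk '
    $1 == "-P" && $2 == "INPUT"   { input = $3 }
    $1 == "-P" && $2 == "FORWARD" { forward = $3 }
    END {
      if (input == "DROP" && forward == "DROP") {
        print "ok: IPv6 default-deny in place"
        exit 0
      }
      printf "WARNING: IPv6 not filtered (INPUT=%s FORWARD=%s)\n",
             (input ? input : "unknown"), (forward ? forward : "unknown")
      exit 1
    }'
}

# Constructed sample listings (what "ip6tables -S" prints on each kind of box).
# A stock box whose firewall never looked at v6: everything ACCEPT.
OBLIVIOUS_LISTING='-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT'

# A box where the rules above have been applied.
FILTERED_LISTING='-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p ipv6-icmp -j ACCEPT'

# Stand-alone demo: audit both constructed listings.
printf '%s\n' "$OBLIVIOUS_LISTING" | ipv6_filter_audit || true
printf '%s\n' "$FILTERED_LISTING" | ipv6_filter_audit
```

On a live host the audit is `ip6tables -S | ipv6_filter_audit`; run it on every box you think is "not using IPv6", since the thread's point is that the stack is on whether or not the firewall knows about it. Disabling the stack outright with `net.ipv6.conf.all.disable_ipv6=1` is the blunter alternative where a host genuinely needs no v6 at all.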