IPv6 Security Issues

Hi guys...

I have been over on the Comodo forums where I have just learnt that the current version of CIS does not support IPv6. But I have also come across some info detailing certain security implications of IPv6 traffic flowing undetected across networks.

A couple of quotes from networkworld.com :

It appears that CIS will not be in a position to support IPv6 until version 4 of the product is released. I am wondering now is it necessary to disable IPv6 here (running Vista Home Premium), or are there other firewalls or other apps that can detect and control IPv6 traffic?

Ta

 

Hi again

Well, its been a week or so now since I have put some measures in place to block anything IPv6-ish.

I have noticed a few odd things though. I cannot update SAS or MBAM definitions. Furthermore, I have a wee weather gadget on my Vista Home Premium desktop here, which has stopped working. (I had a look at this today via Fiddler, and it appears that my machine here is refusing the gadget permission to communicate with the outside world - the error message reads something like '... because the target machine actively refused connection 127.0.0.1:8080').

So, a couple of questions.

1. Are MBAM and SAS dependent on IPv6 for updates, or have I tweaked the firewall here in another way that has knackered these two?

2. Are the concerns alluded to im my post above justified? Or am I worrying over nothing regarding IPv6?

Cheers

 

Re. question 1 (and the weather gadget issue) above - forget it. Some numptey left localhost proxy settings in IE, didnt he...

Question 2 still stands

 

Just so you know, the windows Vista firewall fully supports IPV6. I'm not aware of any hardware firewall that does, though, we should hopefully see them crop up soon in routers.

 

Sure, concern is justified.

A silly example scenario:

Let's assume we have a user who has a software firewall that includes some HIPS type functions from execution protection to detecting various kinds of hooks and other "suspicious" behavior. The user trusts this software to keep him safe and prevent bad stuff from happening, and considers himself pretty educated about the alerts the software makes and how to respond to them. Let's further assume that this software firewall does not control IPv6 traffic at all - it just does not see it, and lets everything in and out, silently.

The user downloads a small "freeware" game executable. Naturally he wants to try it out (why would he download it otherwise?). He executes the file. The firewall complains that he's executing an unknown file, and the user clicks on the yes, go ahead button, expecting the firewall to save him in the off chance that the file does something bad like install a kernel-mode rootkit driver. The firewall gives no further warnings, and indeed the executable seems to be a game. Kind of a boring Minesweeper on steroids type of thing, though. In the background, however, the executable silently reads a few locations on the hard drive, looking for saved browser passwords, game and software license keys and similar things to steal. Once done, it sends that data off to the bad guy's FTP server using an IPv6 connection. And guess what. No firewall alerts. After all, nothing suspicious happened, that the firewall could see: the executable just read a couple of files - and then made an IPv6 connection the firewall could not see. Bored, the user shuts down the game and deletes the file. He never discovers that it attempted to steal some data. That is, before he finds his license keys on crackz sites and blocked by the product vendors. How the heck did that happen, the user thinks.

In short, it's not a good idea to allow traffic in and out of your network, completely uncontrolled.

 

Well, CIS does have some sort of limited functionality for manually inputting rules to block Protocol 41. I have also blocked the Teredo port 3544, but this might be unnecessary/overkill. I dunno.

Like Windchild, I too like to have as much control over the data moving to and from my machines.

I have been getting some interesting firewall alerts relating to P 41 traffic over the last week depending on which DNS set-up I am using (am currently utilising Open DNS). For example, one DNS provider had loads of IPv6 data flowing to and from my machine to an IP of a totally seperate company. At this time with Open DNS, this is greatly reduced, with an Open DNS IP being the only target/source. Am gonna test some other DNS providers over the next few days and see what happens.

Am just curious - NOT paranoid

 

@ tsec

Outpost firewall also supports IPv6.

source: http://www.agnitum.com/products/outpost/whatsnew2008.php