Default security functions on an IPv6 CPE
merike at doubleshotsecurity.com
Fri May 6 07:42:24 CEST 2011
On May 5, 2011, at 4:58 PM, Jared Mauch wrote:
> On May 5, 2011, at 5:43 PM, Mark Smith wrote:
>> false sense of security is better than no security at all - at least
>> with no security you know you don't have any.
> I recommend taking the 22 minutes needed to watch this, even if you have a good grasp on "security".
OK, so I watched this out of curiosity... interesting from a philosophical perspective. But here's my take on the filter or not filter on v6 CPE devices:

- Hosts are better with shipping IPv6-aware firewalls and 'security' in general, but I wouldn't want to solely rely on this. Especially as was already pointed out that when replaced with some 3rd party host firewalls, the inherently good IPv6 firewall gets replaced with something that does not yet understand IPv6. Things should keep getting better but we're not there yet. And I don't think there's been enough evidence of IPv6-based malware to give good empirical data that the hosts can handle it.

- Most users connected to CPEs will never touch the CPE. And as many have stated, the clueful folks will know how to tweak their firewall configs if needed. If you turn on the stateful firewall, will there be any performance impacts for the user? Will there be any applications that will get blocked for them with fw turned on by default? If the answer to both is no, no reason not to turn it on. But as Gert pointed out, make sure the user is aware the IPv6 firewall is ON by default.