Default security functions on an IPv6 CPE
Mikael Abrahamsson
swmike at swm.pp.se
Fri May 6 09:41:08 CEST 2011
On Thu, 5 May 2011, Doug Barton wrote:
> A) It depends on who you ask. The millions of infected hosts comprising the
> bot armies in the current DDOS wars would seem to argue against your point.
Today, people get infected by browsing or downloading and components in
their operating system environment have security vulnerabilities. "Drive
by infections" are a lot more common compared to remote exploits by means
of exploiting services on their end-systems.
Hackers hack web servers and install Java and Adobe Reader exploits, and
since most end systems are not regularly up-to-date with these 3rd party
applications, they get p0wned. I have talked to people claiming 20%
infection rate with just Java and Adobe Reader exploits, and hacking blogs
etc to inject links to exploit code is relatively easy, infecting
"regular" people who are surfing "the Internet" is not that hard.
Then we of course have the classical email attachment vector that people
tend to click on... All of these are not stopped by having a firewall, and
having a firewall default-on causes a lot of other problems without
helping much.
I work for an SP where we give all devices (mobile and fixed) GUA IPv4
addresses with no filtering (many millions of customers) and we've been
doing this "forever". We provide "Internet Connectivity", and we try not
to filter. We've had to filter TCP/25 and the "windows ports" on some
access types though due to pressure from the outside and customers, but
that's more like "BCP filtering" than actually providing a firewall.
> I'm not familiar with the data points you're providing, however these
> anecdotes don't advance the discussion. In your mind what problems are
> created by enabling the firewall by default?
In my mind, things like video conferencing and other endsystem to
endsystem activity are hampered by a firewall that is default-on.
> Windows XP supports IPv6 (albeit it is not on by default), and it
> certainly was not designed with security in mind. If you put an
> unpatched version of XP on the live, open network it'll be pwned before
> you have a chance to download the first service pack.
Not if it's SP2 or SP3 which has firewall on by default.
--
Mikael Abrahamsson email: swmike at swm.pp.se