Default security functions on an IPv6 CPE
swmike at swm.pp.se
Fri May 6 09:41:08 CEST 2011
On Thu, 5 May 2011, Doug Barton wrote:
> A) It depends on who you ask. The millions of infected hosts comprising the
> bot armies in the current DDOS wars would seem to argue against your point.
Today, people get infected by browsing or downloading and components in
their operating system environment have security vulnerabilities. "Drive
by infections" are a lot more common compared to remote exploits by means
of exploiting services on their end-systems.
Hackers hack web servers and install java and adobe reader exploits, and
since most end systems are not regularilty up-to-date with these 3rd party
applications, they get p0wned. I have talked to people claiming 20%
infection rate with just Java and Adobe Reader exploits, and hacking blogs
etc to inject links to exploit code is relatively easy, infecting
"regular" people who are surfing "the Internet" is not that hard.
Then we of course have the clasical email attachment vector that people
tend to click on... All of these are not stopped by having a firewall, and
having a firewall default-on causes a lot of other problems without
I work for an SP where we give all devices (mobile and fixed) GUA IPv4
addresses with no filtering (many millions of customers) and we've been
doing this "forever". We provide "Internet Connectivity", and we try not
to filter. We've had to filter TCP/25 and the "windows ports" on some
access types though due to pressure from the outside and customers, but
that's more like "BCP filtering" than actually providing a firewall.
> I'm not familiar with the data points you're providing, however these
> anecdotes don't advance the discussion. In your mind what problems are
> created by enabling the firewall by default?
In my mind, things like video conferencing and other endsystem to
endsystem activity is hampered by a firewall that is default-on.
> Windows XP supports IPv6 (albeit it is not on by default), and it
> certainly was not designed with security in mind. If you put an
> unpatched version of XP on the live, open network it'll be pwned before
> you have a chance to download the first service pack.
Not if it's SP2 or SP3 which has firewall on by default.
Mikael Abrahamsson email: swmike at swm.pp.se
More information about the ipv6-ops