IPv6 Firewall on CPEs - Default on or off

Cameron Byrne cb.list6 at gmail.com
Mon Nov 26 19:38:42 CET 2012


On Mon, Nov 26, 2012 at 10:17 AM, Nick Hilliard <nick at foobar.org> wrote:
> On 26/11/2012 17:35, Doug Barton wrote:
>> 1. Customers have the expectation that there will be "protection" at the
>> router, even if they can't articulate what/why.
>> 2. The fact that there is little/no exploitation of inbound v6 by
>> attackers currently does not mean that there will not be any in the
>> future. In fact, the opposite is true. As v6 deployments become more
>> popular, with firewalls default off, that will become a more popular
>> attack vector.
>> 3. If v6 develops the reputation of being a security vulnerability it
>> will be devastating to long-term deployment.
>
> Although I hate "me too" emails, I'm completely with Doug on this one.
>
> As operations people we have a general requirement to make sensible
> recommendations for non-technical people.  What's good for us (not much
> firewalling) is probably not a good idea for granny, her unpatched version
> of Vista and the unmaintained router underneath the telephone table with a
> trash default password.
>
> Nick

So what is the risk assessment for an unpatched version of Vista?

Would an IPv6 stateful inspection firewall prevent risks?  If so, which ones?

My thought is that since XP SP3 (?) firewalls and auto-update are on
by default.

Since Vista, firewall, auto-update, IPv6 and AV are all free and on by
default.  And if you turn off updates or AV, it nags you.

But, please don't say turn on a firewall without giving an explicit
problem the firewall solves for said user.  Please cite CVE IDs in
your threat analysis / risk assessment.

I fear that the culture of "IT" is that we needed a network firewall to
protect broken hosts in 2003, and since then we have been carrying
that lesson with us without revisiting the need.

CB

