IPv6 Firewall on CPEs - Default on or off

[Anfinsen, Ragnar]

On 26.11.12 12:04, "Benedikt Stockebrand" <me at benedikt-stockebrand.de>
wrote:


>Hi Ragnar and list,

Hi. :)

>First of all: I assume that your CPEs are managed by your customers
>themselves, not by you.  If you manage them centrally, the situation
>is slightly different, though the end result is pretty much the same.

We only have central management, because then the CPE setting are
persistent when we swap the unit at the customers, even with other models.

>If all between your customer's system and the Internet is a "personal
>firewall" that is easy to turn off by accident, or during
>troubleshooting, or for gaming, then you *want* that redundancy.

Well, for me, turning the "personal firewall" off by accident will never
happen, but I know for a fact that I am not the average user either. ;)
However, even if you turn off the firewall, the host will not accept
traffic unless the port is open anyway, so then it comes down to how open
the application is.

>And a question rather than a statement: If I configure a Vista++
>system to run in a "trusted network"/"home network" or whatever, will
>it then assume to be protected by a "diode-style" CPE configuration?
>If so, then setting the CPE default to "open both ways" is asking for
>massive trouble.

The firewall in Vista++ is actually quite good. When you select "home
network" it blocks any traffic not coming from your own LAN, both on IPv4
and IPv6. So it also works great without a CPE firewall.

>What about devices that don't come with a "personal firewall"?  I
>know people who use a network printer at home simply because that
>allows to make it accessible to everyone in the household.  The same
>applies to SIP phones and such.

I believe that any equipment supporting IPv6 should be secure enough to be
able to live on a non firewalled IPv6 LAN.


>> However, the arguments against is that the customer is used to
>> having a security layer on IPv4 in the CPE (NAT), and it would be
>> bad to allow IPv6 unprotected into the customers LAN.
>
>That's the major point.  Basically, if you provide some new
>security-sensitive feature to your customers, you should *never* do so
>without making sure that they know and understand about it.  And that
>is easiest done by setting the defaults so they have to consciously
>enable it.

So you are here saying that the customer should enable the firewall
themselves?

>What may be even worse, it'll likely give IPv6 the same kind of bad
>press that Teredo already did, slowing down the global deployment even
>more.

I don't think it is the same thing. As long as one informs the customers
about IPv6 this will not happen.

>And to make things really ugly this even has a legal dimension to it:
>If any of your customers is getting attacked via IPv6 then you might
>actually be held liable for the damages---because you didn't take care
>of the risks of that new technology that "you forced upon them".
>Maybe you should talk to some layers about their opinion---and a few
>random judges, to get an idea of how far you can expect to get a
>reasonable court decision if any of your customers sues you:-(

Luckily we are not in the US, in Norway the customer is responsible for
their own actions, and as long as they have the option of not using the
internet, then it will not hold up in court. :)

>PS: Maybe some time some CPE vendor has both the brains and guts to
>    build gear that has two "internal" interfaces---a "red" one that
>    is open to access from the "outside" and a "green" one that only
>    allows access from the "inside" to the "outside".  But that won't
>    help you right now.

Like DMZ? This I can configure today on the CPE, but I think it would
complicate things even more.

/Ragnar