IPv6 Firewall on CPEs - Default on or off
Mikael Abrahamsson
swmike at swm.pp.se
Tue Nov 27 12:12:36 CET 2012
On Tue, 27 Nov 2012, Ignatios Souvatzis wrote:
> Well, it demonstrates that IPv6-CPE connected machines are not magically
> bullet-proof. Thanks to the rough firewalling brought by the NATing of
> most network customers, the prevalent attack vectors might be higher
> level nowadays, but the others will reappear when a relevant number or
> machines are directly reachable.
I worry less about remote exploits (they are not that common) but for
services the customers have on their home lan where they have easy or no
passwords for access, and they expect the Internet not to reach these. We
saw this in ~2000, where people had file shares open, and they
connected their computer directly to the LAN ETTH connection and then
someone "stole" their pictures. There were articles in the press about how
easy neighbours could see each others files. So even though I hate it, I
would probably at minimum block certain "low tcp/udp ports" by default.
The ideas floating about having two LANs, one Internet and one "secure",
also has merit.
--
Mikael Abrahamsson email: swmike at swm.pp.se
More information about the ipv6-ops
mailing list