IPv6 Firewall on CPEs - Default on or off

Benedikt Stockebrand me at benedikt-stockebrand.de
Tue Nov 27 17:38:08 CET 2012 

Hi Ragnar and list,

"Anfinsen, Ragnar" <Ragnar.Anfinsen at altibox.no> writes:

> We only have central management, because then the CPE setting are
> persistent when we swap the unit at the customers, even with other models.

ok, that complicates things a bit---you may need extra time to add
some features to your customer self care (or whatever you call it)
interface.

> Well, for me, turning the "personal firewall" off by accident will never
> happen,

How do you troubleshoot a problem if you suspect that personal
firewall to be the problem?  Especially if for once you don't have a
test lab at hand?

> but I know for a fact that I am not the average user either. ;)

Right:-)

> However, even if you turn off the firewall, the host will not accept
> traffic unless the port is open anyway, so then it comes down to how open
> the application is.

And a lot of software developers are happy to provide some code that
appears to be working somehow by the time their sales/marketing people
promised to deliver.

> The firewall in Vista++ is actually quite good. When you select "home
> network" it blocks any traffic not coming from your own LAN, both on IPv4
> and IPv6. So it also works great without a CPE firewall.

Ok, I've never had a reason to look into that myself.

> I believe that any equipment supporting IPv6 should be secure enough to be
> able to live on a non firewalled IPv6 LAN.

Hmm, considering the increased popularity of fixed-purpose network
devices I don't agree on that.  While not related to consumer grade
stuff, let's just say that there are apparently people who have
learned the hard way to request and install security updates for
network printers.

And what about stuff that has been "ported as is" from IPv4 to IPv6?

>>That's the major point.  Basically, if you provide some new
>>security-sensitive feature to your customers, you should *never* do so
>>without making sure that they know and understand about it.  And that
>>is easiest done by setting the defaults so they have to consciously
>>enable it.
>
> So you are here saying that the customer should enable the firewall
> themselves?

Nonono, you've got that the wrong way around.  If you provide people
with IPv6 as a new feature, then they have to address some new
security concerns.  The best approach to do so is to provide default
settings that change as little as possible for them and then let them
change the settings whenever they want.

Some subthreads here have diverted into the different issue of
*forcing* these settings on people, so let me reiterate that I am only
talking about *default* settings here.  Beyond the default setting I'd
consider any IPv6 service that denies me the possibility to make my
machines accessible from outside broken deficient.

>>What may be even worse, it'll likely give IPv6 the same kind of bad
>>press that Teredo already did, slowing down the global deployment even
>>more.
>
> I don't think it is the same thing. As long as one informs the customers
> about IPv6 this will not happen.

Why not inform them that you have maintained the pre-IPv6 behaviour as
default but they can change that whenever they want?

> Luckily we are not in the US, in Norway the customer is responsible for
> their own actions, and as long as they have the option of not using the
> internet, then it will not hold up in court. :)

Well, I'm neither, but I doubt that Norwegian judges are significantly
more IT-savvy than their colleagues all around the world:-)

But to take your reasoning to the (insane) extreme: If you local
supermarket sold handguns, "for our customer's convenience" preloaded
and with the safety catch released, then wouldn't that be considered
irresponsible (legally and otherwise)?

In other words: As professionals we are responsible to provide our
unprofessional customers with default settings that they can actually
cope with.

>>PS: Maybe some time some CPE vendor has both the brains and guts to
>>    build gear that has two "internal" interfaces---a "red" one that
>>    is open to access from the "outside" and a "green" one that only
>>    allows access from the "inside" to the "outside".  But that won't
>>    help you right now.
>
> Like DMZ? This I can configure today on the CPE, but I think it would
> complicate things even more.

Kind of, but in a consumer compatible way.  I'd like a "red socket"
and a "green socket" and a big label "don't put anything into the red
socket without asking daddy for permission first" sort of thing.

You don't really want to force Joe Average User to write packet filter
rules, no matter how fancy the frontend.


Cheers,

    Benedikt

-- 
			 Business Grade IPv6
		    Consulting, Training, Projects

Benedikt Stockebrand, Dipl.-Inform.   http://www.benedikt-stockebrand.de/

More information about the ipv6-ops mailing list