On another note, using a firewall to stop viruses is probably not going to work
in general (unless the firewall has some additional malware detection engine).
Here is the issue in a nutshell. A firewall primarily controls where people
can connect to and from on a network. The problem with that is that a lot of
malware is received from sites that your users intended to go to. People click
on links without knowing where they go and people go to less than reputable web
sites (or reputable sites that we recently compromised). If you, by default,
allow your users to access the Internet with a browser they are vulnerable to
malware. Even with malware detection capability you are still vulnerable to
signatures and attacks that are not yet able to be detected.
Even if filtering was enabled on your Palo Alto for ipv6 it would not help at
this point because you have no idea what signatures it is using to filter with
and when the last time those were updated I doubt your v4 filtering is of much
use either at this point. URL filtering is largely a big game of whack a mole
that you will lose eventually. Malware filtering is based on one or both of
the following methods.
1. You filter URLs known to be bad players (you are vulnerable until
your protection vendor realizes they are bad players).
2. You filter based on adaptive detection of code that looks
suspicious. This is a bit better but still vulnerable because the bad guys are
always innovating to pass through these devices.
My recommendation would be network malware detection (possibly through a
firewall add-on) as well as good virus/malware detection on the client
computers. Sometimes the malware is easier to detect at the client because it
reveals itself by trying to access unauthorized memory, processes, or storage.
Steven Naslund
Chicago IL
-----Original Message-----
From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Edgar Carver
Sent: Friday, July 01, 2016 9:29 PM
To: nanog@nanog.org
Subject: NAT firewall for IPv6?
Hello NANOG community. I was directed here by our network administrator since
she is on vacation. Luckily, I minored in Computer Science so I have some
familiarity.
We have a small satellite campus of around 170 devices that share one external
IPv4 and IPv6 address via NAT for internet traffic. Internal traffic is over an
MPLS.
We're having problems where viruses are getting through Firefox, and we think
it's because our Palo Alto firewall is set to bypass filtering for IPv6.
Unfortunately, the network admin couldn't give me the password since a local
consultant set it up, and it seems they went out of business. I need to think
outside the box.
Is there some kind of NAT-based IPv6 firewall I can setup on the router that
can help block viruses? I figure that's the right place to start since all the
traffic gets funneled there. We have a Cisco Catalyst as a router. Or, ideally,
is there an easy way to turn off IPv6 completely? I really don't see a need for
it, any legitimate service should have an IPv4 address.
I'd really appreciate your advice. I plan to drive out there tomorrow, where I
can get the exact model numbers and stuff.
Regards,
Dr. Edgar Carver
