That is a good point.  In order for your PCs to be compromised via ipv6, they 
would have to be able to establish ipv6 connectivity to each other or to an 
internet location.  

If your network is not configured to support ipv6 it will probably only be 
possible for your clients to communicate with each other via ipv6 on the local 
LAN, meaning they could only be infecting each other.  For your clients 
to be receiving traffic from the Internet via ipv6 would probably require 
routing and ipv6 configuration support that it sounds like your network does 
not have.  If your firewall is passing v6 traffic, it must understand it enough 
to forward it across interfaces.

At this point it does not much matter whether the transport layer is v4 or v6 
because this problem is higher up the protocol stack.  Setting up your firewall 
to bypass v6 (i.e. just pass it) was a huge tactical error (might be why your 
consultant is out of business :) and a bit hard for me to understand.  If you 
want v6 then you would apply the same policies that you do to v4 traffic and if 
you don't want v6 you would just tell the firewall to drop it.  

I think it is much more probable that you are receiving malware via ipv4 or 
even executable attachments that the out of control firewall is not detecting.

I can tell you that we use the most current versions of Checkpoint firewalls 
with all of the malware bells and whistles (megabucks) and they are still not 
100% effective all of the time.  We stop thousands of hacking and malware 
attempts per hour but it only takes one to become a big pain to deal with.


Steven Naslund 
Chicago IL




-----Original Message-----
From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of 
valdis.kletni...@vt.edu
Sent: Tuesday, July 05, 2016 9:33 AM
To: Edgar Carver
Cc: nanog@nanog.org
Subject: Re: NAT firewall for IPv6?

On Fri, 01 Jul 2016 21:28:54 -0500, Edgar Carver said:

> We're having problems where viruses are getting through Firefox, and 
> we think it's because our Palo Alto firewall is set to bypass 
> filtering for IPv6.

Do you have any actual evidence (device logs, tcpdump, netflow,  etc) that 
support that train of thought?

Remember that your Palo Alto isn't stopping 100% of the icky stuff on the
IPv4 side either - the sad truth is that most commercial security software is 
only able to identify and block between 30% and 70% of the crap that's out in 
the wild. There's also BYOD issues where a laptop comes in and infects all your 
systems from behind the firewall (as Marcus Ranum says: "Crunchy on the 
outside, soft and chewy inside").

In any case, your first two actions should be to recover the password for the 
Palo Alto, and make sure it has updated pattern definitions in effect on both
IPv4 and IPv6 connections.

And your third should be to re-examine your vendor rules of engagement, to 
ensure your deliverables include things like passwords and update support so 
you're not stuck if your vendor goes belly up.
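The policy point made in Steven's reply above (give v6 the same rules as v4, or drop v6 outright, but never just pass it) as an added example that is not from the thread; it is written for Linux nftables rather than the Palo Alto box under discussion, and the interface names and ports are assumed.

```nftables
# Added illustration, not from the thread: Linux nftables, not Palo Alto syntax.
# Use ONE of the two options below, not both.

# Option A: IPv6 is wanted. The "inet" family table matches IPv4 and IPv6
# alike, so every rule written here applies to both and v6 can never
# silently bypass the v4 policy.
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        iif "lo" accept
        # ICMPv6 is mandatory for IPv6 to work at all (neighbor discovery,
        # PMTU discovery), so permit it the way ICMP errors are permitted for v4.
        icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert,
                      nd-router-advert, nd-router-solicit, echo-request,
                      packet-too-big, time-exceeded, parameter-problem,
                      destination-unreachable } accept
        icmp type { echo-request, destination-unreachable,
                    time-exceeded, parameter-problem } accept
        tcp dport { 22, 443 } accept      # assumed services
        counter drop
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        iifname "lan0" oifname "wan0" accept   # assumed interface names
        counter drop
    }
}

# Option B: IPv6 is not wanted on this network. Say so explicitly with a
# default-drop "ip6" family table (and keep counters so the drops show up
# in monitoring) instead of letting v6 pass unfiltered.
table ip6 deny6 {
    chain input {
        type filter hook input priority -10; policy drop;
        counter
    }
    chain forward {
        type filter hook forward priority -10; policy drop;
        counter
    }
}
```

With option B the counters in `nft list table ip6 deny6` also answer the evidence question raised in the quoted reply: they show whether any v6 traffic is actually reaching the firewall.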

