| IPV6 Firewalls? If I manage to get an IPV6 address block I understand that it is large enough to make unlikely anyone could find something to exploit except by luck.
However many websites record the visiting IP address and if they're compromised then my IP would be obtained.
So that raises the issue of where to get an IPV6 firewall for my client machines.
Any suggestions? Or just wait for Windows 8?
Jim |
|
| Comodo Firewall has an option to enable IPv6 filtering. |
|
| reply to mdgolfbum
Appliance-based or Host-based?
SOHO, SMB, or enterprise?
said by mdgolfbum :However many websites record the visiting IP address and if they're compromised then my IP would be obtained.
So that raises the issue of where to get an IPV6 firewall for my client machines.
Not exactly sure what you mean by this. If you're worried about cross-site scripting, driveby
downloads, etc. just remember a firewall does NOT protect against these sort of attacks.
Regards |
|
JoelC707Premium
join:2002-07-09
Stone Mountain, GA
kudos:4 | said by HELLFIRE:said by mdgolfbum :However many websites record the visiting IP address and if they're compromised then my IP would be obtained.
So that raises the issue of where to get an IPV6 firewall for my client machines.
Not exactly sure what you mean by this. If you're worried about cross-site scripting, driveby downloads, etc. just remember a firewall does NOT protect against these sort of attacks. Regards I think what he/she is referring to is the fact that a /64 has more addresses than all of IPv4, the ability to locate a single in use address such as 2001:0db8:85a3:0000:0000:8a2e:0370:7334 is very unlikely in just random pings. It'd take a long time to sniff out an alive host that way. That could give IPv6 some inherent, albeit false sense of security. But yeah I suspect that's not entirely the concern this person has.
To the OP: most available firewalls now a days have some kind of IPv6 support although some of it is still in the works because IPv6 adoption in the end user segment is still relatively new. Are you looking for a software firewall (something akin to the windows firewall since you mentioned waiting for Windows 8) or a hardware firewall that would run in your router? If you tell us what you have now or want to use we can tell you whether it supports IPv6 or what you will need to do to make it work or replace it with. |
|
| reply to mdgolfbum
If I manage to get an IPV6 address block I understand that it is large enough to make unlikely anyone could find something to exploit except by luck.
You statement is not accurate. What you are probably referring to is that *traditional* methods of recon will not work with IPv6. For example, I can't realistically do a ping or nmap scan of a IPv6 subnet as it would take hundreds if not thousands of years.
However, that doesn't mean I can't find your hosts. There are many other methods.
The easiest is to send out a multicast to the all nodes address and see who responds FF02::1. If I don't have multicast connectivity, then I can go after DNS. I can do a brute force on the DNS server handling your subnet your network. There are many other creative ways as well including just looking at your packets if I can trick you into communicating with me. If I was the admin on DSLReports (assuming it was Dual Stacked), I could just look in the server logs to get your IPv6 address.
Bottom line, yes a firewall is still an advisable part of your security setup. NAT however, is not required. |
|
| I think I found what I'm looking for on the client side in Windows 7 Firewall.
I agree that a proper firewall appliance with a nice web interface would be desireable.
Jim |
|
