Blog index > IPv6 Stateful Firewalls
avatar

Recommendation for IPv6 Stateful Firewalls

September 26, 2011

IPv6 provides an address for each node on the Internet. So NAT has no more use for address depletion.

NAT also provides some basic security. But NAT as any stateful device can also be the target for DoS attacks. And any NAT device within a network provides an easily exploited opportunity for undetected Man In The Middle (MITM) attacks. Only End-to-End security offers protection from exploits related with ARP or ND+MLD where End-to-End security is likely only possible with IPv6. This does not need to be IPsec.

A RFC was written to explain how to get the security benefits provided by NAT without NAT.
This is rfc4864 Local Node Protection

Basically, NAT is not a security feature but it provides some basic security. Why?

One reason is because PAT or NAPT is stateful and people think that it does provide security. NPTv6,  which is not stateful, will not provide this security while on the other hand, NPTv6 provides address independency but still breaks some applications.

Another example of why people think NAT provides security is that without NAT they think that all the Internal Servers will be seen from the Internet! Whereas it is not an obligation.

  • In IPv4 with NAT, when you don’t want that internal server to be visible from the outside, you just don’t configure a static translation with a Public address.
  • In IPv6 without NAT, when you don’t want that internal server to be visible from the outside, you don’t configure a Global Unique Address to this host but instead give it a Unique Local Address (ULA). The ULA are not routed to the outside on the Internet and you get exactly the same behavior.
  • In IPv4 with NAT, when you want an internal server to be reachable from the outside, you must provision a public address for this host and a static NAT translation for this host.
  • In IPv6 without NAT, when you want an internal server to be reachable from the outside, you must provision a Global Unique Address and that’s it! No need for a static translation!

There are no more risks in IPv6 and its Global Unique Address without a NAT Static Translation.

 

Because we need Security for IPv6, we still need to implement IPv6 Firewalls.

If we use a router or hardware device-based stateful firewall, we may block incoming traffic not initiated from the outside and then we lose the end-to-end connectivity.

A solution could be for these firewalls to allow incoming traffic while allowing traffic inspection such as  DPI, IDS, Mail Guard or any feature to inspect the traffic on-the-flight so we may still be able to block any incoming attack before it has a chance to get in the network.

This would be complemented by enabling the IPv6 Firewall feature which is provided in any Windows, MAC OS X or Linux/Unix OS.

Another good document to study when you want to implement an IPv6 Firewall is the NSAFirewall Design Considerations for IPv6

 

But recently, the IETF has provided useful recommendations  for IPv6 Firewall:
rfc6092 “Simple Security in IPv6 Gateway CPE”

Basically this recommendation provides all the best practices, filtering rules to prevent spoofing, or block packets with Martian addresses or a multicast in the source address.

rfc6092 “Simple Security in IPv6 Gateway CPE” also recommends to implement stateful firewalls which do not allow incoming traffic not initiated from the inside with the exception of IPSec traffic. So by default, IPSec incoming would be enabled. This is good enough to allow end-to-end connectivity.

And the rfc6092 does not say that any other traffic but IPSec must be blocked. It is still possible to allow some important applications if needed for peer-to-peer connectivity.

Also, by providing a unique address to each node, IPv6 will restore the end-to-end connectivity while it will be more end-to-end “address-ability” as no one would accept end-to-end connectivity for any traffic at all time between any node!

The rfc6092 does not say that any other traffic but IPSec must be blocked. It is still possible to allow some important applications if needed for peer-to-peer connectivity.

 

 

Now, which router-based or hardware-based Firewalls to use ?
The choice of is getting larger and larger with:

There is a basic CISCO IOS Firewall for IPv6
CISCO IOS has an interesting zone based firewall
.
The CISCO PIX have been replaced by ASA

FORTIGATE from FORTINETalso supports IPv6

Juniper SSG

Checkpoints
ip6tables
on Linux

 

 

Fred BOVY, CCIE #3013
Fast Lane’s Resident IPv6 Expert
fred.bovy@fastlaneus.com

Tags: , ,

Leave a Reply

You must be logged in to post a comment.