[6bone] Security over IPv6 networks
Chuck Yerkes
chuck+6bone@snew.com
Wed, 12 Mar 2003 12:50:48 -0500
NAT is not security. Recent exploits have further hammered
this home, but it's never been about security. It's been about
dealing with 8 IP addresses and 200 machines.
Can it help security some? Sure. I made by friend with Windows
and DSL get a NAT box. Badly written client applications can easily
be tricked into downloading bad code eliciting buffer over flow
or, for the really bad programs like Outlook and IE, running code
from strangers. All through NAT.
Is NAT a firewall? Only for the naive.
Cheswick and Bellovin have a second edition of their lovely book
on firewalls and internet security - the first book on the topic
(but certainly not the first paper or article). IPv6 offers more
options, not fewer.
I've run, since the 80's, networks with routable addresses on them.
They all go through 1 (or more) choke points. We built firewalls
in the early 90s. These were boxes that ran proxies (small, well
studied programs that did the actual connection to the net and
protected poorly written programs). We routed through screend
and later IPFilter (pf, ipfw and ipchains are similar tools)
certain protocols in.
> Then is it really possible to protect IPv6 networks (with global
> unicast addresses) as safe as Ipv4 networks using NAT ?
It is as possible to protect IPv6 networks as it is to protect
IPv4 networks. Bastion firewalls and network security principles
don't change with IPv6.
IP version agnostic, IPSec actually may REDUCE security in some
cases, just like ssh tunnelling can be the firewall admins nightmare.
An IPSec connection from a poorly patched machine to a "bad" machine
(or a machine that relays dangerous information) means that the
firewall that might be in between cannot "see" the bad data being
sent in. Scanning programs see an encrypted stream, not an attack
that they may be able to halt.
Quoting BEGIN, Thomas (tbegin@tf1.fr):
> Security... that's a core problem for a lot of engineers !
>
> With IPv4, a lot of enterprises networks were set up with private addresses (e
g 10.x.x.x ). That implies that computers inside the network are unreachable fro
m outside (eg Internet).
>
> Since IPv6 offers a large scale of addresses, I've heard that companies could
address their machines with global unicast addresses (public addresses) and also
benefit fully from IPsec and peer to peer applications.
> That's nice and it is said that it should improve security (IPsec totally used
from sender to receiver).
> But in the other hand, isn't it dangerous to address machines with global unic
ast address and thus make them reachable directly from anywhere and by anybody..
. Besides NAT is often acknowledged as a good shield to secure networks.
>
> Then is it really possible to protect IPv6 networks (with global unicast addre
sses) as safe as Ipv4 networks using NAT ?
>
> I realize this is a big topic and may be there is no easy response but getting
a high performance security is a fundamental factor for the deployement of IPv6
.
>
> But if you have any idea (know enterprises that use public addresses for their
network) please let me know ...
>
> PS: using site local addresses inside IPv6 networks doesn't solve the problem
... ;-))