[6bone] Security over IPv6 networks
Hank Nussbacher
hank@att.net.il
Thu, 13 Mar 2003 14:00:03 +0200
At 12:50 PM 12-03-03 -0500, Chuck Yerkes wrote:
>NAT is not security. Recent exploits have further hammered
>this home, but it's never been about security. It's been about
>dealing with 8 IP addresses and 200 machines.
>
>Can it help security some? Sure. I made my friend with Windows
>and DSL get a NAT box. Badly written client applications can easily
>be tricked into downloading bad code eliciting buffer overflow
>or, for the really bad programs like Outlook and IE, running code
>from strangers. All through NAT.
>
>Is NAT a firewall? Only for the naive.
Checkpoint will soon be releasing their "Calgary" release (FP4) - Early
Availability 2 should be ready next week.
From their beta documentation of FP4:
IPv6
22) In Calgary, FireWall-1 supports IPv6 out of the box.
Supported platforms
• Solaris 8/9
• Nokia IPSO 3.7
Supported features
• Dual stack – both IPv6 and IPv4 on the same interface.
• IPv6 access control with accept/drop/reject/log actions.
• Simple TCP and UDP services, and ICMPv6.
• IPv6 FTP service (active and passive).
• IPv6 Host and Network objects.
• Using IPv6 & IPv4 objects in the same rule base.
• IPv6 logging and IPv6 filters.
• Implied rules for enabling traffic needed for IPv6 discovery IPv6 fragments.
• Using IPv6 requires a special license which is not included in the trial
period and EVAL licenses.
-Hank