nanog mailing list archives

Re: Requirements for IPv6 Firewalls


From: Eugeniu Patrascu <eugen () imacandi net>
Date: Thu, 17 Apr 2014 21:32:02 +0300

On Thu, Apr 17, 2014 at 9:05 PM, William Herrin <bill () herrin us> wrote:


Here's the drill: From an enterprise security perspective, deploying
IPv6 is high risk. I have to re-implement every rule I set on my IPv4
addresses all over again with my IPv6 addresses and hope I don't screw
it up in a way that lets an adversary wander right in. That risk is
compounded exponentially if the _initial_ deployment can't follow an
identical security posture to the IPv4 system. Without availability of
the kind of NAT present in the IPv4 deployment, I have a problem whose
solution is: sorry network team, return when the technology is mature.


It's a bigger risk to think that NAT somehow magically protects you against
stuff on the Internet.
Also, if your problem is that someone can screw up firewall rules, then
you have a bigger issue in your organization than IPv6.

There's a fair argument to be made which says that kind of NAT is
unhealthy. If its proponents are correct, they'll win that argument
later on with NAT-incompatible technology that enterprises want. After
all, enterprise security folk didn't want the Internet in the
corporate network at all, but having a web browser on every desk is
just too darn useful. Where they won't win that argument is in the
stretch of maximum risk for the enterprise security folk.


Any technology has associated risks, it's a matter of how you
reduce/mitigate them.
This paranoia thingie about IPv6 is getting a bit old.
Just because you don't (seem to) understand how it works, it doesn't mean
no one else should use it.

Eugeniu
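The disagreement above comes down to two things: whether a stateful filter with no NAT gives the same inbound posture as an IPv4 NAT box, and whether maintaining a second, parallel rule set for IPv6 is where the mistakes creep in. As an added illustration that is not part of either poster's message, the ruleset below uses the nftables "inet" family so that one stateful default-deny policy covers IPv4 and IPv6 together, leaving no second rule set to get out of sync. Interface names, prefixes and the commented-out published-service address are assumptions. The one caveat that genuinely differs from the IPv4 side is that ICMPv6 neighbour discovery and packet-too-big must be allowed through, or IPv6 stops working altogether; an operator who copies an IPv4 "drop all ICMP" habit into IPv6 will break the network rather than secure it.

```nft
#!/usr/sbin/nft -f
# Added example, not code from the NANOG thread. One stateful,
# default-deny policy applied to IPv4 and IPv6 from a single ruleset
# via the nftables "inet" family. Interface names and prefixes below
# are assumptions.
flush ruleset

define wan = eth0
define lan = eth1
# Assumed internal prefixes (documentation ranges).
define lan_v4 = 192.0.2.0/24
define lan_v6 = 2001:db8:1::/64

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;

        ct state established,related accept
        ct state invalid drop
        iif lo accept

        # IPv6 does not function without these: neighbour discovery,
        # router advertisements and path MTU discovery all ride on ICMPv6.
        icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert,
                      nd-router-solicit, nd-router-advert,
                      packet-too-big, time-exceeded, parameter-problem,
                      destination-unreachable, echo-request } accept
        # The IPv4 equivalents for PMTUD and diagnostics.
        icmp type { destination-unreachable, time-exceeded, echo-request } accept

        # Management from the LAN only; one rule covers both families.
        iifname $lan tcp dport 22 accept
    }

    chain forward {
        type filter hook forward priority 0; policy drop;

        ct state established,related accept
        ct state invalid drop

        # LAN -> Internet, both families, restricted to our own prefixes
        # so a misconfigured host cannot source-spoof outward.
        iifname $lan oifname $wan ip saddr $lan_v4 accept
        iifname $lan oifname $wan ip6 saddr $lan_v6 accept

        # Inbound ICMPv6 that must reach LAN hosts for PMTUD to work;
        # this is what an IPv4 NAT box lets through implicitly.
        oifname $lan icmpv6 type { packet-too-big, time-exceeded,
                                   destination-unreachable,
                                   parameter-problem } accept

        # Inbound from the Internet: nothing unsolicited. NAT is not needed
        # for that; "policy drop" plus conntrack does the work. A published
        # service gets an explicit rule, e.g. (assumed host address):
        # iifname $wan oifname $lan ip6 daddr 2001:db8:1::443 tcp dport 443 accept
    }
}
```

Load it with `nft -f` on the router. The point relative to the thread: the inbound default is "drop unless conntrack has seen us initiate it", which is exactly the property people credit NAT with, and it is expressed once rather than once per address family. The ICMPv6 lines are the part that has no IPv4 precedent and is the most common thing to get wrong when porting an IPv4 ruleset.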

