
Saturday, 24 September 2011

Recommendation for IPv6 Stateful Firewalls

IPv6 provides a globally unique address for every node on the Internet, so NAT is no longer needed as a workaround for address depletion.
NAT also provides some basic security. But NAT, like any stateful device, can be the target of DoS attacks, and any NAT device inside a network is an easily exploited opportunity for undetected Man-in-the-Middle (MITM) attacks. Only end-to-end security protects against exploits based on ARP or ND+MLD, and end-to-end security is realistically only possible with IPv6. It does not need to be IPsec.
An RFC was written to explain how to obtain the security benefits attributed to NAT without NAT:
RFC 4864, "Local Network Protection for IPv6".

Basically, NAT is not a security feature, but it provides some basic security. Why?
One reason is that PAT or NAPT is stateful: people believe it provides security because of the state it keeps (an unsolicited inbound packet matches no translation entry and is simply dropped). NPTv6, which is stateless, does not provide this protection; on the other hand, NPTv6 gives address independence, but it still breaks some applications.

Another reason people think NAT provides security is that, without NAT, they assume all internal servers will be visible from the Internet. That is not an obligation:
  • In IPv4 with NAT, when you do not want an internal server to be visible from the outside, you simply do not configure a static translation to a public address.
  • In IPv6 without NAT, when you do not want an internal server to be visible from the outside, you do not assign it a Global Unicast Address (GUA) but only a Unique Local Address (ULA, fc00::/7). ULAs are not routed on the Internet (as long as your border router does not forward or advertise the ULA prefix), so you get exactly the same behavior.
  • In IPv4 with NAT, when you want an internal server to be reachable from the outside, you must provision a public address and a static NAT translation for this host.
  • In IPv6 without NAT, when you want an internal server to be reachable from the outside, you must provision a Global Unicast Address, and that's it! No static translation is needed.
There is no more risk in IPv6 with a Global Unicast Address and no static translation than in IPv4 with NAT and a static translation.

Because we still need security for IPv6, we still need to implement IPv6 firewalls.
If we use a router or a hardware appliance as a stateful firewall, it will by default block inbound traffic that was not initiated from the inside, and we lose end-to-end connectivity again.

A solution would be for these firewalls to allow inbound traffic while inspecting it on the fly with DPI, IDS, a mail guard or any other inspection feature, so that an incoming attack can still be blocked before it has a chance to get into the network.

This should be complemented by enabling the host IPv6 firewall that is provided in every Windows, Mac OS X or Linux/Unix OS (ip6tables on Linux, for instance), so that a host is still protected when the perimeter lets traffic through.

Another good document to study when implementing an IPv6 firewall is the NSA's "Firewall Design Considerations for IPv6".


More recently, the IETF has published useful recommendations for IPv6 firewalls in customer premises equipment:
RFC 6092, "Recommended Simple Security Capabilities in Customer Premises Equipment (CPE) for Providing Residential IPv6 Internet Service" (often referred to by its draft title, "Simple Security in IPv6 Gateway CPE").


Basically, this recommendation collects the best-practice filtering rules: drop spoofed packets (a packet arriving from the outside with an inside source address, or vice versa), packets with martian addresses (unspecified, loopback, IPv4-mapped, link-local and other reserved prefixes) and packets with a multicast source address.

Actually, it is already in the IPv6 addressing architecture (RFC 4291) that multicast addresses must not be used as source addresses, so a router must drop such packets. I tested this and it was working as expected: with or without CEFv6 enabled, a Cisco router running IOS was silently dropping such packets.
RFC 6092 also recommends implementing a stateful firewall that, by default, does not allow inbound traffic not initiated from the inside, with the exception of IPsec traffic: AH, ESP and IKE (UDP port 500) are passed inbound by default. This is good enough to allow end-to-end connectivity for IPsec-protected applications.

And RFC 6092 does not say that all traffic other than IPsec must be blocked. It is still possible to open some important applications if needed for peer-to-peer connectivity, and the RFC also requires an easily selected "transparent mode" in which the gateway forwards all unsolicited flows in both directions.
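The filtering decisions described above, as an added example that is not part of the original post or of RFC 6092 itself: a toy Python gateway that first applies the stateless address rules (multicast source, unspecified/loopback/IPv4-mapped/link-local martians, ULA at the border, BCP 38 style anti-spoofing between the interior and exterior interfaces) and then a flow table, so that the only inbound packets forwarded are replies to flows the interior started and IPsec (AH, ESP, IKE on UDP 500). The interior prefix, the 2001:db8::/32 addresses and the packet dicts are constructed for illustration; a real gateway would also need flow timeouts, the ICMPv6 rules of RFC 4890 and per-application pinholes.

```python
"""Toy IPv6 'simple security' gateway in the spirit of RFC 6092 (added example)."""
import ipaddress

ULA = ipaddress.IPv6Network("fc00::/7")
# Address ranges that must never be forwarded across the exterior link.
MARTIANS = [
    ipaddress.IPv6Network("::/128"),         # unspecified
    ipaddress.IPv6Network("::1/128"),        # loopback
    ipaddress.IPv6Network("::ffff:0:0/96"),  # IPv4-mapped
    ipaddress.IPv6Network("fe80::/10"),      # link-local, never routed
]
PROTO_TCP, PROTO_UDP, PROTO_ESP, PROTO_AH = 6, 17, 50, 51
IKE_PORT = 500


def address_check(src, dst):
    """Stateless rules on the addresses alone. Returns a drop reason or None."""
    s, d = ipaddress.IPv6Address(src), ipaddress.IPv6Address(dst)
    if s.is_multicast:
        return "multicast source"            # forbidden by RFC 4291 section 2.7
    for net in MARTIANS:
        if s in net or d in net:
            return "martian %s" % net
    if s in ULA or d in ULA:
        return "ULA must not cross the exterior link"  # RFC 6092 REC-3
    return None


class SimpleSecurityGateway:
    """pkt = {'iface': 'lan'|'wan', 'src', 'dst', 'proto', optional 'sport'/'dport'}."""

    def __init__(self, interior_prefix):
        self.interior = ipaddress.IPv6Network(interior_prefix)
        self.flows = set()   # (proto, interior addr, interior port, exterior addr, exterior port)

    def _key(self, pkt, inbound):
        src = str(ipaddress.IPv6Address(pkt["src"]))   # normalise textual form
        dst = str(ipaddress.IPv6Address(pkt["dst"]))
        if inbound:   # interior side is the destination of an inbound packet
            return (pkt["proto"], dst, pkt.get("dport"), src, pkt.get("sport"))
        return (pkt["proto"], src, pkt.get("sport"), dst, pkt.get("dport"))

    @staticmethod
    def _is_ipsec(pkt):
        if pkt["proto"] in (PROTO_AH, PROTO_ESP):
            return True
        return pkt["proto"] == PROTO_UDP and pkt.get("dport") == IKE_PORT

    def handle(self, pkt):
        """Return 'forward' or 'drop: <reason>' for one packet."""
        reason = address_check(pkt["src"], pkt["dst"])
        if reason:
            return "drop: " + reason
        src_in = ipaddress.IPv6Address(pkt["src"]) in self.interior
        dst_in = ipaddress.IPv6Address(pkt["dst"]) in self.interior
        if pkt["iface"] == "lan":
            if not src_in:                   # BCP 38: only our prefix may leave
                return "drop: spoofed source on interior link"
            self.flows.add(self._key(pkt, inbound=False))   # remember the flow
            return "forward"
        # exterior interface
        if src_in:
            return "drop: interior source arriving from exterior"
        if not dst_in:
            return "drop: destination not in interior prefix"
        if self._key(pkt, inbound=True) in self.flows:
            return "forward"                 # reply to an interior-initiated flow
        if self._is_ipsec(pkt):
            return "forward"                 # RFC 6092 REC-33..35: AH/ESP/IKE pass by default
        return "drop: unsolicited inbound"


def demo():
    """Run a constructed packet sequence through the gateway; returns the verdicts."""
    gw = SimpleSecurityGateway("2001:db8:1::/64")
    inside, outside = "2001:db8:1::10", "2001:db8:ffff::1"
    pkts = [
        dict(iface="lan", src=inside, dst=outside, proto=PROTO_TCP, sport=40000, dport=80),
        dict(iface="wan", src=outside, dst=inside, proto=PROTO_TCP, sport=80, dport=40000),
        dict(iface="wan", src="2001:db8:ffff::2", dst=inside, proto=PROTO_TCP, sport=1234, dport=22),
        dict(iface="wan", src="2001:db8:ffff::2", dst=inside, proto=PROTO_ESP),
        dict(iface="wan", src="ff02::1", dst=inside, proto=PROTO_UDP, sport=1, dport=1),
        dict(iface="wan", src=outside, dst="fd00::1", proto=PROTO_TCP, sport=1, dport=1),
        dict(iface="wan", src="2001:db8:1::5", dst=inside, proto=PROTO_TCP, sport=1, dport=1),
    ]
    return [gw.handle(p) for p in pkts]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

The flow key is built so that an outbound packet and its reply map to the same tuple, which is all the "state" a simple security gateway needs to admit replies while refusing unsolicited connections; the IPsec branch is what keeps end-to-end connectivity available for applications that protect themselves.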

Also, by providing a unique address to each node, IPv6 was supposed to restore end-to-end connectivity. In practice, it will be more end-to-end "addressability" than connectivity, as nobody would accept end-to-end connectivity for any traffic, at all times, between any two nodes!

Now, which router-based or hardware-based firewalls to use?
The choice is getting larger and larger:
  • the basic Cisco IOS Firewall for IPv6
  • the Cisco IOS zone-based firewall, which is interesting
  • the Cisco ASA, which has replaced the PIX
  • FortiGate from Fortinet, which also supports IPv6
  • Juniper SSG
  • Check Point
  • ip6tables on Linux

I will post more information about the Cisco IOS zone-based firewall soon.



Fred BOVY
CCIE #3013
Skype:fredericbovy
fred@fredbovy.com
