Classification: UNCLASSIFIED Caveats: NONE If I get a penny for my thoughts, then I put in my two cents...where does that other penny go?
On Tue, Mar 25, 2014 at 3:22 PM, Steve Grubb <[email protected]> wrote: The view taking in hardening systems is if you don't need something, turn it off so that you don't have inadvertent security problems. Paraphrasing the RHEL5 SNAC guide, it says if you need IPv6, here are the hardening steps. If you do not, then turn it off. That is the prudent thing to do in all cases. An additional thought that we've done on past programs is: Maybe not only "turn off" IPv6, but I've gone through the effort of following the STIGs to set all of the security configurations, AND turn it off. Why you ask? Because if IPv6 is "turned on" by malicious or inadvertent activity later, then it is already STIG-compliant, thereby provide some level of security. If one simply turns it off, it still "may" leave the system somewhat vulnerable IMHO. v/r, Randy Beavers, GSLC, CISSP System Security Engineer Multi-Mission Launcher 256-842-5426 office 256-289-6054 cell [email protected] [email protected] -----Original Message----- From: [email protected] [mailto:[email protected]] On Behalf Of Andrew Gilmore Sent: Tuesday, March 25, 2014 4:33 PM To: SCAP Security Guide Subject: Re: IPV6 and security? Thanks for the info! On Tue, Mar 25, 2014 at 3:22 PM, Steve Grubb <[email protected]> wrote: The view taking in hardening systems is if you don't need something, turn it off so that you don't have inadvertent security problems. Paraphrasing the RHEL5 SNAC guide, it says if you need IPv6, here are the hardening steps. If you do not, then turn it off. That is the prudent thing to do in all cases. Definitely, and for the last 12 years, all I've heard is we don't need IPV6, turn it off. Put another way, its not that IPv6 is insecure...its very well tested. Its that if you don't need it or use it and a security bulletin comes along for it, its easy to dismiss because you didn't intend to use it. This was part of my real question, I guess. Much of what I had heard about IPV6 focused on the relative maturity of the stack, compared to IPV4, and suggested that some of the same types of critical vulnerabilities that we saw in the 90s may be lurking in this stack. It's good to hear your confidence in the tech. I'd put this back on the OP. Who said it _is_ insecure? I implied that there were concerns, but that was an uninformed position. This may have been fostered in other benchmarks I've been involved in, but I'd have to go re-read them to make sure I wasn't reading it in. Thanks! Andrew Classification: UNCLASSIFIED Caveats: NONE _______________________________________________ scap-security-guide mailing list [email protected] https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
