--On Sunday, December 16, 2001 09:31:44 PM +0000 Janos Mohacsi
<[EMAIL PROTECTED]> wrote:

>> This is at the moment imho a big link-local security hole if IPv6
>> is automagically enabled but not configured, because it's easy to
>> detect the MAC address of a firewall's interface and calculate the
>> EUI-64 identifier. Afterwards a bad guy starts a radvd on the link
>> and possibly (if not switched off on the FW), the FW's interface learns
>> the prefix.
>> The bad guy can now run an IPv6 portscan on the FW's interface.

> The internal interface cannot be
> problematic, since this is your trusted network.

Hmm, you only have a trusted Layer 2 network if your firewall isn't
directly connected via Layer 2 to clients. I'm sure that many of these
cheaper design versions exist, where no router between FW and clients
is in place.

In general:
Too much bad code reaches the internal network via Layer 7 protocols
and isn't caught in real time (e.g. e-mail worms). Therefore you
have to protect your FW against inside attacks as well.
It's in the same class as ARP spoofing and MAC address flooding of
Layer 2 switches (which revert to "fail-safe" hub mode
afterwards). Happy sniffing afterwards...

        Peter
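An added example to make the exposure discussed in this thread concrete from the defender's side; it is not code from the thread's participants. It parses the Prefix Information options of an ICMPv6 Router Advertisement, flags any RA whose source is not on an allowlist of known routers, and, for each autonomous /64 the rogue RA carries, reports the address a firewall interface with a given MAC would self-configure via EUI-64 (RFC 4291), i.e. the address an administrator should expect to see appear and should verify is filtered. The router addresses, the MAC 00:11:22:33:44:55, the prefix 2001:db8:1::/64 and the RA bytes themselves are all constructed sample values.

```python
import ipaddress
import struct

# ICMPv6 message and option type codes (RFC 4861); the RA fixed header is 16 bytes
ICMPV6_ROUTER_ADVERTISEMENT = 134
OPT_PREFIX_INFORMATION = 3
RA_HEADER_LEN = 16


def parse_prefix_options(icmpv6_payload: bytes):
    """Return [(IPv6Network, autonomous_flag)] for every Prefix Information
    option in a Router Advertisement (ICMPv6 header + options, no IPv6 header)."""
    if len(icmpv6_payload) < RA_HEADER_LEN or icmpv6_payload[0] != ICMPV6_ROUTER_ADVERTISEMENT:
        raise ValueError("not a Router Advertisement")
    prefixes = []
    off = RA_HEADER_LEN
    while off + 2 <= len(icmpv6_payload):
        opt_type, opt_len = icmpv6_payload[off], icmpv6_payload[off + 1]
        if opt_len == 0:
            raise ValueError("malformed option with zero length")
        end = off + opt_len * 8  # option length is in units of 8 octets
        if end > len(icmpv6_payload):
            raise ValueError("truncated option")
        if opt_type == OPT_PREFIX_INFORMATION and opt_len == 4:
            prefix_len = icmpv6_payload[off + 2]
            autonomous = bool(icmpv6_payload[off + 3] & 0x40)  # A flag: usable for SLAAC
            prefix_bytes = icmpv6_payload[off + 16:off + 32]
            prefixes.append((ipaddress.IPv6Network((prefix_bytes, prefix_len), strict=False), autonomous))
        off = end
    return prefixes


def eui64_interface_id(mac: str) -> bytes:
    """Modified EUI-64 interface identifier derived from a 48-bit MAC (RFC 4291, Appendix A)."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    # flip the universal/local bit of the first octet and insert ff:fe in the middle
    return bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:6]


def slaac_address(prefix, mac: str) -> ipaddress.IPv6Address:
    """Address an interface with this MAC would self-configure for a /64 prefix."""
    net = ipaddress.IPv6Network(str(prefix), strict=False)
    if net.prefixlen != 64:
        raise ValueError("SLAAC with EUI-64 requires a /64 prefix")
    return ipaddress.IPv6Address(net.network_address.packed[:8] + eui64_interface_id(mac))


def audit_ra(src_link_local: str, icmpv6_payload: bytes, trusted_routers, fw_mac: str):
    """Report an RA whose source is not a known router. For each autonomous /64 it
    carries, include the address the firewall interface would silently acquire."""
    if src_link_local in trusted_routers:
        return []
    findings = []
    for net, autonomous in parse_prefix_options(icmpv6_payload):
        finding = {"rogue_router": src_link_local, "prefix": str(net), "autoconf": autonomous}
        if autonomous and net.prefixlen == 64:
            finding["fw_address"] = str(slaac_address(net, fw_mac))
        findings.append(finding)
    if not findings:
        # an RA without prefixes still installs a default route on accepting hosts
        findings.append({"rogue_router": src_link_local, "prefix": None, "autoconf": False})
    return findings


def build_sample_ra(prefix: str, autonomous: bool = True) -> bytes:
    """Constructed sample RA with one Prefix Information option (checksum left zero)."""
    header = struct.pack("!BBHBBHII", ICMPV6_ROUTER_ADVERTISEMENT, 0, 0, 64, 0, 1800, 0, 0)
    net = ipaddress.IPv6Network(prefix)
    flags = 0xC0 if autonomous else 0x80  # L (on-link) always set, A (autonomous) optional
    option = struct.pack("!BBBBIII", OPT_PREFIX_INFORMATION, 4, net.prefixlen, flags,
                         2592000, 604800, 0) + net.network_address.packed
    return header + option


if __name__ == "__main__":
    # Constructed scenario: an RA from fe80::bad appears on the firewall's inside
    # segment, where fe80::1 is the only legitimate router and the FW's inside MAC is known.
    rogue = build_sample_ra("2001:db8:1::/64")
    for finding in audit_ra("fe80::bad", rogue, {"fe80::1"}, "00:11:22:33:44:55"):
        print(finding)
    print(audit_ra("fe80::1", rogue, {"fe80::1"}, "00:11:22:33:44:55"))  # trusted source -> []
```

The parser expects the ICMPv6 message as captured off the wire (feed it the bytes after the IPv6 header); the link-local source comes from that IPv6 header. The output tells the administrator which global address the firewall would form if it accepted the advertisement, which is the address to look for in `ifconfig`/`ip addr` output and in the rule set. The mitigation the thread alludes to ("if not switched off on FW") is to make the firewall ignore RAs entirely on every interface; on Linux that is `net.ipv6.conf.<if>.accept_ra = 0` and `autoconf = 0`, and equivalent knobs exist on the BSDs.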

---------------------------------------------------------------------
The IPv6 Users Mailing List
Unsubscribe by sending "unsubscribe users" to [EMAIL PROTECTED]
