Forgot your password?
typodupeerror
Networking Security Technology

Obsession With Firewalls Could Hinder IPv6 278

Posted by Zonk
from the keep-the-chains-off dept.
DosIgriegas writes "The obsession with firewalls in IPv6 may result in some of the quirks of IPv4 reappearing. Ars Technica has an article looking at the topic in depth, exploring the technical challenges of securing the new protocol, and looking a the re-emergence of old problems in new guises. 'Ironically, what's required to make IPv6 work through a stateful firewall is almost identical to what's required to make IPv4 work though NAT. This means the IETF's efforts to keep IPv6 NAT-free in order to make protocols do their job without messy workarounds are defeated by the notion that everything should be firewalled.' If we decide to stick with firewalls in IPv6, we'll see many of the same hard-to-diagnose network problems that we have with IPv4."
This discussion has been archived. No new comments can be posted.

Obsession With Firewalls Could Hinder IPv6

Comments Filter:
  • by eldavojohn (898314) * <eldavojohn@gmFREEBSDail.com minus bsd> on Tuesday May 08, 2007 @11:27AM (#19037451) Journal
    Request:

    Obsession With Firewalls Could Hinder IPv6
    *incoming request on port 9045, port reserved for new ideas*

    Response: 'Obsession'?! I don't know what you're talking about.

    *request identified as critical of host*
    *request forwarded to port 6666*
    *incoming request on port 6666, port reserved for criticism*


    Response: Maybe I'm not the problem, maybe IPv6 is the problem? Shouldn't a solution to a problematic situation meet the needs of said situation, not the other way around?

    *incoming request passed through network firewall, computer hardware firewall and finally rejected by software firewall, request complete*
    --
    Come on, this is like intercourse, sometimes girls/requests just require double or even triple bagging, the last thing you want is a virus. Some girls are regular port scanners ifyaknowwhatImean ...
    • Re:Transmission (Score:5, Insightful)

      by Sancho (17056) on Tuesday May 08, 2007 @12:09PM (#19038075) Homepage
      The problem was that NAT makes connections somewhat hard to deal with. IPV6 was designed to solve that problem. The problen now is that we realize that computers are vulnerable and need protection. IPV6 was not designed to solve that problem, and furthermore, it's not a problem which is likely to be overcome using technology or a new protocol.
  • by gstoddart (321705) on Tuesday May 08, 2007 @11:28AM (#19037477) Homepage
    Not to overuse the whole 'defective by design' thing, but:

    'This means the IETF's efforts to keep IPv6 NAT-free in order to make protocols do their job without messy workarounds are defeated by the notion that everything should be firewalled.' If we decide to stick with firewalls in IPv6, we'll see many of the same hard-to-diagnose network problems that we have with IPv4.

    So, they're saying the way to get security in IPv6 is to throw away the whole concept of firewalls and hope that the protocol won't leave us with out collective bums hanging out in the wind??

    I can't see a widespread adoption of a protocol that wants to get rid of firewalls. Now, I guess it's entirely possible that the IPv6 would secure networks since I'm not really up to speed on it's details. But I'm going to need an awful lot of convincing before I put any machines onto a network without something physically between me and it.

    Unless IPv6 is very different, the only way I'm going to be able to set up my own personal network (and secure it) is with NAT. I'll take 'hard to diagnose' over pwn3d any day.

    This just sounds so wrong.

    Cheers
    • by Detritus (11846) on Tuesday May 08, 2007 @11:32AM (#19037533) Homepage
      You can still have firewalls, it's just that some firewall "features" have unintended consequences.

      The old-style stateless firewall will work just fine.

      • by drinkypoo (153816) <martin.espinoza@gmail.com> on Tuesday May 08, 2007 @11:46AM (#19037723) Homepage Journal

        The old-style stateless firewall will work just fine.

        Actually, the article is saying that many protocols require connections to odd ports, and connections from random hosts (think bittorrent) so firewalling must be application-controlled.

        It's similar to NAT in that both NAT and firewalling (of IPv4 or IPv6) require that you make and break rules on the firewall to allow traffic to get where it needs to go.

        Of course, you could just firewall all privileged ports... But then you'd still be leaving things open for inward connections to trojans with a daemon.

        • Re: (Score:3, Interesting)

          by gstoddart (321705)

          Actually, the article is saying that many protocols require connections to odd ports, and connections from random hosts (think bittorrent) so firewalling must be application-controlled.

          But, who is going to trust an application to determine network policy? The first malicious application to come along will bork the whole system, won't it? I mean, 'random' hosts is the perfect invitation for badness.

          Maybe I'm just (once again) demonstrating my ignorance of such things, but this sounds like it will introduce

          • by drinkypoo (153816) <martin.espinoza@gmail.com> on Tuesday May 08, 2007 @11:57AM (#19037883) Homepage Journal

            But, who is going to trust an application to determine network policy? The first malicious application to come along will bork the whole system, won't it? I mean, 'random' hosts is the perfect invitation for badness.

            It's worth mentioning that there is little or no reason for most people to run these programs at work, with certain notable exceptions like FTP (Which should just be allowed to fucking die already) and Bittorrent (which can be configured to use a single port.)

            Maybe I'm just (once again) demonstrating my ignorance of such things, but this sounds like it will introduce more problems than it fixes.

            It's not introducing a problem! This problem exists today with IPv4 whether you are using NAT or just firewalling!

            What they're saying is that IPv6 is not going to fix a problem with the logistics of firewalling that is already with us today.

            • Re: (Score:2, Insightful)

              by Anonymous Coward
              with certain notable exceptions like FTP (Which should just be allowed to fucking die already)

              What would you suggest replacing FTP with? I do agree that the whole control/data port thing is just fucking weird, but passive FTP at least makes it sane again.

              Somehow I get the feeling you're going to say "WebDAV".
              • How about sftp? Works great for me. ;)
              • by drinkypoo (153816)

                What would you suggest replacing FTP with? I do agree that the whole control/data port thing is just fucking weird, but passive FTP at least makes it sane again.

                the problem with passive FTP is that many many FTP servers do not support it.

                Like the sibling, I would probably vote for sftp; encrypted, tunneled...

                I've never gotten WebDav to work :P

            • Re: (Score:3, Interesting)

              by gclef (96311)
              Right...so, a VoIP phone (running SIP or H323, which do this sort of dynamic port-allocation) is not something useful for work?
              • by arodland (127775)
                Not half as useful as one using IAX would be, because it doesn't pull all of the stupid useless shenanigans that SIP does, and is therefore firewall-friendly. :)
              • by drinkypoo (153816)

                Right...so, a VoIP phone (running SIP or H323, which do this sort of dynamic port-allocation) is not something useful for work?

                It's useful, but ideally it would be used only on the local network, or through some sort of gateway.

                It's worth mentioning that it's not necessary for it to do dynamic port allocation, the whole idea is silly, and it should never have been handled in that fashion.

          • by Niten (201835)

            No, he isn't saying that we should allow applications to control our firewall settings (as is already done by default in many consumer NAT routers, incidentally, with UPnP). What he's saying is that modern firewalls, as a result of the complexities introduced by NAT and other technologies, need to think on the application level (OSI layer 7) rather than network and transport levels (OSI layers 3 and 4).

            This is already achievable using, e.g., Linux's L7-filter module in iptables (and is part of the reason

    • Re: (Score:2, Interesting)

      by Tuoqui (1091447)
      I do not believe they are saying that we should have NO FIREWALLS at all. I think the idea is to have more permissive firewalls since with that many IP addresses available in IPv6 the odds someone will be RANDOMLY scanning and hitting something for someone is so remote that it is almost a guarantee that they're specifically looking for you.

      The current scanning networks and such works because of one thing, you can almost count on hitting some IP addresses at any given block on the IPv4 network. Also because
      • by Moraelin (679338) on Tuesday May 08, 2007 @12:56PM (#19038715) Journal
        Sorry to rain on that parrade, but the (variants of) "IPv6 is secure because it's a 64 bit space and noone will ever guess your address" sound... surrealistic. It's security by obscurity of the worst kind. The kind that can't possibly work.

        We live in an age where far larger combinations of bits -- e.g., email addresses or name/password combinations -- are sniffed, phished, compiled into lists and sold, etc. What on Earth makes people think that a fixed IPv6 address would be more secure? No, honestly, what's so special about an 8 byte IPv6 address that makes it un-sniffable?

        The notion that your machine is only findable by raw brute-force scanning is pretty laughable. Yes, it's one of the easiest and most non-brainer methods, but it's not the only one.

        As a counter-example, look at how email viruses work. Because they _do_ work without scanning and without looking for you speciffically. They just go through more hops, each hop sending itself further to everyone in your address book.

        Guess what? The exact same can be trivially adapted to an IPv6 worm. Each pwned machine just continuously looks for incoming and outgoing connections, and tries to spread to those too.

        Or how about lists of static addresses, the same as the lists of email addresses that spammers buy and sell. Only unlike email addresses, if you're unfirewalled, you can't keep yours secret. You _have_ to tell each visited site your address every time you connect to it, so it knows where to send the response packets.

        So basically it's the setup for the easiest kind of phishing imaginable. It's like automatically giving your email address to every site you ever visited, except this time it's your IPv6 address. Someone just has to create or pwn a popular site, and just record all the IP's that connect to it. Voila, that's a nice list to sell to the hackers. No more brute force scanning needed.

        We already have major corporations whose computers are spam bots. What makes you think none will host IP recording bots? How do you know none of the ecommerce sites or forums you visit could be pwned to record all those static IPv6 addresses?

        Or it just takes one bored intern working at a major ISP to run a sniffer and get a huge list of all static IPv6 addresses that sent or received anything through their pipe. Remember, idiots exist everywhere. One guy sold the whole list of AOL addresses to spammers, for example. So are you _sure_ noone will sell the list of allocated/known IPv6 addresses?

        And since it's static addresses (after all, the whole idea is to get rid of NAT, right? No more dynamic addresses and remapping, right?), you know that each address logged will be available for a long long time thereafter.

        Basically let's stop using the whole "we're secure by obscurity" concept to rest already. If there are other security mechanisms in place, fine, I want to hear about them. But "noone will find your IPv6 address" is _not_ security. If you want to talk security, you start from the most paranoid scenarios imaginable, not from wishful thinking.
        • by kebes (861706) on Tuesday May 08, 2007 @03:43PM (#19041591) Journal
          Everything you've said is true...

          However, I don't think the argument is "the large IPv6 address space provides robust security" but rather "it's an extra roadblock to attackers."

          Switching to the large IPv6 address space doesn't mean that we can get lazy with patching our boxes, surfing safely, blocking ports, having strong passwords, and so on. However, it does mean, at least, that one vector of attack (port scanning) is no longer possible, or at least very difficult.

          All the workarounds and attacks you describe are certainly possible, but they mean extra effort on the part of the attacker, which induces a corresponding decrease in the frequency and success rate of attacks. And it's worth noting that in addition to the workarounds that the attackers will no doubt employ, there may very well be some clever usages of IPv6 to counter them. For instance, if I'm in control of 10^20 addresses, I may run my web browser from a VM whose IP address changes on every connection. So knowing the IP of my web-browser doesn't give you the IP of my file server, etc. Similarly the 10^20 - 4 addresses that I'm not using can be a very efficient honeypot for detecting attackers.

          To re-iterate: the large address space of IPv6 should not be viewed as "killer security"... but nor should we ignore that it will provide a (arguably minor) security advantage.
        • Re: (Score:3, Informative)

          by MajroMax (112652)

          The notion that your machine is only findable by raw brute-force scanning is pretty laughable. Yes, it's one of the easiest and most non-brainer methods, but it's not the only one.

          And on a dense IP space like IPv4, it's also the fastest method of scanning and spreading. For a worm propagating in its initial phases, its rate of growth is determined by how many "hits" it gets over N probes. By moving from IPv4 to IPv6, the search space goes from "very dense" to "highly sparse". If the worm still propaga

      • by Kadin2048 (468275) *
        I think the idea is to have more permissive firewalls since with that many IP addresses available in IPv6 the odds someone will be RANDOMLY scanning and hitting something for someone is so remote that it is almost a guarantee that they're specifically looking for you.

        No. I don't know of any non-clueless person who is pushing IPv6 and claiming that the address space, in and of itself, is a security enhancement. That's just wrong and bad.

        Just think -- every time you go to a website, that server has your IPv6
    • by Kadin2048 (468275) * <slashdot DOT kadin AT xoxy DOT net> on Tuesday May 08, 2007 @12:16PM (#19038161) Homepage Journal
      I really don't think the problem is as big as it's being made out to be.

      The advantage to IPv6 is that you can have more fully routable addresses, to the point where there wouldn't be any NAT anymore -- you might still have dynamically assigned addresses, but they'd still be fully routable across the entire network. This makes firewalling a lot simpler, because you can have more than one DMZed device.

      Devices which are known to be relatively secure and are designed to sit out in full view of the public -- for instance, maybe a VoIP appliance that by definition has to accept incoming traffic, but rejects everything else (but which needs lots of ports and can't tolerate NAT or much 'dumb' firewalling), could be easily put into its own DMZ without compromising the rest of your LAN. Right now, with IPv4 and only one shared IP address per household, this is fairly difficult -- all firewall rules need to be port-based. With IPv6, you can also do more complex address-based routing.

      So, let's say you have a network consisting of four devices and an IPv6 firewall; you have two highly insecure Windows boxes (for whatever reason) which aren't designed to and consequently cannot safely be exposed to the world, plus a hardened BSD machine which can have certain ports exposed (say, for email and SSH), and an VoIP appliance which needs to be able to make whatever connections it wants. You configure the firewall (which all traffic passes through) to not perform any packet filtering on the VoIP appliance's address, effectively leaving it outside the perimeter. (Hopefully the manufacturer of the appliance knows what they're doing. But, to be safe, you could set it up so that traffic from it doesn't get let in to the firewalled zone, so someone couldn't compromise it and use it to get in to the rest of your network.) The BSD machine's address gets only the necessary ports opened, with everything else to it automatically rejected. And the Windows boxes are totally firewalled, with all incoming connections rejected unless a port is specifically requested open.

      The firewall required to do this isn't any less complex than a current NAT/stateful-firewall, but it provides several advantages. Rather than having only one externally-facing address for the entire LAN, and routing traffic based on the port or TCP connection, you can just route based on the IPv6 address, and create all sorts of (in)flexible rules based on how much trust you have in the destination device, which can include creating further subnets that are isolated from each other, for security purposes.

      IPv6 isn't "insecure," in fact I think its wide adoption will greatly enhance end-user security, once people start figuring out how to work with it, and the Linksys and Netgear-type manufacturers start building inexpensive boxes to do the job.

      The main difference between v4 and v6 is that with v4, there's a clear demarcation between "LAN" and "WAN." With IPv6, this isn't quite as true; rather than thinking of security in terms of castle walls, you need to use a more fluid metaphor. Everything in your house is part of the "WAN," in terms of addressing, but parts of it may be more secure than others.
      • by Azghoul (25786)
        This was a really nice explanation. Thanks a lot.

        I'm a little confused about how someone would be able to go about building a DMZ using IPv6 - just connect it through a different switch and don't allow traffic to go from it to your "internal" machines?
        • Re: (Score:3, Informative)

          by Kadin2048 (468275) *
          I'm a little confused about how someone would be able to go about building a DMZ using IPv6 - just connect it through a different switch and don't allow traffic to go from it to your "internal" machines?

          Basically, it's just like an Ethernet VLAN, except it would be as part of a router, not a switch, because you're one level higher on the OSI model. (Ethernet is Layer 2, IP is Layer 3.) But fundamentally it's a similar idea; a subnet is really just a Layer 3 VLAN. (In actuality, I think on most networks ther
    • Re: (Score:3, Informative)

      by evilviper (135110)

      So, they're saying the way to get security in IPv6 is to throw away the whole concept of firewalls and hope that the protocol won't leave us with out collective bums hanging out in the wind??

      NO!

      Firewall != NAT

      NAT != Firewall

      Please move along.
  • Translation (Score:5, Informative)

    by Zarhan (415465) on Tuesday May 08, 2007 @11:29AM (#19037495)
    "Today we learned, that lots of people who have thought of NAT as a security mechanism, are getting a hit with cluebat when they find out that the IPv4 NAT also implements a stateful firewall as a byproduct. Since there is no NAT with IPv6, you only have to implement stateful firewall without address translation."

    Sigh.

    This is a non-issue.

    What IS an issue are the new IPv6-specific things related to security. You cannot do a network scan anymore since even a /64 is a huge address space to scan and so on. The presentation I watched at IETF Prague was quite interesting: http://www3.ietf.org/proceedings/07mar/slides/v6op s-1/sld1.htm [ietf.org]

    There are some implementation issues, such as anycast addresses and stuff like that you need to take into account.

    However, this "getting rid of connectivity issues due to no longer having to NAT" has NEVER been expected by anyone who knows even a bit about networking. Because we're not returning to an un-firewalled world.
    • However, this "getting rid of connectivity issues due to no longer having to NAT" has NEVER been expected by anyone who knows even a bit about networking. Because we're not returning to an un-firewalled world.

      Thanks for clarifying that. I had a similar thought looking at the summary. I may have forgotten nearly everything I knew about IPv6, but it seems to me that a router is a router is a router, even in v6. If your router checks the traffic (like a good firewall would do) and blocks unauthorized incoming

      • by LehiNephi (695428)
        Please forgive a question from a networking newbie. What if my ISP wishes to restrict the number of computers I connect to the internet at home? Some behind-the-times ISPs still don't allow you to use more than one machine over your connection. Currently, NAT is a very simple way to get around that restriction. Does the transition to IPv6 affect that in any way?

        Of course, if an ISP is decent enough to move to IPv6, they're probably smart enough to allow multiple addresses per account.
    • by Zarhan (415465)
      And I linked the wrong presentation. I meant this one:

      http://www3.ietf.org/proceedings/07mar/slides/v6op s-6/sld1.htm [ietf.org]

      "Observations of IPv6 firewall and IDS".

      Sorry about karmawhoring, but I'm at karmacap anyway.
    • Re:Translation (Score:5, Interesting)

      by Raphael (18701) <quinet&gamers,org> on Tuesday May 08, 2007 @12:27PM (#19038305) Homepage Journal

      However, this "getting rid of connectivity issues due to no longer having to NAT" has NEVER been expected by anyone who knows even a bit about networking. Because we're not returning to an un-firewalled world.

      There are also some features of NAT that I would like to keep even when using IPv6, the main one being the ability to hide the topology of my networks from the outside world. So in a way, I do want to have some connectivity issues.

      For example, I currently maintain a firewall and NAT box that has a pool of several public IP addresses (Internet access) on one of its interfaces, and 3 additional network cards connected to different networks. Each of these 3 networks contains a number of machines and some servers for various protocols that are mapped to some of the public IP addresses. One of these private networks is rather open (with protocols such as NIS and NFS used by most hosts) and another one is rather secure (no host trusts any other host on the same subnet). I do not want to allow an external attacker to guess on which network a given server could be. Maybe this extra level of security through obscurity is not really necessary, but I want to maximize my chances in case of an attack (e.g., zero-day exploits). Some services that I mapped to an external IP address and port may go to a server on one network, while the same IP address but a different port may go to a different network. I do not want to reveal too much information about the topology of my networks, that's why I like NAT.

      NAT causes some connectivity issues, but I consider some of them as features, not problems. Oh, and I know that some people claim that the network hiding brought by NAT is just some false security and that IPv6 with its much larger address space will also make it difficult to scan hosts on a network. But that's not the point here: hiding the topology is just one of the many layers of security that I use, and the larger address space of IPv6 will not prevent some information from being disclosed in routing table updates, etc.

      • Does NAT really offer that much better security than a Dark-Net [wikipedia.org] implementation? I mean, if you simply don't allow any incoming connections to the "dark" area of your network, then the only thing that the Internet as a whole can divine is that some computers from inside the Dark Net are accessing resource X using their own IPv6 IP. Since every computer on your network is unlikely to access the same addresses, this gives potential attackers nothing more than a glimpse of a few computers behind the firewall. C
        • I think the GP is acknowledging that it doesn't offer much, but it's not clear that it won't protect you at all. I agree that good security is layered, and right now NAT allows a layer of obscurity by not allowing others to discern where traffic is coming from or where it's going.

        • Re: (Score:3, Insightful)

          by Raphael (18701)

          Does NAT really offer that much better security than a Dark-Net implementation?

          They do not really address the same issues. First, this is not only NAT that provides the added security, but the fact that I use several disjoint networks behind the NAT box (think about DMZ + private network, except that I have more than one DMZ) and also the fact that there is no easy way for an attacker to guess the mapping between public IP addresses and private addresses in one of these subnets.

          As I wrote in my previou

    • Yeah because 64+ bit email addresses have been a hugeeee help in combating spam.

      I see it as a hopeless cause. If there is an easy way to access a device, there is an easy way to find a device. Unless of course you put a password on the DNS redirect.

      Sure your Xbox might not have a DNS because all of the interfacing is under the table but how long until your nice static IP address is on the "black market" just like a credit card #?
  • Yippee! I love NAT!

    I still want IPv6, but I really do love my NAT. It is like loving microsoft...I like products that generate their own tech support.

  • by Timesprout (579035) on Tuesday May 08, 2007 @11:33AM (#19037541)
    I hereby announce I am giving up my obsession with firewalls and reverting to my earlier obsession with Halle Berry.
    • Re: (Score:2, Informative)

      by jddj (1085169)
      Sorry - after IPv6 is fully rolled out, Halle Berry is deprecated in favor of Kirsten Dunst...
    • good luck with your new crush. if you're looking to sell all your old pin-up posters of firewalls i'm sure that there is a market for that sort of thing on this very site
  • Firewall != NAT (Score:5, Insightful)

    by 0racle (667029) on Tuesday May 08, 2007 @11:35AM (#19037569)
    You can have a firewall that does not use NAT. Both sides are publicly addressable but there is still a security device between you and the outside world.
    • by dubbreak (623656)

      You can have a firewall that does not use NAT.


      Quite true, however most consumers would think of their home router as a firewall (the majority of which do NAT). You have to write to your audience (and although I did not read the article in true slashdot style) I would assume it is aimed at more than just geeks if they are simplifying NAT as a "firewall".
      • But most consumer routers have to do NAT for reasons other than security, but because of the limited externally-exposed IP address range most consumers have.

        Wasn't one of the whole points of IPv6 to expand the address space to alleviate this problem? Doesn't it do it quite effectively? My understanding was that the answer to both is yes, which suggests that consumer routers in an IPv6 world ought to be able to act as firewalls for security, without doing NAT.

  • by The One KEA (707661) on Tuesday May 08, 2007 @11:35AM (#19037577) Journal
    Linux has already gone down this path - the old IP connection tracking code in the Linux iptables packet filter has already been reworked into a more general layer-3 connection tracking mechanism, with separate 'drivers' for tracking the IPv4 and IPv6 protocols and separate 'plugins' that can handle specialized protocols (FTP, IRC, H.323, PPTP and so on).

    I suspect that commercial firewalls will probably follow suit.
  • by SkunkPussy (85271) on Tuesday May 08, 2007 @11:36AM (#19037581) Journal
    Is it a good idea to expect that whenever and wherever a mobile computing device connects to a network, there will be a properly configured firewall ready to protect it, or should computers and other networked devices be able to function securely without an external firewall to protect them?

    Its a nonsensical situation that operating systems in general cannot be relied upon for the security of their own network interfaces - after all it is down to the operating system to accept or reject user logins. In the same way it should be the operating system that sets policy about whether to accept or reject packets from arbitrary locations.

    A firewall is roughly equivalent to a plaster on an open wound - it serves a useful purpose, but nobody should expect to walk around with an open wound on a long term basis.

    There is little if anything that a firewall can do that an operating system can't.
    • Re: (Score:2, Informative)

      by RockRampantly (976282)

      Its a nonsensical situation that operating systems in general cannot be relied upon for the security of their own network interfaces - after all it is down to the operating system to accept or reject user logins. In the same way it should be the operating system that sets policy about whether to accept or reject packets from arbitrary locations. A firewall is roughly equivalent to a plaster on an open wound - it serves a useful purpose, but nobody should expect to walk around with an open wound on a long term basis.

      While I agree with you that a firewall protecting a single IP is rather useless - the OS should take care of itself - a firewall is definitely useful when protecting a group of machines. It can be used to create a relatively trusted network without having to worry about interference caused by rogue packets from the outside.

    • For a lot of settings (Corporate,home etc.) allowing random access into your network doesn't serve any purposes. If you need to provide services you can serve them through the firewall or you can make a DMZ outside the firewall but there is no need to allow random access to your network.

      That being said I totally agree that OS's need to be more secure but thats just part of the equation to proper network security.
    • by Vellmont (569020) on Tuesday May 08, 2007 @12:13PM (#19038127)

      Its a nonsensical situation that operating systems in general cannot be relied upon for the security of their own network interfaces - after all it is down to the operating system to accept or reject user logins. In the same way it should be the operating system that sets policy about whether to accept or reject packets from arbitrary locations.

      In general the software firewalls that come with Operating Systems are quite reliable and can be trusted.

      What can't be trusted is that all the firewalls on every machine are configured properly. It's FAR easier to administrate one firewall than it is to administrate 10 or 100 different workstations/servers.
    • Let me translate what you said.

      "In an ideal world, we would not need so many layers of security! The world should be ideal, damn-it!"

      My response to you is that we don't live in an ideal world, and in the REAL world, defense in depth has proven to be an incredibly useful security model.

      You can keep ranting against reality if you like, but you won't change anything.
    • by Syberghost (10557)
      There is little if anything that a firewall can do that an operating system can't.

      Assuming you weren't stripping NAT out of the equation (and if you were, you were horribly offtopic or disingenuous or both), an operating system can't keep your ISP from being able to invade your privacy and charge you per-device unless it's been configured to act as a NAT firewall. (Silly semanatic arguments as to NAPT/NAT aside.)
  • by Carrion Creeper (673888) on Tuesday May 08, 2007 @11:37AM (#19037617)
    I would say I personally am not obsessed with firewalls per se, I'm obsessed with privacy and security.

    The firmware on a firewall also has a much smaller amount of code to debug in order to make sure that it will function properly all the time. I would never assume that my Windows XP machine was properly patched with enough confidence to plug it straight into a cable modem all the time.

    I am also not interested in having each computer in my home being identified and tracked individually, and I don't pirate software or download music. As such, even if the need for NAT is removed, I would still be highly interested in purchasing a device to block incoming connections and mask my IP address (maybe by swapping with other devices within my home on certain connections).
    • IPv6 offers that. (Score:4, Informative)

      by Kadin2048 (468275) * <slashdot DOT kadin AT xoxy DOT net> on Tuesday May 08, 2007 @01:22PM (#19039089) Homepage Journal
      You wouldn't need to. IPv6 has the capability of having temporary addresses, where the client machine basically generates the last few bits (actually quite a few) of the address randomly. You can swap these addresses as frequently as you'd like (well, it will probably do Bad Things to the upstream routers if you change them too quickly, and it might be considered abusive at some point) in order to retain a level of anonymity that's greater than or equal to what you have with IPv4+NAT right now. (It's still not true anonymity, and isn't a replacement for systems like Tor, but it would make it close to impossible to figure out which device on your LAN the traffic is coming from, without compromising your LAN's router itself.)

      You might want to read this document from the IETF regarding privacy and IPv6. Ensuring privacy, or at least not eliminating it, was a major concern of theirs during the design of v6, and I think you'll find that your privacy is protected just as well or better than it is under IPv4 (which is to say, not really all that well, but if it gives you a warm fuzzy feeling to think so, enjoy).
      http://playground.sun.com/ipv6/specs/ipv6-address- privacy.html [sun.com]

      Therefore, in the future IPv6-based Internet, we expect many devices to have two kinds of IP addresses:

              * Unique, stable addresses, assigned in any of several possible ways (e.g., by manual configuration, by an address server like DHCP, or by auto-configuration using embedded, factory-assigned LAN addresses), for the purpose of being a target, and for use when initiating communication to other, trusted targets, such as targets within the same home or enterprise.

              * Temporary, transient addresses, such as those containing a random number in place of a factory-assigned serial number, for use when initiating communication to less trusted targets, such as public web servers.

      The choice of which kind of address to use when initiating communication is somewhat analogous to the choice that must be made when placing a telephone call in the presence of the "Caller ID" feature, i.e., whether or not to reveal the calling party's number to the called party. IPv6 addresses offer both choices.
  • Privacy Concerns? (Score:4, Insightful)

    by WiseWeasel (92224) on Tuesday May 08, 2007 @11:38AM (#19037627)
    It seems strange that people are arguing about getting rid of NAT devices and having unique IPs for every device without bringing up the privacy implications. It seems that having unique addresses for every device is a small step away from being able to track and monitor every device on the net. Without the ability to proxy or perform NAT services, every device would be exposed to the net, and would leave a reliable trail of activity. It seems that this would encourage governments to think that they can control and enforce the web, and deal a pretty strong blow to the level of anonymity granted by the current network topology. I just hope that if this does come to pass, that there will be solutions to mitigate this risk, to help obfuscate individual activity on the net. This hazard to troubleshooting network issues, as described in the summary, might be an important factor in ensuring privacy and a certain degree of anonymity on the web.
    • by FreezerJam (138643) <smith.vex@net> on Tuesday May 08, 2007 @12:00PM (#19037927)
      Not to mention your average consumer ISP, which, like a cable company, would love to start charging "per outlet".

      Much as a NAT-less world might be easier to build and debug, I think I'm happier if my network connection is like my electric connection.

      One connection delivers: all electric energy / all bits
      I can go up to a max of: 200 amps / 5 Mbps
      I might still be billed: by energy used / by gigabytes sent
      But I don't pay extra: for more outlets / for more devices
      I cover all the costs: of the electric panel / of the router

      Handing someone else the information to break the above model is not something I want to do.
    • People who want anonymity can buy anonymizing services. If there is enough demand, it might be offered by consumer ISPs directly.
  • 128 bits (Score:5, Funny)

    by CrtxReavr (62039) <crtxreavr.trioptimum@com> on Tuesday May 08, 2007 @11:41AM (#19037653)
    Since we have the attention of the IPv6 crowd, everyone should add this record to your forward zones:

    aacs IN AAAA 09f9:1102:9d74:e35b:d841:56c5:6356:88c0

    -CR
  • The more things change the more they stay the same. The human race is suffering from new forms of the same problems it has had for thousands of years, you can't expect communication protocols to do too much better.
  • stateless firewalls (Score:5, Informative)

    by greenrom (576281) on Tuesday May 08, 2007 @11:57AM (#19037887)
    You can have a firewall without using NAT. Being able to assign every device a routable address means that you can implement a stateless firewall instead of a stateful firewall. For most purposes, a simple firewall that filtered incomming TCP connection requests and UDP packets on all ports except those specifically allowed would suffice. This has the advantage that the firewall wouldn't need to track the state of TCP connections, and would eliminate problems like firewalls deciding a connection has been idle too long and closing it.

    For the home user, being able to assign a routable IP to every PC has other advantages. Do you have multiple PCs with Remote Desktop running that you want to access remotely? NAT makes this difficult since all the PCs share the same IP address and need to listen for connection requests on the same port. Assigning every machine a routable address makes this problem go away. Don't like that example? The same applies to a web server, or SIP phone, or Bittorrent, or a myriad of other applications.
    • by gclef (96311) on Tuesday May 08, 2007 @12:30PM (#19038369)
      Just for fun, try running SIP or H323 through a stateless firewall sometime. Since you're advocating stateless firewalls, I can tell you've never tried....it doesn't work.

      SIP, H323, and a bunch of other protocols that are starting to be used regularly as business needs, dynamically allocate ports. You won't know what ports you'll need to allow through the firewall, since they'll be different for every connection. The only way this works is if your stateful firewall understands enough of the protocol to learn which ports it's expecting to see a response on. (In the case of H323, the response may even come from a totally different IP.)

      This is precisely the problem that will continue to be the case in IPv6.
      • by greenrom (576281)
        The SIP part of it can use a single port. RTP ports are dynamically allocated, but most phones will use a fixed port range or let you specify one. So basically, that means opening up port 5060 for SIP and lets say something like 8000 - 9000 for RTP. The alternative would be to have a stateful firewall as you suggest that parses the SDP out of the SIP invite to figure out which UDP ports to open for the RTP streams and then watch for the BYE packet to close them. I don't know of any home routers that can
      • Re: (Score:3, Informative)

        by kalugen (531230)

        This is totally correct, but there are also other problems with stateless firewalls...

        Let me explain what a stateful firewall does (not to you obviously, but I'm reading comments from lots of people that do not seem to fully understand the issue).

        A stateful firewall can filter traffic not by just "blocking" some protocols or addresses/ports.

        It can police traffic using the abstraction of "connections": you are able to tell it "allow NEW connections to this service, but not to that. And please let co

  • My brain hurts... (Score:4, Interesting)

    by evilviper (135110) on Tuesday May 08, 2007 @11:57AM (#19037889) Journal
    This seems to be the kindergarten introduction to firewalls, written by someone who is feeling around in the dark, and doesn't really know what he's talking about...

    So what's the point of the pages full of irrelevant details about how Vista and ZoneAlarm works?

    Stateful firewalls require you to explicitly allow incoming connections certain ports, even with IPv6. That's it. Nothing else there.

    What he completely misses is that this is worlds better than NAT, which also requires assigning a unique port on the single IP address... You're screwed if you want more than one machine to access the same service, which doesn't allow you to use a non-default port.

    Want two web servers running (on port 80)? Want two machines to be able to receive VoIP calls? Want multiple machines to be able to play some online game? Too bad. It's only with the multiple addresses IPv6 offers that it's really possible.
  • maybe I'm missing something here as I admit I'm not fully aware of the low level details of network implementation
    but wouldn't it be possible to still have a Firewall but without a NAT?

    i.e. instead of devices pretending to be just the one IP address that's been assigned to the router via NAT, they instead each have they're own addresses
    However all communication still physically goes through the router / firewall / same device to filter out any incoming dodgy packets via SPI, or put limits on incoming co
  • by spywhere (824072) on Tuesday May 08, 2007 @12:35PM (#19038421)
    The media -- and the consumer anti-virus manufacturers -- feed our "obsession with firewalls," and I see it every day in the home-user world.
    Computers sitting behind a NAT router, which is pretty much all the firewall most machines need, come factory-loaded with Norton Internet Security or McAfee Security Center. This makes it nearly impossible for the average home user to share files and printers, and (especially with Norton) makes it very likely that they will answer some of the hundreds of pop-up questions wrong and break something they want:

    "MSIMN.exe is trying to access the Internet!
    What do you want to do:
    1. Permanently block it?
    2. Dial 911?
    3. Buy even more Norton crapware?


    I try to explain to my customers that they want a hardware firewall (the router) and don't really need a software firewall other than the one-way jobbie that ships inside Windoze.
    OTOH, one customer this morning still has an XP SP1 machine plugged directly into her cable modem... guess what happened to her machine?

    Oh, well, I get paid to fix these kind of problems, so I guess I don't mind. God forbid they ever get it right!
    • by 0123456 (636235)
      "I try to explain to my customers that they want a hardware firewall (the router) and don't really need a software firewall other than the one-way jobbie that ships inside Windoze."

      I disagree. I most definitely want to know when some random program decides it's going to connect to the Internet and send information from my machine to some random server.

      The problem is that so much cruddy software these days decides it wants to connect to the Internet for no good reason, even when I manually disable 'auto upda
  • by suggsjc (726146)
    They should have used IPv5 as a practice round to get all the bugs out...
  • Gaaaah! (Score:3, Insightful)

    by mikeee (137160) on Tuesday May 08, 2007 @12:54PM (#19038693)
    The problem with NAT and firewalling, both, is that they're broken by design. They're attempts to add features to the protocol/application/OS layer that are implemented at the network layer. It doesn't have the necessary information to do the job properly! So we end up with godawful mostly-kinda-works klugdes like timeouts on idle TCP connections, etc....

    I spend a fair bit of time tracing down network-related application issues, and let me tell you, NAT and firewalling are the work of the devil. Look, I'm all for a Linksys in front of your home Windows box, but please please, can't we kill this nonsense off once and for all?

    No?

    (pounds head on desk)
  • NAT is bad (Score:4, Interesting)

    by nsayer (86181) * <nsayer@kfCOWu.com minus herbivore> on Tuesday May 08, 2007 @12:58PM (#19038751) Homepage
    If you take the firewall out of the equation, there is still one bit of evil left with NAT - applications that may want to set up and announce a listening port don't know what the correct IP address is. Often times they have to resort to bizarre workarounds, like asking a known external service what their own address is. Very byzantine. If nothing else, moving to IPv6 removes that headache. And if you have two machines behind a 1:n NAT that want to open up port 80, you're hosed. Without NAT, that's not a problem anymore. You'll have to tell your firewall that connections to port 80 on those machines are OK, but that's nothing more than what you would have had to do to your NAT box anyway (except that one of them would have to be port 81 or 8080 or some such nonsense).

    I can't wait for the home networking routers that are so popular to implement 6to4. There's no reason they can't do that right now. Even if it were off by default, having it there would give people more options at little or no cost to the manufacturers. All of the major OSes out there shipping today support IPv6 natively.
  • Broken Protocols (Score:3, Insightful)

    by hweimer (709734) on Tuesday May 08, 2007 @01:23PM (#19039111) Homepage
    The problems don't come from having NAT or a stateful firewall, but from using poorly designed protocols. There is hardly a justification for using more than one TCP or UDP port, or dynamically assigned destination ports.

    For example, compare IPSec with OpenVPN [osreviews.net]: the former requires various UDP ports plus a completely new IP protocol, while the latter runs over a single UDP port. Now guess which one is much easier to get through a firewall.

  • In todays world its not safe to connect to the outside world without one. I dont see 'safety' being an 'obsession'.

    Especially when 1/2 our house is run on an internal IP network. i DONT want someone managing to turn off my heat or something..
  • by sjames (1099) on Tuesday May 08, 2007 @06:12PM (#19044339) Homepage

    NATing firewalls serve two security purposes and several non security purposes.

    The non-security purposes are to multiplex routable IPs so that we don't have to have a public address for each network capable device. That's critical in IPv4, but irrelevant for IPv6 in the forseable future.

    The other is so that we can arbitrarily assign IPs to LAN devices (often with DHCP) and be happy. Auto-configuration in IPv6 renders that irrelevant as well.

    Now to the security purposes. First and foremost, they provide a default condition where incoming connections are summarily blocked while outgoing are permitted (after NATing). UDP is often configured similarly so that an outbound UDP packet opens a hole for replys to come in through (also after NATing). There is absolutely nothing in IPv6 to prevent the same rules from being configured minus NAT. As a side benefit, without UDP NAT randomizing the port number, two machines behind different firewalls may request a hole by sending UDP packets out iff the firewall is configured to permit it.

    The second purpose is to obscure the structure of the LAN behind the firewall including the number of machines on the LAN. It is notable that with IPv6 autoconfig it is entirely possible to find out how many devices are behind the firewall and who made the network devices.

    The real question is how valuable is obscuring the addresses of the machines on the LAN and how strongly does NAT guard against leaking that information.

    My guess is that NAT doesn't really do a lot there. If the firewall is well configured, most attacks behind it will be the result of users getting viruses and trojans from email and web browsing. A well crafted trojan can easily phone home using an outbound (permitted by NAT) connection and tell the attacker all about what's behind the firewall anyway. The trojan can then act as a socks proxy and allow the attacker to effectively have a machine inside the firewall anyway.

    In short, there's no reason for NAT at all in IPv6. Any real security benefits to NAT are side effects of it's primary purpose and easily enough implemented properly as security rules to provide security. Network security SHOULD be a process of adding deliberate and considered rules to a firewall. It should NOT be an ill-considered side effect of solving an entirely different class of problem.

    The real question is how much do those firewall rules spoil the idea of everything having a routable address. My opinion is not all that much. A firewall is simply a sort of rules server device that offloads filtering (ideally as a first line of defense backed up on the machine being protected) and centralizes policy, even in the face of mis-configured machines. Those rules would (hopefully) still be there without the firewall (who wants random people sshing or VNCing to their desktop machine), so the effect is more or less nil as far as routability goes. After all, even servers running without a firewall are often configured with hosts.(allow|deny).

  • by CTachyon (412849) <chronos.chronos-tachyon@net> on Wednesday May 09, 2007 @09:06AM (#19050565) Homepage

    The problems that the article describes — FTP, IM file transfers, etc. — have exactly the same problems under NATless IPv4 stateful firewalls. The Internet hasn't fallen over yet, therefore the problem is overblown.

    The solution in Linux has generally been application-specific kernel modules (ip_conntrack_ftp, ...) that tell the state engine (ip_conntrack) to expect related traffic. They might've finally added a user-mode interface since last time I looked, but that doesn't actually solve the problem since any user-mode program is still forced to sniff forwarded traffic for known applications.

    The more elegant solution would be for each application to indicate a related connection in a way that all stateful firewalls along the route could understand. Sort of like UPnP, except UPnP only talks to a single local NAT, not every firewall along the route. However, this more elegant solution hasn't yet been invented, for IPv4 or IPv6.

The superior man understands what is right; the inferior man understands what will sell. -- Confucius

Working...