Obsession With Firewalls Could Hinder IPv6 278
DosIgriegas writes "The obsession with firewalls in IPv6 may result in some of the quirks of IPv4 reappearing. Ars Technica has an article looking at the topic in depth, exploring the technical challenges of securing the new protocol, and looking at the re-emergence of old problems in new guises. 'Ironically, what's required to make IPv6 work through a stateful firewall is almost identical to what's required to make IPv4 work through NAT. This means the IETF's efforts to keep IPv6 NAT-free in order to make protocols do their job without messy workarounds are defeated by the notion that everything should be firewalled.' If we decide to stick with firewalls in IPv6, we'll see many of the same hard-to-diagnose network problems that we have with IPv4."
Defective by design? (Score:5, Insightful)
So, they're saying the way to get security in IPv6 is to throw away the whole concept of firewalls and hope that the protocol won't leave us with our collective bums hanging out in the wind??
I can't see a widespread adoption of a protocol that wants to get rid of firewalls. Now, I guess it's entirely possible that IPv6 would secure networks since I'm not really up to speed on its details. But I'm going to need an awful lot of convincing before I put any machines onto a network without something physically between me and it.
Unless IPv6 is very different, the only way I'm going to be able to set up my own personal network (and secure it) is with NAT. I'll take 'hard to diagnose' over pwn3d any day.
This just sounds so wrong.
Cheers
Firewall != NAT (Score:5, Insightful)
It's ridiculous even having to rely on firewalls (Score:4, Insightful)
It's a nonsensical situation that operating systems in general cannot be relied upon for the security of their own network interfaces - after all it is down to the operating system to accept or reject user logins. In the same way it should be the operating system that sets policy about whether to accept or reject packets from arbitrary locations.
A firewall is roughly equivalent to a plaster on an open wound - it serves a useful purpose, but nobody should expect to walk around with an open wound on a long term basis.
There is little if anything that a firewall can do that an operating system can't.
I like my firewall, thanks (Score:5, Insightful)
The firmware on a firewall also has a much smaller amount of code to debug in order to make sure that it will function properly all the time. I would never assume that my Windows XP machine was properly patched with enough confidence to plug it straight into a cable modem all the time.
I am also not interested in having each computer in my home being identified and tracked individually, and I don't pirate software or download music. As such, even if the need for NAT is removed, I would still be highly interested in purchasing a device to block incoming connections and mask my IP address (maybe by swapping with other devices within my home on certain connections).
Privacy Concerns? (Score:4, Insightful)
Re:NAT needed? (Score:2, Insightful)
Re:Why firewall at all? (Score:2, Insightful)
Re:Defective by design? (Score:4, Insightful)
Actually, the article is saying that many protocols require connections to odd ports, and connections from random hosts (think bittorrent) so firewalling must be application-controlled.
It's similar to NAT in that both NAT and firewalling (of IPv4 or IPv6) require that you make and break rules on the firewall to allow traffic to get where it needs to go.
Of course, you could just firewall all privileged ports... But then you'd still be leaving things open for inward connections to trojans with a daemon.
Re:Defective by design? (Score:5, Insightful)
It's worth mentioning that there is little or no reason for most people to run these programs at work, with certain notable exceptions like FTP (Which should just be allowed to fucking die already) and Bittorrent (which can be configured to use a single port.)
It's not introducing a problem! This problem exists today with IPv4 whether you are using NAT or just firewalling!
What they're saying is that IPv6 is not going to fix a problem with the logistics of firewalling that is already with us today.
Re: Privacy Concerns? (Score:5, Insightful)
Much as a NAT-less world might be easier to build and debug, I think I'm happier if my network connection is like my electric connection.
One connection delivers: all electric energy / all bits
I can go up to a max of: 200 amps / 5 Mbps
I might still be billed: by energy used / by gigabytes sent
But I don't pay extra: for more outlets / for more devices
I cover all the costs: of the electric panel / of the router
Handing someone else the information to break the above model is not something I want to do.
Re:Defective by design? (Score:2, Insightful)
What would you suggest replacing FTP with? I do agree that the whole control/data port thing is just fucking weird, but passive FTP at least makes it sane again.
Somehow I get the feeling you're going to say "WebDAV".
Firewall but without a NAT? (Score:2, Insightful)
but wouldn't it be possible to still have a Firewall but without a NAT?
i.e. instead of devices pretending to be just the one IP address that's been assigned to the router via NAT, they instead each have their own addresses
However all communication still physically goes through the router / firewall / same device to filter out any incoming dodgy packets via SPI, or put limits on incoming communications (port filtering for given IP ranges for internal devices) to make sure that access is only granted when requested instead of by default
Re:Transmission (Score:5, Insightful)
A Firewall is still the right route in some cases (Score:3, Insightful)
That being said, I totally agree that OSes need to be more secure, but that's just part of the equation for proper network security.
Re:It's ridiculous even having to rely on firewalls (Score:5, Insightful)
It's a nonsensical situation that operating systems in general cannot be relied upon for the security of their own network interfaces - after all it is down to the operating system to accept or reject user logins. In the same way it should be the operating system that sets policy about whether to accept or reject packets from arbitrary locations.
In general the software firewalls that come with Operating Systems are quite reliable and can be trusted.
What can't be trusted is that all the firewalls on every machine are configured properly. It's FAR easier to administrate one firewall than it is to administrate 10 or 100 different workstations/servers.
Re:NAT needed? (Score:5, Insightful)
Sort of. By definition, a stateful firewall probably has the capability of performing NAT, but there's no reason why you'd want to, if you have enough external addresses for everything on your network.
I don't think that NAT is "disallowed at the protocol level," as much as just rendered unnecessary. You could still build an IPv6 NAT box, if you really wanted to, but it would be a bit stupid. It's like building a box that hides two Ethernet cards behind one MAC address -- sure, you could do it, but since they both already have unique identifiers, why would you want to? There's no shortage. (Okay, that may not be the best comparison in the world, but you get the idea.)
NAT is driven by a shortage of routable IP addresses. With v6, there's no longer a shortage. However, people are still going to want the security offered by stateful firewalls (NAT, in its most trivial 1:1 implementations, doesn't offer any security -- it's all in the firewall anyway), which if configured incorrectly or overzealously, could create almost as many problems themselves as NAT does currently.
However, I still think that IPv6 is a big improvement. Why? Because with v6, you have the option of not using the stateful firewall, on devices that are hindered by it, while still retaining the ability to use one and mimic IPv4 security behavior. With IPv4, unless you are wealthy enough to afford a static IP for everything in your house, you don't even have the option of exposing more than one device (per port) to the public Internet.
To me, this demonstrates that there's really no downside (besides the obvious implementation cost) to IPv6. People who just want nothing to change, can basically have nothing change. Their IPv6+Firewall network will behave just like an IPv4 one, but people who want to use the capabilities of IPv6 (for example, VoIP using SIP) will be able to, by reconfiguring their firewalls to be a bit smarter about incoming traffic.
Re:stateless firewalls (Score:4, Insightful)
SIP, H323, and a bunch of other protocols that are starting to be used regularly as business needs, dynamically allocate ports. You won't know what ports you'll need to allow through the firewall, since they'll be different for every connection. The only way this works is if your stateful firewall understands enough of the protocol to learn which ports it's expecting to see a response on. (In the case of H323, the response may even come from a totally different IP.)
This is precisely the problem that will continue to be the case in IPv6.
IPv6 Needed? (Score:5, Insightful)
``Running out of IP numbers'' is like ``running out of oil'': it'll happen, but crying wolf didn't help the cause. It's claimed IPv6 is Big In Japan but, like popular beat combos, that means ``dead elsewhere''. And I'm sitting in a hotel room in Tokyo happily IPv6-free, and I've just come from a building owned by one of the largest IT companies in Japan which was entirely IPv4.
IPv6 has been ``next year'' for the last ten years. It's still nowhere. What's driving it now that wasn't driving it five years ago?
ian
Re:NAT needed? (Score:1, Insightful)
When people talk about using NAT, 99% of the time they don't mean a 1:1 NAT, but a NAPT as found in home routers and configurable in many midsize routers and PC operating systems.
Such a NAPT does offer security because it disallows all uninvited incoming connections and thus shields "services" running on systems inside of the NAPT from access from the Internet.
Re:Defective by design? (Score:3, Insightful)
No. That's not true at all. You're just being a dick for the sake of it, and you probably know it.
I'm asking for clarification of how things work relative to my own understanding. I'm not wedded to NAT based on anything -- I'm asking based on my understanding of how it works, and the fact that I'm aware that I have an incomplete understanding.
And I can't wait until some of the younger people around here stop being condescending dickheads just to sound cool and think they know it all. You're free to make your own assumptions about people, but, please, try not to drag the level of discourse around here any lower than it already tends to be.
I don't have an irrational fear of change, or learning something new. I'm trying to figure out what the article is saying -- the initial reference to being "obsessed with firewalls" to me sounds like people are advocating the wholesale removal of firewalls, or that we should be leaving firewall rules up to applications. That sounds bizarre to me.
I am not a security pro, I'm trying to further my understanding of how IPv6 affects this landscape -- IPv6 has been 'just around the corner' for widespread adoption about as long as Linux has been 'almost ready for the desktop'. As such, I've taken to ignoring it since it doesn't seem to be going anywhere at any pace that I can tell except in academia.
The stuff in the summary just seemed a little odd, and I asked a question hoping that someone could shed a little light, and maybe enlighten a few people. But, hey, if you want to reduce the whole thing to childishness, then neener neener to you too!
Cheers
Re:NAT needed? (Score:5, Insightful)
If someone installs a firewall and says "please block port 123" I can't help but ask "Why did you open port 123 in the first place, then build a wall in front of it?" The fact that these firewalls exist just shows how stupid the operating system's UI is that it is so complicated to determine what apps are listening on the network, and what apps aren't.
Blocking outgoing apps is a completely different issue, and software firewall might make sense for that, if you don't trust the applications on your machine (which is a sad state of affairs anyway)
Broken protocols (Score:5, Insightful)
A protocol [wikipedia.org] that requires a firewall [wikipedia.org] to be stateful just to allow it to pass, I would call broken. And yes, I have for years called FTP [wikipedia.org] a broken protocol (acknowledging that this observation is hindsight). I'm not talking about statefulness for NAT [wikipedia.org] purposes, but rather, statefulness to track permissions on related communications (e.g. the DATA connection in FTP). FTP was designed in the day when no one expected blocking of arbitrary ports [wikipedia.org]. But this is something we will be doing apparently forever.
Let's fix the broken protocols and move forward. While we can use HTTP [wikipedia.org] for many file transfer needs, a new protocol that conducts everything over a single TCP [wikipedia.org] connection or a single SCTP [wikipedia.org] session is where we need to go. Then a firewall can be simple in operation and probably more secure as a result.
Gaaaah! (Score:3, Insightful)
I spend a fair bit of time tracing down network-related application issues, and let me tell you, NAT and firewalling are the work of the devil. Look, I'm all for a Linksys in front of your home Windows box, but please please, can't we kill this nonsense off once and for all?
No?
(pounds head on desk)
Security by obscurity doesn't work (Score:5, Insightful)
We live in an age where far larger combinations of bits -- e.g., email addresses or name/password combinations -- are sniffed, phished, compiled into lists and sold, etc. What on Earth makes people think that a fixed IPv6 address would be more secure? No, honestly, what's so special about an 8 byte IPv6 address that makes it un-sniffable?
The notion that your machine is only findable by raw brute-force scanning is pretty laughable. Yes, it's one of the easiest and most non-brainer methods, but it's not the only one.
As a counter-example, look at how email viruses work. Because they _do_ work without scanning and without looking for you specifically. They just go through more hops, each hop sending itself further to everyone in your address book.
Guess what? The exact same can be trivially adapted to an IPv6 worm. Each pwned machine just continuously looks for incoming and outgoing connections, and tries to spread to those too.
Or how about lists of static addresses, the same as the lists of email addresses that spammers buy and sell. Only unlike email addresses, if you're unfirewalled, you can't keep yours secret. You _have_ to tell each visited site your address every time you connect to it, so it knows where to send the response packets.
So basically it's the setup for the easiest kind of phishing imaginable. It's like automatically giving your email address to every site you ever visited, except this time it's your IPv6 address. Someone just has to create or pwn a popular site, and just record all the IPs that connect to it. Voila, that's a nice list to sell to the hackers. No more brute force scanning needed.
We already have major corporations whose computers are spam bots. What makes you think none will host IP recording bots? How do you know none of the ecommerce sites or forums you visit could be pwned to record all those static IPv6 addresses?
Or it just takes one bored intern working at a major ISP to run a sniffer and get a huge list of all static IPv6 addresses that sent or received anything through their pipe. Remember, idiots exist everywhere. One guy sold the whole list of AOL addresses to spammers, for example. So are you _sure_ no one will sell the list of allocated/known IPv6 addresses?
And since it's static addresses (after all, the whole idea is to get rid of NAT, right? No more dynamic addresses and remapping, right?), you know that each address logged will be available for a long long time thereafter.
Basically let's put the whole "we're secure by obscurity" concept to rest already. If there are other security mechanisms in place, fine, I want to hear about them. But "no one will find your IPv6 address" is _not_ security. If you want to talk security, you start from the most paranoid scenarios imaginable, not from wishful thinking.
Re:NAT needed? (Score:3, Insightful)
Still doesn't mean I wouldn't want a NAT to offer a centralized location to manage my network. Right now I've got a NAT router forwarding most ports on my IP to my Mac Mini server (which has its own firewall), and a few gaming ports to my Powerbook. Managing a firewall in a single location would be a lot easier than managing a firewall on multiple devices.
And how will IPv6 affect broadband? Right now I'm only allowed one dynamic IP. Would all broadband providers be forced to monitor individual IPs across their network?
Broken Protocols (Score:3, Insightful)
For example, compare IPSec with OpenVPN [osreviews.net]: the former requires various UDP ports plus a completely new IP protocol, while the latter runs over a single UDP port. Now guess which one is much easier to get through a firewall.
Re:Translation (Score:3, Insightful)
They do not really address the same issues. First, this is not only NAT that provides the added security, but the fact that I use several disjoint networks behind the NAT box (think about DMZ + private network, except that I have more than one DMZ) and also the fact that there is no easy way for an attacker to guess the mapping between public IP addresses and private addresses in one of these subnets.
As I wrote in my previous comment, these networks contain several servers. Most of these servers are public and are intended to be accessible by almost anybody, so darknets are not really appropriate in this case.
The kind of scenario that I am trying to prevent or make more difficult by using NAT is the following: some of these servers have "interesting" contents on them and could be juicy targets for some attackers (no, I'm not talking about pr0n here but about some company internal information). These servers are usually well protected and have only one or just a couple of services exposed to the outside world (e.g., HTTP). But other servers may not be so well protected because they run experimental code for public testing or demonstrations, or simply because they run a larger number of services that may be vulnerable to zero-day exploits. If one of these "weaker" servers is compromised, I do not want it to be used as an intermediate step to launch an attack on other servers on the same network (behind the firewall). That's why I like NAT: it allows me to run the servers in different networks with different security policies and it also hides their private IP addresses. Both of these features add a small amount of security to the network. Maybe not much, but hopefully enough to prevent some attacks or delay them until IDS and counter-measures can be used effectively.
Re:Defective by design? (Score:3, Insightful)
v6 addresses, as a general rule, aren't doled out. You get a routed
Re:One word: (Score:3, Insightful)
huh? That answer makes no sense, that's like saying you can only have one ftp client at a time connecting through a public IP address. I routinely have not 2 but 10 SIP phones communicating over the Internet back into my home office without a problem. You have your control port and then you have your dynamic port which is opened to accommodate the data transferring back and forth.
I'm not sure which SIP phones you're talking about that don't support NAT traversal. You might have had a point with H.323 but thankfully that is dying.
As far as the number of lines, that's limited by the number of ports that can be opened. The only advantage to IPv6 in this sense is that I could service more lines over the Internet by associating additional external addresses with my servers, but if I have that many remote users they are probably at a temporary site which would then have a PBX on-site they could connect to.
I think the real answer is that nothing is really driving IPv6 deployment since most companies don't want their internal computers to have external addresses. Securing it would not be trivial although a lot of methods that are employed for securing servers with external addressing could be deployed for workstations but that is a few orders of magnitude harder to setup.
Re:IPv6 Needed? (Score:4, Insightful)
The decrease in packet-per-second switching performance is severe and has been a critical road block to IPv6 adoption. Basically the IETF didn't have a clue about the consequences of adopting 128b addresses. With each passing year silicon technology roughly follows Moore's law and is gradually getting ahead of the game (because traffic isn't growing exponentially).
So five years ago IPv6 was completely ridiculous. In a few years the technology will catch-up and real IPv6 deployments can begin.
Anyways, there is no real shortage of IP space. There are only some gross mis-allocations: e.g., not very large companies which now control multiple class A blocks.
It is amazing that this article now attempts to spin firewalls as an obsession. Firewalls are in fact a core aspect of security unless you are able to carefully audit every device, every service, etc. People with dreams of their freezers having public IPs don't seem to get this: doing so would mean security auditing your freezer's embedded OS!?!. It's crazy.
Also some people seem to be thinking that protocols requiring stateful firewalls are broken. This is false. Protocols that require the firewall to inspect the application layer contents are broken. But TCP is a stateful protocol, consequently firewalls should implement stateful behavior.
The real risks (if any) (Score:4, Insightful)
NATing firewalls serve two security purposes and several non security purposes.
The non-security purposes are to multiplex routable IPs so that we don't have to have a public address for each network capable device. That's critical in IPv4, but irrelevant for IPv6 in the foreseeable future.
The other is so that we can arbitrarily assign IPs to LAN devices (often with DHCP) and be happy. Auto-configuration in IPv6 renders that irrelevant as well.
Now to the security purposes. First and foremost, they provide a default condition where incoming connections are summarily blocked while outgoing are permitted (after NATing). UDP is often configured similarly so that an outbound UDP packet opens a hole for replies to come in through (also after NATing). There is absolutely nothing in IPv6 to prevent the same rules from being configured minus NAT. As a side benefit, without UDP NAT randomizing the port number, two machines behind different firewalls may request a hole by sending UDP packets out iff the firewall is configured to permit it.
The second purpose is to obscure the structure of the LAN behind the firewall including the number of machines on the LAN. It is notable that with IPv6 autoconfig it is entirely possible to find out how many devices are behind the firewall and who made the network devices.
The real question is how valuable is obscuring the addresses of the machines on the LAN and how strongly does NAT guard against leaking that information.
My guess is that NAT doesn't really do a lot there. If the firewall is well configured, most attacks behind it will be the result of users getting viruses and trojans from email and web browsing. A well crafted trojan can easily phone home using an outbound (permitted by NAT) connection and tell the attacker all about what's behind the firewall anyway. The trojan can then act as a socks proxy and allow the attacker to effectively have a machine inside the firewall anyway.
In short, there's no reason for NAT at all in IPv6. Any real security benefits to NAT are side effects of its primary purpose and easily enough implemented properly as security rules to provide security. Network security SHOULD be a process of adding deliberate and considered rules to a firewall. It should NOT be an ill-considered side effect of solving an entirely different class of problem.
The real question is how much do those firewall rules spoil the idea of everything having a routable address. My opinion is not all that much. A firewall is simply a sort of rules server device that offloads filtering (ideally as a first line of defense backed up on the machine being protected) and centralizes policy, even in the face of mis-configured machines. Those rules would (hopefully) still be there without the firewall (who wants random people sshing or VNCing to their desktop machine), so the effect is more or less nil as far as routability goes. After all, even servers running without a firewall are often configured with hosts.(allow|deny).
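Added example, not code from the thread or from any firewall product: a small connection-tracking filter that applies the rules described above (block unsolicited inbound, record outbound flows, let their replies through) to untranslated IPv6 addresses, and adds the "related connection" step that FTP and the SIP/H.323 comments earlier in the thread call for. All addresses, ports and packets are constructed sample data; the FTP helper only understands the RFC 2428 EPRT command.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    proto: str         # "tcp" or "udp"
    src: str           # IPv6 source address, used as-is: nothing is translated
    sport: int
    dst: str
    dport: int
    direction: str     # "out" = LAN to Internet, "in" = Internet to LAN
    payload: str = ""  # only the FTP control channel carries one here

class StatefulFilter:
    """Default deny inbound; outbound flows are recorded so their replies pass.
    The FTP helper shows why protocols that announce ports on a second channel
    (FTP EPRT, and likewise SIP/H.323) need the firewall to read them."""

    def __init__(self):
        self.flows = set()     # (proto, inside_addr, inside_port, peer_addr, peer_port)
        self.expected = set()  # (proto, inside_addr, inside_port, peer_addr): peer port unknown
        self.log = []          # (direction, proto, dport, verdict, reason)

    def _flow_key(self, p):
        if p.direction == "out":
            return (p.proto, p.src, p.sport, p.dst, p.dport)
        return (p.proto, p.dst, p.dport, p.src, p.sport)

    def _ftp_helper(self, p):
        # RFC 2428 "EPRT |2|<ipv6>|<port>|": the inside client tells the server
        # where to open the active-mode data connection, so we expect it.
        if p.proto == "tcp" and p.dport == 21 and p.payload.startswith("EPRT |2|"):
            _, _, addr, port, _ = p.payload.split("|")
            self.expected.add(("tcp", addr, int(port), p.dst))

    def _verdict(self, p, verdict, why):
        self.log.append((p.direction, p.proto, p.dport, verdict, why))
        return verdict

    def filter(self, p):
        key = self._flow_key(p)
        if p.direction == "out":
            self.flows.add(key)
            self._ftp_helper(p)
            return self._verdict(p, "ACCEPT", "outbound; flow recorded")
        if key in self.flows:
            return self._verdict(p, "ACCEPT", "reply to tracked flow")
        rel = (p.proto, p.dst, p.dport, p.src)
        if rel in self.expected:
            self.expected.discard(rel)
            self.flows.add(key)          # the data connection is now tracked too
            return self._verdict(p, "ACCEPT", "related: announced by inside host")
        return self._verdict(p, "DROP", "unsolicited inbound")

def demo():
    """Push constructed sample packets through the filter; returns its log."""
    fw = StatefulFilter()
    inside, dns, ftp = "2001:db8:1::10", "2001:db8:ffff::53", "2001:db8:ffff::21"
    packets = [
        Packet("udp", inside, 40000, dns, 53, "out"),               # DNS query
        Packet("udp", dns, 53, inside, 40000, "in"),                # reply: hole opened
        Packet("tcp", "2001:db8:bad::1", 5555, inside, 22, "in"),   # SSH probe: dropped
        Packet("tcp", inside, 41000, ftp, 21, "out", "EPRT |2|2001:db8:1::10|50000|"),
        Packet("tcp", ftp, 20, inside, 50000, "in"),                # announced data port
        Packet("tcp", ftp, 20, inside, 50001, "in"),                # not announced: dropped
    ]
    for p in packets:
        fw.filter(p)
    return fw.log

if __name__ == "__main__":
    for entry in demo():
        print(entry)
```

Without the helper the fifth packet would be dropped like the sixth, which is the diagnosis problem the thread describes; in Linux that helper role is played by the nf_conntrack_ftp module, and it is needed whether or not NAT is in the path.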
Re:Transmission (Score:2, Insightful)
Wrong. Microsoft based operating systems are vulnerable. Those operating systems are the only operating systems in existence that have ports that cannot be shut down or limited to loopback addresses only.
Regardless, I am not certain how they equate controlling traffic with using NAT. They are each distinct concepts. A firewall does not necessarily imply NAT and NAT does not necessarily imply a firewall.