IPv6 Teredo And My Firewall


anauj0101

I run IPCOP for my main firewall. It only supports IPv4. Is there any way for IPv6 to pass my firewall without tunneling through IPv4 without using Teredo? I guess what I am asking is: if I block Teredo's tunneling port for IPv6, udp/3544, am I completely safe from IPv6-based attacks on computers inside my network? Such as the attack in this episode: Hak5 IPv6 Metasploit

Well, it's not just IPv6 that's the problem, it's tunneling of any sort that is the underlying problem. Teredo makes it easy because the service requires no effort for the attacker to maintain, and it's easy to set up. It is possible to tunnel traffic over the HTTP protocol, even through HTTP and SOCKS proxies. If you want to block tunneling outright, you have a major uphill battle in front of you. Alternatively, you can just go for the low-hanging fruit.

Theoretically speaking, I can't see why you can't prevent IPv6 attacks if your system is operating on IPv4 addresses only. It sounds possible to dwarf IPv6-based attacks, but I haven't seen any real-world test yet to prove this theory, so I guess it's a matter of trial and error.

Thanks. When I asked a similar question on the IPCOP forum, I was flamed by the moderators and was told there was no problem, that an IPv6 attack was not even possible! I have been using IPCOP for years and love what it has done for me. However, if the people running the show do nothing but flame the people who use their software with genuine questions, I think I'll be switching firewalls.

I would say what they told you is probably not 100% true. As demonstrated by Mubix on the episode, IPv6 in some instances flies right through firewalls and network hardware, even when they don't outright support IPv6. Like Sparda said, anything can be tunneled to an extent. The real trick is to 1, disable Teredo on all your workstations as well as IPv6 networking. 2, set up your network so only specific IP ranges or devices can reach outside your network. In other words, have rules to only allow certain IP addresses or devices to make connections to the cloud at large. Routers themselves can even be set up with access lists to help prevent tampering, in the event someone was able to access the firewall and change settings, so it can be a twofold layer of protection. Just need to remember to edit in both places if you ever have to make new additions/allowances.

Edited by digip
Thanks. When I asked a similar question on the IPCOP forum, I was flamed by the moderators and was told there was no problem, that an IPv6 attack was not even possible! I have been using IPCOP for years and love what it has done for me. However, if the people running the show do nothing but flame the people who use their software with genuine questions, I think I'll be switching firewalls.

Why not post back on the forum with a selection of links to articles and videos (such as that in which Rob gave the demonstration) about the reality of the attack? If you're polite (I've no reason to think that you wouldn't be), they should thank you for your input and (perhaps) apologise for their earlier comments.


Guest Deleted_Account

Just to point out, last night Comodo firewall updated and now supports IPv6 and IPv6 filtering. So it does add more protection if you want to use it.

I found this PDF doco on IPv6 security quite interesting. Might be worth a read.

http://www.6net.org/events/workshop-2003/marin.pdf


Guest Deleted_Account

Having a firewall/router that supports IPv6 does not prevent IPv6 from being tunneled over IPv4. When IPv6 is tunneled over IPv4, the router never sees any IPv6 traffic.

O_o Now that is some scary crap! I am looking into this more... and disabling Teredo again... lol

I would like to reiterate:

IPv6 is not the problem. The problem is tunneling. Teredo is just very convenient because the service is maintained by Microsoft and super easy to set up and install (for everyone, including attackers). However, there are many other tunneling services/tools that someone could use to the same effect. Hamachi, OpenVPN, SSH, just to name a few. There are even tools which allow you to create a tunnel over HTTP and can even go through SOCKS and HTTP proxies, so blocking all forms of tunneling is a very difficult thing to do.


Guest Deleted_Account

I would like to reiterate:

IPv6 is not the problem. The problem is tunneling. Teredo is just very convenient because the service is maintained by Microsoft and super easy to set up and install (for everyone, including attackers). However, there are many other tunneling services/tools that someone could use to the same effect. Hamachi, OpenVPN, SSH, just to name a few. There are even tools which allow you to create a tunnel over HTTP and can even go through SOCKS and HTTP proxies, so blocking all forms of tunneling is a very difficult thing to do.

Very true. I have managed to set up a client's network so that MOST tunneling won't work: block obvious ports, IPs, and so on, the normal stuff, and then I blocked most of the programs and services from running on the computers. But this only stops the honest people; I am sure someone out there will find a way/something I missed, but that goes for everything. Tunneling is so hard to block mainly because you can't really block port 80, and policies only go as far as someone bringing their own iPod/tablet/computer/Wi-Fi enabled device. Plus, if they really wanted to, they could just bring in a MiFi or Droid device that can act as a hotspot, no tunneling needed.

Edited by x942

  • 3 months later...

Hi

I need a little help with Teredo, so I'm bringing up its security issues again... Please bear with me... :-)

I have 2 computers in a homegroup at home (Windows 7 Ultimate 64 bits and Windows 7 Home Basic 32 bits), behind a TP-Link TL-WR740N router (and ZoneAlarm Free 9.2.076.000 - IPv6 compliant).

Both computers have Teredo enabled (due to homegroup being used) and the same programs installed, but the Ultimate one is always running ("qualified"), whereas the Home Basic one is mainly "dormant", unless, of course, I try to reach a website which "triggers" IPv6 (e.g. "Test your IPv6").

Trying to figure out why the Ultimate computer had the Teredo connection always "qualified" led me to dig deep into the Teredo tunneling issue, and I became somewhat scared of the security risks in using it.

I learned that, apart from opening a "hole" in the router and assigning a global IPv6 address to the computer, the traffic in the tunnel is really IPv6 encapsulated in an IPv4 packet, so the firewall won't be able to filter it properly, applying the desired security policy.

The safest thing to do is disable it, but I guess that's not possible (it would prevent the homegroup from running).

So, in my current configuration (nobody but my family has access to the machines), how much of a real threat is Teredo? Does ZoneAlarm help at all?

Looking forward to hearing your opinions!

Thanks in advance!

Giacinto
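
The encapsulation discussed in the posts above (IPv6 carried inside an IPv4 UDP datagram, so an IPv4-only firewall sees only UDP), shown as an added example that is not part of the original thread: a Python check that looks inside a UDP payload for an IPv6 header and decodes a Teredo source address using the RFC 4380 layout. The sample packet and every address in it are constructed, and the function names are hypothetical.

```python
import ipaddress
import struct

TEREDO_PORT = 3544                                  # udp/3544, the port named in the thread
TEREDO_PREFIX = ipaddress.ip_network("2001::/32")   # Teredo address prefix (RFC 4380)


def build_sample(dport=TEREDO_PORT):
    """Constructed sample: IPv4/UDP datagram carrying one bare IPv6 header."""
    # Constructed Teredo source: server 192.0.2.1, mapped port 40000, client 203.0.113.5
    src6 = ipaddress.IPv6Address("2001:0:c000:201:0:63bf:34ff:8efa").packed
    dst6 = ipaddress.IPv6Address("2001:db8::1").packed
    inner = struct.pack("!IHBB", 6 << 28, 0, 59, 64) + src6 + dst6  # next header 59: none
    udp = struct.pack("!HHHH", 51000, dport, 8 + len(inner), 0) + inner
    ipv4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                       ipaddress.IPv4Address("192.168.1.10").packed,
                       ipaddress.IPv4Address("192.0.2.1").packed)
    return ipv4 + udp


def inspect_packet(pkt):
    """Return details of IPv6 carried inside IPv4/UDP, or None when there is none."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4 or pkt[9] != 17:    # only IPv4 carrying UDP
        return None
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or len(pkt) < ihl + 8:
        return None
    sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
    payload = pkt[ihl + 8:]
    if payload[:2] == b"\x00\x01" and len(payload) >= 4:     # Teredo authentication header
        payload = payload[13 + payload[2] + payload[3]:]
    if payload[:2] == b"\x00\x00":                           # Teredo origin indication
        payload = payload[8:]
    if len(payload) < 40 or payload[0] >> 4 != 6:            # no inner IPv6 header
        return None
    src = payload[8:24]
    result = {"udp_ports": (sport, dport),
              "server_port": TEREDO_PORT in (sport, dport),
              "inner_src": str(ipaddress.IPv6Address(src)),
              "inner_dst": str(ipaddress.IPv6Address(payload[24:40])),
              "teredo_src": None}
    if ipaddress.IPv6Address(src) in TEREDO_PREFIX:
        # Layout: prefix | server IPv4 | flags | port ^ 0xFFFF | client IPv4 ^ 0xFFFFFFFF
        port = struct.unpack("!H", src[10:12])[0] ^ 0xFFFF
        client = bytes(b ^ 0xFF for b in src[12:16])
        result["teredo_src"] = {"server": str(ipaddress.IPv4Address(src[4:8])),
                                "mapped_port": port,
                                "client": str(ipaddress.IPv4Address(client))}
    return result
```

The check keys on the payload structure rather than on the port alone, so `inspect_packet(build_sample(dport=40001))` still reports the inner IPv6 header with `server_port` set to `False`.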
