8

The router that my ISP has delivered contains an IPv6 firewall. The only configuration option is whether it is on or off. Apparently, this firewall simply denies all incoming connections.

I understand this is to prevent exposing all hosts and all their open ports to the entire internet.

If I want to receive incoming IPv6 connections, then I will need to disable this firewall.

Is it dangerous to disable it? I wonder if devices such as PCs and mobile devices are secure enough to be exposed to the internet. They certainly are supposed to be secure but are they secure in a practical sense?

boot4life
  • 1
    You could remove IPv6 from your question entirely and ask if PCs can stand being exposed directly to the Internet. It would not change the question. – schroeder Jul 11 '18 at 16:27
  • Related: [“There's a firewall on the router into the building so you can turn the one on your computer off”](https://security.stackexchange.com/q/11984/11291) – Michael Hampton Jul 11 '18 at 16:35
  • @schroeder that is a good point. Although I do wonder if it makes a difference because IPv6 addresses are less guessable. – boot4life Jul 11 '18 at 16:37

2 Answers

6

Yes, it is dangerous to disable a firewall without any compensating controls or replacement filtering. It is true that an internet IP address indexer for IPv6 has much more to cover, but it does happen. SANS has articles on this.

One of the issues here is that IPv6 allows for a direct attack on an internal device. NAT is not used (at least that is the intention of IPv6), so an attacker doesn't discover the router first; it is trying to send messages directly to the device internally.

Although there is less attention placed on attacking IPv6, it definitely is happening. In my day job we look for IPv6 on internal networks that are IPv4-based as signs of a breach.

A suggestion for an answer to the question of "if I turn off full blocking of IPv6 because I want to use it, what then?" would be to run through a pfSense box. Here is an article: https://blog.joelj.org/setting-up-pfsense-with-ipv6/ This would leave only the devices and services that you want exposed to the internet open, instead of all devices on your network, some of which may have vulnerabilities or misconfigurations.

bashCypher
2

My opinion is that it is not dangerous to disable the firewall. But still, it is a bit unwise.

I have had directly connected IPv6 without any firewall at all since 2014 (if I recall correctly), but there have never been any attempts using IPv6, even though the primary devices sit at the addresses ::1 and ::10. With IPv4 it happens all the time: trying SSH, trying HTTP vulnerabilities, trying common usernames and passwords, etc. I use fail2ban, and additionally I route a bunch of large /12 ... /16 IPv4 blocks to /dev/null because they are useless to me. Without those, the number of log rows from IPv4 attempts would be well above 100.000 per day. But as I said, never anything with IPv6.

I am not saying that IPv6 attempts will not come. But I consider IPv6 much harder for hacking because of the trillion-size address space.

If I needed to break into a /64 IPv6 subnet myself, I would not know where to start. Perhaps I would first use some other means (a fake phone call about support?) to find out what equipment is at that destination, to be able to guess ranges of MAC addresses and the calculated IPv6 addresses, instead of shooting randomly at the 2^64 block. Or concentrate on vendor MAC addresses where the vendor is known to have certain vulnerabilities.

v6-engine
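Both answers turn on how guessable a host's IPv6 address is. The following is an added example, not part of either answer: a small audit you can run over your own hosts' addresses before relaxing the router firewall, flagging interface identifiers that do not benefit from the 2^64 space (low numbers such as ::1 and ::10, and MAC-derived EUI-64 identifiers). The function names and the sample addresses (documentation prefix 2001:db8::/32) are constructed for illustration.

```python
import ipaddress

def _iid_bytes(addr: str) -> bytes:
    """Return the low 64 bits (interface identifier) of an IPv6 address."""
    ip = ipaddress.IPv6Address(addr)
    return (int(ip) & 0xFFFFFFFFFFFFFFFF).to_bytes(8, "big")

def classify_iid(addr: str) -> str:
    """Classify how the interface identifier appears to have been chosen."""
    b = _iid_bytes(addr)
    if int.from_bytes(b, "big") < 0x10000:
        return "low-byte"   # manual numbering like ::1, ::10: a small numeric range
    if b[3:5] == b"\xff\xfe":
        return "eui64"      # derived from the MAC: vendor prefix narrows the range
    return "opaque"         # looks random (privacy/stable-opaque addressing)

def eui64_mac(addr: str):
    """Recover the MAC address embedded in an EUI-64 identifier, else None."""
    b = _iid_bytes(addr)
    if b[3:5] != b"\xff\xfe":
        return None
    # Undo the universal/local bit flip and drop the ff:fe filler bytes.
    mac = bytes([b[0] ^ 0x02]) + b[1:3] + b[5:8]
    return ":".join(f"{x:02x}" for x in mac)

def audit(addresses):
    """Map each address to (classification, embedded MAC or None)."""
    return {a: (classify_iid(a), eui64_mac(a)) for a in addresses}

# Constructed sample input: addresses as you might collect them from your own LAN.
SAMPLE = [
    "2001:db8:1:2::1",
    "2001:db8:1:2::10",
    "2001:db8:1:2:21a:2bff:fe3c:4d5e",
    "2001:db8:1:2:9c4e:36ff:1a2b:77d0",
]

if __name__ == "__main__":
    for address, (kind, mac) in audit(SAMPLE).items():
        note = f" (embeds MAC {mac})" if mac else ""
        print(f"{address:40} {kind}{note}")
```

Hosts reported as low-byte or eui64 are the ones to give a host firewall or move to randomized addressing first, since address obscurity does little for them.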