
Sensible firewalling for "consumer" routers

Started by Dragon2611, February 08, 2011, 06:14:14 PM


Dragon2611

Just wondering what people think the sensible defaults should be on a consumer router.

It's kind of worrying to me that we could start seeing residential "broadband routers" with IPv6 support but no packet filtering support for IPv6.

For me a sensible default would be to have a firewall configured to disallow most unsolicited inbound traffic.

Of course it should have a nice friendly UI that makes it easy to add exceptions or turn it off completely, but my concern would be if something like this isn't present in the router people will be plugging in their new IPv6 enabled router and not doing anything to secure their network.

A bit like these days most wi-fi routers now come with some kind of encryption set out of the box because people were not realising they needed to secure their wireless networks.




antillie

I am with you on this. With the death of NAT having a stateful firewall on your internet connection is even more important than before. (Not that NAT ever provided any actual security anyway.) I would be pretty surprised if any of the major consumer router vendors released an IPv6 capable router without some kind of built in stateful IPv6 firewall.

I think a reasonable default would be to allow all inbound ICMPv6 traffic and block all other unsolicited inbound traffic. I actually use this rule set on my own IPv6 firewall. As you said a nice pretty GUI to add exceptions for certain ports and/or IPs would be critical. There are plenty of business grade routers and firewalls that do this but the consumer market is pretty dry. Hopefully this will change over the next year or so.

UltraZero

Hmm..
Security is always an issue.

Given.  With the amount of connections out there, what are the chances 1 individual will get hit?

I say this simply because with a home connection, most DSL users are getting an IP address allocated to them dynamically and therefore their IP is being pulled from a vastly large pool of numbers.

Example:  Fred's phone number is 123-343-1111 today.  You know the number and you can dial the number.  Tomorrow, Fred changes his number.  What are the chances of you finding that number again?

I suppose if you were sneaky enough to capture a ping or traceroute to a particular individual and saw where his or her hops were and you figured out the last hop before that location you were trying to get to, maybe there is a way to somehow route an ARP from there.  (Not a hacker so I don't know.)  Anyway, even if you could get that far, you still have to figure out which IP address belongs to which system.  Then by the time you did that, the address could change.

A lot of work for nothing just to be able to knock on your router/firewall.

Next.  Say you had a static IP?  Many people do.  Now.  I'm not too sure what people consider firewalls, but, I have never actually examined my connection from my wifi to my router to see what is being blocked.  (I suppose I could put Wireshark on a hub and the connection to my wifi router on it to be able to sniff what is going on.)

I don't think many home users really care.  Most don't want to know what is blocked and what is not.  

Most don't really care if you drive to their house and hack into their wifi so long as you don't touch their personal pcs.

I generally don't have much on my machines.  I have software to protect from viruses/spyware/etc, but, not something to protect against a hacker.  (Other than the access lists on my Cisco router.)

That being said, I am getting a Cisco firewall to play with.  I don't think it can handle IPv6 (still looking into that. Kinda think it will)  

I just got off the phone today (funny this conversation came up) with Dlink.  I am looking for a modem (IPv6) compatible for my tunnel test. I've got connection issues of my own.  I wanted to see if they had anything IPv6 aware.  They told me they have nothing at the moment and nothing is announced.

Hmmm.  Go figure.  Don't be ahead of the game, wait for the wave to smash you into the ground so you can pick your wet self up and scramble to get on the ball to get ready for IPv6..

Now isn't that really stupid on their part..

So.. In a nut shell. I would think Cisco (Linksys is IPv6 aware) I have not checked.  I will actually start looking into that tonight.  

Several other companies out there have modems/routers that I think might be.  Still checking though..

The security in some of these systems is a joke.   I don't understand why for the price, some of these companies don't push for virus protection on the routers and online updates.

If you want, I'll post what I see as far as what I can find that is being blocked by my dlink.


UltraZero

I could be wrong, but, since a provider like ATT hasn't done anything about IPv6, customers/consumers won't be able to do much until ATT gets off their butts and get moving with an IPv6 implementation.   Until the push happens, I don't think you will see IPv6 hardware until 2012. 

ATT needs to make us feel good about their slow Uverse first.  Japan has faster connections to the cell phone than we have to our homes.  They have 100 meg to the home..

We create the technology and we see the benefits of it last.  Go figure..

Dragon2611

Quote from: UltraZero on February 08, 2011, 07:06:13 PM
Hmm..
Security is always an issue.

Given.  With the amount of connections out there, what are the chances 1 individual will get hit?

I say this simply because with a home connection, most DSL users are getting an IP address allocated to them dynamically and therefore their IP is being pulled from a vastly large pool of numbers.

Doesn't need to be a targeted attack, in fact it's probably more common to be probed at random than to have someone target you directly for an attack (unless you happen to have upset someone online).

Zombies/bots scan large IP ranges looking for open ports.

That and there will be things like VOIP phones, printers, etc. on the network which probably haven't been changed from their default passwords.


antillie

Indeed, and if Johnny black hat gets into your box and installs a program that phones home to a central control server then he can find you no matter how often your address changes. Botnets work like this right now on IPv4, I imagine that they will keep at it in IPv6.

All recent (software based) Cisco routers and firewalls support IPv6 filtering. Even some of the older models do. Hardware ASIC based models are another matter though. This is outlined pretty well in this thread. And of course Linux and its fifty million flavors can do IPv6 firewall duties as well via ip6tables. Vyatta comes to mind here. Same with BSD and pfSense.

Hopefully vendors like Linksys and DLink will start to add IPv6 connectivity and filtering to their newer routers as they are released. Firmware updates to add IPv6 support to existing models would be very nice too. Of course you can always throw DDWRT on a suitable router and go to town if you're the type that enjoys voiding warranties.
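The default antillie describes earlier in the thread (accept all inbound ICMPv6, accept replies to connections the LAN opened, drop everything else unsolicited, with a way to add per-host exceptions) maps directly onto the ip6tables mentioned in this post. The script below is an added example written for this thread, not antillie's own ruleset or any vendor firmware: it generates the ruleset in ip6tables-restore format so it can be reviewed before loading. It assumes a Linux router with netfilter conntrack, takes the WAN interface name as its first argument, and uses the documentation prefix 2001:db8::/32 for the sample exception address; the `ADDR/PROTO/PORT` exception syntax is this script's own invention.

```shell
#!/bin/sh
# Added example: emit a default-deny IPv6 ruleset for a home router in
# ip6tables-restore format. Not code from the thread or from any vendor.
# Assumes: Linux router, conntrack available, WAN interface given as $1.
#
# Usage: gen_ipv6_fw_rules WAN_IFACE [ADDR/PROTO/PORT ...]
#   gen_ipv6_fw_rules eth0 2001:db8::10/tcp/22 > /etc/ip6tables.rules
#   ip6tables-restore < /etc/ip6tables.rules      # as root, on the router
# Exceptions are a hypothetical "ADDR/PROTO/PORT" notation (ADDR without a
# prefix length), standing in for the "add an exception" button of a GUI.

gen_ipv6_fw_rules() {
    wan="$1"
    shift
    printf '%s\n' \
        '*filter' \
        ':INPUT DROP [0:0]' \
        ':FORWARD DROP [0:0]' \
        ':OUTPUT ACCEPT [0:0]' \
        '-A INPUT -i lo -j ACCEPT' \
        "-A INPUT ! -i $wan -j ACCEPT" \
        '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT' \
        '-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT' \
        '-A INPUT -m conntrack --ctstate INVALID -j DROP' \
        '-A FORWARD -m conntrack --ctstate INVALID -j DROP' \
        '-A INPUT -p ipv6-icmp -j ACCEPT' \
        '-A FORWARD -p ipv6-icmp -j ACCEPT' \
        "-A FORWARD ! -i $wan -o $wan -j ACCEPT"
    # Per-host exceptions: only NEW connections to the named host/port are
    # let in from the WAN; everything else still falls through to the drop.
    for spec in "$@"; do
        host=${spec%%/*}
        rest=${spec#*/}
        proto=${rest%%/*}
        port=${rest#*/}
        printf '%s\n' "-A FORWARD -i $wan -d $host -p $proto --dport $port -m conntrack --ctstate NEW -j ACCEPT"
    done
    # Rate-limited logging of what the DROP policy is about to discard, so a
    # curious owner can actually see what is being blocked.
    printf '%s\n' \
        "-A INPUT -i $wan -m limit --limit 5/min -j LOG --log-prefix \"ip6-in-drop: \"" \
        "-A FORWARD -i $wan -m limit --limit 5/min -j LOG --log-prefix \"ip6-fwd-drop: \"" \
        'COMMIT'
}

# Helper for a pre-load sanity check: how many inbound exceptions a
# generated ruleset contains.
count_exceptions() {
    gen_ipv6_fw_rules "$@" | grep -c -- '--ctstate NEW -j ACCEPT'
}

# Stand-alone run: print the ruleset for eth0 with one constructed
# exception (SSH to a LAN host in the documentation prefix).
gen_ipv6_fw_rules "${WAN:-eth0}" 2001:db8::10/tcp/22
```

Two design points worth noticing. The LAN side (`! -i $wan`) is trusted for traffic to the router itself, which is what lets neighbour discovery and DHCPv6 from inside work without listing them; the WAN side reaches the router only through conntrack replies, ICMPv6 and the explicit exceptions. Accepting all ICMPv6 is antillie's stated choice and keeps path MTU discovery and neighbour discovery intact; RFC 4890 describes a tighter per-type list if you want to narrow it later.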

donbushway

Quote from: antillie on February 08, 2011, 07:30:25 PM
Of course you can always throw DDWRT on a suitable router and go to town if your the type that enjoys voiding warranties.

Not if it is a Netgear WNR3500L; they promote changing the firmware.

cconn

Quote from: UltraZero on February 08, 2011, 07:06:13 PM

I just got off the phone today (funny this conversation came up) with Dlink.  I am looking for a modem (IPv6) compatible for my tunnel test. I've got connection issues of my own.  I wanted to see if they had anything IPv6 aware.  They told me they have nothing at the moment and nothing is announced.

Hmmm.  Go figure.  Don't be ahead of the game, wait for the wave to smash you into the ground so you can pick your wet self up and scramble to get on the ball to get ready for IPv6..

Now isn't that really stupid on their part..

So.. In a nut shell. I would think Cisco (Linksys is IPv6 aware) I have not checked.  I will actually start looking into that tonight.  



I don't know what salesdroid you were speaking with, but D-Link actually has IPv6 clearly in its business plan.  The DIR-825 (which I admit I have not yet tried personally) is supposed to be IPv6 phase2-certified (whatever that means), and as for the DIR-615, I am personally involved in some beta trials to hammer out their DHCP-PD implementation, which is nearly complete as far as I am able to see.  D-Link is not ignoring IPv6.  So perhaps you asked them if they had an IPv6-capable modem/router, which they likely don't yet.  However their router line is well on its way.

As for Linksys, they sadly are not IPv6-anything right now;

http://www.networkworld.com/news/2011/020811-cisco-linksys-ipv6.html

Cisco routers work, with one annoying issue with DHCP-PD over PPPoE (router doesn't try to renew/refresh its lease if the WAN connection goes down, without a kludgy workaround).  When it comes to the rest, Cisco IOS is my preferred environment to route/tunnel/tinker with IPv6.

UltraZero

I agree about the little programs that can phone  home.
Can the programs deal with changing IP addresses??

As to the phone call to Dlink, I have had problems with their products.  They usually last to the warranty period or a little after.  After that, buy a new one.  I'm on my 3rd and last Dlink if I can help it.  Linksys or some other brand that at least gives customers more flexibility.

The phone call was about the consumer and business line.  I thought I'd cover both sides, and after talking to the customer service rep, who got referral information, they still told me there wasn't any product able to handle IPv6.

I'm not saying this is true, but, given I only saw I think 2 units on their website that referenced modem only and I didn't see anything re IPv6.


UltraZero

 ???


Isn't that a swift kick in the rear.

I was told they had no plans til 2012..

And you wonder why some companies can't keep customers.

Go figure.  Don't tell the customer service staff about the products you are carrying until they are already sold.

Nice one D-link.

snarked

D-link is one of the worst companies.  They will sell multiple products under one product ID number with hardware which is incompatible across different versions of that product ID.  For example, their discontinued adapter, DWL-520, was first a prism 2 chipset (Linux compatible), then a broadcom chipset (initially, no Linux driver - until someone hacked the Windows firmware driver to load, etc....).  Repeat the misery for the 520+ (when the "802.11b+" 22MHz speed came out -- just before "802.11g").

Never be the first to buy a D-Link.  Even with reviews, it's a risk in that they'll change the internals at any time.

UltraZero

I swore I would not buy another Dlink.  Well, I could shoot myself in the foot.  I bought a Dlink DSL modem trying to get around my DSL modem issues.  Well, I have spent most of the day trying to configure it, and I can't even get the stupid thing to connect to my router without having to reconfigure it for bridge mode.

Man, I thought this was going to be fairly a no-brainer.  I should be able to throw this thing on the net, give it an IP address, DSL parameters and boom, it should show up.  Instead, it is giving my router an IP address, but, I can't use it.  If I unplug my net and plug in my PC, I can use it.  The other modem would accept both, but, I could not create the tunnel.

I hope I can take this thing back. I need to buy a Motorola Cable modem. 

My experience with Dlink is it works generally out of the box.  It lasts till the warranty runs out and then it fails.