My how the world has changed!

On 7/1/2016 21:28, Edgar Carver wrote:
Hello NANOG community. I was directed here by our network administrator since she is on vacation.
I am Old School, I guess. In my day Step One would be "Fire the administrator." The job is by nature a 24 X 7 X 52 job and "On Call" the rest of the time. "Vacation" is never a reason to leave your assignment insecure. "NAT-based firewall"? Really? How long has the consultant been out of business?

Luckily, I minored in Computer Science so I have some familiarity.
We have a small satellite campus of around 170 devices that share one external IPv4 and IPv6 address via NAT for internet traffic. Internal traffic is over an MPLS.
We're having problems where viruses are getting through Firefox, and we think it's because our Palo Alto firewall is set to bypass filtering for IPv6. Unfortunately, the network admin couldn't give me the password since a local consultant set it up, and it seems they went out of business. I need to think outside the box.
Is there some kind of NAT-based IPv6 firewall I can set up on the router that can help block viruses? I figure that's the right place to start since all the traffic gets funneled there. We have a Cisco Catalyst as a router. Or, ideally, is there an easy way to turn off IPv6 completely? I really don't see a need for it; any legitimate service should have an IPv4 address.
I'd really appreciate your advice. I plan to drive out there tomorrow, where I can get the exact model numbers and stuff.
Regards, Dr. Edgar Carver
--
"Everybody is a genius. But if you judge a fish by its ability to climb a tree, it will live its whole life believing that it is stupid." --Albert Einstein

From Larry's Cox account.