On 7/5/16, Naslund, Steve <SNaslund@medline.com> wrote:
Hard to know where to begin with this one, but let me take a shot at it.
1. My top priority would be to get into that Palo Alto firewall. Get Palo Alto on the phone and figure out password recovery with them. Since you don’t have the password it is possible that firewall is compromised. Do not be surprised if you have to jump through some hoops with Palo Alto to prove that you own it and what has happened. Remember their job is to keep people out of your network. They are probably also going to want you to be current on support. If you have to pay to get current on support, do it. You need that help right now badly.
You could ask Palo Alto how to block the v6 while you are at it or even better set up rules that mirror your v4 protection. I cannot stress enough how big a security issue it is to not have access to your firewall and not know who does.
2. There are lots of ways to shut off ipv6 but my suggestion would be to just secure the Palo Alto firewall,
Right. But how long is it going to take to secure the Palo Alto firewall? If the central Cisco Catalyst really is an IPv6 router, doing a

  conf t
  ipv6 access-list denyIPv6
   deny ipv6 any any
  interface [whatever connects to the ISP]
   ipv6 traffic-filter denyIPv6 in
   ipv6 traffic-filter denyIPv6 out
  end

would be a quick fix for the firewall not doing any ipv6 filtering. It could also break ipv6 enabled web sites or even internal connectivity, so it'd be better to get someone on the phone w/ Cisco tech support and have Cisco figure out the best way to block IPv6 for you.
... to say that any legitimate service should have an ipv4 address is not quite true now and will definitely not be true in the near future.
True. But they're in "stop the bleeding" mode and disabling ipv6 is just a temp work-around until the firewall is fixed.

Regards,
Lee
3. Just about any kind of firewall or router CPE device can block or firewall ipv4 and ipv6 as long as its firmware is fairly recent. However, you would most likely have to replace the Palo Alto with it. You DO NOT WANT THEM BOTH INLINE! Most likely they are both configured to do ipv4 NAT out of the box and that will not work correctly to have them both inline together. While it is possible to set up that sort of thing to work correctly, it’s a bad idea and pretty advanced configuration for a temporary network admin. The interaction of one firewall fronting another can be very difficult to troubleshoot without a deep understanding of what is going on. Referring back to item 1, you are probably going to need to get the configuration of the current firewall if you seek to replace it (there will be rules in the Palo Alto that you would want to replicate if you are going to replace it).
4. Cisco Catalyst as the router.....there could be a lot of things going on in there. The Catalyst is primarily a switch with routing functionality. It can definitely block ipv6 if configured to do so but we would need to know a lot more about its current configuration to give you the best way to do that. It could just be a service provider's switch on your premise in which case you can't do much with it. Again, much easier to accomplish Item 1 with Palo Alto and let your firewall do what it is supposed to do.
Steven Naslund
Chicago IL
-----Original Message-----
From: NANOG [mailto:nanog-bounces@nanog.org] On Behalf Of Edgar Carver
Sent: Friday, July 01, 2016 9:29 PM
To: nanog@nanog.org
Subject: NAT firewall for IPv6?
Hello NANOG community. I was directed here by our network administrator since she is on vacation. Luckily, I minored in Computer Science so I have some familiarity.
We have a small satellite campus of around 170 devices that share one external IPv4 and IPv6 address via NAT for internet traffic. Internal traffic is over an MPLS.
We're having problems where viruses are getting through Firefox, and we think it's because our Palo Alto firewall is set to bypass filtering for IPv6. Unfortunately, the network admin couldn't give me the password since a local consultant set it up, and it seems they went out of business. I need to think outside the box.
Is there some kind of NAT-based IPv6 firewall I can set up on the router that can help block viruses? I figure that's the right place to start since all the traffic gets funneled there. We have a Cisco Catalyst as a router. Or, ideally, is there an easy way to turn off IPv6 completely? I really don't see a need for it, any legitimate service should have an IPv4 address.
I'd really appreciate your advice. I plan to drive out there tomorrow, where I can get the exact model numbers and stuff.
Regards,
Dr. Edgar Carver
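The thread's fix is an IPv6 ACL applied as a traffic-filter in both directions on the ISP-facing interface of the Catalyst. Before trusting that, a temporary admin wants to verify the running-config actually does it. The following is an added example, not code from anyone in this thread: it parses a constructed IOS-style config and reports every IPv6-enabled interface that is missing a defined traffic-filter in either direction (including the case where the ACL is referenced but never defined). Interface names, addresses and the config layout are assumptions.

```python
"""Audit a Cisco IOS-style running-config for IPv6 interfaces without a traffic-filter."""
import re

# Constructed sample config (not from the thread): the uplink has IPv6 enabled but
# only an inbound filter, Vlan10 has IPv6 with no filter at all, Vlan20 is IPv4-only.
SAMPLE_CONFIG = """\
ipv6 unicast-routing
!
ipv6 access-list denyIPv6
 deny ipv6 any any
!
interface GigabitEthernet0/1
 description uplink to ISP
 ipv6 address 2001:db8:1::2/64
 ipv6 traffic-filter denyIPv6 in
!
interface Vlan10
 ipv6 address 2001:db8:10::1/64
!
interface Vlan20
 ip address 192.0.2.1 255.255.255.0
!
"""

def parse_interfaces(config):
    """Return {interface: {"v6": bool, "in": acl_or_None, "out": acl_or_None}}."""
    result, current = {}, None
    for line in config.splitlines():
        m = re.match(r"^interface (\S+)", line)
        if m:
            current = m.group(1)
            result[current] = {"v6": False, "in": None, "out": None}
            continue
        if current is None or not line.startswith(" "):
            current = None  # an unindented line ends the interface stanza
            continue
        stripped = line.strip()
        if stripped.startswith(("ipv6 address", "ipv6 enable")):
            result[current]["v6"] = True
        m = re.match(r"ipv6 traffic-filter (\S+) (in|out)$", stripped)
        if m:
            result[current][m.group(2)] = m.group(1)
    return result

def defined_acls(config):
    """Names of IPv6 access-lists actually defined in the config."""
    return set(re.findall(r"^ipv6 access-list (\S+)", config, re.M))

def unfiltered_v6(config):
    """(interface, direction) pairs where IPv6 is on but no defined ACL is applied."""
    acls = defined_acls(config)
    return [(name, d) for name, info in parse_interfaces(config).items()
            if info["v6"] for d in ("in", "out") if info[d] not in acls]

if __name__ == "__main__":
    for name, direction in unfiltered_v6(SAMPLE_CONFIG):
        print(f"{name}: no IPv6 traffic-filter applied {direction}")
```

Run it against the output of `show running-config` saved to a file; an empty result means every IPv6-enabled interface is filtered both ways by an ACL that exists.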