On 2010-08-31 19:02, Jack Bates wrote:
> Jeroen Massar wrote:
>> just remember that a lot of people have VPN software, connect from home to that VPN and do other weird setups (Skype for instance, BitTorrent) where there are possibilities to bypass your "firewall".
>
> I agree. My concern here is that we are dealing with improper firewalls.

Then fix your firewall, next to those administrators. You seem to love managing things centrally, but you forget that if you do things the MS way (Active Directory / Domains), Teredo & 6to4 are automatically turned off unless you turn the policy switch on. MS thus takes care of this.

> We are dealing with ignorance, and we have M$ enabling Teredo by default (though not active until they install the appropriate app).
>
> Creating what is essentially a public VPN through a firewall without the user being aware of it is insecure. For all the wonderful popups that Vista+ gives, it amazes me that Teredo isn't one of them.

No, Teredo & 6to4 (and ISATAP) are enabled by default on Vista/Win7 and also on XP if you install IPv6. If the host has native IPv6 it will use that; if it is in non-RFC1918 space it will try 6to4; if it is in RFC1918 space it will try Teredo. This is great for getting IPv6 connectivity going. It is 'bad' for a corporate network.

You can work around it in two ways: enable native IPv6, or use Active Directory, and voila, the moment a host is in the domain it does not do this automatically. If you do not administer the hosts then you don't have anything that you can do anyway, as there will be software on those hosts which you will not like and which will easily pierce through your puny firewall. DNS tunnels nearly always work, for that matter.

As there are no listening ports being opened and only outbound traffic is permitted, just the same as the IPv4 adapter, how is this 'dangerous'? (Unless the IPv6 stack is breakable.)

> 6to4 doesn't suffer the same issues. Primarily because RFC1918 addressing can't be used in 6to4. This means that at a minimum, the router has to participate or the host behind it must be manually configured with a 6to4 address (for the proto 41 pass-through to work). Neither is an automatic traversal of the router's policies without user knowledge.

If you have one person setting up ICS on their machine and they have enabled IPv6, voila, the whole network gets IPv6. That thus does not solve your problem either. Or are you monitoring IPv6 RAs etc.? I think you have to move to better analyzing & monitoring your network and more control over the hosts which participate in that network.

Greets,
 Jeroen
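The message above makes two technical points that are easier to act on in code: the order in which a default Vista/Win7 host picks a transition mechanism (native, else 6to4 from a public IPv4 address, else Teredo from RFC1918 space), and the suggestion to actually monitor the network for transition traffic rather than trust the firewall. The following Python is an added example, not text or code from either poster. It implements that selection order, derives the 6to4 prefix a public host would use, and decodes Teredo (and recognizes ISATAP) addresses so they can be flagged in flow or log data. Address layouts are taken from RFC 3056 (6to4), RFC 4380 (Teredo) and RFC 5214 (ISATAP); the sample flow lines are constructed for the example and are not real traffic.

```python
"""Added example (not from the original NANOG thread): spot and decode the
IPv6 transition addresses discussed above so they show up in monitoring.

Layouts follow RFC 3056 (6to4), RFC 4380 (Teredo) and RFC 5214 (ISATAP).
The selection order in pick_transition() is the one stated in the post.
All sample addresses below are constructed for this example."""
import ipaddress

TEREDO_NET = ipaddress.IPv6Network("2001:0::/32")
SIXTO4_NET = ipaddress.IPv6Network("2002::/16")
# Deliberately RFC1918 only: IPv4Address.is_private also covers TEST-NETs etc.
RFC1918 = [ipaddress.IPv4Network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(v4: str) -> bool:
    a = ipaddress.IPv4Address(v4)
    return any(a in n for n in RFC1918)


def pick_transition(host_v4: str, has_native_v6: bool = False) -> str:
    """Mechanism a default Vista/Win7 host would try, per the post:
    native IPv6 if present, else 6to4 from public IPv4, else Teredo."""
    if has_native_v6:
        return "native"
    return "teredo" if is_rfc1918(host_v4) else "6to4"


def sixto4_prefix(public_v4: str) -> ipaddress.IPv6Network:
    """2002:WWXX:YYZZ::/48 derived from the host's public IPv4 (RFC 3056)."""
    if is_rfc1918(public_v4):
        raise ValueError("6to4 needs a public IPv4 address")
    n = int(ipaddress.IPv4Address(public_v4))
    return ipaddress.IPv6Network(f"2002:{n >> 16:x}:{n & 0xFFFF:x}::/48")


def decode_teredo(addr: str) -> dict:
    """Extract server, NAT type and the client's public IPv4:port from a
    Teredo address (RFC 4380 section 4). Port and client IPv4 are stored
    XOR-ed with all ones to survive NATs that rewrite embedded addresses."""
    a = ipaddress.IPv6Address(addr)
    if a not in TEREDO_NET:
        raise ValueError(f"{addr} is not a Teredo address")
    n = int(a)
    flags = (n >> 48) & 0xFFFF
    return {
        "server": str(ipaddress.IPv4Address((n >> 64) & 0xFFFFFFFF)),
        "cone_nat": bool(flags & 0x8000),
        "client_port": ((n >> 32) & 0xFFFF) ^ 0xFFFF,
        "client_v4": str(ipaddress.IPv4Address((n & 0xFFFFFFFF) ^ 0xFFFFFFFF)),
    }


def classify_v6(addr: str) -> str:
    """Tag an IPv6 address seen in flow data with its transition mechanism."""
    a = ipaddress.IPv6Address(addr)
    if a in TEREDO_NET:
        return "teredo"
    if a in SIXTO4_NET:
        return "6to4"
    iid_hi = (int(a) >> 32) & 0xFFFFFFFF        # upper 32 bits of interface ID
    if iid_hi & ~0x02000000 == 0x00005EFE:      # ::[02]00:5efe:w.x.y.z (RFC 5214)
        return "isatap"
    return "native"


def summarize(lines):
    """Count mechanisms over 'src dst' log lines; collect Teredo clients'
    real public IPv4 addresses, which a firewall log of UDP/3544 won't show."""
    counts, teredo_clients = {}, []
    for line in lines:
        for field in line.split():
            kind = classify_v6(field)
            counts[kind] = counts.get(kind, 0) + 1
            if kind == "teredo":
                teredo_clients.append(decode_teredo(field)["client_v4"])
    return counts, teredo_clients


# Constructed sample flow lines (src dst), not captured traffic.
SAMPLE_FLOWS = [
    "2001:0:4136:e378:8000:63bf:3fff:fdd2 2001:db8::1",   # Teredo client
    "2002:c000:201::1 2001:db8::1",                        # 6to4 host
    "2001:db8::5efe:c000:202 2001:db8::1",                 # ISATAP host
]

if __name__ == "__main__":
    print(pick_transition("10.1.2.3"), pick_transition("203.0.113.7"))
    print(sixto4_prefix("192.0.2.1"))
    print(decode_teredo("2001:0:4136:e378:8000:63bf:3fff:fdd2"))
    print(summarize(SAMPLE_FLOWS))
```

Run over real flow exports, the Teredo decoder tells you which public IPv4 address and UDP port the internal host is actually reachable on through the NAT, which is the "public VPN" behaviour the thread is arguing about. On a single Windows host the state Jeroen describes can be inspected or forced with `netsh interface teredo show state`, `netsh interface ipv6 6to4 show state` and `netsh interface ipv6 isatap show state` (and the matching `set state disabled`), independent of the domain policy switch he mentions.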