
Deal With IPv6 Firewall Protection

The firewall of your computer constitutes an integral and indispensable part of its security system. It acts as a barrier between a secure network and an external network. Hence, it prevents external malware and other threats from penetrating the security cover of your system. A firewall can be a software system as well as a hardware device.

The design and security features of firewalls have undergone radical changes. IT companies today are undertaking exhaustive research activities in order to design systems which are capable of warding off even the most potent of malware.

About IPv6

Internet Protocol v6 is the latest version of IP, which serves the function of providing a unique identification number to systems connected across the Internet. IPv6 is the improved and advanced version of its predecessor, IPv4. Its use is still not widespread, as only 4% of users log in using this system.


IPv6 was invented by the Engineering Task Force in 1995. The system is equipped with the latest features that enable it to handle high user traffic. Some of these features are:

  • The IPv6 uses a 128-bit processor address which enhances the total number of possible addresses.
  • The addresses are expressed as 8-bit values separated by periods.
  • The IPv6 systems don't need a DHCP server in order to function effectively.
  • IPv6 systems can have a link-local, site-local or a multicast address. 

The standard size of a subnet is the square of the size of the IPv4 address space. This results in lower space utilization as compared to IPv4. However, the system is more efficient than IPv4 in network management.

Security Suggestions on the IPv6 firewall:

The header chain structure of IPv6 allows more flexibility than IPv4. This is because there is no limit on the number of options that a packet might include.

Any system that needs to obtain upper-layer information, such as TCP port numbers, must process the entire IPv6 header chain. The existing protocol requirements allow an arbitrary number of extension headers, including numerous instances of the same extension header type. This has various implications for firewalls, such as:

1. A firewall needs to analyze multiple extension headers to do deep packet inspection. This will result in reduced WAN performance, firewall avoidance, and DoS.

2. The combination of extension headers and fragmentation might evade deep packet inspection.

As the current protocol requirements allow any number of extension headers, including numerous instances of the same extension header type, a firewall must be ready to gracefully handle packets that contain an extraordinarily large number of IPv6 extension headers.

All this can be exploited by attackers, who can intentionally include extension headers in their packets so that the firewall uses more resources while processing the header chain.

Ultimately, this will result in low firewall performance or a DoS of the firewall itself. Moreover, some poorly implemented firewalls might fail to process the complete IPv6 header chain when they try to enforce a filtering policy. This will allow attackers to use extension headers to evade the corresponding firewall.

IPv6 fragmentation can be leveraged for various malicious purposes, similarly to its counterpart in IPv4.

For instance, to evade a firewall's filtering policy, an attacker might send overlapping fragments to create confusion about how the destination host will reassemble them. IPv6 further intensifies this problem.

This is because the combination of various IPv6 extension headers and fragmentation may result in fragments which, despite having a standard packet size, lack the information required for implementing filtering policies, such as TCP port numbers.

This happens when the first fragment of a packet contains a large number of IPv6 options, so many that the upper-layer protocol header falls into one of the other fragments.
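The checks described in this section, written as a firewall-side header chain walker (an added example, not code from the original post). The function and helper names, the limit of 8 extension headers and the sample packets are assumptions made for illustration.

```python
import struct

# Headers sized as (Hdr Ext Len + 1) * 8 bytes: hop-by-hop, routing, dest. options.
VARIABLE_EXT = {0, 43, 60}
FRAGMENT, TCP = 44, 6
MAX_EXT_HEADERS = 8  # assumed policy limit, not a protocol constant

def inspect(packet, max_ext=MAX_EXT_HEADERS):
    """Walk the IPv6 header chain and return (verdict, detail)."""
    if len(packet) < 40 or packet[0] >> 4 != 6:
        return ("drop", "not an IPv6 packet")
    next_hdr, offset, seen = packet[6], 40, 0
    while next_hdr in VARIABLE_EXT or next_hdr == FRAGMENT:
        seen += 1
        if seen > max_ext:  # bound the work an attacker can force
            return ("drop", "too many extension headers")
        if offset + 8 > len(packet):
            return ("drop", "header chain runs past end of packet")
        if next_hdr == FRAGMENT:
            # Fixed 8-byte header; fragment offset is the top 13 bits of bytes 2-3.
            if struct.unpack_from("!H", packet, offset + 2)[0] >> 3:
                return ("defer", "non-first fragment, needs reassembly state")
            hdr_len = 8
        else:
            hdr_len = (packet[offset + 1] + 1) * 8
        next_hdr, offset = packet[offset], offset + hdr_len
    if next_hdr != TCP:
        return ("other", next_hdr)
    if offset + 4 > len(packet):
        # Upper-layer header pushed out of this packet or first fragment.
        return ("drop", "TCP ports not present")
    return ("tcp", struct.unpack_from("!HH", packet, offset)[1])

# --- constructed sample packets (zeroed addresses, no checksums) ---
def ipv6(next_hdr, payload):
    return struct.pack("!IHBB", 6 << 28, len(payload), next_hdr, 64) + bytes(32) + payload

def dest_opts(next_hdr):
    return bytes([next_hdr, 0, 1, 4, 0, 0, 0, 0])  # 8 bytes, one PadN option

def frag(next_hdr, frag_offset, more):
    return struct.pack("!BBHI", next_hdr, 0, (frag_offset << 3) | more, 0x1234)

TCP_HDR = struct.pack("!HH", 51000, 443) + bytes(16)

if __name__ == "__main__":
    print(inspect(ipv6(60, dest_opts(6) + TCP_HDR)))
    print(inspect(ipv6(60, dest_opts(60) * 20 + dest_opts(6) + TCP_HDR)))
    print(inspect(ipv6(44, frag(60, 0, 1) + dest_opts(6))))
```

The third sample is the case from the last paragraph: a first fragment whose options leave no room for the TCP header, which the walker drops instead of letting it through unfiltered.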

Setting up the IPv6 firewall protection

It is worth mentioning here that IPv6 is only provided with the Advanced Networking Pack for Windows XP. To set up the IPv6 Internet Connection Firewall (ICF), use the commands below:

Show – Use this command to view the IPv6 ICF configuration.

Show global port – Global ports are configured on all network adapters. By using this command you can view these ports.

Show adapter – Use this command to view the list of all adapters configured with IPv6. Adding the adapter name lets you view all the ports that are open. The different types of ports in this category are effective port, open port and ignored global port.

Show logging – Helps you find out which logging options are enabled, the location of the log file and other logging configuration details.

Set global port – Lets you configure ports on adapters. You can use this command to open a specific port on network adapters if you have a computer that acts as a web server. Parameters such as port#, name and protocol help you in this regard.

Set adapter – Parameters such as icmp, type#, port#, name, etc. help you enable or disable IPv6 filtering.

Set logging – Helps you specify the location where the log file is written.

By following the above steps you can configure the IPv6 firewall successfully and without encountering any hassles.
