Re: IPv6 and DNS
Hi,
Rick Thomas wrote:
> +) It can be nice to be able to bypass the ISP-imposed NAT.  You can SSH 
> directly into your home server without messing around with port 
> mapping.  This has a security downside, of course, but the convenience 
> is nice.
Yes, but that can be a huge negative too.  Any machine that can be 
gotten to directly .... must have a good firewall installed and if any 
service is compromised, then there is a potential inside attack point 
for your network.
 ... or .... is the following ok?
Firewalling, à la IPCop's port forwarding setup.
That is, we have a firewall in IPCop (or similar) and outside access to 
ANY internal machine is still restricted by what is port forwarded?  If 
yes, then I am sure that would be fine.  But if it is no, then I can see 
some potentially huge vulnerabilities opening up for those using IPv6.
Some services belong in a DMZ, but even then you have to be concerned 
with what risk ANY compromised service can bring to other services / 
machines in the DMZ.
Many using 3G USB modems are opening themselves up to abuse if (by 
default) they have their machines directly connected to the Internet.  Any 
machine that is directly accessible via the Internet _must_ have 
suitable security, i.e. a restrictive firewall at least.  I can just 
imagine all the Windows laptops (well, not just Windows, but hey), 
becoming owned just because they are using a 3G USB modem directly on 
their machine without a firewall -- this will be amplified for those on 
ANY network that has open slather via IPv6 addressing.
--
Kind Regards
AndrewM
Andrew McGlashan
Broadband Solutions now including VoIP
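
Added example, not part of the original message: with IPv6 there is no NAT to hide internal hosts, so the counterpart of the port-forwarding restriction asked about above is a default-drop forward policy on the router with explicit per-host openings. The interface names (wan0, lan0) and the server address (taken from the 2001:db8::/32 documentation prefix) are assumptions.

```nftables
# Load with: nft -f /etc/nftables.conf
# Covers traffic routed THROUGH the firewall (forward hook) only;
# traffic addressed to the router itself needs its own input chain.
# wan0 / lan0 and 2001:db8:1::10 are placeholder values.

table ip6 filter {
    chain forward {
        # Anything not explicitly accepted below is dropped, so a
        # globally routable address alone does not make a host reachable.
        type filter hook forward priority 0; policy drop;

        # Replies to connections that internal hosts opened themselves,
        # plus related ICMPv6 errors such as packet-too-big.
        ct state established,related accept
        ct state invalid drop

        # Internal hosts may open connections to the Internet.
        iifname "lan0" oifname "wan0" accept

        # Equivalent of one "port forward": SSH to a single home server.
        # Every other internal host and port stays unreachable from outside.
        iifname "wan0" oifname "lan0" ip6 daddr 2001:db8:1::10 tcp dport 22 ct state new accept

        # Optional: allow inbound ping for troubleshooting.
        iifname "wan0" oifname "lan0" icmpv6 type echo-request accept
    }
}
```

Each additional service exposed to the outside is one more explicit accept rule, which keeps the exposed surface as visible as a port-forward list.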