Do you recommend disabling IPv6?

I've read the book Mac Security Bible and it recommends disabling IPv6 for security purposes. Can it cause problems with Mac OSX or NIS  for Mac?

 

Cheers,


Norton Internet Security for Mac fully supports IPv6. All IPv6 traffic is monitored by the firewall, Vulnerability Protection and Application Blocking.  DeepSight Community does not have any IPv6 addresses in its block list, but there is nothing preventing us from doing so.

 

We don't recommend turning off IPv6. The little IPv6 traffic that exists is no more or less likely to be harmful than IPv4 traffic, and all Norton products can monitor IPv6 traffic and protect against IPv6-based threats.

 

Ryan

So, given a list of IPv4 addresses to block, can NIS block the equivalent IPv6 address? I refer to 6to4 or tunnels.

 

The following KB article might help you.

 

http://www.symantec.com/norton/support/kb/web_view.jsp?wv_type=public_web&docurl=20081215105429EN

 

-Vinod

 


pore_vinod wrote:

The following KB article might help you.

 

http://www.symantec.com/norton/support/kb/web_view.jsp?wv_type=public_web&docurl=20081215105429EN

 

-Vinod


 

Thanks pore_vinod, but that's not quite what I had in mind. Like Ryan says, it's hard to find a list of IPv6 bad guys, but there are plenty of lists of IPv4 addresses that one might wish to block. Most (all?) IPv6 addresses can be converted one way or another into public IPv4 addresses (which, if found to be blocked, would then result in the IPv6 address being blocked), and that's the kind of IPv6 support I'm looking for. PG2 claims to have this capability; however, it does not work properly in my experience.

Because of how the kernel extension for the firewall works, it should (repeat: should) receive the encapsulated IPv6 packet twice: before the tunnel and after the tunnel. Therefore, we protect both "packets"; the IPv4 packet containing the IPv6 packet and the encapsulated IPv6 packet.  Therefore, any IPv4 attackers in the DeepSight IP list will be found if they are using IPv4 or IPv6 (although at the moment there are no IPv6 attackers in the list). 

 

I have to tread lightly here because I am not 100% certain we tested this scenario. I will have to ask our QA people what kind of IPv6 testing, especially with respect to tunneling, they did. However, I can say that we did test this with VPNs, and VPNs work very similarly (the packet is seen twice by the firewall, before and after the tunnel).
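What "seeing both packets" means in practice, as an added example that is not part of this thread and not Norton's code: a host firewall that wants to apply an IPv4 blocklist to tunnelled IPv6 has to match the outer IPv4 header of a 6to4/6in4 packet (IP protocol 41) or a Teredo packet (IPv6 inside UDP on port 3544), and additionally recover the IPv4 addresses that 6to4 (2002::/16) and Teredo (2001:0::/32) embed in the IPv6 addresses themselves. The Teredo case matters because the outer IPv4 source is usually a relay, not the client. All packets and the blocklist below are constructed by hand from documentation address ranges; the blocklist is a stand-in, not DeepSight.

```python
"""Applying an IPv4 blocklist to IPv6 that rides inside IPv4 (added example)."""
import ipaddress
import struct

IPPROTO_IPV6 = 41          # IPv6-in-IPv4 encapsulation (6to4, 6in4)
IPPROTO_UDP = 17
TEREDO_PORT = 3544
SIXTOFOUR = ipaddress.ip_network("2002::/16")
TEREDO = ipaddress.ip_network("2001::/32")


def parse_ipv4(buf):
    """Split a raw IPv4 packet into (protocol, src, dst, payload)."""
    ihl = (buf[0] & 0x0F) * 4
    return (buf[9],
            ipaddress.IPv4Address(buf[12:16]),
            ipaddress.IPv4Address(buf[16:20]),
            buf[ihl:])


def parse_ipv6(buf):
    """Return (src, dst) of an IPv6 header, or None if this is not one."""
    if len(buf) < 40 or buf[0] >> 4 != 6:
        return None
    return ipaddress.IPv6Address(buf[8:24]), ipaddress.IPv6Address(buf[24:40])


def embedded_ipv4(addr):
    """IPv4 addresses baked into a tunnel-derived IPv6 address.

    6to4:   2002:AABB:CCDD::/48 -> AA.BB.CC.DD is the 6to4 router.
    Teredo: 2001:0:SSSS:SSSS:FFFF:PPPP:CCCC:CCCC -> S = server IPv4,
            C = client IPv4 XOR 0xFFFFFFFF, P = client UDP port XOR 0xFFFF.
    Returns a (possibly empty) list of IPv4Address.
    """
    addr = ipaddress.IPv6Address(addr)
    packed = addr.packed
    if addr in SIXTOFOUR:
        return [ipaddress.IPv4Address(packed[2:6])]
    if addr in TEREDO:
        server = ipaddress.IPv4Address(packed[4:8])
        client = ipaddress.IPv4Address(bytes(b ^ 0xFF for b in packed[12:16]))
        return [server, client]
    return []


def ipv4_addresses_seen(packet):
    """Every IPv4 address a firewall can attribute a raw IPv4 packet to:
    the outer header plus anything recovered from a tunnelled IPv6 payload.
    Returns (set of IPv4Address, inner (src, dst) or None)."""
    proto, src, dst, payload = parse_ipv4(packet)
    seen = {src, dst}
    inner = None
    if proto == IPPROTO_IPV6:
        inner = parse_ipv6(payload)              # IPv6 header follows directly
    elif proto == IPPROTO_UDP and len(payload) >= 8:
        sport, dport = struct.unpack("!HH", payload[:4])
        if TEREDO_PORT in (sport, dport):
            v6 = payload[8:]
            # Teredo may prepend an 8-byte origin indication (starts 0x0000 0x0000)
            # before the IPv6 packet; a real IPv6 header never starts with 0x00.
            if v6[:4] == b"\x00\x00\x00\x00":
                v6 = v6[8:]
            inner = parse_ipv6(v6)
    if inner:
        for a in inner:
            seen.update(embedded_ipv4(a))
    return seen, inner


def blocked(packet, blocklist):
    """True if any address attributable to the packet falls in the IPv4 blocklist."""
    seen, _ = ipv4_addresses_seen(packet)
    return any(a in net for a in seen for net in blocklist)


# --- constructed samples (documentation ranges, not captures) -------------
BLOCKLIST = [ipaddress.ip_network("198.51.100.0/24")]   # stand-in for a downloaded list


def ipv4_header(proto, src, dst, payload_len):
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)


def ipv6_header(src, dst):
    # version 6, empty payload, next header 59 (none), hop limit 64
    return struct.pack("!IHBB16s16s", 0x60000000, 0, 59, 64,
                       ipaddress.IPv6Address(src).packed, ipaddress.IPv6Address(dst).packed)


def sample_6to4():
    # listed host 198.51.100.7 acting as a 6to4 router: prefix 2002:c633:6407::/48
    inner = ipv6_header("2002:c633:6407::1", "2002:c000:201::1")
    return ipv4_header(IPPROTO_IPV6, "198.51.100.7", "192.0.2.1", len(inner)) + inner


def sample_teredo():
    # outer source is a Teredo relay (not listed); the client behind it,
    # 198.51.100.200, only shows up once the Teredo address is decoded
    inner = ipv6_header("2001:0:c000:22d:0:63bf:39cc:9b37", "2001:db8::1")
    udp = struct.pack("!HHHH", TEREDO_PORT, 40000, 8 + len(inner), 0) + inner
    return ipv4_header(IPPROTO_UDP, "203.0.113.9", "192.0.2.99", len(udp)) + udp


def sample_plain():
    # ordinary IPv4/TCP between two unlisted hosts
    return ipv4_header(6, "203.0.113.9", "192.0.2.1", 0)
```

A filter that only inspects the outer header passes `sample_teredo()`, because the relay address is not on the list; only decoding the inner Teredo address exposes the listed client. The Teredo authentication header (which starts 0x0000 0x0001) is not handled here.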

 


ryan_mcgann wrote:

Because of how the kernel extension for the firewall works, it should (repeat: should) receive the encapsulated IPv6 packet twice: before the tunnel and after the tunnel. Therefore, we protect both "packets"; the IPv4 packet containing the IPv6 packet and the encapsulated IPv6 packet.  Therefore, any IPv4 attackers in the DeepSight IP list will be found if they are using IPv4 or IPv6 (although at the moment there are no IPv6 attackers in the list). 

 

I have to tread lightly here because I am not 100% certain we tested this scenario. I will have to ask our QA people what kind of IPv6 testing, especially wrt. to tunneling, they did. However, I can say that we did test this with VPNs, and VPNs work very similarly (the packet is seen twice by the firewall, before and after the tunnel). 


Many thanks for your reply, Ryan. I await your information regarding testing and reliability. Can the user add as many blocklists (IPv4 or IPv6) as he/she wishes to the Norton Firewall? Is there any support for auto update of lists other than DeepSight? Does Norton Firewall support port specific blocking--that is, allow, say, port 80/443 only for a given list, but block a user-defined range of local ports? Is Norton Firewall available as a standalone product?

 

 

Sorry about all the questions, but it seems to me that a firewall that could do all of the above efficiently would be in great demand. :)

Can the user add as many blocklists (IPv4 or IPv6) as he/she wishes to the Norton Firewall?

Is there any support for auto update of lists other than DeepSight?

Not really. Legally we cannot download other people's content, as we don't own it nor do we pay for the bandwidth to do so. In fact most blocklists out there specifically prohibit consumer users from using any commercial application to download the list. However it would be trivial to write something that uses launchd to launch a script once a day, download your favorite blocklist, and insert it into Norton Firewall using the command line interface.

Keep in mind performance will begin to be a problem after a while. IPv6 addresses are not cheap; you can easily create a block list that eats up all your kernel memory. 

 

Does Norton Firewall support port specific blocking--that is, allow, say, port 80/443 only for a given list, but block a user-defined range of local ports?

Yes. You can allow a specific IP address to access any port, a range of ports, only a specific port, a single application on your Mac or any application on your Mac.

 

Is Norton Firewall available as a standalone product?

Not for consumers. However since Norton Internet Security is only $20 more than Norton AntiVirus, there's not much point in doing so. 
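The daily launchd job Ryan sketches, as an added example that is not part of this thread and not Norton's code. Assumptions: the list is in the PeerGuardian "p2p" text format (`name:a.b.c.d-e.f.g.h`) that PG2 uses; overlapping ranges are merged into the fewest CIDR blocks before they become rules, since every rule costs kernel memory; the LaunchAgent re-runs the script daily. Feeding the resulting CIDR file into the firewall's command-line interface is the one step left out, because that command is not documented in this thread. The sample list is constructed from documentation ranges.

```python
"""Scheduled ingestion of a third-party IPv4 blocklist (added example)."""
import ipaddress
import plistlib
import re
import urllib.request

# p2p format: free-text name, a colon, then "lo-hi"; name may itself contain colons
P2P_LINE = re.compile(r"^(?P<name>.*):(?P<lo>[\d.]+)-(?P<hi>[\d.]+)$")


def parse_p2p(text):
    """Yield (lo, hi) IPv4Address pairs; skip comments, junk and reversed ranges."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = P2P_LINE.match(line)
        if not m:
            continue
        try:
            lo, hi = ipaddress.IPv4Address(m["lo"]), ipaddress.IPv4Address(m["hi"])
        except ipaddress.AddressValueError:
            continue
        if lo <= hi:
            yield lo, hi


def to_cidrs(ranges):
    """Minimal list of non-overlapping IPv4 networks covering the ranges.
    Overlaps and adjacent blocks are merged, so duplicated list entries
    do not turn into duplicated firewall rules."""
    nets = []
    for lo, hi in ranges:
        nets.extend(ipaddress.summarize_address_range(lo, hi))
    return list(ipaddress.collapse_addresses(nets))


def convert(text):
    """p2p text -> list of CIDR strings, one per firewall rule."""
    return [str(n) for n in to_cidrs(parse_p2p(text))]


def fetch_and_convert(url, out_path):
    """The daily job: download a list and write one CIDR per line.
    Returns the number of rules written. (Network access; not run by tests.)"""
    with urllib.request.urlopen(url, timeout=30) as resp:
        text = resp.read().decode("utf-8", "replace")
    cidrs = convert(text)
    with open(out_path, "w") as f:
        f.write("\n".join(cidrs) + "\n")
    return len(cidrs)


def launchd_plist(label, script_path, hour=3):
    """LaunchAgent (XML plist bytes) that runs script_path daily at hour:00.
    Save as ~/Library/LaunchAgents/<label>.plist and load it with launchctl."""
    return plistlib.dumps({
        "Label": label,
        "ProgramArguments": ["/usr/bin/env", "python3", script_path],
        "StartCalendarInterval": {"Hour": hour, "Minute": 0},
        "StandardErrorPath": "/tmp/%s.err" % label,
    })


# constructed sample list (documentation ranges only, not a real blocklist)
SAMPLE = """\
# constructed sample
Bad Corp:198.51.100.0-198.51.100.127
Bad Corp again:198.51.100.64-198.51.100.255
Scanner:203.0.113.5-203.0.113.5
this line is junk
Reversed:192.0.2.20-192.0.2.10
"""

if __name__ == "__main__":
    print(convert(SAMPLE))   # ['198.51.100.0/24', '203.0.113.5/32']
```

Two overlapping half-/24 entries collapse into one /24 rule, the junk line and the reversed range are dropped, and a single-address range becomes a /32. Whatever command the firewall's CLI uses for inserting rules, feed it the lines of the output file from the script that the LaunchAgent runs.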

Many thanks, Ryan, for the detailed reply. As you may have guessed, I am mainly interested in the ability of NIS Firewall to pick out the IPv4 address from udp6 packets, cross-reference that to a IPv4 blocklist, and consequently block the udp6 packet if the encapsulated IPv4 address is found to be on that blocklist.

 

If you can get further info on whether this has been tested, I would be highly interested.

 

Thanks,

x190av

 

P.S.

 

"Is Norton Firewall available as a standalone product?

Not for consumers. However since Norton Internet Security is only $20 more than Norton AntiVirus, there's not much point in doing so."

 

Can the Firewall be installed separately, without installing NAV?

No, NAV is installed as part of NIS. You can disable the automatic scanning features of NAV after installation, if you prefer.

You can also uninstall just NAV after you have installed NIS. This is the only way to perform a custom installation.