RE: IPV6 and security? (UNCLASSIFIED)
by Beavers, Randall D. CTR (US)
Classification: UNCLASSIFIED
Caveats: NONE
If I get a penny for my thoughts, then I put in my two cents...where
does that other penny go?
On Tue, Mar 25, 2014 at 3:22 PM, Steve Grubb <sgrubb(a)redhat.com> wrote:
The view taken in hardening systems is if you don't need something,
turn it off so that you don't have inadvertent security problems.
Paraphrasing the RHEL5 SNAC guide, it says if you need IPv6, here are
the hardening steps. If you do not, then turn it off. That is the
prudent thing to do in all cases.
An additional thought that we've done on past programs is:
Maybe not only "turn off" IPv6, but I've gone through the effort of
following the STIGs to set all of the security configurations, AND turn
it off. Why, you ask? Because if IPv6 is "turned on" by malicious or
inadvertent activity later, then it is already STIG-compliant, thereby
providing some level of security. If one simply turns it off, it still
"may" leave the system somewhat vulnerable IMHO.
v/r,
Randy Beavers, GSLC, CISSP
System Security Engineer
Multi-Mission Launcher
256-842-5426 office
256-289-6054 cell
randall.d.beavers.ctr(a)mail.mil
randall.d.beavers.ctr(a)mail.smil.mil
-----Original Message-----
From: scap-security-guide-bounces(a)lists.fedorahosted.org
[mailto:scap-security-guide-bounces@lists.fedorahosted.org] On Behalf Of
Andrew Gilmore
Sent: Tuesday, March 25, 2014 4:33 PM
To: SCAP Security Guide
Subject: Re: IPV6 and security?
Thanks for the info!
On Tue, Mar 25, 2014 at 3:22 PM, Steve Grubb <sgrubb(a)redhat.com> wrote:
The view taken in hardening systems is if you don't need something,
turn it off so that you don't have inadvertent security problems.
Paraphrasing the RHEL5 SNAC guide, it says if you need IPv6, here are
the hardening steps. If you do not, then turn it off. That is the
prudent thing to do in all cases.
Definitely, and for the last 12 years, all I've heard is we don't need
IPV6, turn it off.
Put another way, it's not that IPv6 is insecure...it's very well
tested. It's that if you don't need it or use it and a security
bulletin comes along for it, it's easy to dismiss because you didn't
intend to use it.
This was part of my real question, I guess. Much of what I had heard
about IPV6 focused on the relative maturity of the stack, compared to
IPV4, and suggested that some of the same types of critical
vulnerabilities that we saw in the 90s may be lurking in this stack.
It's good to hear your confidence in the tech.
I'd put this back on the OP. Who said it _is_ insecure?
I implied that there were concerns, but that was an uninformed position.
This may have been fostered in other benchmarks I've been involved in,
but I'd have to go re-read them to make sure I wasn't reading it in.
Thanks!
Andrew
Classification: UNCLASSIFIED
Caveats: NONE
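
The posture discussed in this thread (apply the IPv6 hardening settings and also turn IPv6 off) can be checked mechanically. The following is an added example, not part of the original messages or of the SCAP Security Guide; the sysctl parameter list and expected values are assumptions chosen for illustration, not quoted from a STIG or the SNAC guide, and the sample input is constructed.

```python
# Added example: audit both "IPv6 is off" and "IPv6 is hardened" from
# sysctl-style text. Parameter names are real Linux sysctls; which ones to
# require, and their values, are assumptions here (not copied from a STIG).
SCOPES = ("all", "default")
DISABLE = {f"net.ipv6.conf.{s}.disable_ipv6": "1" for s in SCOPES}
HARDENING = {
    f"net.ipv6.conf.{s}.{name}": "0"
    for s in SCOPES
    for name in ("accept_ra", "accept_redirects", "accept_source_route")
}

def parse_sysctl(text):
    """Parse 'key = value' lines (sysctl.conf or `sysctl -a` output)."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip()] = value.strip()  # last assignment wins
    return settings

def audit(text):
    """Return (verdict, keys not explicitly set to the expected value)."""
    s = parse_sysctl(text)
    not_disabled = sorted(k for k, v in DISABLE.items() if s.get(k) != v)
    not_hardened = sorted(k for k, v in HARDENING.items() if s.get(k) != v)
    if not not_disabled and not not_hardened:
        verdict = "disabled-and-hardened"
    elif not not_disabled:
        # The gap raised in the thread: off today, unprotected if re-enabled.
        verdict = "disabled-but-unhardened"
    elif not not_hardened:
        verdict = "enabled-and-hardened"
    else:
        verdict = "enabled-and-unhardened"
    return verdict, not_disabled + not_hardened

# Constructed sample (not from a real host): IPv6 off, nothing hardened.
SAMPLE_OFF_ONLY = """
# constructed sample
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.all.accept_ra = 1
"""

if __name__ == "__main__":
    verdict, findings = audit(SAMPLE_OFF_ONLY)
    print(verdict)
    for key in findings:
        print("  not at expected value:", key)
```

A key that is absent from the input is reported as not set, so the same check works on a configuration file where defaults are left implicit.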