Firewalls and IPv6
I set up an IIS domain for a student project which was Contoso00.com. All went well and the border-network firewalls held up well, until the day before Easter.
What the border firewall appliances cannot do, is control IPv6. To my knowledge, there are less than 20 hardware firewalls which can mitigate IPv6, so at this point, it's all or nothing at all: either you allow all IPv6 IPs or you allow none of them. ARIN (the American Registry for Internet Numbers - ARIN.net) would have everyone adopt IPv6 and DNS Sec. I'm all in favor of DNS Sec too because it would all but eliminate IP spoofing, DNS poisoning and IP/DNS hijacking (OK, DNS Sec was hacked just the other day by the Anti-sec movement, but someday it will work...). I'll adopt that if you can show me one sub-$1000.00 SOHO router that can support an X.500 certificate and then show me the ISP who will issue the certificate (because the certificate has to be issued by the owner of the IP range).
Anyway, I updated the Agnitum Outpost Security Suite Pro on every workstation, which is not a cheap endeavor, and that update opened the gateway flood to IPv6, where before I had locked out all IPv6. That opened Pandora's box, I think, and the next thing I know, the mouse pointer on the virtual Windows Server 2003 is moving all by itself and I'm watching someone examining my IP block list remotely. (Yes, I did have IP port 3389 blocked on the border network routers!)
I pulled the network cable and moved the domain up to my servers in Chicago and just let the 24x7 team deal with the hackers. So I guess the problem is solved, momentarily, while I rebuild the virtual server but I thought you should be aware, since the Agnitum community is unlikely to publish this on their forum.
Your local clueless MSCE will tell you that all you have to do is disable IPv6 on each network adapter in Windows. Yeah, you do that. Then ping ::1 and see if it responds. Surprise! Now that is just a loopback, akin to 127.x.x.x, so that's not entirely a good test, but that's not the extent of it. If you examine even Windows firewall, you'll still see IPv6 traffic even after you disable it on your network interface.
You can go one step further and use some creative thinking to block all IPv6 on Windows firewall. That actually works pretty well, however, there are two problems with that.
1. Windows firewall is designed to be able to be shut down by third-party software.
2. Windows firewall isn't completely forthcoming in what it's not blocking (solely from my personal observations).
By now, the person you know, who has next to zip for experience on the Web but somehow managed to get a MSCE and CCNA, is shaking their little bald heads and muttering "No. No. No." They're entitled to their opinions. They're NOT entitled to open the flood gates of IPv6 on my network with those opinions, however. I think you'll find a lot of the industry in agreement with me on that one, solely based on the degree of IPv6 adoption.
The problem with IPv6 is that most IPv6 router / firewalls are software based; by that, I don't mean the firewall that protects your home PC, so much as a computer which is configured to act as a router / firewall for the rest of your network. That means that you have to purchase, configure and dedicate a computer to act as a firewall / router and then purchase the firewall / router software and update subscription, in addition to whatever operating system requirements they might have (see Snork.org, for instance). What you've just done is to add the vulnerability of that operating system and that hardware to the mix. You've spent a lot of money doing it. Moreover, if you're going to rely on a computer as your router / firewall, I personally would require a hardware fail-over or cluster, which involves yet a 2nd computer and a 2nd set of software licenses.
There are some router / firewall appliances emerging but I have yet to see one that is sub- $1000.00 with the possible exception of the Cisco 800 series, by virtue of IOS and you'd really have to ask Cisco about that because I can't make heads or tails of the Cisco Web site.
Now, Google the term "firewall overrun". You'll find this kind of attack common, if the firewall you have is even capable of detecting it. I'm finding that a lot of firewall appliances employ slow processors and a firmware-based Unix operating system that can easily be over-run. Hopefully, they block all network traffic while they're on "vacation". Stories of software firewalls, of all stripes, being over-run pop up on the Internet from time to time. That's just referring to a buffer overrun. Most of the successful hacks I've read about involved overrunning a Unix stack or heap (a list of goto's and returns). However, in defense of software firewalls, hardware firewalls are just a processor running a firmware-based operating system, which may still be Unix/Linux (see OpenWrt www.openwrt.org, timesys www.timesys.com). (OK, it could be IOS. Thank you Cisco types.)
Anyway, if there are any AFFORDABLE SOHO IPv6 routers (no I do not consider over $1000 affordable) I'd like to find out about them.
CYa....
John
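The post's core complaint is that unticking IPv6 on an adapter does not tell you what the host is still doing over IPv6 or what the Windows firewall will still admit. The script below is an added example, not John's code, that audits exactly those points from the defender's side. It assumes a current Windows (8 / Server 2012 or later, where the NetAdapter, NetTCPIP and NetSecurity modules exist), not the Server 2003 box in the story, and is run from an elevated PowerShell prompt. The function name Get-IPv6ExposureReport is an invented name for this example. Note that the documented registry switch, DisabledComponents under the Tcpip6 parameters key, leaves ::1 answering by design, which is why a loopback ping is not a useful test and why the script checks bindings, configured addresses, tunnel interfaces and firewall rules instead.

```powershell
# Added example (not from the original post): audit a Windows host's IPv6 exposure.
# Assumes Windows 8 / Server 2012+ with the NetAdapter, NetTCPIP and NetSecurity modules.
function Get-IPv6ExposureReport {
    [CmdletBinding()]
    param(
        # Port to probe at the end; 3389 (RDP) is the one the post mentions.
        [int]$Port = 3389
    )

    Write-Host "== 1. Adapters with the IPv6 protocol still bound =="
    Get-NetAdapterBinding -ComponentID ms_tcpip6 |
        Select-Object Name, Enabled | Format-Table -AutoSize

    Write-Host "== 2. Registry-level IPv6 state (DisabledComponents; absent = everything enabled) =="
    Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters' `
        -Name DisabledComponents -ErrorAction SilentlyContinue |
        Select-Object DisabledComponents

    Write-Host "== 3. IPv6 addresses actually configured (link-local fe80:: ones count) =="
    Get-NetIPAddress -AddressFamily IPv6 -ErrorAction SilentlyContinue |
        Select-Object InterfaceAlias, IPAddress, PrefixOrigin | Format-Table -AutoSize

    Write-Host "== 4. Transition tunnels (6to4 / ISATAP / Teredo) =="
    # These carry IPv6 inside IPv4 packets, so an IPv4-only border filter does not see them as IPv6.
    Get-NetIPInterface -AddressFamily IPv6 -ErrorAction SilentlyContinue |
        Where-Object { $_.InterfaceAlias -match '6to4|isatap|Teredo' } |
        Select-Object InterfaceAlias, ConnectionState | Format-Table -AutoSize

    Write-Host "== 5. Enabled inbound ALLOW rules whose remote scope admits IPv6 =="
    # A rule with RemoteAddress 'Any' matches both address families; so does an explicit v6 scope.
    Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
        ForEach-Object {
            $addr = $_ | Get-NetFirewallAddressFilter
            $port = $_ | Get-NetFirewallPortFilter
            [pscustomobject]@{
                Rule          = $_.DisplayName
                Profile       = $_.Profile
                RemoteAddress = ($addr.RemoteAddress -join ',')
                Protocol      = $port.Protocol
                LocalPort     = ($port.LocalPort -join ',')
            }
        } |
        Where-Object { $_.RemoteAddress -eq 'Any' -or $_.RemoteAddress -match ':' } |
        Format-Table -AutoSize

    Write-Host "== 6. Does the v6 stack accept a connection on TCP $Port at all? =="
    # Loopback only proves the stack answers; repeat from another LAN host to see what the border sees.
    Test-NetConnection -ComputerName '::1' -Port $Port -InformationLevel Quiet
}

Get-IPv6ExposureReport -Port 3389
```

Section 5 is the part that answers "what is the firewall not telling me": the rule list in the GUI shows names, not the address families each rule spans, so a host-wide "allow" rule written years ago for IPv4 silently covers IPv6 too. If a tunnel interface shows Connected in section 4, that host has an IPv6 path regardless of what the adapter checkbox says, and Disable-NetAdapterBinding -ComponentID ms_tcpip6 on the physical adapter alone will not close it.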


I will post this story to SocialDanger account and here I recommend and appreciate your knowledge and effort to write this excellent article. Thanks.