Re: [FW-1] CP FW-1 and ... IPv6?
Dear Raymond,

About the IPv6: it is very cool stuff :) To use it w/ CHKP, you have to get an extra license from CHKP.

The specified link: this problem is a well-known problem. Netfilter6 already filters these covert channels. (This advisory came out with an mp3 streaming announcement.) There are 3 covert channels: the Hop-by-Hop and the 2 Dst-opts. The 1st HbH and Dst can be filtered, but the 2nd cannot be. This is not the '-p' flag to the ping. In this case the payload will be set into the payload of the IPv6-ICMP packets, but that is not the right space. You can set these extensions before the protocol headers, into the main header-chain.

Deploying IPv6:
- you should enable some special addresses in your network to handle the ND/NA and RA/RD packets.
- you should use IPSec in transport mode to avoid the malicious NA/RA packets. (These packets could reconfigure your entire network w/ one packet.)

Best regards,
--
András Kis-Szabó
Security Product Manager
DNS Hungary Ltd.
phone: +36 (1) 457 9956
fax: +36 (1) 457 9953
mobile: +36 (20) 519 1854
web: http://www.dns-hungary.hu/

I am keenly interested in hearing other folks' thoughts on IPv6 -- a pretty broad topic, I know, I know! However, for starters, the link below seems hyper in the non-http-way, to me, given the "-p" flag in ping, for specifying payload isn't newsworthy (is it?) Also, FW-1 seems to pass IP_Proto=41 by default, in a lab with nothing but an any any drop rule...

Whatever you may think about the need to deploy IPv6, if you have thought you might like to (and I guess you have at least an interest in CP products, since you're reading this list [with two possible exceptions]) I am interested in hearing your thoughts. Feel free to share them directly to me if you like, and I can summarize to the individual folks who reply. Or something.
http://www.checkpoint.com/securitycenter/advisories/2003/cpai-2003-22.html

BTW, maybe you should go grab your NG license, while they are still giving them away (or, wait a while, and maybe I'll want to give _mine_ away! kidding. get back to work...)
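As an added example (not from either posting and not Check Point or Netfilter6 code): a Python walker that unwraps a 6in4 tunnel (IP protocol 41, which the original post notes FW-1 passed by default) and then inspects the Hop-by-Hop and both Destination Options headers for option data that is not plain padding, which is where the covert-channel bytes described in the reply would sit. The packet bytes, addresses and option values are constructed inline for the demonstration.

```python
import struct

HOP_BY_HOP, ROUTING, DEST_OPTS, ICMPV6, IPV6_IN_IPV4 = 0, 43, 60, 58, 41  # IPv6 next-headers; IPv4 proto 41 = 6in4

def option_cargo(opts):
    """Bytes carried by HbH/Dst-opts options: Pad1 has none, PadN must be zeros, the rest is cargo."""
    cargo, i = b"", 0
    while i < len(opts):
        typ = opts[i]
        if typ == 0:                          # Pad1: one byte, no length field
            i += 1
            continue
        length = opts[i + 1]
        data = opts[i + 2:i + 2 + length]
        if typ != 1 or data.strip(b"\x00"):   # non-PadN option, or PadN with non-zero fill
            cargo += data
        i += 2 + length
    return cargo

def inspect(pkt):
    """Unwrap 6in4 if present, walk the IPv6 chain; return (tunnelled, upper_proto, findings)."""
    tunnelled = False
    if pkt[0] >> 4 == 4:                      # outer IPv4: only proto 41 hides IPv6 inside
        if pkt[9] != IPV6_IN_IPV4:
            return False, pkt[9], []
        pkt, tunnelled = pkt[(pkt[0] & 0x0F) * 4:], True
    findings, dst_count, nxt, off = [], 0, pkt[6], 40
    while nxt in (HOP_BY_HOP, ROUTING, DEST_OPTS):
        hdr_len = (pkt[off + 1] + 1) * 8      # Hdr Ext Len excludes the first 8 octets
        opts = pkt[off + 2:off + hdr_len]
        if nxt == HOP_BY_HOP:
            findings.append(("HbH", option_cargo(opts)))
        elif nxt == DEST_OPTS:
            dst_count += 1
            findings.append((f"Dst-opts #{dst_count}", option_cargo(opts)))
        nxt, off = pkt[off], off + hdr_len
    return tunnelled, nxt, findings

def build_sample():
    """Constructed 6in4 packet: 'hi' hidden in HbH PadN, a clean Dst-opts, 'abcd' in a 2nd Dst-opts, ICMPv6."""
    hbh = bytes([DEST_OPTS, 0, 1, 4]) + b"hi\x00\x00"
    dst1 = bytes([DEST_OPTS, 0, 1, 4, 0, 0, 0, 0])
    dst2 = bytes([ICMPV6, 0, 0x1E, 4]) + b"abcd"
    payload = hbh + dst1 + dst2 + bytes([128, 0, 0, 0, 0, 1, 0, 1])   # ICMPv6 echo request
    src6, dst6 = b"\x20\x01\x0d\xb8" + bytes(12), b"\x20\x01\x0d\xb8" + bytes(11) + b"\x01"
    ip6 = struct.pack("!4sHBB16s16s", b"\x60\x00\x00\x00", len(payload), HOP_BY_HOP, 64, src6, dst6)
    ip4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 60 + len(payload), 0, 0, 64,
                      IPV6_IN_IPV4, 0, bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    return ip4 + ip6 + payload
```

A non-empty cargo on any of the three option headers is the signal a filter would act on; the walker reports which header carries it, so the first HbH/Dst-opts and the second Dst-opts can be handled by separate rules.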