In reply to a post by camieabz:

I'd like to emphasize that IPv6 is not more secure

Not sure about that... aiui most of the security enhancements that can be grafted on to IPv4 (and hence it can't be taken for granted that they are present) are an inherent requirement of IPv6.

IPSec being the obvious example.

pg.31

Conclusion on last page

Not to mention that IPv6 and IPv4 will have to work side by side for a long time to come. Not sure if that's double the security or double the potential for security breaches.

Although IPv6 offers better security (larger address space and the use of encrypted communication), the protocol also raises new security challenges. Ultimately, the new protocol creates as many new security problems as it solves old ones. And if that is not enough, the transition from the old protocol stack to the new one may present even more challenges, something that will guarantee plenty of fun for security network professionals in the foreseeable future.

To be expected I suppose... but at least it was designed with security in mind, not just growed as an ad hoc system for geeks, so maybe the white hats will have some advantage over the black ones this time.

In reply to a post by billford:

Although IPv6 offers better security (larger address space and the use of encrypted communication), the protocol also raises new security challenges. Ultimately, the new protocol creates as many new security problems as it solves old ones. And if that is not enough, the transition from the old protocol stack to the new one may present even more challenges, something that will guarantee plenty of fun for security network professionals in the foreseeable future.

To be expected I suppose... but at least it was designed with security in mind, not just growed as an ad hoc system for geeks, so maybe the white hats will have some advantage over the black ones this time.

Perhaps, but doesn't IPv6 also encode the hardware MAC for the NIC into each machine's assigned IP address (in the second /64)?

> On top of that, a software firewall on the PC is a must.

Well I suppose if you have no idea of what services you are running on your PC then this might be true. But in that case you'd be better off not connecting to the Internet.

As for me, I have SSH accepting only certificate-based log-ins and a public web server. A firewall would serve no purpose in this scenario.

> Perhaps, but doesn't IPv6 also encode the hardware MAC for the NIC into
> each machine's assigned IP address (in the second /64)?

That's one way of doing it ( stateless auto-configuration ) but you can also assign arbitrary addresses by DHCPv6 or just set them manually to whatever clever hex mnemonic you like.

Are you the same Anon poster as the OP?

It's just that the last response makes you sound as if you're 'all techie' which doesn't go hand in hand with the original post

Obviously TBB will be able to tell if you are the same Anon if you have a static IP or are still on the same dynamic one

No it wasnot me,you were right when you said

It's just that the last response makes you sound as if you're 'all techie' which doesn't go hand in hand with the original post tongue

James

It's free to register on TBB and it helps everyone...

A firewall is a must on any internet connected network. Multiple firewalls are good for separating trusted network zones from untrusted ones, and even layering different levels of trust. But on a home network a router with built in firewall (and not just NAT) and a software firewall on each PC (windows firewall should be sufficient at this level of trust on a well managed network) should be a minimum.

A local firewall may not be needed on every device that resides within a trusted network zone, but that network zone must be protected by one firewall at the very least, and that firewall must let through as few services as possible, and be capable of deep packet inspection on those services it does let through to scan for potential viruses and other nasties. Very few consumer or SOHO routers have a good enough firewall to act as the only firewall protecting a trusted network.