ipv6

Brian Densmore DensmoreB at ctbsonline.com
Fri Nov 19 16:33:15 CST 2004


> -----Original Message-----
> From: Frank Wiles
> 
> On Fri, 19 Nov 2004 16:09:28 -0600
> "Brian Densmore" <DensmoreB at ctbsonline.com> wrote:
> 
> 
>   I can agree with the geek factor :) 
> 
>   Yes IPv6 does have some tighter security with regard to spoofing
>   addresses, but based on how I imagine your setup it won't help
>   you. 
> 
>   For example, say you have a box firewall.domain.com that is your
>   firewall and two internal boxes secret1.domain.com and
>   secret2.domain.com.  Both secret1 and secret2 are probably
>   configured to allow certain outside access from the firewall to
>   them, probably SSH.  While IPv6 will keep a cracker from faking
>   secret2's IP to secret1, there is no need.  He already has control
>   of firewall.domain.com and doesn't need to do any spoofing. 
> 
Well actually, I took that into account and disallow ssh from the firewall.
So neither box is accessible once I connect to the firewall. So while I
can ssh from secret1 to secret2 and then from secret2 to firewall, firewall
can't connect to either secret1 or secret2. This makes for the minor
inconvenience of not being able to pull files from my LAN from work, but it
provides a little peace of mind. On that track, I'd also like to deny firewall
access to the local intranet. Now I'm not sure that is possible since
the firewall is also the gateway and passes traffic out over the same
ports I want to prevent the firewall user from accessing on the intranet.

If all else is pointless then I'll have to just do it for geek points. ;')

Brian



