19 August 2013, 14:45

We're going to fully test the IPv6 firewall of an entry-level small business IPv6 router: the Cisco Small Business RV110W

Where the DLink DIR-626L is a very neat, 40$/€ full-featured IPv6 router with NAS and media streaming functions, great for IPv6 learners and consumers, the Cisco Small Business RV110W belongs to another category:

Its price tag, for a start: 80$/€.
Its features: RIPng, PPTP/IPSEC VPN Server, SNMPv3, ...
It belongs to the RV series, which is professional-oriented, although its inner hardware is not at the same level as its bigger siblings (RV220W, ...).

We're going to fully test its IPv6 firewall here.

 

RV110W IPv6 Firewall first contact

 

 

The Cisco RV110W firewall is very different from the DLink DIR-626L.
First, the firewall management is common to both IPv4 and IPv6; they are not managed in separate zones.

Here is the main management page :

 

S5a.gif

 

Here is the Access Rules tab :

 

S5b.gif

 


Secondly, it is very 'service oriented'. In the Service Management tab, we have a set of preset services (HTTP, FTP, ...) defined by name / protocol / ports. We can add some custom services (Secure_POP and ICMP here):

 

S5c.gif

 

 

We then use these defined services in the Access Rules tab, granting or denying access:

 

S5d.gif

 

 

To differentiate IPv4 and IPv6 traffic rules, IP addresses or scopes need to be used in Access Rules.

 

 

RV110W IPv6 Firewall functioning in detail

 

 

( Complete details about IPv6 Firewall Testing Methodology here )

 

 

The RV110W is a classic stateful firewall.

 

First, the default Outbound policy can be chosen between 'ALLOW' and 'DENY'.

The default Inbound policy is 'DENY' and can't be changed:

 

S5e.gif

 

Here are the results of the tests :

 

 

Outbound policy

 

The outbound policy behaves in a very logical and predictable way:

. If 'Default Outbound: Allow' mode is used, all outgoing traffic is allowed, unless specific deny out rules have been defined.
. If 'Default Outbound: Deny' mode is used, all outgoing traffic is dropped, unless specific allow out rules have been defined.

 

 

Inbound policy

 

The inbound policy, to my surprise, is quite confusing.
An 'allow in' rule is neither useful nor needed to allow incoming traffic (a web server, for example).
Curiously, all that is needed, and compulsory, for incoming traffic is a port forwarding rule. Two questions then come to my mind:
. A port forwarding rule to allow an IPv6 incoming connection? Or is it a Sheldon Cooper joke?
. Why then tempt you with the option to create an 'allow in' rule if it is useless, unneeded, and without any effect?

I'll try to investigate this and post more information here later.

 

 

ICMPv6 Filtering

It seems that ICMPv6 filtering triggers a great bug, opening the inbound firewall.

Here is a screenshot of the config that triggers the bug. First, we need to set up an ICMP service:

 

S5f.gif

 

We then use this ICMP service in a rule:

 

S5g.gif

 

The result: the inbound IPv6 TCP firewall gets wide open, letting any IPv6 TCP packet in.

This happens whether the Default Outbound mode is Allow or Deny, and whether the Connection Type is Outbound or Inbound.

This pretty much ends the ICMPv6 testing part here.
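
A regression check for the behaviour described above, as an added example (not from the original post or from Cisco): run from a host on the WAN side against the IPv6 address of a LAN host you own, it snapshots inbound TCP reachability before and after an access rule change and lists the ports that stopped being filtered. It assumes the firewall drops silently, so a refused connection (an RST from the LAN host) counts as let in; the target address and port list are placeholders.

```python
import socket
import sys

REACHED = {"open", "closed"}  # either way the SYN got past the firewall

def probe(addr, port, timeout=3.0):
    """Classify one inbound IPv6 TCP connect attempt made from the WAN side."""
    try:
        with socket.socket(socket.AF_INET6, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            s.connect((addr, port))
        return "open"
    except ConnectionRefusedError:
        return "closed"    # RST from the LAN host: the packet was let in
    except OSError:
        return "filtered"  # timeout or ICMPv6 unreachable: no TCP answer from the host

def snapshot(addr, ports, timeout=3.0):
    """Probe every port once and return {port: state}."""
    return {port: probe(addr, port, timeout) for port in ports}

def newly_exposed(before, after):
    """Ports filtered in the first snapshot but reachable in the second."""
    return sorted(port for port, state in after.items()
                  if state in REACHED and before.get(port, "filtered") == "filtered")

if __name__ == "__main__":
    # Assumed usage: python3 check.py <IPv6 address of your LAN host>
    target = sys.argv[1] if len(sys.argv) > 1 else "2001:db8::10"  # placeholder
    ports = [21, 22, 25, 80, 443, 3389, 8080]                      # constructed list
    before = snapshot(target, ports)
    input("Apply the access rule change on the router, then press Enter... ")
    after = snapshot(target, ports)
    print("before:", before)
    print("after: ", after)
    print("newly reachable:", newly_exposed(before, after) or "none")
```

With no port forwarding configured, every port should read filtered in the first snapshot. An all-filtered result can also mean the testing host has no IPv6 route to the target, so confirm connectivity separately.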

 

Ingress / Egress Filtering:

( more info about Ingress / Egress filtering here )

 

There is no IPv6 Ingress or Egress Filtering performed by the RV110W.

 

 

Logging

 

Dropped IPv6 packets are logged both in the RV110W logs and to an external Syslog server.

The RV110W logging options allow setting different logging levels for the internal log and the Syslog server.

 

 

 

Final thoughts

 

While integrating the IPv4 and IPv6 sides of the firewall kind of brightens up the firewall management, it comes at the cost of lost independence between these functions. Besides that, the IPv6 integration is very complete, with IPv6 packet logging.

Still, two quirks (inbound rules / IPv6 port forwarding, and ICMPv6) need more study before the picture can be complete.

 

 

Published by computer outlines - in IPv6