Windows Vista NOT completely safe with CIS (IPv6).

I’ve just experienced the IPv6 protocol.

My system is Windows XP Pro SP3. At default IPv6 is NOT installed in Windows XP. After installing IPv6, utorrent was flying.

From what I’ve read utorrent supports IPv6 since 1.8.x.

Windows Vista has IPv6 installed by default.

What I’m trying to say is people DO use IPv6, therefore Comodo needs to support IPv6.

I don’t know which applications do support IPv6, but as I said utorrent does and the difference is huge.

I’ve uninstalled the IPv6 protocol because Comodo does NOT support it.

But people that have Windows Vista as the OS and use Comodo are NOT completely safe because Comodo does NOT support IPv6.

That’s my conclusion.

Am I wrong?
Am I missing something?

geko

It’s correct, IPv6 support is not there…

https://forums.comodo.com/beta_corner_cis/comodo_internet_security_3973525491_beta_released_closed-t37725.0.html;msg269603#msg269603

Egemen has said it’s planned for version 4… so I guess using IPv6 is probably not the best idea with CIS right now (but I am not a network technician so I could be wrong…).

But personally I would leave IPv6 disabled/uninstalled… =O

I use Avira AV and now Comodo says that the update program wants to connect on protocol 41, and that protocol is IPV6. Is there finally support for it now?

If you have Vista, Windows Server 2008 or Windows 7 installed, IPV6 is enabled by default. As yet IPv6 filtering is not supported in CIS but, as mentioned above, it’s on the way.

IPv6 is a potential security risk, so unless you have a good reason to use it and an infrastructure that fully supports it, you might want to consider disabling it. Let’s consider what may be being exploited: Original Source

Rogue IPv6 traffic: Attackers realize that most network administrators aren’t monitoring IPv6 traffic, or can’t, because existing firewalls, IDS, or network management tools aren’t IPv6-aware. Therefore, an attacker can send malicious traffic to any computer running IPv6 and it will get through.
IPv6 tunneling: Protocols such as Teredo and Intra-Site Automatic Tunnel Addressing Protocol (ISATAP) encapsulate IPv6 packets inside IPv4 packets. The morphed packets can easily pass through IPv4 firewalls and network address translation (NAT) equipment, defeating perimeter defenses purposed to sense and drop IPv6 packets.
Rogue IPv6 equipment: Because IPv6 uses auto-configuration, an attacker can gain considerable control over computers running IPv6, simply by placing a rogue device capable of issuing IPv6 IP addresses on the network under attack. To make matters worse, the device could have router attributes, forcing all traffic to transit through it and allowing attackers to snoop, modify, or drop traffic at their whim.
Built-in ICMP and multicast: Unlike IPv4, IPv6 requires ICMP and multicast traffic. That fact will significantly change how administrators approach network security. Right now, blocking ICMP and multicast traffic on IPv4 networks is the accepted practice. That will no longer work and complicated filtering of ICMP and multicast packets will be required to maintain some semblance of security.

Additionally : Original Source

"One of our honeypots that we have set up saw a botnet using an IPv6-only attack," Klein says. "It was hiding itself as IPv4 through our router, and it was attacking and issuing command and controls to a botnet in the Far East."
"Nobody today will deny that they have to do something about viruses or about spam," Frankel adds. "It's fair to say that rogue IPv6 traffic is in this category of threats that's going to hit you if you ignore it."

There are various approaches to controlling the behavior of IPV6 and what follows are some guidelines that can help you to selectively disable parts of the protocol stack or disable it entirely:

These, as far as I’m aware, are the parts that need to be blocked:

Protocol 41 - IPv6 tunnelling protocol
There are several distinct tunnelling methods employed, such as Teredo tunnelling, 6to4 and ISATAP. Each has a specific purpose and possesses unique characteristics.

For a tunnel to be utilised, IPv6 embeds its data inside the payload section of an IPv4 packet; the IPv4 packet is given a header with a protocol of type 41. Thus, to ensure we prevent packets of this type from being transmitted through the firewall we must block protocol 41.

To block IPv6 tunnelling, create a new Global firewall rule with the following parameters and place it at the top of the Global Rules hierarchy:

Action = Block without logging
Protocol = IP
Direction = In/Out
Source Address = Any
Destination Address = Any
IP Details = Custom - 41

http://h.imagehost.org/0239/41.png

LLMNR - Linklocal Multicast Name Resolution protocol TCP/UDP 5355
Link Local Multicast Name Resolution (LLMNR) is a peer-to-peer name resolution protocol that is used for IPv6 when DNS name resolution is not possible. Whilst this only operates on the local link, it is advisable to block this activity.

To block LLMNR create a new Global Rule and place it just below the rule for protocol 41.

Action = Block without logging
Protocol = TCP or UDP
Direction = In/Out
Source Address = Any
Destination Address = Any
Source Port = 5355
Destination Port = 5355

Teredo - tunnelling UDP 3544
Teredo tunnelling consists of four basic components: Teredo clients, Teredo relays, Teredo servers and Teredo host-specific relays. Teredo clients are the end points (nodes) in the communication process. Teredo clients are typically dual stacked (IPv4/IPv6) and send and receive encapsulated data.

Teredo relays act as routers between the IPv4 and IPv6 internets. When a Teredo relay receives an encapsulated packet from the IPv4 internet, the packet is decapsulated and the native IPv6 packets are forwarded to the IPv6 Internet.

Teredo servers help facilitate tunnel communication by assigning an IPv6 address to Teredo clients and by assessing their NAT compatibility. Teredo servers also span IPv4 and IPv6 networks.

The standard listening port for Teredo servers is UDP 3544, whereas clients and relays may use any UDP port.

To block access to Teredo servers, create a new Global Rule and place it below the aforementioned.

Action = Block without logging
Protocol = UDP
Direction = In/Out
Source Address = Any
Destination Address = Any
Source Port = Any
Destination port = 3544

This rule could be further enhanced by creating a new Network Zone and adding the following addresses (these are the public Teredo server addresses):

 teredo.remlab.net (France)
 teredo.autotrans.consulintel.com (Spain)
 teredo.ipv6.microsoft.com (USA, Redmond) (default for WindowsXP/2003/Vista/2008 OS)
 teredo.ngix.ne.kr (South Korea)
 debian-miredo.progsoc.org (Australia)

Once the zone has been created, it may be selected as the Destination address in the rule above.

You could also simply create a Blocked Network Zone by adding the addresses above.

A final option to disable some of the functionality of IPv6 is to disable Teredo tunneling via netsh:

  1. Open an elevated command prompt.

  2. netsh interface teredo set state disabled [ENTER]

  3. Type exit.

How to Disable IPv6 Completely
All of the above simply blocks some of the functionality of IPv6. You may, as an alternative, disable IPv6 entirely, the next section provides some help with that process.

There are two different approaches to this, although the end result is the same. The method you use will be determined by which version of Vista or Windows 7 you are currently using.

For users of ‘Home’ editions, editing the registry directly will be required as these editions of Windows do not ship with local editing of Group Policy functionality. For users of other editions of Vista or Windows 7, you may use either option.

The first option is to make the necessary changes to disable the protocol stack via editing the registry.

"Using Registry Editor incorrectly can cause serious, system-wide problems that may require you to re-install Windows to correct them. Microsoft cannot guarantee that any problems resulting from the use of Registry Editor can be solved. Use this tool at your own risk."

This process may require elevated privileges: Original Source

  1. Open Network and Sharing Center

  2. Select Manage Network Connections (Change Adapter Settings - Win 7)

  3. Right click on the adapter and select Properties

  4. Untick the check box against TCP/IPv6

http://h.imagehost.org/0203/6Tick.png

Note: unticking this box does not completely disable IPv6; even when unticked, tunnelling is still active.

  5. Click Ok and exit Network and Sharing Centre

Next:

  6. Open the Start Menu and select Run:

  7. Type regedit. Click Ok.

http://h.imagehost.org/0653/RunReg.png

  8. Navigate to the following registry key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters\

  9. In the right window check for the parameter ‘DisabledComponents’. If this value does not exist you will need to create it.

    9a. Open the Edit menu and select ‘New DWORD (32-bit) Value’. Type ‘DisabledComponents’ and press Enter.

http://h.imagehost.org/0328/dword.png

  10. Double click on the new ‘DisabledComponents’ entry in the right window and add the following value: 0xffffffff (Hexadecimal).

http://h.imagehost.org/0217/dword1.png

  11. Click Ok.

  12. Exit Registry Editor and restart your system for the change to take effect.

The alternative method for users with access to Group Policy editor can be found Here
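As an added illustration (not part of the post above or of CIS), the following Python classifier applies the same three criteria the post's Global Rules use, namely IPv4 protocol 41, UDP 3544 (Teredo) and UDP 5355 (LLMNR), to raw IPv4 packets, so you can see in code what each rule is actually matching. The sample packets are constructed inline; the treatment of a protocol-41 packet whose payload is not a valid IPv6 header as "malformed" is my own choice, as is matching LLMNR on either port rather than requiring both.

```python
"""Classify raw IPv4 packets by the IPv6-related traffic the forum post blocks."""
import struct
from typing import Optional

PROTO_IPV6_ENCAP = 41   # IPv4 protocol number carrying an encapsulated IPv6 packet
PROTO_UDP = 17
PORT_TEREDO = 3544      # standard Teredo server port
PORT_LLMNR = 5355       # Link-Local Multicast Name Resolution


def classify_ipv4(pkt: bytes) -> Optional[str]:
    """Return 'proto41', 'proto41-malformed', 'teredo', 'llmnr' or None."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None                      # not an IPv4 packet
    ihl = (pkt[0] & 0x0F) * 4            # header length in bytes
    proto = pkt[9]                       # IPv4 "protocol" field
    if proto == PROTO_IPV6_ENCAP:
        inner = pkt[ihl:]
        # 6to4/ISATAP payload must start with a full IPv6 header (version nibble 6)
        if len(inner) >= 40 and inner[0] >> 4 == 6:
            return "proto41"
        return "proto41-malformed"       # assumption: flag bogus encapsulation separately
    if proto == PROTO_UDP and len(pkt) >= ihl + 8:
        sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
        if PORT_TEREDO in (sport, dport):
            return "teredo"
        if PORT_LLMNR in (sport, dport):  # the post's rule sets both src and dst 5355
            return "llmnr"
    return None


def build_ipv4(proto: int, payload: bytes) -> bytes:
    """Construct a minimal IPv4 header (no options, checksum left zero) plus payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      b"\xc0\xa8\x01\x0a", b"\xc0\xa8\x01\x01")  # constructed 192.168.1.x addresses
    return hdr + payload


def build_udp(sport: int, dport: int, data: bytes = b"") -> bytes:
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data


# Constructed sample packets: an IPv6 header with "no next header" (59) as the inner packet
IPV6_HDR = struct.pack("!IHBB16s16s", 0x60000000, 0, 59, 64, b"\x00" * 16, b"\x00" * 16)
SAMPLES = {
    "6to4":   build_ipv4(PROTO_IPV6_ENCAP, IPV6_HDR),
    "teredo": build_ipv4(PROTO_UDP, build_udp(50000, PORT_TEREDO, IPV6_HDR)),
    "llmnr":  build_ipv4(PROTO_UDP, build_udp(PORT_LLMNR, PORT_LLMNR, b"\x00" * 12)),
    "dns":    build_ipv4(PROTO_UDP, build_udp(50001, 53, b"\x00" * 12)),
    "bogus41": build_ipv4(PROTO_IPV6_ENCAP, b"\x00" * 8),
}


def report() -> dict:
    """Map each constructed sample to its classification."""
    return {name: classify_ipv4(p) for name, p in SAMPLES.items()}
```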

I wonder what the chances are of getting support for IPv6 fast tracked so that it does not become a major cause of concern prior to the release of Version 4?

Are there any technical issues that would prohibit IPv6 being supported by the current version of CIS?

Cheers :slight_smile:

Hi tsec, I’m not a developer with Comodo, but I can imagine the issues involved in ‘bootstrapping’ support into the current version, I don’t think it would be pretty.

As it stands, there are very few firewalls that ‘fully’ support IPV6 and only a few IDS that can deep scan for tunnelled traffic. There are one or two ‘personal’ firewalls that have support for IPV6 but if you want true filtering and detection you may need to look a something like Cisco PIX or Checkpoint $$$

Don’t get me wrong here, I’m not talking about support for tunnelling, I’m talking about real ‘I understand the difference between IPV4 and IPV6 packets’ support.

There’s a lot of work to be done in this area and I don’t see it happening all that quickly. Sure the major OS vendors have very kindly supplied support for the stack, but the infrastructure to really support it is just not there. Therein lies the problem.

By the way, this is not simply a firewall issue, if you take a look around you’ll find that even major vendors of devices like routers don’t yet support the stack, completely (see my comment regards tunnelling above)

My advice, for what it’s worth, is better safe than sorry. If you don’t need it, turn it off…

Thanks very much for the reply, Quill.

I asked the question over at wilders about other products that would detect IPv6 traffic (my thread is yet to be moderated there), but I see that you have answered it here.

Time to turn IPv6 off then.

Cheers :slight_smile:

Protocol 41 - IPV6 tunnelling protocol LLMNR - Linklocal Multicast Name Resolution protocol TCP/UDP 5355 Teredo - tunnelling UDP 3544

All of the above can be blocked with appropriate global rules. You can also add the following Teredo server/relays to your Blocked zones.

If CIS doesn’t yet support IPv6, how does one block protocol 41 within the firewall’s global rules?

I have managed to get everything else done, but I can’t see how to block 41?

(IP details, Custom, 41??? )

Cheers :slight_smile:

Use the custom option, then specify the protocol number.

I have 2 questions:

  1. How can I tell if I need IPv6?

  2. How do I disable / turn off IPv6 in Vista?

1) How can I tell if I need IPv6?

It’s not so much application support, as a great many have already been updated to support the IPV6 RFCs. See here:

It’s really all about making sure that you have complete, end to end support:

http://www.microsoft.com/whdc/device/network/IPv6_IGD.mspx
http://www.ipv6.com/articles/general/IPv6-End-to-End-Solution.htm

2) How do I disable / turn off IPv6 in Vista?

Use the method described above.

Can IPv6 be disabled by simply unticking the option in your Network Connection Settings or do you have to do all of the above?

E

Hi Eric. Doing it that way doesn’t disable tunnelling over the interface.

Now log into the computer and use the Group Policy Management Console (GPMC) to configure the IPv6 settings. The new policy will be located under Computer Configuration > Policies > Administrative Templates > Network > IPv6 Configuration, as shown below:

How do I open the Group policy Management console in Vista?

How do I block the TCP/UDP 5355 and UDP 3544? Are these numbers the port numbers?
I’ve already blocked Protocol 41.

It should be the same as XP and 7 but I’ve never used Vista. Go to start/run and type gpedit.msc


Ever since I have blocked P 41, I have had a number of logged alerts of apps, and Windows itself, attempting to connect to a RIPE server in the EU.

Are these glitches / FP’s or something else?

Curiously yours,

t

:slight_smile:


Hells bells, even cfp.exe is trying it on now… see attached screenie.

Sure would like to know what’s going on here :smiley:


Protocol 41 is used by 6to4, Teredo and ISATAP for tunnelling. Some types of tunnel can be created automatically.

If you haven’t completely disabled IPV6, applications and the OS are still capable of creating tunnels.

If you don’t want to see these, just disable logging for protocol 41 events.

The IP Address is that of:

inetnum: 92.242.128.0 - 92.242.159.255
netname: UK-BAREFRUIT-20071227
descr: Barefruit Ltd.

This organisation is used by the UltraDNS to provide replacement 404 webpages. The traffic you’re seeing could be IPV6 DNS tunnelled requests, but that’s only a guess. A packet analyser would confirm or not that theory…

Thanks for this info! I’ll disable IPv6 completely as it was only ever in “Limited” status and not used by anything I run.

E