You may want to look into a new product by Ixia https://www.ixiacom.com/products/threatarmor (seems their site is under maint atm).

On Tue, Jul 5, 2016 at 10:31 AM, Naslund, Steve <snasl...@medline.com> wrote:

> On another note, using a firewall to stop viruses is probably not going to
> work in general (unless the firewall has some additional malware detection
> engine).
>
> Here is the issue in a nutshell. A firewall primarily controls where
> people can connect to and from on a network. The problem with that is that
> a lot of malware is received from sites that your users intended to go to.
> People click on links without knowing where they go and people go to less
> than reputable web sites (or reputable sites that were recently
> compromised). If you, by default, allow your users to access the Internet
> with a browser they are vulnerable to malware. Even with malware detection
> capability you are still vulnerable to signatures and attacks that are not
> yet able to be detected.
>
> Even if filtering was enabled on your Palo Alto for ipv6 it would not help
> at this point because you have no idea what signatures it is using to
> filter with and when the last time those were updated. I doubt your v4
> filtering is of much use either at this point. URL filtering is largely a
> big game of whack a mole that you will lose eventually. Malware filtering
> is based on one or both of the following methods.
>
> 1. You filter URLs known to be bad players (you are vulnerable
> until your protection vendor realizes they are bad players).
>
> 2. You filter based on adaptive detection of code that looks
> suspicious. This is a bit better but still vulnerable because the bad guys
> are always innovating to pass through these devices.
>
> My recommendation would be network malware detection (possibly through a
> firewall add-on) as well as good virus/malware detection on the client
> computers. Sometimes the malware is easier to detect at the client because
> it reveals itself by trying to access unauthorized memory, processes, or
> storage.
>
> Steven Naslund
> Chicago IL
>
> -----Original Message-----
> From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Edgar Carver
> Sent: Friday, July 01, 2016 9:29 PM
> To: nanog@nanog.org
> Subject: NAT firewall for IPv6?
>
> Hello NANOG community. I was directed here by our network administrator
> since she is on vacation. Luckily, I minored in Computer Science so I have
> some familiarity.
>
> We have a small satellite campus of around 170 devices that share one
> external IPv4 and IPv6 address via NAT for internet traffic. Internal
> traffic is over an MPLS.
>
> We're having problems where viruses are getting through Firefox, and we
> think it's because our Palo Alto firewall is set to bypass filtering for
> IPv6. Unfortunately, the network admin couldn't give me the password since
> a local consultant set it up, and it seems they went out of business. I
> need to think outside the box.
>
> Is there some kind of NAT-based IPv6 firewall I can set up on the router
> that can help block viruses? I figure that's the right place to start since
> all the traffic gets funneled there. We have a Cisco Catalyst as a router.
> Or, ideally, is there an easy way to turn off IPv6 completely? I really
> don't see a need for it, any legitimate service should have an IPv4 address.
>
> I'd really appreciate your advice. I plan to drive out there tomorrow,
> where I can get the exact model numbers and stuff.
>
> Regards,
> Dr. Edgar Carver