Preventing Windoze Servers IPv6 Stack From Coming Up Behind FWSM
We recently noticed that a sysadmin brought up a Server 2008 box behind one of our firewalls and was able to RDP to the box even though we have rules explicitly blocking RDP.
Further investigation discovered that the connection was through protocol 41 (ipv6) and that the sysadmin's desktop was Windoze 7, and both it and the 2008 box had their ipv6 stack enabled against our best practices.
Our network is (sort of) ipv6 enabled but there still is no addressing plan nor do I have the near term cycles to translate all my firewall rules from v4 to v6.
It appears that the server got a valid v6 address through stateless autoconfig. Even though v6 is not enabled on the FWSM, it appears to be allowing the Router Solicitations (RS) out and the Router Advertisements (RA) back in, which allows the box to autoconfig.
How can I prevent misconfigured systems in the future from getting autoconfig addresses? My understanding is that even if the autoconfig fails and it falls back to a link-local address, it still may be able to use a Teredo tunnel.
We have blocked protocol 41 explicitly on all the interfaces, which will drop a lot of the tunneling (back home to Redmond), but we want to ensure that autoconfig fails so the box just gives up on preferring v6 or tunneled interfaces and fails down to v4. We have observed that with a half-baked v6 connection the clients have to wait for v6 attempts to time out, resulting in complaints that the network or server is slow.
Yes, I know - spank the sysadmin and get them to follow process is one solution as is enabling v6 of the FWSM then dropping all the traffic but I'm looking for a stopgap.
"ipv6 nd suppress" on the cat6500 "outside" vlan does not work, as the IOS we are running does not support the "all" keyword, so periodic RAs are dropped but those in response to an RS aren't.