I was shocked to realize that now with acquiring of Hitron modem all my IPv6 devices are open to direct attacks from outside, as there is no old good NAT for IPv6.
I looked for an option in Hitron to disable IPv6 in my LAN but with no success.
Any help with this?
If it is not possible, do I have any option other than turning Hitron to a bridge mode and buying another router? Any recomendation for such a router with IPv6 support turnable off and/or with a reasonable built-in firewall?
Solved! Solved! Go to Solution.
@roy86, that might have been included in firmware version 220.127.116.11 for the CGN3ACSMR. That was due for release in March but a wifi problem was detected very shortly after it was released, and as a result, that version was not released to the rest of the network. Any modems with that version loaded were rolled back to the latest production firmware that preceded .29
From the update list:
Improvement: First release of IPv6 firewall
I'm not sure if the IPV6 enable/disable was included or not, just speculating at this point as the release list doesn't specifically mention it.
Are you on an unlimited plan? If so, then the easiest way to get to where you want to be is to swap your current modem for a CODA-4582 and request the current trial version, 18.104.22.168, which includes an IPV6 enable/disable.
There is no facility on the Hitron modems for the user to enable/disable IPV6. I believe that it might be possible for tech support to do that, but that would depend on the firmware version on the modem. @RogersDave can confirm if that is possible at all, or will be with future firmware versions.
In the event that IPV6 cannot be disabled, I personally recommend Asus routers. Asus router do handle IPV6 properly, at least from what it appears, and IPV6 can be enabled or disabled, as determined by the user.
Apart from discussing the technical problem, I'd like to leave some general comments on the situation. I think it is highly irresponsible to provide "out of the box" solutions like Hitron modem which silently break usual long-established user's expectations of security. And as Hitron's own firewall has very limited set of settings, I am just not sure if Hitron alone, without yet another router, can provide both useful and secure mode of work even with some reconfiguration available to the end user. But first of all - why would anyone ever allow to release a product which opens customers' networks for attacks?
Generally these devices are desgined as just BASIC out of the box devices.. for your 75% of the users out there who just want basic internet access.
I bet you 75+% of all rogers users, have never ever been into the gateway settings, let alone the large number of them who probably have never changed the wireless name/password from what it came with.
Most people dont REALIZE what potential security holes there are out there.
I have had a long understanding of IPv4 as I have been at it for a year or two.
I have been out of the game as IPv6 was implemented.
Could anyone clarify any of risks and actions that can be taken (keep in mind I am talking about home usage and although I am not a basic out of the box user, there will be some that are who read this).
I know that in Enterprise environments we never relied on NAT alone, we always set a managed firewall on a dedicated hardware firewall. The modem was nothing more than a bridge.
At home, I have relied strictly on the NAT and software firewall solutions on my devices. I have never thought about the implications of the movement to IPv6 and security.
Some discussion on the topic is here: https://www.reddit.com/r/homelab/comments/4xgf1n/rogers_hitron_routers_are_routing_ipv6/
IMO, to estimate the risks one needs to analyze what services may have ports open for ipv6 connection on particuar user computer and what may be a target for attacks - which is a long story. AFAIK, common practice is not to allow open ports unless neccessary.
Possible alternatives to fix the problem IMO are
1. disabling ipv6 on users computers tablets phones and other devices
2. using software firewalls on users computers etc
3. turning hitron into a bridge mode and using an additional router which disables ipv6 stuff.
4. Just ignoring the threat - which may probably be an option for smartphones at least.
As for me personally, I am going to put hitron into a bridge mode and have an additional router.
No IPv6 Firewall on the Hitron CGN3ACSMR and no way to disable IPv6
I tried to contact Rogers via Facebook, but kept being told to try the community forums.
I am currently visiting my parents and was shocked to discover that they were getting IPv6 addresses on their computers, but were not firewalled off from the internet via IPv6.
This is completely irresponsible of Rogers to push out IPv6 and not provide at least the basic level of security.
I've already switched their Hitron device to bridge mode and purchased a third party router, but thousands of other customers are probably exposed.
I've already reached out to the media.
Hello everybody - I continue to research the question of NAT IPV4 and IPV6 security.
What I have found is that NAT beyond providing a private network behind the router address coming from your ISP, it also provided what is known as a stateful network firewall, which I already knew was the basic principle of what provides firewall security.
I have found that there are NAT solutions for IPv6, but they are not out of the box, as IPv4 routers were, they need to be configured and I am not sure that a stateful firewall configuration for IPv6 can be done on out of the box routers, nor would I even know how to set it up at this time.
I was speaking to the owner of a security and networking company that I used in a previous job and he said, they have never put corporate networks behind a NAT to provide security, that there were known ways of getting through if you had the tools and nohow - They have always put hardware firewalls between the modem/router and the network - they have always used a unix driven, internationally respected firewall, and for the VPN services to secure between sites. I and my staff never touched that box - it was completely beyond our knowledge of how to configure it, but we did use the monitoring tools for being aware of network and internet usage within the corporation, as well as to catch unusual patterns, say like a trogan, spamming, and to automatically shut down on a DOS attack.
Basic out of the box solutions of this style run for about 1000.00 with no VPN, and higher with a VPN at each site at around 500.00 and the basic ones are pretty straight foward for configuring, if all you are doing is a home solution where you aren't sharing and communicating and routing traffic within your various network sectors in your home - not something most will do - that is corporate and enterprise needs, not that many just go with a NAT IPv4 solution, but not overly smart when client information is on their servers.
So what made NAT common is that it was a simple out of the box, no configuration required solution - just plug it in and go, and provided more than enough security for over 75% of users. Myself, I keep a software firewall between my NAT router and my devices, and they are locked down pretty tightly as I know how to do this, although you can use any on the market (free or at cost, and even the Rogers freebie solution which I have never used as it requires that you be connected to their network to keep it authorized - if you take your laptop on say a 60 day trip, you are going to lose the activation and be out of luck) We travel away from home, and use them at work offices and so forth, so we can be off the Rogers network often.
Even Microsoft provides a reasonably good firewall at the stateful and program permission level, along with malware and virus detection, but I go beyond that with an enterprise level product - I was comfortable with it and I trust it. It is just the more expensive Symantec, not the basic home user ones. Just more options and requires a bit higher knowledge of how to configure, but the public home market Symantec or any of the free ones are pretty good, or hardware firewalls that are configurable, plus provide control of access and use are not that expensive either - if you understand unix/linux, there is lots of instruction on how to set up an old computer as a firewall, and the 3rd party flashable firmware that goes on many market routers - can't remember the names. DD WRT is a solution, with many tutorials on setting up tables for security routing, and advanced logging beyonnd the basic tools on most middle and lower end routers or on the Hitrons and other Internet provider devices.
So what I have read so far is that IPv6 through a router is that there are public addresses that will require stateful verification in order to connect - i.e., you sent the header out, it comes back and the system authorizes it as a return message, same as it has always done, but internally, there is a dedicated IPv6 address that is defaulting to internal only for communication within your network behind the router, and basically works as the same principle as the IPv4 NAT model - private addresses are available internally and not visible to past the router, but let's be honest, there is other information like MAC addresses, and other information that can be used if you know how, but for most homes, no one is going to both. There are simpler ways, say like hacking your router if you used a simple password, and then if you used the same password and user internally, it was open game once they got in there - a software solution may solve for this risk, as will an internal dedicated firewall/router.
So I am feeling more comfortable that IPv6 is quite secure and as risks are identified, that companies will push security methods down quickly. IPv6 has been in place in a limited manner since 2010 if I recall, and they have not reported many concerns, but given the belief that NAT is the majic cure for security (which on a simple way, it can be), there is a market growing to add NAT to IPv6. Tons of debate on it, but personally, I am not concerned.
The greatest risk for security still remains the user - spamming emails, social engineering, going to risky sites, opening emails you don't expect or don't recognize, not having a firewall or router configured well for security, turning your software firewalls off while still connected to the internet - air gap it - bring down the software install to your computer, or to a safe computer, and install it on an airgapped computer - you can do the same by disabiling your software firewall and airgap it (unplug it from the Internet).
Always having a solid backup routine in place incase you do get hacked.
Weak passwords, putting them on stickers on your computers - yes I have personally seen this so many times, both corporately and in homes).
Here is a link on a discussion of security http://www.itweapons.com/security-awareness-training-blog/
Mostly talking about the user. Feel free to use the support teams at Rogers, a private company, or here on the forum for support if you do get nailed by a security breach, and stay on top of these issues.
But in closing, at this point, noone has convinced me that IPv6 is any greater risk than IPv4 NAT.
Without NAT on, if you have prevent inbound traffic turned on, you have security that will cover most that would ever try to hack your home network - it means that your router will only let a packet in, if it contains a header requesting it from your inside computers. You could assign fixed addresses in the public network address subnets (most commonly known one is the 192.168.xxx with subnet 255.xxx.xxx.xxx
One other thing to note, if you aren't comfortable, Rogers is still on IPv4 at this time, the modem'router still supports NAT, and you just need to turn off IPv6 at the device level on your network adapters. If unsure, someone can answer how to do that on this site - just ask - they will just need to know the details of your device and OS. It is pretty basic, you just remove or disable the IPv6 protocols.
Plus, if you decide to turn off IPv4, you won't have Internet access, as by default, you are accessing DNS from Rogers or other sites via IPv4 at this point over most routers and the modems. Unless we hear otherwise.
So if you want to stay with NAT for now, just turn off IPv6 at the device level, and use IPv4 exclusively.
Beyond that, that is all I know at this point. I have been away from this side of the business for too long, and IPv6 was nothing but a recommendation and unapproved by the Internet Standards Association. Be assured that they look at all the security risks as they begin to approve implementation. Companies don't just go out and put protocols without a lot of research and approvals and beta testing by ISA.
Read one other discussion about NAT - many IT specialists have said that NAT provided a false sense of security to many users, when there were so many other things that had to also be considered such as,
did you change your password from the company default - do you realize that someone in your home can just reset the router and use the default user and password and wander in. I have been able to do that in my neigborhood on default Dlink routers. I find where they live and advise them, and I have found my fair share of wide open WI-FI connections - one person said, I thought my network was secure because I had the ISP modem/router in place - nope, I showed her how I wandered in not only to her network, use the default gateway login, and got in with the standard password - at least Rogers does scan and request you to change default passwords. But I got in via her WIFI and also showed her how I got to her shared files - cleaned it all up and made it secure - and charged her because that was my business at the time. She was more than willing to pay for it, she was an at home lawyer.
Bottom line, your most secure option is to bridge to a high end router with high level firewall capabilities, or to a dedicated hardware firewall - great if you are the type that want secure DMZ zones, port routing, managing access to sites and other higher end security and control methods (if you understand these terms, you know what I am talking about, if you don't, search it, and you probably don't need it anyway).
Keep the discussion going, don't know if this will make people more comfortable, but certainly be confident that Rogers/Intel/hitron and others are taking this whole issue seriously, and aren't just opening your networks wide open. If you home computer is at risk, so is their whole network. This is why ISP's often give free firewall software - they are fully aware that NAT alone isn't the do all and end all of good security.
By the way, I am not a Roger's employee, have no association to Rogers other than being a user who likes to help on this forum. But please be assured, that I am not belittling your concerns in anyway, they are valid concerns being asked by many, but as I said, I am becoming more comfortable as I research more that it is not an issue. No more than any other security system that someone may decide that they want to get in - but we are home users, we are not targets that most are interested in - those who do it want to disrupt govenements companies, large networks and finance, or big companies like Yahoo. It increases the risk that they will get caught, but the fun for them is getting in and showing that it can be done, and often get caught because they brag, or left electronic trails. We home users really are generally of no risk, other than our WIFI's with wifi sniffers and poor passwords.
Good night all and if you are concerned about a change in technology, this is a great place to ask.
If it hasn't been looked at, you have raised it as a concern that will be considered, and if it has been considered, the information will get to you.
The discussion about NAT, DMZ, IPv4, IPv6, etc is not one that I want to have with my 70 year old father. Rogers started pushing down IPv6 addresses to their customers with ZERO security on the Rogers supplied gateway equipment and this is totally unacceptable.
My parents computers have the basic level of security software and get patched by the Windows update as updates are pushed out. The problem becomes that some hacker finds a zero-day exploit on Windows and creates an exploit tool that scans for unprotected computers and then infects them. The infected computers then start to scan for other non protected computers and while doing that encrypts the contents of the hard drive. The demand to unencrypt the hard drive is small (a few hundred dollars), however for the hacker it is economies of scale. Attacking one home user for $200 is not worth it, but automate the attack and hit 10,000 or more home users, each for $200, the enterprise becomes very profitable.
Since Rogers has decided to open up a vast majority of their home users to the entire IPv6 internet without warning and without security they should be held accountable.
The words that ring in my head when ever I describe this issue are "Trust me, I'm a Network Engineer". I play daily in IPv4, IPv6, MPLS, etc. I've given classes to Rogers employees at their Brampton Office.