Video Screencast Help

Why is IPv6 blocked in the default firewall policy?

Created: 23 Aug 2010 • Updated: 25 Sep 2010 | 5 comments
This issue has been solved. See solution.

I'm curious, is IPv6 blocked in the default Firewall policy because it is simply a best practice to disable services that are not in use, or because there are known vulnerabilities or issues that have been found as a result of having IPv6 enabled? 

Comments 5 CommentsJump to latest comment

Vikram Kumar-SAV to SEP's picture

Block IPv6 over IPv4 ( Teredo ) is blocked by default

Teredo is a platform-independent

protocol developed by Microsoft®, which is enabled by default in Windows Vista™. Teredo provides
a way for nodes located behind an IPv4 NAT to connect to IPv6 nodes on the Internet. However, by
tunneling IPv6 traffic over IPv4 UDP through the NAT and directly to the end node, Teredo raises
some security concerns. Primary concerns include bypassing security controls, reducing defense in
depth, and allowing unsolicited traffic. Additional security concerns associated with the use of
Teredo include the ability of remote nodes to open the NAT for themselves, how it may benefit
worms, ways to deny Teredo service, and the difficulty in finding all Teredo traffic to inspect.

Block IPV6
As SEP does not support IPV6.

Vikram Kumar

Symantec Consultant

The most helpful part of entire Symantec connect is the Search button..do use it.

VKalani's picture

This will give you more info:

http://technet.microsoft.com/en-us/library/bb726956.aspx

-VKalani

SOLUTION
P_K_'s picture

The Default Firewall Deny rule include blocking IPv6, IPv6 over IPv4.. The firewall blocks attacks that travel through IPv4, but not through IPv6. If you install the client on the computers that run Microsoft Vista, the Rules list includes several default rules that block the Ethernet protocol type of IPv6. If you remove the default rules, you must create a rule that blocks IPv6

 SEP includes the Symantec Client Firewall, which does not support IPv6. By default, the Symantec Client Firewall will block all incoming and outgoing IPv6 traffic. When you install Symantec Endpoint Protection suite on Windows Vista, it will disable Vista's built-in firewall (which supports IPv6). Thus, installing Symantec Endpoint Protection Suite on Windows Vista breaks IPv6.

If you want to use Symantec Endpoint Protection Suite and have IPv6 working, you should not install the firewall component of Symantec Endpoint Protection Suite. In this case, you will need to use Windows' built-in firewall for both IPv4 and IPv6.

MCT MCSE-2012 Symantec Technical Specialist (SCTS)

ShadowsPapa's picture

all of the above......... we've no need for it and it generates a bunch of extra garbage so personally, 4 us, I'm only happy to disable and block..........

clamu's picture

Awesome, thanks guys.  I wish I could mark more than one as the solution, instead I will give your posts +1 vote.