Monday, October 5, 2015

ipv6 firewall bakeoff

For the last 2 months, I've been on a team of security engineers that has been looking at numerous IPv6 features in a few of the common and major firewalls. I want to share some of my findings and thoughts.

First off, all of the vendors (JNPR / CSCO / FTNT) produce great firewall products. They all have numerous strengths and weaknesses. I've always tried to be fair and unbiased in my reviews.

If you think you will run a 100% IPv6-only network with no dependencies on IPv4, I hate to burst your bubble. Some features and services have NOT been IPv6-enabled or offered in most of these vendors' firewalls.

Take the Fortinet FortiGate series running 5.2.x: it has a cool DNS server function. It allows you to build AAAA records (but is limited in the resource record types it supports) and to query it over the IPv6 protocol.

e.g. (a query using the host command against a DNS server on a FortiGate)

SOC01>host -6 -t aaaa 2001:db8:99:101::1 -v
Using domain server:
Name: 2001:db8:99:101::1
Address: 2001:db8:99:101::1#53
Aliases: has IPv6 address 64:ff9b::b8a8:dd68

But you can't enable an IPv6 DNS forwarder. All forwarding has to go through IPv4 forwarders.
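The host command above does two things at once: it carries the query over IPv6 transport (-6) and asks for an AAAA record (-t aaaa). When you are checking a lot of units, it helps to script that test so the result can be asserted rather than eyeballed. The following is an added example, not code from the original post or from any vendor: it builds the same AAAA query, parses the answer (including DNS name compression), and flags any answer that falls inside 64:ff9b::/96, the NAT64 well-known prefix, since the sample answer above is in that range. The zone name, transaction id and the embedded response bytes are constructed for illustration; only query_over_ipv6() touches the network, and it is not called automatically.

```python
"""Minimal DNS AAAA query builder/parser for checking a firewall's built-in
DNS server over IPv6 transport.  Added example, not from the original post;
the name "host.example.com", txid 0x1234 and SAMPLE_RESPONSE are constructed."""
import ipaddress
import socket
import struct

# RFC 6052 NAT64 well-known prefix; answers inside it are DNS64-style synthesized
NAT64_WKP = ipaddress.IPv6Network("64:ff9b::/96")


def build_aaaa_query(name: str, txid: int = 0x1234) -> bytes:
    """Standard query, RD=1, one question: QNAME=name, QTYPE=AAAA(28), QCLASS=IN(1)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 28, 1)


def _read_name(msg: bytes, off: int):
    """Decode a possibly-compressed name at `off`; return (name, offset after it)."""
    labels = []
    jumped = False
    end = off
    while True:
        length = msg[off]
        if (length & 0xC0) == 0xC0:                      # compression pointer
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2                            # pointer is the last 2 bytes
            jumped = True
            off = ptr
            continue
        off += 1
        if length == 0:
            if not jumped:
                end = off
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), end


def parse_aaaa_response(msg: bytes, expected_txid: int) -> dict:
    """Return {'rcode': n, 'answers': [...]} with every AAAA RR found in the answer section."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if txid != expected_txid:
        raise ValueError("transaction id mismatch")
    if not flags & 0x8000:
        raise ValueError("QR bit clear: not a response")
    off = 12
    for _ in range(qd):                                  # skip echoed question(s)
        _, off = _read_name(msg, off)
        off += 4                                         # QTYPE + QCLASS
    answers = []
    for _ in range(an):
        name, off = _read_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 28 and rclass == 1 and rdlen == 16:
            addr = ipaddress.IPv6Address(rdata)
            answers.append({"name": name, "addr": str(addr),
                            "nat64_synth": addr in NAT64_WKP})
    return {"rcode": flags & 0x000F, "answers": answers}


def query_over_ipv6(server: str, name: str, timeout: float = 2.0) -> dict:
    """Send the AAAA query over IPv6 UDP (what `host -6` does) and parse the reply."""
    with socket.socket(socket.AF_INET6, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_aaaa_query(name), (server, 53))
        data, _ = s.recvfrom(4096)
    return parse_aaaa_response(data, 0x1234)


# Constructed response (not captured from a device): one AAAA answer for the
# question above, with the owner name compressed to a pointer at offset 12.
SAMPLE_QUERY = build_aaaa_query("host.example.com", 0x1234)
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)   # QR=1 RD=1 RA=1, rcode 0
    + SAMPLE_QUERY[12:]                                  # echoed question section
    + b"\xc0\x0c"                                        # name pointer -> offset 12
    + struct.pack("!HHIH", 28, 1, 300, 16)               # AAAA, IN, TTL 300, 16 bytes
    + ipaddress.IPv6Address("64:ff9b::b8a8:dd68").packed
)

if __name__ == "__main__":
    print(parse_aaaa_response(SAMPLE_RESPONSE, 0x1234))
```

Against a real unit you would call query_over_ipv6("2001:db8:99:101::1", "host.example.com") and check that rcode is 0 and the answer list is non-empty; a timeout or an IPv4-only bind is the failure mode the bakeoff is looking for. The nat64_synth flag is informational: it tells you whether the AAAA you got back is a synthesized address rather than a native one.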

The same goes for SNMPv3 over IPv6 in all three vendors' solutions. You just can't do it over IPv6.

Here's the table of the features we tested and validated. The findings are quite interesting:


The Cisco ASA is a well-known firewall, but it barely has IPv6 support, IMHO, when compared to the other two. Cisco has executed the bare minimum just to claim IPv6 support. It's sad that they are way behind the other two vendors I evaluated, but more IPv6 support is being added as time goes by.
  • the lack of a DHCPv6 server feature is a big showstopper for me
  • the same holds true for the DHCPv6 client feature and IPv6-PD (prefix delegation)
  • lack of any IPv6 BGP router process

We can only hope for more improvements in the Cisco ASA camp, and with time this will happen, but for the time being Cisco is lacking and slow to add any new features.

The FortiGates come from a not-so-well-known vendor, depending on the area or vertical you work in, yet they have very good overall IPv6 support and have offered IPv6 support for over a decade or maybe more, IIRC.

It's a good buy and the best bang for the buck, IMHO, mainly due to the lack of any licensed-feature models, except for FortiClient and VDOMs. The integral AP controller is an added bonus, with a wide range of APs offered.

But be advised, FTNT has struggled for a while with building a reliable FortiOS, so you might walk away very upset in the reliability area with the latest 5.0 or 5.2 FortiOS versions. You should keep your eyes open on this company.

The Juniper SRXs are a very good deal. Very strong and rich in features from routing to tunneling, but lacking or not as good with UTM features in the smaller units. It can be a pricey solution with its licensing model, in the same camp as a Cisco ASA. But the SRX is a strong IPv6 firewall solution. If you need 10/100 Gig firewalls with IPv6 support, the SRXs are a good choice, if not the best.

If I were working only in the SP/ISP sector, I would look at the top-end SRX firewalls for these areas. An SRX is hard to hate and works very well, IMHO.

Note, we did not test or evaluate any CheckPoint, PaloAlto, Cyberoam or Dell-SonicWall products. Also, UTM features were never enabled in any of the three firewalls that I looked at. All firewalls were run in multi-routed modes and with the maximum virtual routers/contexts/VDOMs supported by that hardware.

So when deciding on your next-gen FW model for an IPv6 network, you need to look at the whole picture. Where one area shines, you might find darkness in another.

IPv6-PD and PPPoEv6 support seem to be the big issues in the end-user/home device segment, whereas dynamic routing support is the #1 issue in the enterprise and SP arena.

All three vendors offer various degrees of IPv6 support and cost. You need to lay it all out on the table and determine your needs based on your budget.

Ken Felix
NSE ( Network Security Expert) and Route/Switching Engineer.
kfelix  -----a----t---- socpuppets ---dot---com

    ^     ^
=(  *  * )=
      /  \
