UTM and IPv6: Do they mix?

If there's any enterprise UTM firewall that's ready to support IPv6, the Nokia IP290 and Check Point's VPN-1 firewall software are definitely it.

IPv6 is the writing on the firewall.

If there's any enterprise UTM firewall that's ready to be used to support IPv6, the Nokia IP290 running Nokia's IPSO operating system and Check Point's VPN-1 firewall software are definitely it. Nokia's strong IPv6 support includes interfaces on the platform, dynamic routing using RIP next generation (RIPng) and OSPF v3, and several types of tunneling. Add to this Check Point's support for IPv6 in firewall rules, in its SmartDefense IPS and in its SmartDashboard GUI, and the result is a usable IPv6 firewall.

Crossbeam, IBM, and Check Point's own UTM appliances are based on Check Point's Secure Platform, which has limited support for IPv6 at this time, requiring considerable manual configuration and an additional (free) license. Check Point fans who want to explore IPv6 should keep an eye on Secure Platform, but should start with the Nokia IPSO platform, which has a greater commitment to IPv6 support at this time.

Next in IPv6 capability is Juniper, which includes IPv6 support in the latest versions of its ScreenOS software. Juniper's IPv6 support is slightly more limited than Nokia's, offering RIPng only for dynamic routing. The big "gotcha" with Juniper's IPv6 support is that you can't get at it using the company's centralized management tool, NetScreen Security Manager. In fact, it's worse than that: You must disable IPv6 on the security gateway in order for NetScreen Security Manager to properly manage the gateway.

This means that IPv6 support in Juniper firewalls, at this point, is limited to either local Web-based GUI configuration or command-line control.

Cisco's ASA5540 and Fortinet's FortiGate firewalls both have IPv6 support, but it is visible only via the local command-line interface. Cisco's IPv6 support includes not only interfaces with IPv6 addresses and IPv6 firewall rules, but also firewall inspection of FTP, HTTP, ICMP, SMTP, TCP and UDP traffic running over IPv6. At this time, Cisco doesn't include any IPv6 dynamic-routing protocols in the ASA firmware. Fortinet's FortiGate software includes support for IPv6 similar to Cisco's, with configuration capabilities also limited to the command-line interface.

Secure Computing's Sidewinder, SonicWall's SonicOS, WatchGuard's Firebox X Peak, IBM/ISS' Proventia MX5010 and Astaro's ASG don't support IPv6 at this time.
