
Allow TEREDO. and 6TO4.ipv6.microsoft.com in OpenDNS Whitelist?

YD_IT_Guy
Similar to my earlier question regarding ISATAP and WPAD (here http://rdsrc.us/WZIRbe), I am wondering if it is safe to allow teredo. and 6to4.ipv6.microsoft.com.  I believe the latter enables ipv6 addresses to be encapsulated in an ipv4 for routing, but I am less clear on the teredo.ipv6.microsoft.com.  

My situation and environment:
I have recently implemented OpenDNS web content filtering at all of my company's retail locations.  I've chosen to use their Whitelist available with the Enterprise package to limit access.  Choosing this method required us to compose a list not only of sites they will need to browse but sites necessary for all related technology to function and update.

In monitoring the blocked domains I constantly encounter teredo.ipv6.microsoft.com and 6to4.ipv6.microsoft.com entries.  I have researched these but I have not yet found anything which can assure me that it will be safe to allow them.  OpenDNS, naturally, uses their DNS servers to enforce the filtering so I need to be absolutely sure these will not allow users to bypass this.

I would like to be 100% sure allowing these will 1) not create any potential security risks and 2) not enable my users to bypass OpenDNS and access restricted sites.

Thank you for your help!
Are you talking about the automatic tunneling from Windows devices back to Microsoft, or is this something you have configured to route back to Microsoft?

The automatic tunneling is troubling to me: what is being communicated back to MS?
The fact that you have no control over or understanding of what is being communicated is reason to filter it. Also, there is no way to inspect the traffic via a firewall at this point.
I added filters on my network to see what devices were tunneling; I was quite surprised.

I would advocate filtering that traffic unless there is a need.


harbor235 ;}

Author

Commented:
Hi harbor235

I've learned from KBs and forums that teredo and 6to4 are built into Windows 7 and enabled by default.  All of my store POS machines are Win7, these are devices being protected by OpenDNS and reporting these blocked communications.  (http://technet.microsoft.com/en-us/library/bb457011.aspx)

We do use Cisco VPN clients for the POS software, but this should be the only tunneling.  Only the POS traffic goes through the tunnel, all browsing goes through the standard local area connection filtered by OpenDNS's name servers. It's more difficult for me to inspect the traffic because it's from dozens of remote locations.

We are currently using IPv4 exclusively, so I don't believe we need this but would like to confirm with experts.  However, I would prefer to ALLOW teredo and 6to4 if there is no associated security risk or chance of allowing access to restricted sites. These entries are cluttering up my blocked domain reports. If they should be blocked I can do this by hosts file.

To simplify my question - would allowing teredo and 6to4 (dot ipv6 dot microsoft) enable unauthorized access to any DNS or proxy servers which my employees could use to browse the interpipes?  Could this technology be used by some bleep to trick my store machines and gain access to them?  I imagine neither is unlikely since this is default behavior for the OS, but want to hear it from those who know more about networking.

Thanks
Top Expert 2016
Commented:
To simplify my question - would allowing teredo and 6to4 (dot ipv6 dot microsoft) enable unauthorized access to any DNS or proxy servers which my employees could use to browse the interpipes?  Could this technology be used by some bleep to trick my store machines and gain access to them?  I imagine neither is unlikely since this is default behavior for the OS, but want to hear it from those who know more about networking.

From the outside inbound: NO
From the inside out -- a qualified Maybe to be sure
From group policy, run the following on your users' machines:

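rem Stop the IP Helper service (iphlpsvc) from starting at boot
sc config iphlpsvc start= disabled
rem Disable the Teredo tunneling client
netsh interface teredo set state disabled
rem Disable the 6to4 tunneling interface
netsh interface ipv6 6to4 set state state=disabled undoonstop=disabled
rem Disable the ISATAP tunneling interface
netsh interface ipv6 isatap set state state=disabled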

Author

Commented:
Hi ve3ofa,

Thank you for your reply.  The 'maybe' you mentioned is reason enough in my mind to disable these.

I do not yet have my stores on a domain, the VPN is only to access an application server at our parent company overseas.  I assume I can slap these commands in a batch file and run on all store machines when I (painfully) access them one-by-one for updating and tweaking.

This is even better than blocking, I hadn't thought to disable the service!

Cheers
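
One way to confirm the disable commands took effect store by store, added here as an example that is not part of the original thread: scan a blocked-domain report for Teredo, 6to4 and ISATAP lookups that still occur after the batch file was run at a location. The CSV layout, store names and dates are constructed assumptions, not OpenDNS's actual export format.

```python
import csv
import io
from datetime import datetime

# Constructed sample report; column names and layout are assumptions,
# not OpenDNS's actual export format.
SAMPLE_REPORT = """timestamp,location,domain
2024-05-01T09:00:00,store-01,teredo.ipv6.microsoft.com
2024-05-01T09:05:00,store-01,6to4.ipv6.microsoft.com
2024-05-03T10:00:00,store-01,example.com
2024-05-03T11:00:00,store-02,Teredo.ipv6.microsoft.com.
2024-05-04T08:00:00,store-02,isatap.corp.example
2024-05-04T08:30:00,store-03,6to4.ipv6.microsoft.com
"""

# Constructed: when the disable batch file was run at each store.
APPLIED = {"store-01": datetime(2024, 5, 2), "store-02": datetime(2024, 5, 3)}

def classify(domain):
    """Map a queried name to the transition technology it belongs to."""
    name = domain.strip().rstrip(".").lower()
    if name == "teredo.ipv6.microsoft.com":
        return "teredo"
    if name == "6to4.ipv6.microsoft.com":
        return "6to4"
    # Windows resolves the host label "isatap" under the local DNS suffix.
    if name == "isatap" or name.startswith("isatap."):
        return "isatap"
    return None

def residual_lookups(report_text, applied):
    """Return (residual, pending): per-store technologies still looked up
    after the fix was applied, and stores with lookups but no fix yet."""
    residual = {store: set() for store in applied}
    pending = set()
    for row in csv.DictReader(io.StringIO(report_text)):
        tech = classify(row["domain"])
        if tech is None:
            continue
        store = row["location"]
        if store not in applied:
            pending.add(store)
        elif datetime.fromisoformat(row["timestamp"]) >= applied[store]:
            residual[store].add(tech)
    return {s: sorted(t) for s, t in residual.items()}, sorted(pending)

if __name__ == "__main__":
    residual, pending = residual_lookups(SAMPLE_REPORT, APPLIED)
    for store, techs in residual.items():
        print(store, "still querying:", ", ".join(techs) or "nothing")
    print("not yet fixed:", ", ".join(pending))
```

A store that still shows lookups after its applied date is worth revisiting, since the commands may not have run or the machine may not have been restarted.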