Re: NAT firewall for IPv6?

[Chase Christian <madsushi () gmail com>]

The original email was not a serious question, but a joke:

https://twitter.com/SwiftOnSecurity/status/749059605360062464
https://twitter.com/SwiftOnSecurity/status/749062835687174144
https://twitter.com/SwiftOnSecurity/status/749068172460847105



On Tue, Jul 5, 2016 at 1:41 PM, Naslund, Steve <SNaslund () medline com> wrote:

> It is all about defense in depth.  The engineers here are speaking to the
> network pieces (the second N in NANOG is network, right :) and we have told
> this person that it is unlikely that v6 in the only vector and I myself
> talked about malware handling on the clients themselves.  From a network
> engineering perspective many of us agreed that the biggest single threat to
> his network was a firewall in an unknown state with an unknown
> administrator password that could be owned by anyone on earth at this
> point.  That single piece threatens the entire network as a whole and is a
> ticking time bomb ready to blow his entire LAN off the Internet if it fails.
>
> He probably does not own the entire environment himself, he is filling in
> for a vacationing network engineer.  So he is working on the network piece
> and is probably not responsible for the anti-malware software on the
> clients (if anyone is, see below).
>
> Our "support" as you call it was a response to this person questions about
> blocking v6 as an attack vector in the first place.  We answered his
> question but then told him that was unlikely to be the problem and what he
> should do about taking back his firewall, securing v6 via the firewall, and
> handling the malware at the client.  Seems solid advise to me so far.
>
> BTW we did not bill him for anything.  He got a lot of free advice from a
> lot of people he could not even begin to afford to employ, so not a bad
> deal for him.  You also have to understand that this gentleman seems to be
> in an educational environment which usually means lots of clients he does
> not have control over so having some kind of network based malware control
> is helpful.  Clients in this type of environment have to defend themselves
> from each other and he will likely have stuff brought in from the outside.
> Good malware detection in the network can help identify clients that
> contain malware and are a threat to other devices.  Fancier network
> gear/IDS/IDP would actually remove offending clients from the network or at
> least segments them into an isolation area.
>
> Let me re-iterate:
>
>         1.      Take back ownership of your firewall and bring it up to
> date including new malware signatures.  If you don't have current support,
> get it...........directly so if your consultant bails you are not dead
> meat.  This will ensure that the outside world will not own or control
> stuff inside your network while you put the fires out.  At the very least
> it can help malware infected machines from phoning home to their command
> and control servers which sometimes prevents a lot of damage.
>         2.      Make your v6 rules mirror at least the security level of
> your v4 rules.  Passing v6 unchallenged is unacceptable.  If your firewall
> won't do it replace it with one that will.
>         3.      Ensure all clients under your control have current
> anti-virus/anti-malware detection.  Clients have to defend themselves from
> threats internal to the firewall as well as ones outside.  Don't be hard on
> the outside with a soft chewy center.
>         4.      Never, ever accept anything less than full administrative
> control passwords and accounts from your consultants, before you give them
> final payment.  I actually prefer to lock them out when they complete an
> install until I need them to help with something.  This prevents them from
> holding you hostage or one of their "postal" employees from wiping you out
> as well as preventing them from using your network for experimentation
> without you knowing it.  It is an important part of change control to
> ensure that outsiders cannot modify your configuration without contacting
> you first.  We usually give our consultants highly logged VPN accounts that
> we can disable or enable as needed.
>
> Steven Naslund
> Chicago IL
>
>
>
> > > No while that is also needed, it is very unlikely to fix his issue. The
> issue at hand is that some of their computers have become virus infected.
> > > The fix for that is to upgrade the virus scanner and making sure that
> all software upgrades are done.
>
> > > Someone comes to you and says his Firefox is getting infected through
> IPv6.
> > > If your support is worth anything, you will not take that at face value
> and bill him for a ton work related to IPv6. No, you will go find out what
> the real issue is and solve that. The only thing we know right now is that
> he is >>confused.
> > > Regards,
> > >
> > > Baldur