Re: NAT firewall for IPv6?

[Eric Kuhnke <eric.kuhnke () gmail com>]

You know the cosmological model that the earth is balanced on the back of a
giant turtle, which is supported by successive lower tiers of other turtles?

https://en.wikipedia.org/wiki/Turtles_all_the_way_down

It's like that, except it's trolls all the way down.



On Tue, Jul 5, 2016 at 3:24 PM, Chase Christian <madsushi () gmail com> wrote:

> The original email was not a serious question, but a joke:
>
> https://twitter.com/SwiftOnSecurity/status/749059605360062464
> https://twitter.com/SwiftOnSecurity/status/749062835687174144
> https://twitter.com/SwiftOnSecurity/status/749068172460847105
>
>
>
> On Tue, Jul 5, 2016 at 1:41 PM, Naslund, Steve <SNaslund () medline com>
> wrote:
>
> > It is all about defense in depth.  The engineers here are speaking to the
> > network pieces (the second N in NANOG is network, right :) and we have
> told
> > this person that it is unlikely that v6 in the only vector and I myself
> > talked about malware handling on the clients themselves.  From a network
> > engineering perspective many of us agreed that the biggest single threat
> to
> > his network was a firewall in an unknown state with an unknown
> > administrator password that could be owned by anyone on earth at this
> > point.  That single piece threatens the entire network as a whole and is
> a
> > ticking time bomb ready to blow his entire LAN off the Internet if it
> fails.
> > He probably does not own the entire environment himself, he is filling in
> > for a vacationing network engineer.  So he is working on the network
> piece
> > and is probably not responsible for the anti-malware software on the
> > clients (if anyone is, see below).
> >
> > Our "support" as you call it was a response to this person questions
> about
> > blocking v6 as an attack vector in the first place.  We answered his
> > question but then told him that was unlikely to be the problem and what
> he
> > should do about taking back his firewall, securing v6 via the firewall,
> and
> > handling the malware at the client.  Seems solid advise to me so far.
> >
> > BTW we did not bill him for anything.  He got a lot of free advice from a
> > lot of people he could not even begin to afford to employ, so not a bad
> > deal for him.  You also have to understand that this gentleman seems to
> be
> > in an educational environment which usually means lots of clients he does
> > not have control over so having some kind of network based malware
> control
> > is helpful.  Clients in this type of environment have to defend
> themselves
> > from each other and he will likely have stuff brought in from the
> outside.
> > Good malware detection in the network can help identify clients that
> > contain malware and are a threat to other devices.  Fancier network
> > gear/IDS/IDP would actually remove offending clients from the network or
> at
> > least segments them into an isolation area.
> >
> > Let me re-iterate:
> >
> >         1.      Take back ownership of your firewall and bring it up to
> > date including new malware signatures.  If you don't have current
> support,
> > get it...........directly so if your consultant bails you are not dead
> > meat.  This will ensure that the outside world will not own or control
> > stuff inside your network while you put the fires out.  At the very least
> > it can help malware infected machines from phoning home to their command
> > and control servers which sometimes prevents a lot of damage.
> >         2.      Make your v6 rules mirror at least the security level of
> > your v4 rules.  Passing v6 unchallenged is unacceptable.  If your
> firewall
> > won't do it replace it with one that will.
> >         3.      Ensure all clients under your control have current
> > anti-virus/anti-malware detection.  Clients have to defend themselves
> from
> > threats internal to the firewall as well as ones outside.  Don't be hard
> on
> > the outside with a soft chewy center.
> >         4.      Never, ever accept anything less than full administrative
> > control passwords and accounts from your consultants, before you give
> them
> > final payment.  I actually prefer to lock them out when they complete an
> > install until I need them to help with something.  This prevents them
> from
> > holding you hostage or one of their "postal" employees from wiping you
> out
> > as well as preventing them from using your network for experimentation
> > without you knowing it.  It is an important part of change control to
> > ensure that outsiders cannot modify your configuration without contacting
> > you first.  We usually give our consultants highly logged VPN accounts
> that
> > we can disable or enable as needed.
> >
> > Steven Naslund
> > Chicago IL
> >
> >
> >
> > > > No while that is also needed, it is very unlikely to fix his issue. The
> > issue at hand is that some of their computers have become virus infected.
> > > > The fix for that is to upgrade the virus scanner and making sure that
> > all software upgrades are done.
> >
> > > > Someone comes to you and says his Firefox is getting infected through
> > IPv6.
> > > > If your support is worth anything, you will not take that at face value
> > and bill him for a ton work related to IPv6. No, you will go find out
> what
> > the real issue is and solve that. The only thing we know right now is
> that
> > he is >>confused.
> > > > Regards,
> > > >
> > > > Baldur