nanog mailing list archives
Re: NAT firewall for IPv6?
From: Eric Kuhnke <eric.kuhnke () gmail com>
Date: Tue, 5 Jul 2016 16:05:08 -0700
You know the cosmological model that the earth is balanced on the back of a giant turtle, which is supported by successive lower tiers of other turtles? https://en.wikipedia.org/wiki/Turtles_all_the_way_down

It's like that, except it's trolls all the way down.

On Tue, Jul 5, 2016 at 3:24 PM, Chase Christian <madsushi () gmail com> wrote:

The original email was not a serious question, but a joke:
https://twitter.com/SwiftOnSecurity/status/749059605360062464
https://twitter.com/SwiftOnSecurity/status/749062835687174144
https://twitter.com/SwiftOnSecurity/status/749068172460847105

On Tue, Jul 5, 2016 at 1:41 PM, Naslund, Steve <SNaslund () medline com> wrote:

It is all about defense in depth. The engineers here are speaking to the network pieces (the second N in NANOG is network, right :) and we have told this person that it is unlikely that v6 is the only vector, and I myself talked about malware handling on the clients themselves. From a network engineering perspective many of us agreed that the biggest single threat to his network was a firewall in an unknown state with an unknown administrator password that could be owned by anyone on earth at this point. That single piece threatens the entire network as a whole and is a ticking time bomb ready to blow his entire LAN off the Internet if it fails.

He probably does not own the entire environment himself; he is filling in for a vacationing network engineer. So he is working on the network piece and is probably not responsible for the anti-malware software on the clients (if anyone is, see below).

Our "support" as you call it was a response to this person's questions about blocking v6 as an attack vector in the first place. We answered his question but then told him that was unlikely to be the problem and what he should do about taking back his firewall, securing v6 via the firewall, and handling the malware at the client. Seems solid advice to me so far. BTW we did not bill him for anything. He got a lot of free advice from a lot of people he could not even begin to afford to employ, so not a bad deal for him.

You also have to understand that this gentleman seems to be in an educational environment, which usually means lots of clients he does not have control over, so having some kind of network based malware control is helpful. Clients in this type of environment have to defend themselves from each other and he will likely have stuff brought in from the outside. Good malware detection in the network can help identify clients that contain malware and are a threat to other devices. Fancier network gear/IDS/IDP would actually remove offending clients from the network or at least segment them into an isolation area.

Let me re-iterate:

1. Take back ownership of your firewall and bring it up to date, including new malware signatures. If you don't have current support, get it... directly, so if your consultant bails you are not dead meat. This will ensure that the outside world will not own or control stuff inside your network while you put the fires out. At the very least it can help keep malware infected machines from phoning home to their command and control servers, which sometimes prevents a lot of damage.

2. Make your v6 rules mirror at least the security level of your v4 rules. Passing v6 unchallenged is unacceptable. If your firewall won't do it, replace it with one that will.

3. Ensure all clients under your control have current anti-virus/anti-malware detection. Clients have to defend themselves from threats internal to the firewall as well as ones outside. Don't be hard on the outside with a soft chewy center.

4. Never, ever accept anything less than full administrative control passwords and accounts from your consultants before you give them final payment. I actually prefer to lock them out when they complete an install until I need them to help with something. This prevents them from holding you hostage or one of their "postal" employees from wiping you out, as well as preventing them from using your network for experimentation without you knowing it. It is an important part of change control to ensure that outsiders cannot modify your configuration without contacting you first. We usually give our consultants highly logged VPN accounts that we can disable or enable as needed.

Steven Naslund
Chicago IL

No, while that is also needed, it is very unlikely to fix his issue. The issue at hand is that some of their computers have become virus infected. The fix for that is to upgrade the virus scanner and make sure that all software upgrades are done.

Someone comes to you and says his Firefox is getting infected through IPv6. If your support is worth anything, you will not take that at face value and bill him for a ton of work related to IPv6. No, you will go find out what the real issue is and solve that. The only thing we know right now is that he is confused.

Regards,
Baldur
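Point 2 above (v6 rules must carry at least the security level of the v4 rules, and v6 must never pass unchallenged) is easiest to get right when one ruleset governs both families, so that nobody can update the v4 rules and forget v6. The nftables configuration below is an added example written for this page; it is not from any participant in the thread and not from any product mentioned in it. It assumes a Linux-based edge firewall with the outside interface named eth0 and the LAN interface named eth1, a stateful default-drop policy, and a DNS/DHCP service on the firewall itself; all of those are assumptions. The one place v6 deliberately differs from v4 is ICMPv6: Neighbor Discovery, Router Solicitation/Advertisement and Packet Too Big must be permitted or IPv6 stops working on the LAN and path MTU discovery breaks, which is the usual way an over-eager "mirror the v4 rules" job quietly disables v6 instead of securing it.

```nftables
#!/usr/sbin/nft -f
# Added example: one inet-family ruleset so IPv4 and IPv6 get identical policy.
# Interface names are assumptions; adjust for the real box.
flush ruleset

define wan = "eth0"
define lan = "eth1"

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;

        ct state established,related accept
        ct state invalid drop
        iif lo accept

        # IPv6 cannot function without these ICMPv6 types (ND, RS/RA, PMTUD).
        # Blocking them is the classic way "securing v6" silently breaks v6.
        icmpv6 type {
            destination-unreachable, packet-too-big, time-exceeded,
            parameter-problem, echo-request,
            nd-router-solicit, nd-router-advert,
            nd-neighbor-solicit, nd-neighbor-advert
        } accept

        # Equivalent v4 housekeeping ICMP.
        icmp type { destination-unreachable, time-exceeded, parameter-problem, echo-request } accept

        # Services the firewall itself offers to the LAN only (assumed):
        # SSH management, DNS, DHCPv4 (67) and DHCPv6 (547).
        iifname $lan tcp dport { 22, 53 } accept
        iifname $lan udp dport { 53, 67, 547 } accept

        # Anything unsolicited from the WAN, v4 or v6, falls to the drop policy.
    }

    chain forward {
        type filter hook forward priority 0; policy drop;

        ct state established,related accept
        ct state invalid drop

        # PMTUD and error signalling must also cross the firewall in both families.
        icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem } accept
        icmp   type { destination-unreachable, time-exceeded, parameter-problem } accept

        # LAN hosts may initiate outbound; return traffic is covered by conntrack.
        iifname $lan oifname $wan accept

        # Unsolicited inbound to LAN hosts (the globally routable v6 addresses
        # that NAT used to hide on v4) is dropped by policy, same as v4.
    }

    chain output {
        type filter hook output priority 0; policy accept;
    }
}
```

Before loading it, run `nft -c -f /etc/nftables.conf` to syntax-check without touching the live ruleset, then `nft -f /etc/nftables.conf` and `nft list ruleset` to confirm what is actually installed. The check that matters afterwards is from the outside: an `nmap -6 -sS` against a LAN host's global address should show every port filtered while the same host can still browse, resolve names and receive Router Advertisements from the LAN side; if the LAN loses its default route or fails to renew addresses, the ICMPv6 accept set is the first thing to inspect.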
Current thread:
- Re: NAT firewall for IPv6?, (continued)
- Re: NAT firewall for IPv6? A . L . M . Buxey (Jul 05)
- Re: NAT firewall for IPv6? Spencer Ryan (Jul 05)
- Re: NAT firewall for IPv6? Valdis . Kletnieks (Jul 05)
- Re: NAT firewall for IPv6? Spencer Ryan (Jul 05)
- Re: NAT firewall for IPv6? A . L . M . Buxey (Jul 05)
- Re: NAT firewall for IPv6? Spencer Ryan (Jul 05)
- Re: NAT firewall for IPv6? A . L . M . Buxey (Jul 05)
- Re: NAT firewall for IPv6? Tom Beecher (Jul 05)
- Re: NAT firewall for IPv6? Octavio Alvarez (Jul 05)
- Re: NAT firewall for IPv6? Baldur Norddahl (Jul 05)
- RE: NAT firewall for IPv6? Naslund, Steve (Jul 05)
- Re: NAT firewall for IPv6? Chase Christian (Jul 05)
- Re: NAT firewall for IPv6? Eric Kuhnke (Jul 05)
- Re: NAT firewall for IPv6? Baldur Norddahl (Jul 05)
- Re: NAT firewall for IPv6? Stephen Strowes (Jul 08)
- Re: NAT firewall for IPv6? Larry Sheldon (Jul 05)