IPv6 uptake (was: The Reg does 240/4)

• Previous message (by thread): IPv6 uptake (was: The Reg does 240/4)
• Next message (by thread): IPv6 uptake (was: The Reg does 240/4)
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Bill, same scenario, but instead of fat fingering an outbound rule, you fat finger a port map for inbound connections to a different host and get the destination address wrong. 

Still hacked. 

NAT doesn’t prevent fat fingers from getting you hacked, it just changes the nature of the required fat fingering. 

Care to talk about trying to track down a compromised host through the audit trail given an abuse report that doesn’t include the source port number? (Oracle even one that happens to include it)?

Owen


> On Feb 16, 2024, at 17:05, William Herrin <bill at herrin.us> wrote:
> 
> On Fri, Feb 16, 2024 at 3:13 PM Michael Thomas <mike at mtcc.com> wrote:
>> If you know which subnets need to be NAT'd don't you also know which
>> ones shouldn't exposed to incoming connections (or conversely, which
>> should be permitted)? It seems to me that all you're doing is moving
>> around where that knowledge is stored? Ie, DHCP so it can give it
>> private address rather than at the firewall knowing which subnets not to
>> allow access? Yes, DHCP can be easily configured to make everything
>> private, but DHCP for static reachable addresses is pretty handy too.
> 
> Hi Mike,
> 
> Suppose I have a firewall at 2602:815:6000::1 with an internal network
> of 2602:815:6001::/64. Inside the network on 2602:815:6001::4 I have a
> switch that accepts telnet connections with a user/password of
> admin/admin. On the firewall, I program it to disallow all Internet
> packets to 2602:815:6001::/64 that are not part of an established
> connection.
> 
> Someone tries to telnet to 2602:815:6001::4. What happens? Blocked.
> 
> Now, I make a mistake on my firewall. I insert a rule intended to
> allow packets outbound from 2602:815:6001::4 but I fat-finger it and
> so it allows them inbound to that address instead. Someone tries to
> telnet to 2602:815:6001::4. What happens? Hacked.
> 
> Now suppose I have a firewall at 199.33.225.1 with an internal network
> of 192.168.55.0/24. Inside the network on 192.168.55.4 I have a switch
> that accepts telnet connections with a user/password of admin/admin.
> On the firewall, I program it to do NAT translation from
> 192.168.55.0/24 to 199.33.225.1 when sending packets outbound, which
> also has the effect of disallowing inbound packets to 192.168.55.0/24
> which are not part of an established connection.
> 
> Someone tries to telnet to 192.168.55.4. What happens? The packet
> never even reaches my firewall because that IP address doesn't go
> anywhere on the Internet.
> 
> Now I make a mistake on my firewall. I insert a rule intended to allow
> packets outbound from 192.168.55.4 but I fat-finger it and so it
> allows them inbound to that address instead. Someone tries to telnet
> to 192.168.55.4. What happens? The packet STILL doesn't reach my
> firewall because that IP address doesn't go anywhere on the Internet.
> 
> See the difference? Accessible versus accessible and addressable. Not
> addressable enhances security.
> 
> Regards,
> Bill Herrin
> 
> 
> --
> William Herrin
> bill at herrin.us
> https://bill.herrin.us/

• Previous message (by thread): IPv6 uptake (was: The Reg does 240/4)
• Next message (by thread): IPv6 uptake (was: The Reg does 240/4)
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]