Comcast enables 6to4 relays

Jeroen Massar jeroen at unfix.org
Tue Aug 31 11:31:01 CDT 2010


On 2010-08-31 18:07, Jack Bates wrote:
> Jeroen Massar wrote:
>>
>> Jack: there are a lot more methods to infect a host than this as there
>> are lots and lots of p2p protocols which are being used by C&C botnets.
>> And never forgot about this very simple protocol called HTTP(S).
>>
> 
> I agree, though let's consider HTTP. If a firewall is set to filter it,
> yet you are tunneling through with IPv6, you've bypassed your HTTP
> filters which may, among other things, provide AV protection. I
> recognize that there are plenty of ways to infect a machine. My concern
> is that teredo can bypass firewall security and relies upon host
> security to protect the computer. Unfortunately, not everyone utilizes
> host security and has dependence on network firewalls.

If you have a "firewall" which only blocks things it knows you don't
have a proper firewall.

The only 'firewall' that makes sense anyway is the one which is
unplugged. There is always a way out of the network as long as you can
have a controlled box on the outside that you can send packets to and from.

Network firewalls are great for 'centralized' mitigation and trying to
at least cut out most of the wrong stuff you don't want to see as an
administrator, but if you are truly serious about it then you should be
deploying monitoring on the hosts that are attached to your network too,
just remember that a lot of people have VPN software, connect from home
to that VPN and do other weird setups (Skype for instance, BitTorrent)
where there are possibilities to bypass your "firewall".

And indeed, there is no proper solution for that unless you create a
walled garden and allow people to only connect to known services and
only allow them to send minimal messages, no flash, no other cruft like
images.

Steganography is also so much fun, Too many ways, even per default and
also if someone really wants.

Only thing you can do is keep your eyes wide open and of course define
what you are really trying to protect against, as one can just as well
just use sneakernet to move data around.

Greets,
 Jeroen






More information about the NANOG mailing list