NAT firewall for IPv6?
Chase Christian
madsushi at gmail.com
Tue Jul 5 22:24:44 UTC 2016
The original email was not a serious question, but a joke:
https://twitter.com/SwiftOnSecurity/status/749059605360062464
https://twitter.com/SwiftOnSecurity/status/749062835687174144
https://twitter.com/SwiftOnSecurity/status/749068172460847105
On Tue, Jul 5, 2016 at 1:41 PM, Naslund, Steve <SNaslund at medline.com> wrote:
> It is all about defense in depth. The engineers here are speaking to the
> network pieces (the second N in NANOG is network, right :) and we have told
> this person that it is unlikely that v6 is the only vector and I myself
> talked about malware handling on the clients themselves. From a network
> engineering perspective many of us agreed that the biggest single threat to
> his network was a firewall in an unknown state with an unknown
> administrator password that could be owned by anyone on earth at this
> point. That single piece threatens the entire network as a whole and is a
> ticking time bomb ready to blow his entire LAN off the Internet if it fails.
>
> He probably does not own the entire environment himself, he is filling in
> for a vacationing network engineer. So he is working on the network piece
> and is probably not responsible for the anti-malware software on the
> clients (if anyone is, see below).
>
> Our "support" as you call it was a response to this person's questions about
> blocking v6 as an attack vector in the first place. We answered his
> question but then told him that was unlikely to be the problem and what he
> should do about taking back his firewall, securing v6 via the firewall, and
> handling the malware at the client. Seems solid advice to me so far.
>
> BTW we did not bill him for anything. He got a lot of free advice from a
> lot of people he could not even begin to afford to employ, so not a bad
> deal for him. You also have to understand that this gentleman seems to be
> in an educational environment which usually means lots of clients he does
> not have control over so having some kind of network based malware control
> is helpful. Clients in this type of environment have to defend themselves
> from each other and he will likely have stuff brought in from the outside.
> Good malware detection in the network can help identify clients that
> contain malware and are a threat to other devices. Fancier network
> gear/IDS/IDP would actually remove offending clients from the network or at
> least segment them into an isolation area.
>
> Let me re-iterate:
>
> 1. Take back ownership of your firewall and bring it up to
> date including new malware signatures. If you don't have current support,
> get it... directly so if your consultant bails you are not dead
> meat. This will ensure that the outside world will not own or control
> stuff inside your network while you put the fires out. At the very least
> it can keep malware-infected machines from phoning home to their command
> and control servers which sometimes prevents a lot of damage.
> 2. Make your v6 rules mirror at least the security level of
> your v4 rules. Passing v6 unchallenged is unacceptable. If your firewall
> won't do it replace it with one that will.
> 3. Ensure all clients under your control have current
> anti-virus/anti-malware detection. Clients have to defend themselves from
> threats internal to the firewall as well as ones outside. Don't be hard on
> the outside with a soft chewy center.
> 4. Never, ever accept anything less than full administrative
> control passwords and accounts from your consultants, before you give them
> final payment. I actually prefer to lock them out when they complete an
> install until I need them to help with something. This prevents them from
> holding you hostage or one of their "postal" employees from wiping you out
> as well as preventing them from using your network for experimentation
> without you knowing it. It is an important part of change control to
> ensure that outsiders cannot modify your configuration without contacting
> you first. We usually give our consultants highly logged VPN accounts that
> we can disable or enable as needed.
>
> Steven Naslund
> Chicago IL
>
>
>
> >>No, while that is also needed, it is very unlikely to fix his issue. The
> >>issue at hand is that some of their computers have become virus infected.
> >>The fix for that is to upgrade the virus scanner and make sure that
> >>all software upgrades are done.
> >>
> >>Someone comes to you and says his Firefox is getting infected through
> >>IPv6.
> >>If your support is worth anything, you will not take that at face value
> >>and bill him for a ton of work related to IPv6. No, you will go find out
> >>what the real issue is and solve that. The only thing we know right now is
> >>that he is confused.
> >>
> >>Regards,
> >>
> >>Baldur
>
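An illustration of point 2 in the quoted list, added here and not part of the thread: a single nftables "inet" table so the same stateful policy covers IPv4 and IPv6 at once, rather than an IPv6 path left open beside a filtered IPv4 path. The interface names eth0 (WAN) and eth1 (LAN) are assumptions; note that a v4 "drop all ICMP" rule cannot be mirrored blindly, because IPv6 depends on ICMPv6 for Neighbour Discovery and path MTU discovery.

```nft
# Added example (not from the thread). Assumed: eth0 = WAN, eth1 = LAN.
flush ruleset

table inet border {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Replies to sessions started from the LAN, for both address families
        ct state established,related accept
        ct state invalid drop

        # LAN-originated traffic out to the Internet
        iifname "eth1" oifname "eth0" accept

        # ICMPv6 error types IPv6 hosts need (path MTU discovery etc.);
        # a v4-style "drop all ICMP" rule would break v6 connectivity here
        icmpv6 type { destination-unreachable, packet-too-big,
                      time-exceeded, parameter-problem } accept

        # Everything else arriving from the Internet is logged and dropped,
        # so v6 is no longer passed unchallenged
        iifname "eth0" log prefix "border inbound drop: " drop
    }

    chain input {
        type filter hook input priority 0; policy drop;
        iif "lo" accept
        ct state established,related accept
        ct state invalid drop

        # Neighbour Discovery runs over ICMPv6 and must reach the firewall
        # itself (no v4 equivalent). Router advertisements are deliberately
        # not accepted: the firewall is the router and must not take
        # addressing from anyone else on the link.
        icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert,
                      nd-router-solicit, packet-too-big,
                      echo-request } accept
        icmp type echo-request accept

        # Management only from the LAN side
        iifname "eth1" tcp dport ssh accept
    }
}
```

Load with `nft -f` and compare `nft list ruleset` against the existing v4 policy; any rule that exists only for `ip` and not for `ip6` or `inet` is exactly the gap the thread is describing.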