Gi Firewall for mobile subscribers

Dovid Bender dovid at telecurve.com
Wed Apr 10 14:06:45 UTC 2019


I think the traffic Amos is referring to is random traffic hitting the
devices causing them to "wake up". Everyone here knows a simple dump on
port 22 will show traffic. We have a /22 that gets an avg of 1-2 mbit of
random traffic (mainly 22 and 3389).

On Wed, Apr 10, 2019 at 9:49 AM Ca By <cb.list6 at gmail.com> wrote:

>
>
> On Wed, Apr 10, 2019 at 6:23 AM Amos Rosenboim <amos at oasis-tech.net>
> wrote:
>
>> Hello NANOG,
>>
>> We are discussing internally and wanted to get more opinions and
>> especially more data on what people are actually doing.
>>
>> We are running an ISP network with about 150K fixed broadband users,
>> running dual stack (IPv4 behind CGNAT).
>>
>> On the ISP network IPv6 is simply routed, and is firewalled on the CPE.
>>
>> This network added mobile services about a year ago, also dual stack (we
>> have no control on the mobile devices so we were too concerned to choose
>> IPv6 only access).
>>
>> We have an ongoing discussion about Gi firewall (adding a firewall
>> between the subscribers and the internet, allowing only subscriber
>> initiated connections), for the IPv6 traffic.
>>
>> The firewall is doing very little security, the ruleset is very basic,
>> allowing anything from subscribers to the internet and blocking all traffic
>> from the internet towards the subscribers.
>>
>> We have a few rules to limit the number of connections per subscriber (to
>> a relatively high number) and that is it.
>>
>> One of the arguments in favor of having the firewall is that unsolicited
>> traffic from the internet can “wake” idle mobile devices, and create
>> signaling (paging) storms as well as drain user batteries.
>>
>> On the other hand, allowing only subscriber initiated traffic is mostly
>> achievable using ACLs on the mobile core facing routers, or is it with the
>> growing percentage of UDP traffic?
>>
>> BTW – I don’t mention IPv4 traffic on the mobile network as it’s all
>> behind CGNAT, which doesn’t allow internet initiated connections.
>>
>> Anyway, we are very interested to hear more opinions, and
>> especially to hear what other mobile operators do.
>>
>> Regards
>>
>> Amos
>>
>
> Step outside the theoretical and model your real threats. Attack yourself
> or pay someone to do a real pentest.
>
> 1. Does a hacker know the ipv6 of your subs? How frequently does the sub
> get a new 128 bit address?
>
> 2. What does the hacker get from a paging storm? Economic benefit?
> Lolz? Has a malicious paging storm ever happened in the real world? What
> level of effort would be required to trigger that? Is that level of effort
> more or less than it would take to tip over a stateful firewall (session
> exhaustion, pps attack, alg bugs, vulns in the fw:
> https://www.zdnet.com/article/cisco-removed-its-seventh-backdoor-account-this-year-and-thats-a-good-thing/
> )
>
> 3. Assuming the hacker gleans the address of the sub, what ports are open
> in the real world? What can a hacker connect to and accomplish?
>
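As an added example (not code from any poster in this thread), the following script models the two options Amos weighs, a stateless "subscriber-initiated only" ACL on the core-facing routers versus a stateful Gi firewall, on a constructed packet trace that also contains the kind of port 22/3389 scan traffic Dovid describes. The subscriber pool 2001:db8:100::/40, the ACL policy (TCP permitted inbound only with ACK or RST set, mirroring the usual router "established" keyword, plus UDP permitted inbound from source ports 53 and 443 so DNS and QUIC replies can get back without state) and every packet are assumptions made for illustration.

```python
"""Stateless 'established' ACL vs. a stateful Gi firewall on a constructed trace.

Added example for the NANOG thread above; not code from any poster or vendor.
The subscriber pool, the ACL policy and every packet are constructed for
illustration.
"""
from collections import Counter
from dataclasses import dataclass
from ipaddress import IPv6Network, ip_address

SUBSCRIBER_POOL = IPv6Network("2001:db8:100::/40")  # assumed mobile subscriber pool


@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str       # "tcp" or "udp"
    flags: str = ""  # TCP flags as letters, e.g. "S", "SA", "A"


def from_subscriber(p: Pkt) -> bool:
    return ip_address(p.src) in SUBSCRIBER_POOL


def to_subscriber(p: Pkt) -> bool:
    return ip_address(p.dst) in SUBSCRIBER_POOL


def stateless_acl_permits(p: Pkt) -> bool:
    """Core-facing router ACL with no connection tracking (assumed policy)."""
    if from_subscriber(p):
        return True                              # anything outbound is fine
    if p.proto == "tcp":
        return "A" in p.flags or "R" in p.flags  # 'established': ACK or RST set
    if p.proto == "udp":
        return p.sport in {53, 443}              # DNS/QUIC replies; sport is attacker-chosen
    return False


class StatefulFilter:
    """Minimal Gi firewall: only replies to subscriber-initiated 5-tuples get in.
    Real boxes also age flows out and are themselves a DoS target (session
    exhaustion), as Ca By notes; that is not modelled here."""

    def __init__(self) -> None:
        self.flows = set()

    def permits(self, p: Pkt) -> bool:
        if from_subscriber(p):
            self.flows.add((p.src, p.sport, p.dst, p.dport, p.proto))
            return True
        reverse = (p.dst, p.dport, p.src, p.sport, p.proto)
        return reverse in self.flows


# Constructed trace: subscriber-initiated flows, their legitimate replies,
# and unsolicited Internet-originated packets (scans and spoofed "replies").
TRACE = [
    Pkt("2001:db8:100:1::a", 52000, "2001:db8:f::1", 443, "tcp", "S"),    # sub opens TCP
    Pkt("2001:db8:f::1", 443, "2001:db8:100:1::a", 52000, "tcp", "SA"),   # SYN/ACK reply
    Pkt("2001:db8:100:1::a", 40000, "2001:db8:f::53", 53, "udp"),         # DNS query
    Pkt("2001:db8:f::53", 53, "2001:db8:100:1::a", 40000, "udp"),         # DNS reply
    Pkt("2001:db8:100:1::b", 41000, "2001:db8:f::2", 443, "udp"),         # QUIC
    Pkt("2001:db8:f::2", 443, "2001:db8:100:1::b", 41000, "udp"),         # QUIC reply
    Pkt("2001:db8:bad::1", 55555, "2001:db8:100:1::c", 22, "tcp", "S"),   # SSH SYN scan
    Pkt("2001:db8:bad::1", 55556, "2001:db8:100:1::c", 3389, "tcp", "S"), # RDP SYN scan
    Pkt("2001:db8:bad::1", 55557, "2001:db8:100:1::c", 22, "tcp", "A"),   # SSH ACK scan
    Pkt("2001:db8:bad::2", 53, "2001:db8:100:1::d", 40000, "udp"),        # spoofed DNS "reply"
    Pkt("2001:db8:bad::2", 443, "2001:db8:100:1::e", 41000, "udp"),       # spoofed QUIC "reply"
]


def evaluate(trace):
    """Classify each inbound packet under both filters.

    An inbound packet the stateful filter drops is 'unsolicited'; if it reaches
    the handset it pages an idle device.  Count those by destination port, and
    count how many of them the stateless ACL would have let through."""
    sf = StatefulFilter()
    unsolicited = Counter()
    leaked = Counter()
    legit_blocked = 0
    for p in trace:
        stateful_ok = sf.permits(p)  # must see outbound packets to build state
        stateless_ok = stateless_acl_permits(p)
        if not to_subscriber(p):
            continue
        if stateful_ok:
            if not stateless_ok:
                legit_blocked += 1   # stateless ACL broke a real reply
        else:
            unsolicited[p.dport] += 1
            if stateless_ok:
                leaked[p.dport] += 1
    return {
        "unsolicited_by_dport": dict(unsolicited),
        "leaked_stateless_by_dport": dict(leaked),
        "legit_blocked_stateless": legit_blocked,
    }


if __name__ == "__main__":
    for key, value in evaluate(TRACE).items():
        print(f"{key}: {value}")
```

On this trace both filters pass every legitimate reply, and both drop the SYN scans to 22 and 3389. The difference is the other three unsolicited packets: the ACK-flagged probe to port 22 and the two UDP packets with a forged source port of 53/443 are indistinguishable from replies to a stateless ACL, so they reach (and wake) the handset, while the stateful filter drops them because no subscriber ever opened the reverse 5-tuple. That is the trade-off in the thread: the stateless ACL has no state to exhaust, but as UDP grows its "reply" holes widen; the stateful box closes them at the cost of becoming a session table an attacker can fill.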