
Monday, August 27, 2007

firewall-wizards Digest, Vol 16, Issue 17

Send firewall-wizards mailing list submissions to
firewall-wizards@listserv.icsalabs.com

To subscribe or unsubscribe via the World Wide Web, visit
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
or, via email, send a message with subject or body 'help' to
firewall-wizards-request@listserv.icsalabs.com

You can reach the person managing the list at
firewall-wizards-owner@listserv.icsalabs.com

When replying, please edit your Subject line so it is more specific
than "Re: Contents of firewall-wizards digest..."


Today's Topics:

1. Re: IPv6 support in firewalls (Paul D. Robertson)
2. Re: IPv6 support in firewalls (ArkanoiD)
3. Re: IPv6 support in firewalls (Behm, Jeffrey L.)
4. Re: IPv6 support in firewalls (Roger Marquis)
5. Re: IPv6 support in firewalls (Paul D. Robertson)
6. Re: IPv6 support in firewalls (Behm, Jeffrey L.)
7. Re: IPv6 support in firewalls (Marcus J. Ranum)


----------------------------------------------------------------------

Message: 1
Date: Mon, 27 Aug 2007 16:50:37 -0400 (EDT)
From: "Paul D. Robertson" <paul@compuwar.net>
Subject: Re: [fw-wiz] IPv6 support in firewalls
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Message-ID: <Pine.LNX.4.44.0708271648081.16944-100000@bat.clueby4.org>
Content-Type: TEXT/PLAIN; charset=US-ASCII

On Mon, 27 Aug 2007, Behm, Jeffrey L. wrote:

> Then the game is already lost, on the home computing front,
> and the implication of this thread is that there will be even
> more devices at home connected to the Internet in the future
> ("PC, mobile phone, fridge, coffee machine"). Not a pretty
> outlook.

Yes, and *anyone* who's done any sampling of home PCs recently will
understand that. I can't remember the last time I saw a clean MS-based
home system.

> At least with a NAT device (at this point in Internet history),
> the home-user has a better chance of remaining "un-hacked"
> than they would if they hooked their PC directly up to the
> Internet w/o such a device.

Can you substantiate that? Because the vectors I'm seeing on home PCs
aren't traditional network worm vectors, they're Web and E-mail-based
malcode that gets in regardless of any NAT. All the network stuff I'm
seeing is connecting out (IRC, HTTP.)

Paul
-----------------------------------------------------------------------------
Paul D. Robertson "My statements in this message are personal opinions
paul@compuwar.net which may have no basis whatsoever in fact."

http://www.fluiditgroup.com/blog/pdr/

------------------------------

Message: 2
Date: Tue, 28 Aug 2007 01:14:02 +0400
From: ArkanoiD <ark@eltex.net>
Subject: Re: [fw-wiz] IPv6 support in firewalls
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.cybertrust.com>
Message-ID: <20070827211402.GA30910@eltex.net>
Content-Type: text/plain; charset=us-ascii

Well, I guess the routing modem or whatever access device is
used for IPv6 connectivity will do some firewalling by default,
as current NAT boxes do.

On Mon, Aug 27, 2007 at 03:55:15PM -0500, Behm, Jeffrey L. wrote:
> Then the game is already lost, on the home computing front,
> and the implication of this thread is that there will be even
> more devices at home connected to the Internet in the future
> ("PC, mobile phone, fridge, coffee machine"). Not a pretty
> outlook.
>
> At least with a NAT device (at this point in Internet history),
> the home-user has a better chance of remaining "un-hacked"
> than they would if they hooked their PC directly up to the
> Internet w/o such a device.

------------------------------

Message: 3
Date: Mon, 27 Aug 2007 16:27:54 -0500
From: "Behm, Jeffrey L." <BehmJL@bv.com>
Subject: Re: [fw-wiz] IPv6 support in firewalls
To: "Firewall Wizards Security Mailing List"
<firewall-wizards@listserv.cybertrust.com>
Message-ID:
<0C3670BC9169B244AA6E7B2E436180D196375C@TSMC-MAIL-04.na.bvcorp.net>
Content-Type: text/plain; charset="us-ascii"

I feel I could have substantiated it a few years ago.

Example: I had built a linux box for a network class
I was teaching at a local university, so I could show
them telnet, ssh, DNS, ftp, http, samba, etc.

I quickly (and stupidly (i.e. didn't harden it at all
and didn't put it behind a NAT device)) threw the box
together, and put it out on a routable IP address
outside my NAT device on my home network the morning
before the night class. Even before I even made it
to class, it was owned (via an RPC hack). Had I put it
behind a NAT device, and only allowed those services
I wanted to access, I would bet that it wouldn't have
been owned in less than 12 hours.

It seems to me that those writing the mal-code are on
to the idea that NAT devices are in place more and more
often, so they aren't wasting time trying to get code
past them.

Stupid users, who click on an unknown .exe are a good
enough vector to exploit, as you are seeing today...

Jeff

On Monday, August 27, 2007 3:51 PM, Paul D. Robertson wrote:

>> At least with a NAT device (at this point in Internet history),
>> the home-user has a better chance of remaining "un-hacked"
>> than they would if they hooked their PC directly up to the
>> Internet w/o such a device.
>
>Can you substantiate that? Because the vectors I'm seeing on home PCs
>aren't traditional network worm vectors, they're Web and E-mail-based
>malcode that gets in regardless of any NAT. All the network stuff I'm
>seeing is connecting out (IRC, HTTP.)


------------------------------

Message: 4
Date: Mon, 27 Aug 2007 14:25:06 -0700 (PDT)
From: Roger Marquis <marquis@roble.com>
Subject: Re: [fw-wiz] IPv6 support in firewalls
To: firewall-wizards@listserv.icsalabs.com
Message-ID: <20070827135853.P12555@eboyr.pbz>
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed

Patrick M. Hausen wrote:
> Yes, I think "official" registered address space for every
> single node, PC, mobile phone, fridge, coffee machine, ... _is_
> the ultimate goal and one of the major reasons to deploy IPv6.

For us it is a major reason for not deploying IPv6. We don't want
to enable inbound connections or maintain (more complex) firewall
rules.

Every time I hear this sentiment of late it reminds me of another ILEC
astroturfing attempt against net neutrality. ATT (and DT) would _love_ to
own all your addresses, and charge for them, and force you to use their
devices to connect as they do with cell phones, and make it difficult to
move. For these reasons alone IPv6 is a consumer's nightmare.

> First you should not rely on NAT as a security measure, anyway,
> because it isn't.

Enough straw man arguments... Nobody's suggesting relying on NAT
for security, even though, in the standard implementation, it does a
better job than any other single IPv4 feature.

> Besides added complexity and worse logging capabilities. Modern
> proxy firewalls with transparency appear like a router to the
> protected hosts, so why not use them that way and disable NAT?

This is behind many network admins' fears of NAT, i.e., that it is
complex and difficult to monitor or log. In properly implemented
networks it is neither.

> Third, this is the _only_ way to get rid of the "net 10
> considered harmful" nightmare that pops up over and over again
> when two enterprises want to connect their internal nets in some
> way.

Having dealt with this many times, all I can say is YASMA (yet
another straw man argument). NAT works just as well between
organizations that tied their internal networks to the common
RFC1918 subnets, and for the protocols (only DNS really) that
might also need translating.

> IMHO theses are the combined reasons to start over and
> kill NAT forever.

See <http://groups.google.com/group/comp.protocols.tcp-ip/msg/f1a9cb0e15b33a5c?hl=en&>
for five much better reasons to keep NAT forever.

--
Roger Marquis
Roble Systems Consulting
http://www.roble.com/


------------------------------

Message: 5
Date: Mon, 27 Aug 2007 17:19:58 -0400 (EDT)
From: "Paul D. Robertson" <paul@compuwar.net>
Subject: Re: [fw-wiz] IPv6 support in firewalls
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Message-ID: <Pine.LNX.4.44.0708271716250.16944-100000@bat.clueby4.org>
Content-Type: TEXT/PLAIN; charset=US-ASCII

On Mon, 27 Aug 2007, Behm, Jeffrey L. wrote:

> I feel I could have substantiated it a few years ago.
>
> Example: I had built a linux box for a network class
> I was teaching at a local university, so I could show
> them telnet, ssh, DNS, ftp, http, samba, etc.
>
> I quickly (and stupidly (i.e. didn't harden it at all
> and didn't put it behind a NAT device)) threw the box
> together, and put it out on a routable IP address
> outside my NAT device on my home network the morning
> before the night class. Even before I even made it
> to class, it was owned (via an RPC hack). Had I put it
> behind a NAT device, and only allowed those services
> I wanted to access, I would bet that it wouldn't have
> been owned in less than 12 hours.

Speed of compromise is different than compromise or not. I remain
steadfastly convinced that obscurity does change the rate of compromise,
especially in terms of target of opportunity attacks.

> It seems to me that those writing the mal-code are on
> to the idea that NAT devices are in place more and more
> often, so they aren't wasting time trying to get code
> past them.

It's more than that: for malcode that involves user action, you're already
inside the trust boundary, and you're not as reliant on quickly patched
bugs. It's easy to fix the network; it's much more difficult to fix the
user.

> Stupid users, who click on an unknown .exe are a good
> enough vector to exploit, as you are seeing today...

Which is why I'm convinced those users should not be in charge of their
own security.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson "My statements in this message are personal opinions
paul@compuwar.net which may have no basis whatsoever in fact."

http://www.fluiditgroup.com/blog/pdr/

------------------------------

Message: 6
Date: Mon, 27 Aug 2007 16:57:02 -0500
From: "Behm, Jeffrey L." <BehmJL@bv.com>
Subject: Re: [fw-wiz] IPv6 support in firewalls
To: "Firewall Wizards Security Mailing List"
<firewall-wizards@listserv.cybertrust.com>
Message-ID:
<0C3670BC9169B244AA6E7B2E436180D196375E@TSMC-MAIL-04.na.bvcorp.net>
Content-Type: text/plain; charset="us-ascii"

But they *are* in charge, and will be increasingly so. How
do you change that? Anyone with a $50/mo 1, 3, or 5Mb ISP
Connection and a PC is "on the net," secured or not...(more
likely, not).

You have to KISS, if you want these folks to use whatever
mechanism is in place. Make it more complicated than,
"open the box, plug this cable in here, and that one in
there, done," and it won't get used. That's why the NAT
device market took off so quickly. One can't expect the
end user to configure a "stateful packet filter for
outbound only connections." That's *not* gonna happen.


On Monday, August 27, 2007 4:20 PM, Paul D. Robertson wrote:

>On Mon, 27 Aug 2007, Behm, Jeffrey L. wrote:
>
>> Stupid users, who click on an unknown .exe are a good
>> enough vector to exploit, as you are seeing today...
>
>Which is why I'm convinced those users should not be in charge of their
>own security.

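Messages 2 and 6 both assume the IPv6 access device will do by default what a NAT box does by accident: let the LAN open connections out and drop everything unsolicited coming in. The nftables ruleset below is an added example of that "stateful packet filter for outbound-only connections" on a home router; it is not from any poster in this digest, and the interface names and the documentation prefix are assumed.

```nft
# Added example (not from the digest): IPv6 access-router ruleset that gives
# LAN hosts NAT-like outbound-only exposure, with explicit connection tracking.
# Interface names and the prefix are assumed; 2001:db8::/32 is reserved for
# documentation and must be replaced with the delegated prefix.
define wan = "eth0"
define lan = "eth1"
define lan_prefix = 2001:db8:1234::/64

table ip6 homefw {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Replies to connections the LAN opened. This is the whole of what a
        # NAT box "protects" against, made explicit instead of implicit.
        ct state established,related accept

        # Anything the LAN initiates towards the Internet is allowed out.
        iifname $lan oifname $wan ip6 saddr $lan_prefix accept

        # Caveat: do not block ICMPv6 wholesale. Packet Too Big and Time
        # Exceeded are required for path MTU discovery; without them IPv6
        # sessions silently stall, and users will "fix" it by disabling the filter.
        icmpv6 type { destination-unreachable, packet-too-big,
                      time-exceeded, parameter-problem } accept
        icmpv6 type echo-request limit rate 10/second accept

        # Everything else from the WAN is unsolicited inbound: log, then drop.
        iifname $wan log prefix "ip6-unsolicited: " drop
    }

    chain input {
        type filter hook input priority 0; policy drop;
        iif lo accept
        ct state established,related accept

        # Neighbour Discovery and router advertisements are link-local ICMPv6;
        # the router needs them on both interfaces or addressing breaks.
        icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert,
                      nd-router-solicit, nd-router-advert,
                      destination-unreachable, packet-too-big,
                      time-exceeded, parameter-problem } accept

        # Management of the router only from the LAN side.
        iifname $lan tcp dport 22 accept
        iifname $wan log prefix "ip6-input-drop: " drop
    }
}
```

Loaded with `nft -f`, the `log` lines make the unsolicited inbound traffic that NAT used to discard silently visible in the kernel log, which is the logging gain message 4 says proxies and routers have over NAT.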
------------------------------

Message: 7
Date: Mon, 27 Aug 2007 17:50:04 -0400
From: "Marcus J. Ranum" <mjr@ranum.com>
Subject: Re: [fw-wiz] IPv6 support in firewalls
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>, Dave Piscitello
<dave@corecom.com>
Message-ID: <6.2.0.14.2.20070827172936.050275d0@ranum.com>
Content-Type: text/plain; charset="us-ascii"

Patrick M. Hausen wrote:
>The security of a cipher should not depend on the secrecy of the algorithm.

Why does everyone always quote this? It applies to cryptography
but - unless I'm completely missing the point - we are talking about
firewalls and network security, not cryptography. It is a decent
general design principle but simply because something sounds
really catchy doesn't make it universally applicable.

Consider the statement:
The strength of an army should depend on its soldiers, not on
keeping your battle-plans secret.

That is, of course, ridiculous.

>The security of a network should not depend on the secrecy of
>the structure, because sooner or later secrets will be no longer.

The security of a network should not depend on the secrecy of
its structure, but denying the enemy useful information is one
of the fundamental techniques of warfare. And, as far as I can
tell, network security has more similarities to siege-craft than
cryptography. If your enemy does not know the terrain, they
are more likely to give their intent away while performing
reconnaissance, or to make a mistake once they get inside
your perimeter. In fact, I got called in on a case a number of
years ago where a major financial organization was compromised
by a hacker and they detected him because he was trying to
map the network and stumbled into the wrong system in
the process.

Lastly, and far from least, even cryptographers don't practice
what they preach. You won't see the NSA publishing the
algorithms used in a STU any time soon. Nor will you see
the NSA declassifying Type 1 crypto algorithms in your
lifetime. I highly recommend David Kahn's "Seizing the Enigma"
as a fascinating history in its own right. One part that was
even Hollywood-worthy was the sailors who raced into
the cipher room of a sinking U-boat to try to salvage the
Enigma machine - so that the codebreakers could better
reverse-engineer its algorithms once they had the actual
code-wheels in their possession.

Of COURSE your security shouldn't depend on the secrecy
of the algorithm. But you're crazy not to deny the enemy
every bit of information you can.

mjr.

------------------------------

_______________________________________________
firewall-wizards mailing list
firewall-wizards@listserv.icsalabs.com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards


End of firewall-wizards Digest, Vol 16, Issue 17
************************************************
