Default security functions on an IPv6 CPE

Ted Mittelstaedt tedm at ipinc.net
Thu May 12 09:49:49 CEST 2011


On 5/11/2011 2:29 PM, Jon Bane wrote:
>> - With hosts that have IPv6 enabled also having their internal
>> firewalls enabled, the practical danger of CPE transparency to IPv6 is
>> nonexistent in unmanaged residential sites.
>
> I really do not understand this conclusion.  Vista/Win7 do have
> firewalls enabled by default, but the first time the machine detects
> it is connected to a new network it asks what kind of network you
> are on.  The options being Public, Home or Work.  If the user chooses
> "Home" the firewall is effectively disabled, as all of the SMB/NBT
> ports are opened up, as well as several ports for media sharing.

Man, there's an amazing amount of theory and so little practical
experience here with attacks that it makes me shake my head.

Direct IP attacks on hosts have been replaced by phishing attacks for
the simple reason that for the last decade, ever since broadband has
come into play, NATs have blocked e2e connectivity.  However, it didn't
happen overnight.  For many years early in the 2000s we had
many customers on Windows still getting broken into directly, even XP users,
because the XP operating system itself would be compromised.

An unpatched XP system WITH ITS FIREWALL ON can be directly attacked
and pwned in minutes.  None of the XP SPs forced
automatic updates; all allow the user to disable updates at the
end of applying the SP.  In many corporations
it was standard to do this because they had apps that would break
when newer SPs and patches were released.

And we are seeing the exact same thing with Windows 7.  Just last week
Acros Security boasted they would be displaying multiple pwning
cracks at Hack in The Box in Amsterdam.  All of these were reported
a year ago and Microsoft has only got around to patching a handful
of them.  They all require phishing, but that is only because
phishing attacks are the only attacks the cracker community is
working on - because NAT killed e2e.  The cracker community is
like any other business: they invest time and money in developing
cracks, they need to get paid back, and the criminals that develop
the cracks work on the vectors that are easiest to crack, and phishing
is easier than direct attacks because of the lack of e2e.

The issue here is whether Windows 7 or another "modern" OS can be pwned by a
direct attack with its firewall on - the answer is, absolutely yes.
Any flaw discovered in the underlying OS that the firewall is running
on and you're in.  Geez, people, the OS processes the packet before
handing it to the firewall running on the OS, so with a flaw there the
attacker is in before the firewall ever sees the packet.

And once a flaw is discovered, only half of the Win hosts out there will
immediately update via automatic updates, because the rest of them either
are set to download updates and store them until the user approves applying
them, or they are corporate, part of a directory, and updates have been
disabled because the corporation has a procedure for internally testing
ALL security patches before deployment for compatibility with existing
apps.

And once malware gets into a corporate directory you're through.  In an
AD, all Windows hosts that are members are controlled by the root, and
if you manage to root that server then you can instruct all of the
member hosts to shut off their firewalls, or you can replicate copies
of your virus to all of them.

And why is all of this possible?

It is possible because you must have a critical mass of a homogeneous
group of hosts for any computer virus to work, or for a crack to
be economically worth developing, and Windows systems have that
critical mass.  No other system does.  MacOS certainly is
homogeneous but there's not enough out there.  And Linux is
heterogeneous because of all the different distros.  Even Android
is starting to bifurcate.

And why is a $50 firewall more secure than a $500 Windows 7 system?
It is simple - because it's simpler!

A simpler firewall has less code in it, and with less code there is
less chance of a mistake being overlooked.  That is Software Development
101, folks.

Good security today is layers.  You protect against direct attacks
by hardening the host with a host-based
firewall and by firewalling the border router too.  If the cracker
can get past the border router then he still has to figure out how
to get the host broken, and sometimes what he did on the border to
get past it precludes getting past the host firewall.  Then you
protect against the phishing by a combination of user training,
anti-malware software on the host that is customized for the
host, and modifying application programs like the web browser
and the e-mail client.  And for extreme cases like hosts that
are set up for use by the general public, you either use host OSes that
don't meet critical mass (like Macs) or you use unprivileged
user accounts that are wiped out at the end of the day, every day.

Ted
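As an added example, not part of Ted's message or of anything else in this thread, the following nftables ruleset shows what the "border router" layer he describes looks like on a Linux-based IPv6 CPE: unsolicited inbound IPv6 is dropped by default (the posture RFC 6092 calls simple security), replies to LAN-initiated connections are allowed back, and the ICMPv6 messages that IPv6 cannot function without (Packet Too Big for path MTU discovery, Neighbor Discovery with hop limit 255) are explicitly permitted. The interface names wan0 and lan0, the table and chain names, and the management ports opened from the LAN are assumptions chosen for the example.

```nft
#!/usr/sbin/nft -f
# Added example ruleset for a Linux-based IPv6 CPE (not from the original post).
# Assumptions: wan0 is the ISP-facing interface, lan0 is the subscriber LAN.
flush ruleset

table inet cpe_fw {
    # Traffic transiting the CPE between LAN and WAN.
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Replies to connections the LAN opened are allowed back in;
        # malformed or out-of-state packets are dropped.
        ct state established,related accept
        ct state invalid drop

        # Anything the LAN originates may leave.
        iifname "lan0" oifname "wan0" accept

        # From the WAN, permit only the ICMPv6 error and diagnostic messages
        # that path MTU discovery and error reporting depend on. Filtering
        # Packet Too Big breaks connectivity for any path with a smaller MTU.
        iifname "wan0" meta l4proto ipv6-icmp icmpv6 type {
            destination-unreachable, packet-too-big, time-exceeded,
            parameter-problem, echo-request
        } accept

        # Everything else unsolicited from the WAN hits the drop policy.
    }

    # Traffic addressed to the CPE itself.
    chain input {
        type filter hook input priority 0; policy drop;

        iifname "lo" accept
        ct state established,related accept
        ct state invalid drop

        # Neighbor Discovery and Router Solicitation/Advertisement are
        # link-local and must arrive with hop limit 255; accept them only
        # on those terms so off-link senders cannot forge them.
        meta l4proto ipv6-icmp icmpv6 type {
            nd-neighbor-solicit, nd-neighbor-advert,
            nd-router-solicit, nd-router-advert
        } ip6 hoplimit 255 accept

        meta l4proto ipv6-icmp icmpv6 type {
            destination-unreachable, packet-too-big, time-exceeded,
            parameter-problem, echo-request
        } accept

        # DHCPv6 client replies from the ISP arrive on UDP 546.
        iifname "wan0" udp dport 546 accept

        # Management services (DNS, DHCPv6 server, web UI) are reachable
        # from the LAN only; nothing here is opened toward the WAN.
        iifname "lan0" udp dport { 53, 547 } accept
        iifname "lan0" tcp dport { 53, 80, 443 } accept
    }
}
```

Load it with `nft -f` as root on the CPE. The point the ruleset makes in code is the one the message argues in prose: the border device enforces a default-deny inbound policy regardless of whether each host behind it chose the "Home" profile, and it does so with a few dozen lines rather than a full host operating system. Any inbound service a subscriber wants exposed would need an explicit additional `accept` in the forward chain; none is granted here.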


