Default security functions on an IPv6 CPE

Mark Smith nanog at
Thu May 12 11:33:20 CEST 2011

On Thu, 12 May 2011 00:49:49 -0700
Ted Mittelstaedt <tedm at> wrote:

> On 5/11/2011 2:29 PM, Jon Bane wrote:
> >> - Hosts that have IPv6 enabled having also their internal firewalls
> >> enabled, the practical danger of CPE transparency to IPv6 is
> >> inexistent in unmanaged residential sites.
> >
> > I really do not understand this conclusion.  Vista/Win7 do have
> > firewalls enabled by default, but the first time the machine detects
> > it is connected to a new network it asks what kind of network you
> > are on.  The options being Public, Home or Work.  If the user choses
> > "Home" the firewall is effectively disabled as all of the SMB/NBT
> > ports are opened up, as well as several ports for media sharing.
> Man there's an amazing amount of theory and so little practical
> experience here with attacks it makes me shake my head.
> Direct IP attacks on hosts have been replaced by phishing attacks for
> the simple reason that for the last decade ever since Broadband has
> come into play, NAT's have blocked e2e connectivity.  However it didn't
> happen overnight.  For many years early in the 2000 decade we had
> many customers on Windows still get broken into directly, even XP users, 
> because the XP operating system itself would be compromised.
> An unpatched XP system WITH IT'S FIREWALL ON can be direct attacked
> and pwned in minutes.  None of the XP SP's forced
> automatic updates, all allow the user to disable updates during
> the conclusion of the application of the SP.  In many corporations
> it was standard to do this because they had apps that would break
> when newer SP's and patches were released.
> And we are seeing the exact same thing with Windows 7.  Just last week
> Acros Security boasted they would be displaying multiple pwning
> cracks at Hack in The Box in Amsterdam.  All of these were reported
> a year ago and Microsoft has only got around to patching a handful
> of them.  They all require phishing but that is only because the
> phishing attacks are the only attacks the cracker community is
> working on - because NAT killed e2e.  The cracker community is
> like any other business, they invest time and money in developing
> cracks, they need to get paid back, and the criminals that develop
> the cracks work on vectors that are easiest to crack, and phishing
> is easier than direct attacks because of lack of e2e.
> The issue here is can Windows 7 or other "modern" OS be pwned by a
> direct attack with it's firewall on - the answer is, absolutely yes.
> Any flaw discovered in the underlying OS that the firewall is running
> on and your in.  Geeze people, the OS processes the packet before
> handing it to the firewall running on the OS, so a flaw there and the
> attacker is in before the firewall ever sees the packet.
> And once a flaw is discovered, only half of the Win hosts out there will
> immediately update via automatic updates because the rest of them either 
> are set to download updates and store until user approval to apply, or 
> they are corporate, part of a directory, and updates have been
> disabled because the corporation has a procedure for internally testing
> ALL security patches before deployment for compatibility with existing
> apps.
> And once malware gets into a corporate directory your through.  In an
> AD all Windows hosts that are members are controlled by the root and
> if you manage to root that server then you can instruct all of the
> member hosts to shut off their firewalls, or you can replicate copies
> of your virus to all of them.
> And why is all of this possible?
> It is possible because you must have critical mass of a homogeneous
> group of hosts for any computer virus to work, or for a crack to
> make economically worth developing, and Windows systems have that 
> critical mass.  No other system does.  MacOS certainly is
> homogeneous but there's not enough out there.  And Linux is 
> heterogeneous because of all the different distros.  Even Android
> is starting to bifurcate.
> And why is a $50 firewall more secure than a $500 Windows 7 system?
> It is simple - because it's simpler!

You haven't really lifted the hood/bonnet on one by the looks of it.
They're general purpose computers too, most commonly running general
purpose OSes. They're exploitable too.

Less than three weeks ago I was making half serious jokes about building
a Stone SouperComputer out of a bunch of ADSL modems with dead ADSL

> A simpler firewall has less code in it, and with less code there is
> less chance of a mistake being overlooked.  That is Software Development
> 101, folks.
> Good security today is layers.  You protect against direct attacks
> by you harden the host with a host-based
> firewall and you firewall the border router too.  If the cracker
> can get past the border router then he still has to figure out how
> to get the host broken, and sometimes what he did on the border to
> get past it precludes getting past the host firewall.  Then you
> protect against the phishing by a combination of user training,
> and anti-malware software on the host that is customized for the
> host, as well as modifying application programs like the web browser
> and the e-mail client.  And for extreme cases like hosts that
> are setup for use by the general public, you either use host OS that
> don't meet critical mass (like Macs) or you use unprivileged
> user accounts that are wiped out at the end of the day, every day.
> Ted

More information about the ipv6-ops mailing list