IPv6 Firewall on CPEs - Default on or off
Merike Kaeo
merike at doubleshotsecurity.com
Thu Dec 6 18:53:27 CET 2012
On Dec 5, 2012, at 12:31 AM, Anfinsen, Ragnar wrote:
> *Lorenzo
>
>> Eric, this isn't something you'd be interested in taking on (as an
>> addition to your growing body of work on IPv6 security), by any chance?
>
> +1
After catching up with this thread there's a few points I figured I'd make.
1. Agree with the Off/Low (default)/Diode style firewall approach although since CPEs are devices that get owned so easily I think the arguments on firewall aspect is somewhat humorous. [sorry, in a somewhat cynical mood this AM]. In past year I've seen too many CPE's that are easily hacked that I'd prefer some attention be paid to ensuring noone can own your CPE rather than figure out what traffic makes sense to permit/deny through it. The easiest way to own is by some devices enabling configuration thru WAN and of course the default username/pw that noone changes so even LAN side device access can be achieved.
When I first heard of the pinhole aspect and how applications have capability to poke a hole through the firewall I was cautiously optimistic that this would be an interesting compromise. However, the realities are that not many applications clean up after themselves when the session is done. Lots of holes everywhere. So I became less enamored of a stateful firewall in CPE devices since it would give a user a false sense of security. At least let them be aware that all traffic is passed and move the mitigation techniques elsewhere.
2. In my not so cynical mode I do like the idea of someone working thru what the Low mode would block. In addition to the known to be primarily malicious use ports (there's only a handful) it may be useful to include packets with SRC IP of netblock that should never be passed. (this of course brings issues of what happens if some netblocks get reassigned to NOT be special purpose addresses as has happened in v4...well, keep the list tiny).
3. While many application attacks are increasing along with attacks that fall under the radar since they can't be spotted as 'anomolies' with network monitoring devices, don't discount the old ones. They are seen around in plenty of script kiddie tools and are alive and well. Spoofed addresses are used in some large DoS amplification attacks.
4. I really am wary about arguments where 'we have not seen an IPv6 attack so there is no need to worry' - it's a matter of time. But I would prefer to
see the mitigation techniques be on end user devices.
Overall great to see all the discussion. A lot of great work being done to move things forward.
- merike
More information about the ipv6-ops
mailing list