
Monday, August 27, 2007

firewall-wizards Digest, Vol 16, Issue 16

Send firewall-wizards mailing list submissions to
firewall-wizards@listserv.icsalabs.com

To subscribe or unsubscribe via the World Wide Web, visit
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
or, via email, send a message with subject or body 'help' to
firewall-wizards-request@listserv.icsalabs.com

You can reach the person managing the list at
firewall-wizards-owner@listserv.icsalabs.com

When replying, please edit your Subject line so it is more specific
than "Re: Contents of firewall-wizards digest..."


Today's Topics:

1. ***SPAM*** Re: IPv6 support in firewalls (Dave Piscitello)
2. Re: IPv6 support in firewalls (Patrick M. Hausen)
3. Re: ***SPAM*** Re: IPv6 support in firewalls (Paul D. Robertson)
4. Re: IPv6 support in firewalls (Behm, Jeffrey L.)
5. Re: IPv6 support in firewalls (Paul D. Robertson)
6. Re: IPv6 support in firewalls (Behm, Jeffrey L.)


----------------------------------------------------------------------

Message: 1
Date: Mon, 27 Aug 2007 16:13:53 -0400
From: Dave Piscitello <dave@corecom.com>
Subject: [fw-wiz] ***SPAM*** Re: IPv6 support in firewalls
To: "Patrick M. Hausen" <hausen@punkt.de>, firewall Wizards Security
Mailing List <firewall-wizards@listserv.icsalabs.com>
Message-ID: <46D33081.8000007@corecom.com>
Content-Type: text/plain; charset="iso-8859-1"

Patrick, you make some valid points.

- yes, it's true that social engineering and leaks will undermine
attempts to keep internal topology details private. If someone's willing
to leak this sort of confidential information I suspect they will reveal
other details that put you at risk whether you are using private or
public space.

- Yes, double NAT'ing is not a pretty thing.

- My crystal ball only says that if I'm building inter-organizational
tunnels to connect parties outside my operational control directly to
assets on my internal network I probably have much worse security
problems to fret about than IP addresses. I'm not a fan of site-to-site
VPNs and "you authenticated using IKE so welcome to my subnet"
implementations but that takes us down another nasty rathole. IMO there
are alternatives to admitting hosts as IP addressable peers to your
network. However if this is the poison you choose to drink, you're right
that having unique IP addresses makes it easier to swallow.

- I'm happy to hear a large scale IPv6 success story.

- I wish I could feel as confident about IPv6. Nearly 14 years have
lapsed and I confess that my perspective is jaded. I think it may be
another 5 before we see measurable IPv6 penetration and at least a
decade beyond of 4-to-6 and 6-to-4 tunneling (and NAT).

We will have a 20 year old protocol with little innovation and only
unique addresses to show for our efforts. NAT may have been a cheap
hack. Time will tell whether IPv6 is regarded as the right thing or an
expensive hack. So I'll set a cask of beer aside and we'll revisit the
subject again in 2012.

Patrick M. Hausen wrote:
> Hi!
>
> On Mon, Aug 27, 2007 at 01:24:54PM -0400, Dave Piscitello wrote:
>
>>> First you should not rely on NAT as a security measure, anyway,
>>> because it isn't.
>> I advocate using every measure possible to provide security. IP masquerading
>> helps thwart information gathering. I would never suggest using NAT as the
>> only security measure. By IP masquerading, I avoid having a RIR identify the
>> address blocks I use internally, as they would if I were to use public
>> space. Explain why you feel this is wrong?
>
> I don't feel this is wrong, I think good security practice
> should be to make it unnecessary by design. The security
> of a cipher should not depend on the secrecy of the algorithm.
>
> The security of a network should not depend on the secrecy of
> the structure, because sooner or later secrets will be no longer.
>
> A bit of social engineering, a fired insider, ... holds for
> ciphers and for networks, IMHO. And I mean *should* as in
> RFC language, not as in common English ;-)
>
>>> Third, this is the _only_ way to get rid of the "net 10 considered
>>> harmful" nightmare
>> It's only a nightmare for people who do not exercise discipline
>> in assigning addresses.
>
> OK, so please hand me a list of the RFC 1918 networks of all
> third parties that I will need to connect to in the next ten
> years. Your crystal ball seems to be working a lot better than
> mine ;-)) No insult intended, honestly, but I don't buy the
> "discipline" argument. Different enterprises need to connect
> as business dictates, possibly tomorrow. And double NATing
> and proxying makes things worse, not better.
>
> As I said, SAP is already using addresses from their RIPE assigned
> allocation for their strictly internal VPN connections to customers.
> That would be "Oracle" for you American guys ;-) Biggest German
> software company ...
>
>> I could just as easily err with public addresses and assign the
>> same block of addresses to multiple sites.
>
> Yes you can. But then it's your fault. And if the successor of
> the successor for your former position gets it wrong, then either
> you or the first successor did not document properly.
>
> But the addresses of arbitrary peers are strictly outside of
> my control ...
>
> Unique addresses for every single device. You can still hide
> them behind a proxy if you feel like it. That's the additional
> benefit. You can decide which hosts to expose and which ones
> to hide. With at least a /48 assigned to every end user, there's
> plenty of maneuver room.
>
> Compare that to an IPv4 /29 for your uplink and all of a sudden a
> 7th department wants a server with port 80 exposed to the
> Internet.
>
>>> IMHO these are the combined reasons to start over and
>>> kill NAT forever.
>> Won't happen in my lifetime, nor my children's lifetime.
>
> Time will tell ;-) I won't bet more than, say, a cask of
> beer on my position, but I strongly feel like it was
> The Right Thing [tm] and NAT was a cheap hack that has
> been far too successful.
>
> Kind regards,
> Patrick M. Hausen
> Head of Networks and Security


------------------------------

Message: 2
Date: Mon, 27 Aug 2007 20:47:18 +0200
From: "Patrick M. Hausen" <hausen@punkt.de>
Subject: Re: [fw-wiz] IPv6 support in firewalls
To: Dave Piscitello <dave@corecom.com>
Message-ID: <20070827184718.GA15748@hugo10.ka.punkt.de>
Content-Type: text/plain; charset=iso-8859-1

Hi!

On Mon, Aug 27, 2007 at 01:24:54PM -0400, Dave Piscitello wrote:

> > First you should not rely on NAT as a security measure, anyway,
> > because it isn't.
>
> I advocate using every measure possible to provide security. IP masquerading
> helps thwart information gathering. I would never suggest using NAT as the
> only security measure. By IP masquerading, I avoid having a RIR identify the
> address blocks I use internally, as they would if I were to use public
> space. Explain why you feel this is wrong?

I don't feel this is wrong, I think good security practice
should be to make it unnecessary by design. The security
of a cipher should not depend on the secrecy of the algorithm.

The security of a network should not depend on the secrecy of
the structure, because sooner or later secrets will be no longer.

A bit of social engineering, a fired insider, ... holds for
ciphers and for networks, IMHO. And I mean *should* as in
RFC language, not as in common English ;-)

> > Third, this is the _only_ way to get rid of the "net 10 considered
> > harmful" nightmare
>
> It's only a nightmare for people who do not exercise discipline
> in assigning addresses.

OK, so please hand me a list of the RFC 1918 networks of all
third parties that I will need to connect to in the next ten
years. Your crystal ball seems to be working a lot better than
mine ;-)) No insult intended, honestly, but I don't buy the
"discipline" argument. Different enterprises need to connect
as business dictates, possibly tomorrow. And double NATing
and proxying makes things worse, not better.

As I said, SAP is already using addresses from their RIPE assigned
allocation for their strictly internal VPN connections to customers.
That would be "Oracle" for you American guys ;-) Biggest German
software company ...

> I could just as easily err with public addresses and assign the
> same block of addresses to multiple sites.

Yes you can. But then it's your fault. And if the successor of
the successor for your former position gets it wrong, then either
you or the first successor did not document properly.

But the addresses of arbitrary peers are strictly outside of
my control ...

Unique addresses for every single device. You can still hide
them behind a proxy if you feel like it. That's the additional
benefit. You can decide which hosts to expose and which ones
to hide. With at least a /48 assigned to every end user, there's
plenty of maneuver room.

Compare that to an IPv4 /29 for your uplink and all of a sudden a
7th department wants a server with port 80 exposed to the
Internet.

> > IMHO these are the combined reasons to start over and
> > kill NAT forever.
>
> Won't happen in my lifetime, nor my children's lifetime.

Time will tell ;-) I won't bet more than, say, a cask of
beer on my position, but I strongly feel like it was
The Right Thing [tm] and NAT was a cheap hack that has
been far too successful.

Kind regards,
Patrick M. Hausen
Head of Networks and Security
--
punkt.de GmbH * Vorholzstr. 25 * 76137 Karlsruhe
Tel. 0721 9109 0 * Fax 0721 9109 100
info@punkt.de

http://www.punkt.de
Managing Director: Jürgen Egeling, AG Mannheim 108285
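Patrick's point that the RFC 1918 choices of future peers are outside your control can at least be checked mechanically before a VPN is built. The following Python is added here and is not part of the digest; it takes the internal prefixes each organisation has declared (constructed sample values, not real networks) and lists every cross-organisation overlap, i.e. every link that would need NAT or double NAT to come up. With globally unique prefixes the list is empty.

```python
import ipaddress
from itertools import combinations

# Constructed sample: prefixes three organisations use internally and would
# like to route to each other. Hypothetical values, not from the digest.
PARTNER_PREFIXES = {
    "us":        ["10.0.0.0/16", "192.168.10.0/24"],
    "partner-a": ["10.0.128.0/20", "172.16.0.0/16"],
    "partner-b": ["192.168.0.0/16"],
}


def overlaps(prefixes_by_org):
    """Return (org1, prefix1, org2, prefix2) for every pair of prefixes from
    different organisations that overlap. Each hit is a link that cannot be
    routed directly and would need (double) NAT or a proxy in between."""
    flat = [(org, ipaddress.ip_network(p))
            for org, prefixes in prefixes_by_org.items() for p in prefixes]
    found = []
    for (o1, n1), (o2, n2) in combinations(flat, 2):
        # Same-org overlaps are a local planning error, not a peering problem;
        # IPv4 and IPv6 prefixes can never collide with each other.
        if o1 != o2 and n1.version == n2.version and n1.overlaps(n2):
            found.append((o1, str(n1), o2, str(n2)))
    return found


def rfc1918_prefixes(prefixes_by_org):
    """List the (org, prefix) pairs drawn from private space: these are the
    ones whose uniqueness nobody outside the organisation guarantees."""
    return [(org, p) for org, ps in prefixes_by_org.items()
            for p in ps if ipaddress.ip_network(p).is_private]
```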


------------------------------

Message: 3
Date: Mon, 27 Aug 2007 16:13:00 -0400 (EDT)
From: "Paul D. Robertson" <paul@compuwar.net>
Subject: Re: [fw-wiz] ***SPAM*** Re: IPv6 support in firewalls
To: dave@corecom.com, Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Message-ID: <Pine.LNX.4.44.0708271603160.16944-100000@bat.clueby4.org>
Content-Type: TEXT/PLAIN; CHARSET=US-ASCII; FORMAT=flowed

On Mon, 27 Aug 2007, Dave Piscitello wrote:

> using NAT as the only security measure. By IP masquerading, I avoid
> having a RIR identify the address blocks I use internally, as they would
> if I were to use public space. Explain why you feel this is wrong?

Can you explain to me a common attack scenario[1] where you wouldn't need
access to a network node that already *had* the addressing information
where an attacker could take advantage of knowing the internal addressing
scheme where there's a firewall doing its job in regards to inbound connections?

I've had a multi-billion dollar corporation's internal network use two
/16's of routable address space for several years without falling foul to
any attack[2] that would have been stopped by the address space not being
routable.

It's not like you're going to 'reset' the address space every time someone
leaves anyway.

Paul
[1] Where 'common' has the value of 'you'd see this in the real world.'
[2] Both successful non-malcode attacks were idiot admin/developer on a
DMZ attacks and were in-band negating any NAT "value."
-----------------------------------------------------------------------------
Paul D. Robertson "My statements in this message are personal opinions
paul@compuwar.net which may have no basis whatsoever in fact."

http://www.fluiditgroup.com/blog/pdr/

------------------------------

Message: 4
Date: Mon, 27 Aug 2007 15:38:07 -0500
From: "Behm, Jeffrey L." <BehmJL@bv.com>
Subject: Re: [fw-wiz] IPv6 support in firewalls
To: "Firewall Wizards Security Mailing List"
<firewall-wizards@listserv.cybertrust.com>
Message-ID:
<0C3670BC9169B244AA6E7B2E436180D1963756@TSMC-MAIL-04.na.bvcorp.net>
Content-Type: text/plain; charset="us-ascii"

How many end users of IT can tell you what a "stateful filter set up for
outbound connections only" is, much less set it up?

On Monday, August 27, 2007 1:53 PM ArkanoiD wrote:

>Well, stateful filter set up for outbound connections only is
>exactly equivalent to NAT device. It is even better because
>there are no moronic "UPNP" things that could be accidentally left
>turned on..
>
>On Mon, Aug 27, 2007 at 09:40:33AM -0500, Behm, Jeffrey L. wrote:
>> On Monday, August 27, 2007 2:31 AM, Patrick M. Hausen wrote:
>>
>> Snipped out the discussion about why IPv6 should be deployed to
>> every device, even those "inside the firewall" and that NAT should
>> be killed...
>>
>> >First you should not rely on NAT as a security measure, anyway,
>> >because it isn't.
>>
>> For a security-conscious IT professional, this may be a true
>> statement.
>>
>> But, for the vast majority of end users of IT, given the choice of a
>> Hardware NAT device vs. nothing for security, I'll pick the hardware
>> NAT device every time.
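ArkanoiD's claim quoted above, that a stateful filter permitting only outbound-initiated connections makes the same inbound reachability decisions as a NAT device, can be shown with a toy model. This Python is added here and is not from the digest: it simulates both devices with a simplified flow table (class names, addresses and ports are constructed) and runs the same session-then-probe scenario through each.

```python
from typing import Optional, Tuple

Endpoint = Tuple[str, int]   # (address, port)

class OutboundOnlyFilter:
    """Stateful filter without translation: inside hosts keep their real,
    globally unique addresses, and an inbound packet is delivered only if it
    belongs to a flow an inside host opened first (simplified flow table)."""
    def __init__(self) -> None:
        self.flows: set = set()

    def outbound(self, lan: Endpoint, remote: Endpoint) -> Endpoint:
        self.flows.add((lan, remote))          # flow now counts as established
        return lan                             # the remote sees the real endpoint

    def inbound(self, remote: Endpoint, target: Endpoint) -> Optional[Endpoint]:
        return target if (target, remote) in self.flows else None

class NaptGateway:
    """Port-translating NAT with one public address: a mapping exists only
    because an inside host sent traffic first, so the reachability decision is
    the same as the filter's, with an address rewrite bolted on."""
    def __init__(self, public_ip: str) -> None:
        self.public_ip, self.next_port = public_ip, 40000
        self.mapping: dict = {}                # (ext_port, remote) -> inside endpoint
        self.reverse: dict = {}                # (inside endpoint, remote) -> ext_port

    def outbound(self, lan: Endpoint, remote: Endpoint) -> Endpoint:
        if (lan, remote) not in self.reverse:
            self.reverse[(lan, remote)] = self.next_port
            self.mapping[(self.next_port, remote)] = lan
            self.next_port += 1
        return (self.public_ip, self.reverse[(lan, remote)])   # what the remote sees

    def inbound(self, remote: Endpoint, target: Endpoint) -> Optional[Endpoint]:
        if target[0] != self.public_ip:
            return None                        # inside addresses are not routable
        return self.mapping.get((target[1], remote))

def scenario(gw, lan_ip: str) -> Tuple[bool, bool, bool]:
    """One inside host opens a session; three inbound packets then arrive.
    Returns (reply delivered, stray packet dropped, unsolicited probe dropped)."""
    server, scanner = ("203.0.113.9", 443), ("192.0.2.77", 12345)   # constructed
    seen = gw.outbound((lan_ip, 51000), server)      # inside host opens the session
    reply = gw.inbound(server, seen)                 # genuine reply to that flow
    stray = gw.inbound(("203.0.113.9", 444), seen)   # same server, wrong port: no flow
    probe = gw.inbound(scanner, (seen[0], 22))       # unsolicited probe of the same host
    return (reply == (lan_ip, 51000), stray is None, probe is None)
```

Both devices return the same three decisions; the only difference is what the remote side sees, the real address for the filter and the shared public address for the NAT.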


------------------------------

Message: 5
Date: Mon, 27 Aug 2007 16:22:57 -0400 (EDT)
From: "Paul D. Robertson" <paul@compuwar.net>
Subject: Re: [fw-wiz] IPv6 support in firewalls
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Message-ID: <Pine.LNX.4.44.0708271622080.16944-100000@bat.clueby4.org>
Content-Type: TEXT/PLAIN; charset=US-ASCII

On Mon, 27 Aug 2007, Behm, Jeffrey L. wrote:

> How many end users of IT can tell you what a "stateful filter set up for
> outbound connections only" is, much less set it up?

If an end-user is setting up security, the game is already lost.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson "My statements in this message are personal opinions
paul@compuwar.net which may have no basis whatsoever in fact."

http://www.fluiditgroup.com/blog/pdr/

------------------------------

Message: 6
Date: Mon, 27 Aug 2007 15:55:15 -0500
From: "Behm, Jeffrey L." <BehmJL@bv.com>
Subject: Re: [fw-wiz] IPv6 support in firewalls
To: "Firewall Wizards Security Mailing List"
<firewall-wizards@listserv.cybertrust.com>
Message-ID:
<0C3670BC9169B244AA6E7B2E436180D1963757@TSMC-MAIL-04.na.bvcorp.net>
Content-Type: text/plain; charset="us-ascii"

Then the game is already lost, on the home computing front,
and the implication of this thread is that there will be even
more devices at home connected to the Internet in the future
("PC, mobile phone, fridge, coffee machine"). Not a pretty
outlook.

At least with a NAT device (at this point in Internet history),
the home-user has a better chance of remaining "un-hacked"
than they would if they hooked their PC directly up to the
Internet w/o such a device.


On Monday, August 27, 2007 3:23 PM, Paul D. Robertson wrote:

>On Mon, 27 Aug 2007, Behm, Jeffrey L. wrote:
>
>> How many end users of IT can tell you what a "stateful filter set up
>> for outbound connections only" is, much less set it up?
>
>If an end-user is setting up security, the game is already lost.


------------------------------

_______________________________________________
firewall-wizards mailing list
firewall-wizards@listserv.icsalabs.com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards


End of firewall-wizards Digest, Vol 16, Issue 16
************************************************
