[AusNOG] IPv6 excuses

Mark Smith markzzzsmith at gmail.com
Sat May 28 13:36:54 EST 2016


On 28 May 2016 at 10:38, Peter Fern <ausnog at 0xc0dedbad.com> wrote:
> On 05/27/16 17:10, Mark Andrews wrote:
>> OSX has the host firewall on by default.
>
> Did that happen some time in the last 12 months?  This certainly wasn't
> the case last time I checked.
>

I find that a bit hard to believe.

One thing to realise is that the "firewall" might be off, however the
real question is whether there are services listening on external
interfaces that might be useful to target and that aren't implementing
their own security.

Quite a number of years ago I ran Ubuntu (in the order of somewhere
before 2008). From what I can remember, out of the box, the iptables
firewall had no rules, however all of the default listening services
had been configured to only listen on 127.0.0.1, so they were not
accessible external to the host.


>>   Linux has host firewall
>> and depending upon the distro it may be on or off by default.  In
>> reality you don't need a host firewall for most things.  A simple
>> acl after accept is enough as you only have a single port open if
>> any at all.
>
> The majority of Linux desktop distributions don't enable a host
> firewall, on server distributions, it's about an even split.  Ports open
> obviously depends on software installed and enabled.  ACLs or host
> firewalls need to be explicitly configured, desktop users may not even
> know what's running after package X pulls in dependency Y.
>
>> e.g. TV's don't need to be listening on the net.
>
> They don't need to be, but are they?

Devices are listening, because many of them have controller apps for
iphone/android.

> Now TVs support all sorts of
> streaming protocols, etc.  I have no idea what the quality of code is
> like on TV firmware.  And you can add streaming boxes, light bulbs, IoT,
> etc to the list.
>

So how about researching it a bit?

Start with running NMAP against any of your devices that could be
plugged directly into the Internet by a non-technical end user.

I have run it against my 2011 Sony Smart TV, Sony Blu-Ray Player, and 2014
Panasonic Smart PVR. The NMAP output looks like what I'd expect from
Internet-proof devices.

>> What is needed is to build with concept that there is a hostile
>> environment out there and to validate all inputs before otherwise
>> using them.
>>
>> This is what we do with BIND.  We code assuming that there is nothing
>> between the server and the rest of the world.  We have machines
>> continually attempting to break it.  We issue advisories when we
>> find an issue.  We assume there are blackhats inspecting every change
>> we make in an attempt to find a way in.  We also have thousands of
>> internal consistency checks.
>
> And this is a great philosophy, but how many developers/projects do you
> think adhere to it?
>
>> If the ISP supplies the CPE then they need to source a CPE with
>> equivalent functionality which do exist.
>
> Indeed, and this is why my original question was, "What do the default
> firewalls look like on those modems [sic]?"
>

Read at least the first few pages of this paper from 1999, which shows
why the network-located firewall as the primary protection method
model is flawed.

If you don't recognise the author, look him up too to find out his
credentials in this space.

"Distributed Firewalls"
https://www.cs.columbia.edu/~smb/papers/distfw.pdf


Microsoft implemented this distributed firewall model back in 2005.

https://technet.microsoft.com/en-us/library/cc740089(v=ws.10).aspx


Google have also recently announced that they're following this model
too internally, although I can't find a reference right at the moment.


>>>>  If manufacturers are selling consumer equipment that is incapable of
>>>> being exposed to the net directly they should be being fined for
>>>> selling substandard products and be forced to recall / provide updates.
>>> Except that this is far removed from reality.
>> It shouldn't be.  We have strong consumer protection laws in this
>> country and we pay a premium for this.
>
> Sure, but the fact is that there are more and more IP-enabled devices
> appearing in people's homes, and developers' skill/commitment to
> security varies wildly, and plenty of those devices simply *aren't*
> built or configured to be safely exposed to the Internet (partly fueled
> by the ubiquity of NAT for the last decade or more).  Wishing it wasn't
> so doesn't change the reality.
>

Plenty of people at Defcon and similar security conferences have been
showing the naivety of this view in recent years, and that is going to
be helping to change manufacturer behaviour.

A lot of those types of videos are on YouTube, look them up to see the
sort of work that has gone on showing vulnerabilities in these
devices.

Manufacturers sticking their head in the sand on this might be
protecting their head, however they aren't protecting anything else,
including their reputation.

Preparing for the worst case is the best security strategy. The worst
case is that any device that can be plugged into a network can be just
as easily plugged directly into the Internet. There is no way to stop
that possibility occurring.

> IMO it's just safer for end users to firewall at the CPE.

How do end users determine their firewall is any good? How many end
users even know what a firewall is?

I think it is a good thing that manufacturers are taking over this
role, because they can hire experts in this field, and scale that
expertise across 10s of 1000s or more devices, rather than leaving the
problem to individual device owners who will usually not have the
faintest idea about Internet security at all - and shouldn't need to.

Regards,
Mark.
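To make the point above about services bound only to 127.0.0.1 concrete, here is an added example (not part of the original post) that classifies the listeners in `ss -tuln` output by who can reach them, distinguishing loopback-only, link-local-only and externally reachable binds for both IPv4 and IPv6. The sample `ss` output is constructed, and the column layout (Netid, State, Recv-Q, Send-Q, Local Address:Port) is assumed.

```python
"""Audit which listening sockets on a host are reachable from beyond the host,
using `ss -tuln` output. The sample output below is constructed for illustration."""
import ipaddress
from typing import NamedTuple

# Constructed sample of `ss -tuln` output (not captured from a real host).
SAMPLE_SS = """\
Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
udp   UNCONN 0      0      127.0.0.53%lo:53    0.0.0.0:*
udp   UNCONN 0      0      [::1]:323           [::]:*
tcp   LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
tcp   LISTEN 0      128    [::]:22             [::]:*
tcp   LISTEN 0      511    127.0.0.1:8080      0.0.0.0:*
tcp   LISTEN 0      128    [fe80::1%eth0]:546  [::]:*
tcp   LISTEN 0      511    *:443               *:*
"""

class Listener(NamedTuple):
    proto: str
    addr: str
    port: int
    scope: str  # "host" (loopback only), "link" (link-local only) or "any"

def bind_scope(addr: str) -> str:
    """Classify a bind address by who can reach it; '*' and the unspecified
    addresses (0.0.0.0, ::) mean every interface on the host."""
    if addr == "*":
        return "any"
    ip = ipaddress.ip_address(addr.strip("[]").split("%")[0])
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # ::ffff:127.0.0.1 behaves like 127.0.0.1
    if ip.is_loopback:
        return "host"
    if ip.is_link_local:
        return "link"
    return "any"

def parse_ss(output: str) -> list[Listener]:
    """Parse `ss -tuln` lines; the local address is the 5th whitespace field."""
    listeners = []
    for line in output.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 5:
            continue
        host, _, port = fields[4].rpartition(":")
        listeners.append(Listener(fields[0], host, int(port), bind_scope(host)))
    return listeners

def externally_reachable(output: str) -> set[tuple[str, int]]:
    """(proto, port) pairs a remote host could reach absent any firewall rule."""
    return {(l.proto, l.port) for l in parse_ss(output) if l.scope == "any"}
```

On a real host, feed it `subprocess.run(["ss", "-tuln"], capture_output=True, text=True).stdout` instead of `SAMPLE_SS`; anything reported as "any" is what a device plugged straight into the Internet would expose.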

