[AusNOG] IPv6 excuses

Peter Fern ausnog at 0xc0dedbad.com
Sat May 28 14:17:09 EST 2016


On 05/28/16 13:36, Mark Smith wrote:
> On 28 May 2016 at 10:38, Peter Fern <ausnog at 0xc0dedbad.com> wrote:
>> On 05/27/16 17:10, Mark Andrews wrote:
>>> OSX has the host firewall on by default.
>> Did that happen some time in the last 12 months?  This certainly wasn't
>> the case last time I checked.
>>
> I find that a bit hard to believe.

Feel free to confirm independently, I don't own one.  Google seems to
confirm my recollection though.

> One thing to realise is that the "firewall" might be off, however the
> real question is whether there are services listening on external
> interfaces that might be useful to target and that aren't implementing
> their own security.

Define 'useful' here - do vulns count?  I vaguely recall nmbd having
remote code execution on OSX a year or two ago.

> Quite a number of years ago I ran Ubuntu (in the order of somewhere
> before 2008). From what I can remember, out of the box, the iptables
> firewall had no rules, however all of the default listening services
> had been configured to only listen on 127.0.0.1, so they were not
> accessible external to the host.

Which only holds true until the user installs more software.

>>> e.g. TVs don't need to be listening on the net.
>> They don't need to be, but are they?
> Devices are listening, because many of them have controller apps for
> iPhone/Android.

Indeed, amongst other services, I'd suggest.

>> Now TVs support all sorts of
>> streaming protocols, etc.  I have no idea what the quality of code is
>> like on TV firmware.  And you can add streaming boxes, light bulbs, IoT,
>> etc to the list.
>>
> So how about researching it a bit?
>
> Start with running NMAP against any of your devices that could be
> plugged directly into the Internet by a non-technical end user.

I don't have much of a sample for these particular devices - my TV and
receiver are dumb, and all the rest of my media infra runs on Linux
boxes.  I do have a couple of devices though that I'm certain don't have
any auth or ACLs by default.

> Read at least the first few pages of this paper from 1999, which shows
> why the network located firewall as the primary protection method
> model is flawed.
>
> If you don't recognise the author, look him up too to find out his
> credentials in this space.
>
> "Distributed Firewalls"
> https://www.cs.columbia.edu/~smb/papers/distfw.pdf
>
>
> Microsoft implemented this distributed firewall model back in 2005.
>
> https://technet.microsoft.com/en-us/library/cc740089(v=ws.10).aspx
>
>
> Google have also recently announced that they're following this model
> too internally, although I can't find a reference right at the moment.

I'm not in any way suggesting that a firewall at the border should be
the /only/ firewall, just that when enabling IPv6 for unsuspecting
users, there may be consequences that could be mitigated to some extent
by enabling such a firewall.

>> Sure, but the fact is that there are more and more IP-enabled devices
>> appearing in people's homes, and developers' skill/commitment to
>> security varies wildly, and plenty of those devices simply *aren't*
>> built or configured to be safely exposed to the Internet (partly fueled
>> by the ubiquity of NAT for the last decade or more).  Wishing it wasn't
>> so doesn't change the reality.
>>
> Plenty of people at Defcon and similar security conferences have been
> showing the naivety of this view in recent years, and that is going to
> be helping to change manufacturer behaviour.
>
> A lot of those types of videos are on Youtube, look them up to see the
> sort of work that has gone on showing vulnerabilities in these
> devices.
>
> Manufacturers sticking their head in the sand on this might be
> protecting their head, however they aren't protecting anything else,
> including their reputation.
>
> Preparing for the worst case is the best security strategy. The worst
> case is that any device that can be plugged into a network can be just
> as easily plugged directly into the Internet. There is no way to stop
> that possibility occurring.

Right, there may be hope, but that doesn't fix today.  I think this
comment is generally in agreement with what I've been saying though.

>> IMO it's just safer for end users to firewall at the CPE.
> How do end users determine their firewall is any good? How many end
> users even know what a firewall is?
>
> I think it is a good thing that manufacturers are taking over this
> role, because they can hire experts in this field, and scale that
> expertise across 10s of 1000s or more devices, rather than leaving the
> problem to individual device owners who will usually not have the
> faintest idea about Internet security at all - and shouldn't need to.

My suggestion here was primarily related to ISP-provided CPE and
enabling IPv6.  I'm in absolutely no way suggesting that device vendors
should be allowed to abdicate responsibility for securing their devices,
just that since many do a poor job, the addition of a firewall at the
CPE is a good idea.
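The thread's point about a host with an empty packet filter being safe only while every daemon binds to 127.0.0.1 (and only until more software is installed) is easy to check. The script below is an added example, not code from the AusNOG thread or its participants: it parses the output of `ss -ltn` (the sample text embedded here is constructed, not captured from a real host) and reports every TCP listener that is not bound to a loopback address, distinguishing wildcard binds, link-local binds (on-link only) and binds to a specific address. The function and label names are my own.

```python
"""Audit `ss -ltn` output for TCP listeners reachable beyond loopback.

Added example (not from the AusNOG thread). Flags daemons that would be
exposed the moment the host gets a globally routable address and no
packet filter sits in front of it.
"""
import ipaddress
import sys
from typing import List, Tuple

# Constructed sample in the shape `ss -ltn` prints; not from a real host.
# Older iproute2 prints `*:445` for a wildcard bind, newer prints 0.0.0.0/[::].
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     127.0.0.1:631        0.0.0.0:*
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*
LISTEN  0       50      *:445                *:*
LISTEN  0       128     [::1]:631            [::]:*
LISTEN  0       128     [::]:22              [::]:*
LISTEN  0       128     [fe80::1%eth0]:8080  [::]:*
LISTEN  0       128     [2001:db8::10]:8443  [::]:*
"""


def split_local(field: str) -> Tuple[str, int]:
    """Split ss's `Local Address:Port` column into (address, port)."""
    addr, _, port = field.rpartition(":")
    addr = addr.strip("[]")          # IPv6 literals are bracketed
    addr = addr.split("%", 1)[0]     # drop a link-local scope id such as %eth0
    return addr, int(port)


def classify(addr: str) -> str:
    """Label an address by how far a connection to it could come from."""
    if addr == "*":
        return "wildcard"
    ip = ipaddress.ip_address(addr)
    if ip.is_loopback:
        return "loopback"          # 127.0.0.0/8 or ::1: same host only
    if ip.is_unspecified:
        return "wildcard"          # 0.0.0.0 or ::: every interface
    if ip.is_link_local:
        return "link-local"        # fe80::/10: reachable from the same link only
    return "specific"              # bound to one configured address


def exposed_listeners(ss_output: str) -> List[Tuple[str, int, str]]:
    """Return (address, port, scope) for each listener not bound to loopback."""
    found = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue                # skip the header and anything malformed
        addr, port = split_local(fields[3])
        scope = classify(addr)
        if scope != "loopback":
            found.append((addr, port, scope))
    return found


if __name__ == "__main__":
    # Pipe real output in with `ss -ltn | python3 audit_listeners.py`;
    # with no stdin the constructed sample is audited instead.
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_SS_OUTPUT
    for addr, port, scope in exposed_listeners(data):
        print(f"{scope:11s} {addr}:{port}")
```

Only wildcard and link-local/specific binds are reported, so a host whose services all bind to loopback produces no output. The state check is deliberately `LISTEN`; auditing UDP sockets (`ss -lun`) would require accepting the `UNCONN` state as well.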

