It is all about defense in depth. The engineers here are speaking to the
network pieces (the second N in NANOG is network, right :) and we have told
this person that it is unlikely that v6 in the only vector and I myself talked
about malware handling on the clients themselves. From a network engineering
perspective many of us agreed that the biggest single threat to his network was
a firewall in an unknown state with an unknown administrator password that
could be owned by anyone on earth at this point. That single piece threatens
the entire network as a whole and is a ticking time bomb ready to blow his
entire LAN off the Internet if it fails.
He probably does not own the entire environment himself, he is filling in for a
vacationing network engineer. So he is working on the network piece and is
probably not responsible for the anti-malware software on the clients (if
anyone is, see below).
Our "support" as you call it was a response to this person questions about
blocking v6 as an attack vector in the first place. We answered his question
but then told him that was unlikely to be the problem and what he should do
about taking back his firewall, securing v6 via the firewall, and handling the
malware at the client. Seems solid advise to me so far.
BTW we did not bill him for anything. He got a lot of free advice from a lot
of people he could not even begin to afford to employ, so not a bad deal for
him. You also have to understand that this gentleman seems to be in an
educational environment which usually means lots of clients he does not have
control over so having some kind of network based malware control is helpful.
Clients in this type of environment have to defend themselves from each other
and he will likely have stuff brought in from the outside. Good malware
detection in the network can help identify clients that contain malware and are
a threat to other devices. Fancier network gear/IDS/IDP would actually remove
offending clients from the network or at least segments them into an isolation
area.
Let me re-iterate:
1. Take back ownership of your firewall and bring it up to date
including new malware signatures. If you don't have current support, get
it...........directly so if your consultant bails you are not dead meat. This
will ensure that the outside world will not own or control stuff inside your
network while you put the fires out. At the very least it can help malware
infected machines from phoning home to their command and control servers which
sometimes prevents a lot of damage.
2. Make your v6 rules mirror at least the security level of your
v4 rules. Passing v6 unchallenged is unacceptable. If your firewall won't do
it replace it with one that will.
3. Ensure all clients under your control have current
anti-virus/anti-malware detection. Clients have to defend themselves from
threats internal to the firewall as well as ones outside. Don't be hard on the
outside with a soft chewy center.
4. Never, ever accept anything less than full administrative
control passwords and accounts from your consultants, before you give them
final payment. I actually prefer to lock them out when they complete an
install until I need them to help with something. This prevents them from
holding you hostage or one of their "postal" employees from wiping you out as
well as preventing them from using your network for experimentation without you
knowing it. It is an important part of change control to ensure that outsiders
cannot modify your configuration without contacting you first. We usually give
our consultants highly logged VPN accounts that we can disable or enable as
needed.
Steven Naslund
Chicago IL
>>No while that is also needed, it is very unlikely to fix his issue. The issue
>>at hand is that some of their computers have become virus infected.
>>The fix for that is to upgrade the virus scanner and making sure that all
>>software upgrades are done.
>>Someone comes to you and says his Firefox is getting infected through IPv6.
>>If your support is worth anything, you will not take that at face value and
>>bill him for a ton work related to IPv6. No, you will go find out what the
>>real issue is and solve that. The only thing we know right now is that he is
>>>>confused.
>>
>>Regards,
>>
>>Baldur
