You know the cosmological model that the earth is balanced on the back of a giant turtle, which is supported by successive lower tiers of other turtles?
https://en.wikipedia.org/wiki/Turtles_all_the_way_down

It's like that, except it's trolls all the way down.

On Tue, Jul 5, 2016 at 3:24 PM, Chase Christian <[email protected]> wrote:
> The original email was not a serious question, but a joke:
>
> https://twitter.com/SwiftOnSecurity/status/749059605360062464
> https://twitter.com/SwiftOnSecurity/status/749062835687174144
> https://twitter.com/SwiftOnSecurity/status/749068172460847105
>
> On Tue, Jul 5, 2016 at 1:41 PM, Naslund, Steve <[email protected]> wrote:
>
> > It is all about defense in depth. The engineers here are speaking to the network pieces (the second N in NANOG is network, right :) and we have told this person that it is unlikely that v6 is the only vector and I myself talked about malware handling on the clients themselves. From a network engineering perspective many of us agreed that the biggest single threat to his network was a firewall in an unknown state with an unknown administrator password that could be owned by anyone on earth at this point. That single piece threatens the entire network as a whole and is a ticking time bomb ready to blow his entire LAN off the Internet if it fails.
> >
> > He probably does not own the entire environment himself, he is filling in for a vacationing network engineer. So he is working on the network piece and is probably not responsible for the anti-malware software on the clients (if anyone is, see below).
> >
> > Our "support" as you call it was a response to this person's questions about blocking v6 as an attack vector in the first place. We answered his question but then told him that was unlikely to be the problem and what he should do about taking back his firewall, securing v6 via the firewall, and handling the malware at the client. Seems solid advice to me so far.
> >
> > BTW we did not bill him for anything. He got a lot of free advice from a lot of people he could not even begin to afford to employ, so not a bad deal for him. You also have to understand that this gentleman seems to be in an educational environment which usually means lots of clients he does not have control over so having some kind of network based malware control is helpful. Clients in this type of environment have to defend themselves from each other and he will likely have stuff brought in from the outside. Good malware detection in the network can help identify clients that contain malware and are a threat to other devices. Fancier network gear/IDS/IDP would actually remove offending clients from the network or at least segment them into an isolation area.
> >
> > Let me reiterate:
> >
> > 1. Take back ownership of your firewall and bring it up to date including new malware signatures. If you don't have current support, get it...........directly so if your consultant bails you are not dead meat. This will ensure that the outside world will not own or control stuff inside your network while you put the fires out. At the very least it can help keep malware infected machines from phoning home to their command and control servers which sometimes prevents a lot of damage.
> > 2. Make your v6 rules mirror at least the security level of your v4 rules. Passing v6 unchallenged is unacceptable. If your firewall won't do it replace it with one that will.
> > 3. Ensure all clients under your control have current anti-virus/anti-malware detection. Clients have to defend themselves from threats internal to the firewall as well as ones outside. Don't be hard on the outside with a soft chewy center.
> > 4. Never, ever accept anything less than full administrative control passwords and accounts from your consultants, before you give them final payment. I actually prefer to lock them out when they complete an install until I need them to help with something. This prevents them from holding you hostage or one of their "postal" employees from wiping you out as well as preventing them from using your network for experimentation without you knowing it. It is an important part of change control to ensure that outsiders cannot modify your configuration without contacting you first. We usually give our consultants highly logged VPN accounts that we can disable or enable as needed.
> >
> > Steven Naslund
> > Chicago IL
> >
> > >>No while that is also needed, it is very unlikely to fix his issue. The issue at hand is that some of their computers have become virus infected.
> > >>The fix for that is to upgrade the virus scanner and making sure that all software upgrades are done.
> >
> > >>Someone comes to you and says his Firefox is getting infected through IPv6.
> > >>If your support is worth anything, you will not take that at face value and bill him for a ton of work related to IPv6. No, you will go find out what the real issue is and solve that. The only thing we know right now is that he is confused.
> > >>
> > >>Regards,
> > >>
> > >>Baldur
> > >
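One way to check item 2 of the list above (v6 rules mirroring v4) on a Linux firewall, as an added example that is not part of the thread: a small Python audit that parses iptables-save and ip6tables-save style output, strips the family-specific addresses, and reports chains whose IPv6 default policy is weaker than the IPv4 one plus rules present only on the v4 side. The two rulesets embedded below are constructed samples, not taken from any real host.

```python
import re
# Constructed sample rulesets in iptables-save / ip6tables-save format.
V4_RULES = """
*filter
:INPUT DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 22 -s 203.0.113.0/24 -j ACCEPT
-A INPUT -p icmp -j ACCEPT
COMMIT
"""
V6_RULES = """
*filter
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
COMMIT
"""

# Source/destination addresses are family-specific, so strip them before comparing.
ADDR_OPT = re.compile(r"\s(-s|-d|--source|--destination)\s+\S+")

def parse_filter_table(text):
    # Returns ({chain: default policy}, {normalized rule}) for the *filter table only.
    policies, rules, in_filter = {}, set(), False
    for line in (ln.strip() for ln in text.splitlines()):
        if line.startswith("*"):
            in_filter = line == "*filter"
        elif not in_filter or not line or line == "COMMIT":
            continue
        elif line.startswith(":"):           # chain policy, e.g. ":INPUT DROP [0:0]"
            chain, policy = line[1:].split()[:2]
            policies[chain] = policy
        elif line.startswith("-A"):          # rule; treat icmp and ipv6-icmp as equivalent
            rule = ADDR_OPT.sub("", " " + line).strip()
            rules.add(re.sub(r"\b(ipv6-icmp|icmpv6)\b", "icmp", rule))
    return policies, rules

def v6_parity_findings(v4_text, v6_text):
    # Lists the ways the v6 ruleset is weaker than the v4 one; an empty list means parity.
    v4_pol, v4_rules = parse_filter_table(v4_text)
    v6_pol, v6_rules = parse_filter_table(v6_text)
    findings = []
    for chain, pol in v4_pol.items():
        v6p = v6_pol.get(chain, "ACCEPT")    # a chain absent on the v6 side behaves like ACCEPT
        if pol in ("DROP", "REJECT") and v6p == "ACCEPT":
            findings.append(f"chain {chain}: v4 policy {pol} but v6 policy {v6p}")
    for rule in sorted(v4_rules - v6_rules):
        findings.append(f"rule present in v4 only: {rule}")
    return findings
```

On a real host, feed it the output of `iptables-save` and `ip6tables-save` instead of the embedded samples; the address stripping means a v6 rule with the matching v6 prefix counts as a mirror of the v4 rule.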

