Why is your Internal v6 subnet advertised to the Internet?
> On Feb 16, 2024, at 8:08 PM, William Herrin <b...@herrin.us> wrote:
>
> On Fri, Feb 16, 2024 at 3:13 PM Michael Thomas <m...@mtcc.com> wrote:
>> If you know which subnets need to be NAT'd, don't you also know which
>> ones shouldn't be exposed to incoming connections (or conversely, which
>> should be permitted)? It seems to me that all you're doing is moving
>> around where that knowledge is stored? I.e., DHCP so it can give it a
>> private address, rather than the firewall knowing which subnets not to
>> allow access to? Yes, DHCP can be easily configured to make everything
>> private, but DHCP for static reachable addresses is pretty handy too.
>
> Hi Mike,
>
> Suppose I have a firewall at 2602:815:6000::1 with an internal network
> of 2602:815:6001::/64. Inside the network on 2602:815:6001::4 I have a
> switch that accepts telnet connections with a user/password of
> admin/admin. On the firewall, I program it to disallow all Internet
> packets to 2602:815:6001::/64 that are not part of an established
> connection.
>
> Someone tries to telnet to 2602:815:6001::4. What happens? Blocked.
>
> Now, I make a mistake on my firewall. I insert a rule intended to
> allow packets outbound from 2602:815:6001::4, but I fat-finger it and
> so it allows them inbound to that address instead. Someone tries to
> telnet to 2602:815:6001::4. What happens? Hacked.
>
> Now suppose I have a firewall at 199.33.225.1 with an internal network
> of 192.168.55.0/24. Inside the network on 192.168.55.4 I have a switch
> that accepts telnet connections with a user/password of admin/admin.
> On the firewall, I program it to do NAT translation from
> 192.168.55.0/24 to 199.33.225.1 when sending packets outbound, which
> also has the effect of disallowing inbound packets to 192.168.55.0/24
> which are not part of an established connection.
>
> Someone tries to telnet to 192.168.55.4. What happens? The packet
> never even reaches my firewall, because that IP address doesn't go
> anywhere on the Internet.
>
> Now I make a mistake on my firewall. I insert a rule intended to allow
> packets outbound from 192.168.55.4, but I fat-finger it and so it
> allows them inbound to that address instead. Someone tries to telnet
> to 192.168.55.4. What happens? The packet STILL doesn't reach my
> firewall, because that IP address doesn't go anywhere on the Internet.
>
> See the difference? Accessible versus accessible and addressable. Not
> addressable enhances security.
>
> Regards,
> Bill Herrin
>
>
> --
> William Herrin
> b...@herrin.us
> https://bill.herrin.us/
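The three scenarios Bill walks through (correct filter, fat-fingered filter on global addresses, fat-fingered filter on RFC 1918 addresses) modelled as a small stateful-filter simulation, plus a lint check that catches the fat-fingered rule before it is deployed. This is an added example, not code from the thread or from any participant; the `Rule` fields, the function names and the first-match semantics are assumptions of the model, while the addresses are the ones quoted above.

```python
"""Model of the thread's firewall scenarios (added example, not the poster's code).
Rule syntax, field names and first-match semantics are assumptions of this model."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    action: str                # "allow" or "deny"
    direction: str             # "in" (Internet -> inside) or "out" (inside -> Internet)
    addr: str                  # inside host or prefix the rule applies to
    established: bool = False  # True: matches only replies to already-open flows


def reaches_firewall(dst: str) -> bool:
    """A packet sent from the Internet can only arrive if the destination is
    globally routable; RFC 1918 / ULA destinations are dropped upstream."""
    return ip_address(dst).is_global


def firewall_decision(rules, dst: str, established: bool) -> str:
    """First-match stateful filter for inbound packets to `dst`; default deny."""
    for r in rules:
        if r.direction != "in":
            continue
        if ip_address(dst) in ip_network(r.addr, strict=False) and (established or not r.established):
            return r.action
    return "deny"


def inbound_telnet_outcome(rules, dst: str) -> str:
    """Outcome of a NEW inbound connection attempt to `dst`, in the thread's terms."""
    if not reaches_firewall(dst):
        return "unroutable"  # never even reaches the firewall
    return "hacked" if firewall_decision(rules, dst, established=False) == "allow" else "blocked"


def lint_inbound_allows(rules, internal_prefix: str):
    """Defender check: flag rules that admit NEW inbound connections to the
    internal prefix, i.e. the "out" typed as "in" mistake described in the thread."""
    net = ip_network(internal_prefix)
    return [r for r in rules if r.action == "allow" and r.direction == "in" and not r.established
            and ip_network(r.addr, strict=False).version == net.version
            and ip_network(r.addr, strict=False).subnet_of(net)]


# Constructed rule sets mirroring the thread's scenarios.
V6_INTENDED = [Rule("allow", "in", "2602:815:6001::/64", established=True),
               Rule("deny", "in", "2602:815:6001::/64")]
V6_FATFINGER = [Rule("allow", "in", "2602:815:6001::4")] + V6_INTENDED  # "out" typed as "in"
V4_FATFINGER = [Rule("allow", "in", "192.168.55.4"),
                Rule("allow", "in", "192.168.55.0/24", established=True),
                Rule("deny", "in", "192.168.55.0/24")]

if __name__ == "__main__":
    print(inbound_telnet_outcome(V6_INTENDED, "2602:815:6001::4"))   # blocked
    print(inbound_telnet_outcome(V6_FATFINGER, "2602:815:6001::4"))  # hacked
    print(inbound_telnet_outcome(V4_FATFINGER, "192.168.55.4"))      # unroutable
    print(lint_inbound_allows(V6_FATFINGER, "2602:815:6001::/64"))   # flags the bad rule
```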