The original email was not a serious question, but a joke: https://twitter.com/SwiftOnSecurity/status/749059605360062464 https://twitter.com/SwiftOnSecurity/status/749062835687174144 https://twitter.com/SwiftOnSecurity/status/749068172460847105
On Tue, Jul 5, 2016 at 1:41 PM, Naslund, Steve <snasl...@medline.com> wrote:
> It is all about defense in depth. The engineers here are speaking to the network pieces (the second N in NANOG is network, right :) and we have told this person that it is unlikely that v6 is the only vector, and I myself talked about malware handling on the clients themselves. From a network engineering perspective many of us agreed that the biggest single threat to his network was a firewall in an unknown state with an unknown administrator password that could be owned by anyone on earth at this point. That single piece threatens the entire network as a whole and is a ticking time bomb ready to blow his entire LAN off the Internet if it fails.
>
> He probably does not own the entire environment himself; he is filling in for a vacationing network engineer. So he is working on the network piece and is probably not responsible for the anti-malware software on the clients (if anyone is, see below).
>
> Our "support" as you call it was a response to this person's questions about blocking v6 as an attack vector in the first place. We answered his question but then told him that was unlikely to be the problem and what he should do about taking back his firewall, securing v6 via the firewall, and handling the malware at the client. Seems solid advice to me so far.
>
> BTW we did not bill him for anything. He got a lot of free advice from a lot of people he could not even begin to afford to employ, so not a bad deal for him. You also have to understand that this gentleman seems to be in an educational environment, which usually means lots of clients he does not have control over, so having some kind of network-based malware control is helpful. Clients in this type of environment have to defend themselves from each other and he will likely have stuff brought in from the outside. Good malware detection in the network can help identify clients that contain malware and are a threat to other devices. Fancier network gear/IDS/IDP would actually remove offending clients from the network or at least segment them into an isolation area.
>
> Let me reiterate:
>
> 1. Take back ownership of your firewall and bring it up to date, including new malware signatures. If you don't have current support, get it... directly, so if your consultant bails you are not dead meat. This will ensure that the outside world will not own or control stuff inside your network while you put the fires out. At the very least it can help keep malware-infected machines from phoning home to their command and control servers, which sometimes prevents a lot of damage.
> 2. Make your v6 rules mirror at least the security level of your v4 rules. Passing v6 unchallenged is unacceptable. If your firewall won't do it, replace it with one that will.
> 3. Ensure all clients under your control have current anti-virus/anti-malware detection. Clients have to defend themselves from threats internal to the firewall as well as ones outside. Don't be hard on the outside with a soft chewy center.
> 4. Never, ever accept anything less than full administrative control passwords and accounts from your consultants before you give them final payment. I actually prefer to lock them out when they complete an install until I need them to help with something. This prevents them from holding you hostage or one of their "postal" employees from wiping you out, as well as preventing them from using your network for experimentation without you knowing it. It is an important part of change control to ensure that outsiders cannot modify your configuration without contacting you first. We usually give our consultants highly logged VPN accounts that we can disable or enable as needed.
>
> Steven Naslund
> Chicago IL
>
> >>No while that is also needed, it is very unlikely to fix his issue. The issue at hand is that some of their computers have become virus-infected.
> >>The fix for that is to upgrade the virus scanner and make sure that all software upgrades are done.
> >>
> >>Someone comes to you and says his Firefox is getting infected through IPv6.
> >>If your support is worth anything, you will not take that at face value and bill him for a ton of work related to IPv6. No, you will go find out what the real issue is and solve that. The only thing we know right now is that he is confused.
> >>
> >>Regards,
> >>
> >>Baldur