[DARARepeater] LAN Routing
Jack Gerbs
jgerbs at quanexus.com
Tue Oct 13 15:46:44 EDT 2020
Totally agree with Jim on this. IPv6 is not going to leave your network. Your ISP, today, is only running IPv4 and you would need to translate v6 to v4 at your gateway. The threat from IPv6 is an internal threat, where the malicious actor, once on your network, would look to exploit v6 vulnerabilities. it. There is an incredible amount of internal v6 running on many network today.
73, Jack, WB8SCT
From: dararepeater-bounces at mailman.qth.net <dararepeater-bounces at mailman.qth.net> On Behalf Of Jim Bacher, WB8VSU
Sent: Tuesday, October 13, 2020 3:38 PM
To: Derek Gooley <dgooley at gmail.com>
Cc: DARA Repeater List <dararepeater at mailman.qth.net>
Subject: Re: [DARARepeater] LAN Routing
Derek, in general router advertising never leaves the network it was broadcast on. As it would be an unsolicited packet on the incoming router, the router would automatically block the packet. For a home user I don't see it as a threat. For a corporation that is a threat.
My windows box just informed me it needs to reboot, so they must have pushed out the patch.
Jim Bacher, WB8VSU
wb8vsu at arrl.net<mailto:wb8vsu at arrl.net>
https://trc.guru<https://linkprotect.cudasvc.com/url?a=https%3a%2f%2ftrc.guru&c=E,1,KnRqymRIVRLWhfeBfW3OdAoBiKzGSYbsssk3Fzfm1s4bfNfvCIJf2AiWAA-oJJmvErX2_vy67tFVwig3oh8awpnodHhx_6kefCH7i1NkkVI_8FKlPy0t3FqS&typo=1>
On Oct 13, 2020, at 2:45 PM, Derek Gooley <dgooley at gmail.com<mailto:dgooley at gmail.com>> wrote:
I'm not moving to IPv6 any time soon.
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-16898
On Mon, Oct 12, 2020, 16:16 Jim Bacher, WB8VSU < wb8vsu at arrl.net<mailto:wb8vsu at arrl.net>> wrote:
Mark, most IoT devices now days are going to be IPv6 and IPv4. If you have IPv6 turned off on your 2nd router then Jack's suggestion is a good easy choice. If you have IPv6 turned on, then it won't work if the devices have IPv6 enabled.
Everything is automatic under IPv6 which makes it more difficult to block an outgoing packet. Incoming are blocked by default. My two routers are capable of blocking networks or devices, whether they are IPv4 or IPv6. That can be complex to accomplish depending on the router and whether IPv6 is turned on.
Most of the risk with IoT, is allowing remote access to it and not changing the default password. So if you don't allow remote access, the device didn't have contamination on it when you bought it and you don't let it update there shouldn't be a problem.
Most of the issues I am aware of are due to pin holes created for a IoT device on the firewall / router to allow remote access or having a contaminated OS to start with. Jack may know of others as he is more up-to-date than I am on IT.
I am running IPv6 on my home networks. From what I can tell, more than 90% of the traffic is now IPv6 as a result. Most noticeable when running an update on a Raspberry Pi, as it will show where it's pulling the updates from. The bulk are from IPv6 addresses. Smart phones are also mostly IPv6 and you can't disable IPv6 on the cell phone.
Jim Bacher, WB8VSU
wb8vsu at arrl.net<mailto:wb8vsu at arrl.net>
https://trc.guru<https://linkprotect.cudasvc.com/url?a=https%3a%2f%2ftrc.guru&c=E,1,m8tD1_20ndS5wLp-5E32tqliSHgmj8kO5tJB78TOo3a1g7LjPRTUaU_Pqqoqpp4DFCo5VOMUSnf1xFNW9pG2jaPJJ8VtE1hHqmW71UETYKMgaewIJ3_0SAuiuQ,,&typo=1>
On Oct 12, 2020, at 12:18 PM, Jack Gerbs < jgerbs at quanexus.com<mailto:jgerbs at quanexus.com>> wrote:
Mark,
An easy way to not allow devices to access the internet is to not put in a default gateway on the device, or put an unused address in for the default gateway. A more common way to do it is to create a rule that blocks the device from accessing the WAN port. Not sure your level of experience with firewalls, so don’t take this the wrong way, firewalls execute rules (ACLs) from top down, your more restrictive rules need to be applied first.
Jack
From: dararepeater-bounces at mailman.qth.net<mailto:dararepeater-bounces at mailman.qth.net> <dararepeater-bounces at mailman.qth.net<mailto:dararepeater-bounces at mailman.qth.net>> On Behalf Of Mark Erbaugh
Sent: Monday, October 12, 2020 12:11 PM
To: Derek Gooley <dgooley at gmail.com<mailto:dgooley at gmail.com>>; dararepeater at mailman.qth.net<mailto:dararepeater at mailman.qth.net>
Subject: Re: [DARARepeater] LAN Routing
Derek,
Thanks. I’ll have to take some time to digest all that and learn to craft firewall rules.
Another approach I was considering was connecting those devices to the secure network as long as I can configure the firewall to not allow them to access or be accessed from the Internet. Unlike my smart TV’s and Amazon Echo’s they don’t need access to the Internet to function. Would that approach be preferable to allowing connections across the subnets?
73,
Mark
From: Derek Gooley<mailto:dgooley at gmail.com>
Sent: Monday, October 12, 2020 11:40 AM
To: Mark Erbaugh<mailto:mark.election at gmail.com>
Cc: dararepeater at mailman.qth.net<mailto:dararepeater at mailman.qth.net>
Subject: Re: [DARARepeater] LAN Routing
Having the devices on separate subnets or VLANs won't secure anything if they're still routable to eachother. You need to create firewall rules to block traffic between them.
You could create a rule allowing traffic from your secure network to your IOT network, a rule allowing established connections from your dirty network to a secure network (so devices can communicate with hosts on your secure network once a connection is established), and a rule disallowing all other outbound and inbound traffic from your dirty network to achieve what you're asking.
Here's some guides on how to add firewall rules to Ubiquiti EdgeRouter:
https://help.ui.com/hc/en-us/articles/218889067-EdgeRouter-How-to-Create-a-Guest-LAN-Firewall-Rule<https://linkprotect.cudasvc.com/url?a=https%3a%2f%2fhelp.ui.com%2fhc%2fen-us%2farticles%2f218889067-EdgeRouter-How-to-Create-a-Guest-LAN-Firewall-Rule&c=E,1,bdDUoLtTp9a5hgMUSsWg59wOTM-gaO04IfLRYrDNlqt7ydY9qEsZfHQyPnpF7z9g4FbZnvrSoXKJyaWUx3QZjfjK7t5CwIq6RiwfY90auvpict-DrIDN4hR6srU,&typo=1>
https://help.ui.com/hc/en-us/articles/204962154-EdgeRouter-How-to-Create-a-WAN-Firewall-Rule<https://linkprotect.cudasvc.com/url?a=https%3a%2f%2fhelp.ui.com%2fhc%2fen-us%2farticles%2f204962154-EdgeRouter-How-to-Create-a-WAN-Firewall-Rule&c=E,1,1kBBm9SHwd17vwXLgJPJIo_7HkCRRKWKLopBk7rP7d3l3UAMyS0YPviuBDmfEtZoTr0JfjNhcodP3NsmR8QeDCccBeUOpPG3ObCpJmcI7vwz&typo=1>
https://help.ui.com/hc/en-us/articles/204952154-EdgeRouter-Zone-Based-Firewall<https://linkprotect.cudasvc.com/url?a=https%3a%2f%2fhelp.ui.com%2fhc%2fen-us%2farticles%2f204952154-EdgeRouter-Zone-Based-Firewall&c=E,1,RCshEPTtrPKSraRGILk3GBLhhRduHThAY1ducDgi7S2fC_wVRRcmf2H-jwcrP2VL09ukwfqKSYVDolb2WgFp3jSaPrMZmyUzKweHza7r6OKmixlCais,&typo=1>
On Mon, Oct 12, 2020, 11:06 Mark Erbaugh <mark.election at gmail.com<mailto:mark.election at gmail.com>> wrote:
I’ve started adding IOT devices to my home. Following some security advice https://pcper.com/2016/08/steve-gibsons-three-router-solution-to-iot-insecurity/<https://linkprotect.cudasvc.com/url?a=https%3a%2f%2fpcper.com%2f2016%2f08%2fsteve-gibsons-three-router-solution-to-iot-insecurity%2f&c=E,1,387TSYzRW26xvXvTzLfef5trEjglgbY2KZVlCKyeUg1S6mxUhxt4RSQP2AQhEq3DotIsK3CvfY-YY6BAlvpZjJ0B2C--rTJ9t_J32Aezz5Gjljv27FrFqo7Pvhg,&typo=1>) , I’ve configured two sub-nets, one for my computers which are secure (at least I’m running security software on them) and one for the IOT devices which I don’t trust as much. Hopefully, this will prevent an attacker from exploiting a weakness in one of my IOT devices to attack my secure computers.
But I have found a need for an exception to my configuration. I have a couple of devices that I don’t fully trust to be on my secure network that I need to communicate with from my computer on the secure network:
* FlexRadio 6700 (internal Linux software with unknown security)
* Raspberry Pi running OctoPi server to control my 3d printer
Right now, I’ve left the Flex on the secure network, so I’m trusting the Flex developers and I’m not using the OctoPi.
Is it possible to put these devices on the secure network but configure the router (I’m currently using a Ubiquity EdgeRouter X) so that they can be accessed from inside the network, but that they can’t access the internet? I’m assuming that if the device can’t access the Internet, the Internet can’t access the device – is that a valid assumption?
If so, how?
One suggestion I saw was to implement parental controls on those devices, but I see no mention of parental controls in the EdgeRouter configuration.
73,
Mark
______________________________________________________________
DARARepeater mailing list
Home: http://mailman.qth.net/mailman/listinfo/dararepeater<https://linkprotect.cudasvc.com/url?a=http%3a%2f%2fmailman.qth.net%2fmailman%2flistinfo%2fdararepeater&c=E,1,oV-K8lGzWL2ryfgHlBSLatevJFfZDhgTDWHDM53At_Gqsw_EXAd-HzkbNHd_WI4b7rPSACDsoWHg4xKwbPK9xwN_3q_sON2U0lo4Vegs&typo=1>
Help: http://mailman.qth.net/mmfaq.htm<https://linkprotect.cudasvc.com/url?a=http%3a%2f%2fmailman.qth.net%2fmmfaq.htm&c=E,1,mOB7jSfUNeOdizAULu02ktA-vEtAWPbgnmcNV-7zpzl6vLCeweaGTsnH43iUfMwzGVUafQxNrEV7jZS1_7nlbwBggn6YAKb15VoC_Ku5U8Mc1lScK34,&typo=1>
Post: mailto:DARARepeater at mailman.qth.net<mailto:DARARepeater at mailman.qth.net>
This list hosted by: http://www.qsl.net<https://linkprotect.cudasvc.com/url?a=http%3a%2f%2fwww.qsl.net&c=E,1,EirwSbCV7F2MVLuTPhJdWDnMEM1qBssr310z_SoFYPE3dutDGunq1F-5F_5ZjecTAeWSIHkLxtg2uMlGqE_CoAL8EejjABVOzwAxSjl59ykyrH6U7tlZSOl9VWvA&typo=1>
Please help support this email list: http://www.qsl.net/donate.html<https://linkprotect.cudasvc.com/url?a=http%3a%2f%2fwww.qsl.net%2fdonate.html&c=E,1,7BfjHNFHd6YtaLHkEKR_1ZUxb9OOdJN1gMsEqlmEZqE7pYIJ_1odH_gucUvscKCKFlTmOo1T_lAQ8Q6KUWv7ag8B6t-MXAmIgeEzf4TfiA,,&typo=1>
Our Q-Stack Advantage protects your systems and the information on your systems with a layered and proven approach. Quanexus provides managed Information Technology services for IT organizations, businesses, non-profits and more. Risk Assessments, Vulnerability Scans, Cabling, Telephone Systems, Surveillance and Access Control are all part of our value added services. Visit us at www.Quanexus.com<https://linkprotect.cudasvc.com/url?a=https%3a%2f%2fquanexus.com&c=E,1,6czxhaCxN0Q-ydvLV5kfrIpxet8EYuJn60a4iMjxQ5GPqiR5R9atLPac-LQVEVi9sCxdyv4fB2eD8CTlbOAdL22AczjvT-Kb1TDyc8J7DVsCVto,&typo=1> to learn more.
________________________________
DARARepeater mailing list
Home: http://mailman.qth.net/mailman/listinfo/dararepeater<https://linkprotect.cudasvc.com/url?a=http%3a%2f%2fmailman.qth.net%2fmailman%2flistinfo%2fdararepeater&c=E,1,UNLrpe8vboBKS8gzg55g1gs_YtBNAV4Jjby8TemabRN1Gv5pFzTZXtyjX64x_K6rVno-cgdoM7cz-pB5vWH4WFzjXX6WeN04WzSaZf4WsGmqEt4_6EoCQl8OWY4,&typo=1>
Help: http://mailman.qth.net/mmfaq.htm<https://linkprotect.cudasvc.com/url?a=http%3a%2f%2fmailman.qth.net%2fmmfaq.htm&c=E,1,yzuxz_uMPl0Z3lh25-wB8NGyn_YWoMQAvttUlq7dOhtkjvPQh-tdhWSb4TGxEolyaPc9Oz90wZD7a7ycYh7RLJVTfQq6R0Wb3qE2s7gMgKFR-A0,&typo=1>
Post: mailto:DARARepeater at mailman.qth.net<mailto:DARARepeater at mailman.qth.net>
This list hosted by: http://www.qsl.net<https://linkprotect.cudasvc.com/url?a=http%3a%2f%2fwww.qsl.net&c=E,1,BsiRmYcc_RlpfAXBXGDTXb1NVq25Zo5D63ksJo6UI_1y28fDuqmeu6R4gDcGYm3WeYGbvWVx-dbBui3UJ7PgM0QMstCcUMGCXRg1MEMB6F7uW3M,&typo=1>
Please help support this email list: http://www.qsl.net/donate.html<https://linkprotect.cudasvc.com/url?a=http%3a%2f%2fwww.qsl.net%2fdonate.html&c=E,1,XsC3rrPSbQB-sDHUigu1hwlGiUoNT1eB0_NoPa8YBjhN2PC9MJ4CyR4C9_fmsRbSvVEk1fcNrH9MbiYRSETSY_dVtfljBhf3wBpPs6B0&typo=1>
______________________________________________________________
DARARepeater mailing list
Home: http://mailman.qth.net/mailman/listinfo/dararepeater<https://linkprotect.cudasvc.com/url?a=http%3a%2f%2fmailman.qth.net%2fmailman%2flistinfo%2fdararepeater&c=E,1,qVrp1lR00oHPaHv9Lk0EuW74IesuPmELzTToNFKs6XOqSS5QwjY7kQJpXouzuFxoQ7vVIZy9JEQLPi9SnAc2wfIOCpl-XVB8fcVPHOWXeiEEDCRZOB7D&typo=1>
Help: http://mailman.qth.net/mmfaq.htm<https://linkprotect.cudasvc.com/url?a=http%3a%2f%2fmailman.qth.net%2fmmfaq.htm&c=E,1,RDsNDrsTcBzDFywGZ9RdgL46RxKWImzIaBEBDZaJYzUsd5DQVuYRc5IzYqtMGpXkwVV9GFl1q5Bm_hJDN8j-qg797R3yJedlHz134ifgDA0Qs94,&typo=1>
Post: mailto: DARARepeater at mailman.qth.net<mailto:DARARepeater at mailman.qth.net>
This list hosted by: http://www.qsl.net<https://linkprotect.cudasvc.com/url?a=http%3a%2f%2fwww.qsl.net&c=E,1,APpCDBWncRMtfd6w6aTLmfsL_mj8BPFA7SQ_XJZK-nuWpnYiKjOtqNWr54k-CAsrANR6S-pz-vqLPMJk6rxPG5PEQFeGOFGskk4DzcQZM2EZERC0S9Gnecik&typo=1>
Please help support this email list: http://www.qsl.net/donate.html<https://linkprotect.cudasvc.com/url?a=http%3a%2f%2fwww.qsl.net%2fdonate.html&c=E,1,-AJ5vOLxPAkOuWHLVNI-5kWCjWV4QvOUJOs88j_7DhI7TmMAOixzbwOl6i9phKzYitnXjTuvsX0vSdKQVy8NASeQwAZTbdH4hrr2HajOx0E,&typo=1>
<font size="3" color="A5292B">Our <B>Q-Stack Advantage</B> protects your systems and the information on your systems with a layered and proven approach. Quanexus provides managed Information Technology services for IT organizations, businesses, non-profits and more. Risk Assessments, Vulnerability Scans, Cabling, Telephone Systems, Surveillance and Access Control are all part of our value added services. Visit us at <a href="https://quanexus.com">www.Quanexus.com</a> to learn more.</font>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.qth.net/pipermail/dararepeater/attachments/20201013/0e378db6/attachment-0001.html>
More information about the DARARepeater
mailing list