[DARARepeater] LAN Routing
Derek Gooley
dgooley at gmail.com
Tue Oct 13 15:49:48 EDT 2020
This is a vulnerability in the Windows ICMP stack, not the router. You'd be
vulnerable to it e.g. if an attacker gains execution on an IoT device on
your home network, or on public wifi or anywhere else where a malicious
actor could be on the same network as your Windows device. And the point
wasn't about this specific vulnerability, but that there have been a ton of
major issues in IPv6 stack implementations recently, and that it's better
to stick to IPv4 for the near future for the sake of security.
On Tue, Oct 13, 2020 at 3:37 PM Jim Bacher, WB8VSU <wb8vsu at arrl.net> wrote:
> Derek, in general router advertising never leaves the network it was
> broadcast on. As it would be an unsolicited packet on the incoming router,
> the router would automatically block the packet. For a home user I don't
> see it as a threat. For a corporation that is a threat.
>
> My windows box just informed me it needs to reboot, so they must have
> pushed out the patch.
>
> Jim Bacher, WB8VSU
> wb8vsu at arrl.net
> <https://trc.guru>https://trc.guru
> On Oct 13, 2020, at 2:45 PM, Derek Gooley <dgooley at gmail.com> wrote:
>>
>> I'm not moving to IPv6 any time soon.
>>
>>
>> https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-16898
>>
>> On Mon, Oct 12, 2020, 16:16 Jim Bacher, WB8VSU < wb8vsu at arrl.net> wrote:
>>
>>> Mark, most IoT devices now days are going to be IPv6 and IPv4. If you
>>> have IPv6 turned off on your 2nd router then Jack's suggestion is a good
>>> easy choice. If you have IPv6 turned on, then it won't work if the devices
>>> have IPv6 enabled.
>>>
>>> Everything is automatic under IPv6 which makes it more difficult to
>>> block an outgoing packet. Incoming are blocked by default. My two routers
>>> are capable of blocking networks or devices, whether they are IPv4 or IPv6.
>>> That can be complex to accomplish depending on the router and whether IPv6
>>> is turned on.
>>>
>>> Most of the risk with IoT, is allowing remote access to it and not
>>> changing the default password. So if you don't allow remote access, the
>>> device didn't have contamination on it when you bought it and you don't let
>>> it update there shouldn't be a problem.
>>>
>>> Most of the issues I am aware of are due to pin holes created for a IoT
>>> device on the firewall / router to allow remote access or having a
>>> contaminated OS to start with. Jack may know of others as he is more
>>> up-to-date than I am on IT.
>>>
>>> I am running IPv6 on my home networks. From what I can tell, more than
>>> 90% of the traffic is now IPv6 as a result. Most noticeable when running an
>>> update on a Raspberry Pi, as it will show where it's pulling the updates
>>> from. The bulk are from IPv6 addresses. Smart phones are also mostly IPv6
>>> and you can't disable IPv6 on the cell phone.
>>>
>>> Jim Bacher, WB8VSU
>>> wb8vsu at arrl.net
>>> <https://trc.guru> https://trc.guru
>>> On Oct 12, 2020, at 12:18 PM, Jack Gerbs < jgerbs at quanexus.com> wrote:
>>>>
>>>> Mark,
>>>>
>>>> An easy way to not allow devices to access the internet is to not
>>>> put in a default gateway on the device, or put an unused address in for the
>>>> default gateway. A more common way to do it is to create a rule that blocks
>>>> the device from accessing the WAN port. Not sure your level of experience
>>>> with firewalls, so don’t take this the wrong way, firewalls execute rules
>>>> (ACLs) from top down, your more restrictive rules need to be applied first.
>>>>
>>>> Jack
>>>>
>>>>
>>>>
>>>> *From:* dararepeater-bounces at mailman.qth.net <
>>>> dararepeater-bounces at mailman.qth.net> *On Behalf Of *Mark Erbaugh
>>>> *Sent:* Monday, October 12, 2020 12:11 PM
>>>> *To:* Derek Gooley <dgooley at gmail.com>; dararepeater at mailman.qth.net
>>>> *Subject:* Re: [DARARepeater] LAN Routing
>>>>
>>>>
>>>>
>>>> Derek,
>>>>
>>>>
>>>>
>>>> Thanks. I’ll have to take some time to digest all that and learn to
>>>> craft firewall rules.
>>>>
>>>>
>>>>
>>>> Another approach I was considering was connecting those devices to the
>>>> secure network as long as I can configure the firewall to not allow them to
>>>> access or be accessed from the Internet. Unlike my smart TV’s and Amazon
>>>> Echo’s they don’t need access to the Internet to function. Would that
>>>> approach be preferable to allowing connections across the subnets?
>>>>
>>>>
>>>>
>>>> 73,
>>>>
>>>> Mark
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> *From: *Derek Gooley <dgooley at gmail.com>
>>>> *Sent: *Monday, October 12, 2020 11:40 AM
>>>> *To: *Mark Erbaugh <mark.election at gmail.com>
>>>> *Cc: *dararepeater at mailman.qth.net
>>>> *Subject: *Re: [DARARepeater] LAN Routing
>>>>
>>>>
>>>>
>>>> Having the devices on separate subnets or VLANs won't secure anything
>>>> if they're still routable to eachother. You need to create firewall rules
>>>> to block traffic between them.
>>>>
>>>>
>>>>
>>>> You could create a rule allowing traffic from your secure network to
>>>> your IOT network, a rule allowing established connections from your dirty
>>>> network to a secure network (so devices can communicate with hosts on your
>>>> secure network once a connection is established), and a rule disallowing
>>>> all other outbound and inbound traffic from your dirty network to achieve
>>>> what you're asking.
>>>>
>>>>
>>>>
>>>> Here's some guides on how to add firewall rules to Ubiquiti EdgeRouter:
>>>>
>>>>
>>>>
>>>>
>>>> https://help.ui.com/hc/en-us/articles/218889067-EdgeRouter-How-to-Create-a-Guest-LAN-Firewall-Rule
>>>> <https://linkprotect.cudasvc.com/url?a=https%3a%2f%2fhelp.ui.com%2fhc%2fen-us%2farticles%2f218889067-EdgeRouter-How-to-Create-a-Guest-LAN-Firewall-Rule&c=E,1,bdDUoLtTp9a5hgMUSsWg59wOTM-gaO04IfLRYrDNlqt7ydY9qEsZfHQyPnpF7z9g4FbZnvrSoXKJyaWUx3QZjfjK7t5CwIq6RiwfY90auvpict-DrIDN4hR6srU,&typo=1>
>>>>
>>>>
>>>> https://help.ui.com/hc/en-us/articles/204962154-EdgeRouter-How-to-Create-a-WAN-Firewall-Rule
>>>> <https://linkprotect.cudasvc.com/url?a=https%3a%2f%2fhelp.ui.com%2fhc%2fen-us%2farticles%2f204962154-EdgeRouter-How-to-Create-a-WAN-Firewall-Rule&c=E,1,1kBBm9SHwd17vwXLgJPJIo_7HkCRRKWKLopBk7rP7d3l3UAMyS0YPviuBDmfEtZoTr0JfjNhcodP3NsmR8QeDCccBeUOpPG3ObCpJmcI7vwz&typo=1>
>>>>
>>>>
>>>> https://help.ui.com/hc/en-us/articles/204952154-EdgeRouter-Zone-Based-Firewall
>>>> <https://linkprotect.cudasvc.com/url?a=https%3a%2f%2fhelp.ui.com%2fhc%2fen-us%2farticles%2f204952154-EdgeRouter-Zone-Based-Firewall&c=E,1,RCshEPTtrPKSraRGILk3GBLhhRduHThAY1ducDgi7S2fC_wVRRcmf2H-jwcrP2VL09ukwfqKSYVDolb2WgFp3jSaPrMZmyUzKweHza7r6OKmixlCais,&typo=1>
>>>>
>>>> On Mon, Oct 12, 2020, 11:06 Mark Erbaugh <mark.election at gmail.com>
>>>> wrote:
>>>>
>>>> I’ve started adding IOT devices to my home. Following some security
>>>> advice
>>>> https://pcper.com/2016/08/steve-gibsons-three-router-solution-to-iot-insecurity/
>>>> <https://linkprotect.cudasvc.com/url?a=https%3a%2f%2fpcper.com%2f2016%2f08%2fsteve-gibsons-three-router-solution-to-iot-insecurity%2f&c=E,1,387TSYzRW26xvXvTzLfef5trEjglgbY2KZVlCKyeUg1S6mxUhxt4RSQP2AQhEq3DotIsK3CvfY-YY6BAlvpZjJ0B2C--rTJ9t_J32Aezz5Gjljv27FrFqo7Pvhg,&typo=1>)
>>>> , I’ve configured two sub-nets, one for my computers which are secure (at
>>>> least I’m running security software on them) and one for the IOT devices
>>>> which I don’t trust as much. Hopefully, this will prevent an attacker from
>>>> exploiting a weakness in one of my IOT devices to attack my secure
>>>> computers.
>>>>
>>>>
>>>>
>>>> But I have found a need for an exception to my configuration. I have a
>>>> couple of devices that I don’t fully trust to be on my secure network that
>>>> I need to communicate with from my computer on the secure network:
>>>>
>>>>
>>>> - FlexRadio 6700 (internal Linux software with unknown security)
>>>>
>>>> - Raspberry Pi running OctoPi server to control my 3d printer
>>>>
>>>>
>>>>
>>>>
>>>> Right now, I’ve left the Flex on the secure network, so I’m trusting
>>>> the Flex developers and I’m not using the OctoPi.
>>>>
>>>>
>>>>
>>>> Is it possible to put these devices on the secure network but configure
>>>> the router (I’m currently using a Ubiquity EdgeRouter X) so that they can
>>>> be accessed from inside the network, but that they can’t access the
>>>> internet? I’m assuming that if the device can’t access the Internet, the
>>>> Internet can’t access the device – is that a valid assumption?
>>>>
>>>>
>>>>
>>>> If so, how?
>>>>
>>>>
>>>>
>>>> One suggestion I saw was to implement parental controls on those
>>>> devices, but I see no mention of parental controls in the EdgeRouter
>>>> configuration.
>>>>
>>>>
>>>>
>>>> 73,
>>>>
>>>> Mark
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> ______________________________________________________________
>>>> DARARepeater mailing list
>>>> Home: http://mailman.qth.net/mailman/listinfo/dararepeater
>>>> <https://linkprotect.cudasvc.com/url?a=http%3a%2f%2fmailman.qth.net%2fmailman%2flistinfo%2fdararepeater&c=E,1,oV-K8lGzWL2ryfgHlBSLatevJFfZDhgTDWHDM53At_Gqsw_EXAd-HzkbNHd_WI4b7rPSACDsoWHg4xKwbPK9xwN_3q_sON2U0lo4Vegs&typo=1>
>>>> Help: http://mailman.qth.net/mmfaq.htm
>>>> <https://linkprotect.cudasvc.com/url?a=http%3a%2f%2fmailman.qth.net%2fmmfaq.htm&c=E,1,mOB7jSfUNeOdizAULu02ktA-vEtAWPbgnmcNV-7zpzl6vLCeweaGTsnH43iUfMwzGVUafQxNrEV7jZS1_7nlbwBggn6YAKb15VoC_Ku5U8Mc1lScK34,&typo=1>
>>>> Post: mailto:DARARepeater at mailman.qth.net
>>>>
>>>> This list hosted by: http://www.qsl.net
>>>> <https://linkprotect.cudasvc.com/url?a=http%3a%2f%2fwww.qsl.net&c=E,1,EirwSbCV7F2MVLuTPhJdWDnMEM1qBssr310z_SoFYPE3dutDGunq1F-5F_5ZjecTAeWSIHkLxtg2uMlGqE_CoAL8EejjABVOzwAxSjl59ykyrH6U7tlZSOl9VWvA&typo=1>
>>>> Please help support this email list: http://www.qsl.net/donate.html
>>>> <https://linkprotect.cudasvc.com/url?a=http%3a%2f%2fwww.qsl.net%2fdonate.html&c=E,1,7BfjHNFHd6YtaLHkEKR_1ZUxb9OOdJN1gMsEqlmEZqE7pYIJ_1odH_gucUvscKCKFlTmOo1T_lAQ8Q6KUWv7ag8B6t-MXAmIgeEzf4TfiA,,&typo=1>
>>>>
>>>>
>>>>
>>>> Our *Q-Stack Advantage* protects your systems and the information on
>>>> your systems with a layered and proven approach. Quanexus provides managed
>>>> Information Technology services for IT organizations, businesses,
>>>> non-profits and more. Risk Assessments, Vulnerability Scans, Cabling,
>>>> Telephone Systems, Surveillance and Access Control are all part of our
>>>> value added services. Visit us at www.Quanexus.com
>>>> <https://quanexus.com> to learn more.
>>>>
>>>> ------------------------------
>>>>
>>>> DARARepeater mailing list
>>>> Home: http://mailman.qth.net/mailman/listinfo/dararepeater
>>>> Help: http://mailman.qth.net/mmfaq.htm
>>>> Post: mailto:DARARepeater at mailman.qth.net
>>>>
>>>> This list hosted by: http://www.qsl.net
>>>> Please help support this email list: http://www.qsl.net/donate.html
>>>>
>>>> ______________________________________________________________
>>> DARARepeater mailing list
>>> Home: http://mailman.qth.net/mailman/listinfo/dararepeater
>>> Help: http://mailman.qth.net/mmfaq.htm
>>> Post: mailto: DARARepeater at mailman.qth.net
>>>
>>> This list hosted by: http://www.qsl.net
>>> Please help support this email list: http://www.qsl.net/donate.html
>>
>>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.qth.net/pipermail/dararepeater/attachments/20201013/6f6928bf/attachment-0001.html>
More information about the DARARepeater
mailing list