[GTALUG] Linux hardening question

James Knott james.knott at rogers.com
Thu Jun 29 18:32:58 EDT 2017


I have worked with telecommunications and networks for many years (I
first worked on a computer network in 1978, before there was such a
thing as Ethernet or IPv4) and often see IPv6 in my work.  I cannot say
I'm not going to work with it or the customer shouldn't use it.  I have
to be prepared to deal with the situation and these days that includes
being competent with IPv6.  Also, I wasn't referring to home users when
I was talking about hardening.  Much of my work has been in high
security data centres, where there are public web sites, among others,
running in a protected environment.  In today's world, working with IPv6
is part of the job and disabling it, when it is the future, is just
plain incompetence.  If you can't protect attacks via IPv6 as you would
via IPv4, you really should be looking for another job.  IPv6 is here
now, learn to deal with it, instead of hiding from it.  It's not going away.


On 06/29/2017 06:18 PM, Ansar Mohammed wrote:
> Again, please follow the thread, this is not about competency or
> capability on IPv6. 
>
> This is a simple question on hardening a Linux system. My entire
> network runs IPv6 also. But my home systems do not need to be hardened. 
>
> There have been many IPv6 only bugs and exploits including last years
> IPv6 ping of death on Cisco. 
> https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160525-ipv6
>
> The stack simply isn't as battle tested as IPv4. 
>
> Oh, and that growing portion of the internet that's IPv6 only is
> primarily China. 
>
> What's your business reason for the additional risk of IPv6?
>
> Does your application support IPv6? 
>
> Has your application been tested with IPv6?
>
> Do you have users that are IPv6 only?
>
> If you don't need it on a hardened system, you are just adding another
> attack vector for no good reason. 
>
>
>
> On Thu, Jun 29, 2017 at 5:36 PM James Knott via talk <talk at gtalug.org
> <mailto:talk at gtalug.org>> wrote:
>
>     On 06/29/2017 05:14 PM, Ansar Mohammed wrote:
>     > It's not a matter of being afraid of anything. Security 101 tells you
>     > to reduce your attack surface area.
>     > I would not increase my attack surface area just for the sake of being
>     > an early adopter of IPv6.
>     >
>     > To be clear the conversation is about hardening. This is the right
>     > thing to do.
>     >
>
>     Then you'll be hardening yourself out of a growing portion of the
>     Internet.  I use a browser addon called "ShowIP" which displays the web
>     site IP address.  I can see a significant part of the sites I go to are
>     now IPv6.  Also, if you don't know how to set up a firewall on IPv6, you
>     really can't consider yourself capable of hardening anything.  For
>     example, consider setting up a firewall.  On Cisco gear, unless you
>     filter on address, your IPv4 and IPv6 rules are identical.  On other
>     firewalls, such as pfSense, you can do both IPv4 & IPv6 with one rule.
>     You can also have separate rules if needed, your choice.  Also, if
>     you're not competent with IPv6, you'll never get some certifications
>     such as CCNA etc.  They require you to know IPv6.
>
>     BTW, here's the IPv6 address for gtalug.org <http://gtalug.org>:
>     2600:3c03::f03c:91ff:fe50:ea0a
>     ---
>     Talk Mailing List
>     talk at gtalug.org <mailto:talk at gtalug.org>
>     https://gtalug.org/mailman/listinfo/talk
>
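The "one rule for both families" point in the quoted message, as an added example that is not from the thread: an nftables ruleset for a Linux host that keeps IPv6 enabled and filters it alongside IPv4 using the inet family, including the ICMPv6 types IPv6 needs in order to function at all. The public service (tcp/443), the management prefixes and the chain layout are assumptions for illustration.

```nftables
#!/usr/sbin/nft -f
# Added example, not from the thread. One policy for IPv4 and IPv6 on a Linux
# host: the "inet" family matches both, so most rules are written once.
# Prefixes are placeholders (RFC 5737 / RFC 3849 documentation ranges).

flush ruleset

table inet filter {
    set mgmt_v4 { type ipv4_addr; flags interval; elements = { 192.0.2.0/24 } }
    set mgmt_v6 { type ipv6_addr; flags interval; elements = { 2001:db8:1::/48 } }

    chain input {
        type filter hook input priority 0; policy drop;

        iif lo accept
        ct state established,related accept
        ct state invalid drop

        # Written once, applies to both address families.
        tcp dport 443 accept

        # Family-specific only where the address itself is the match
        # (the "unless you filter on address" case).
        ip  saddr @mgmt_v4 tcp dport 22 accept
        ip6 saddr @mgmt_v6 tcp dport 22 accept

        # IPv6 is not IPv4 with longer addresses: Neighbor Discovery rides on
        # ICMPv6. Dropping it leaves the host unable to reach its gateway.
        # Valid ND packets always arrive with hop limit 255.
        icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert,
                      nd-router-advert, nd-router-solicit } ip6 hoplimit 255 accept

        # Path MTU discovery and error signalling, both families.
        icmpv6 type { destination-unreachable, packet-too-big, time-exceeded,
                      parameter-problem, echo-request } accept
        icmp type { destination-unreachable, time-exceeded, echo-request } accept
    }

    chain forward { type filter hook forward priority 0; policy drop; }
    chain output  { type filter hook output  priority 0; policy accept; }
}
```

Load with `nft -f` and list the result with `nft list ruleset`; a rule-by-rule comparison against the equivalent IPv4-only set shows that only the address matches and the ICMPv6 allowances differ.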


