[GTALUG] Linux hardening question

Ansar Mohammed ansarm at gmail.com
Thu Jun 29 18:46:10 EDT 2017


Actually James, incompetence would be opening up a high security system to
additional attack vectors without a good business or technical reason
(which you really haven't provided).



On Thu, Jun 29, 2017 at 6:33 PM James Knott via talk <talk at gtalug.org>
wrote:

> I have worked with telecommunications and networks for many years (I
> first worked on a computer network in 1978, before there was such a
> thing as Ethernet or IPv4) and often see IPv6 in my work.  I cannot say
> I'm not going to work with it or the customer shouldn't use it.  I have
> to be prepared to deal with the situation and these days that includes
> being competent with IPv6.  Also, I wasn't referring to home users when
> I was talking about hardening.  Much of my work has been in high
> security data centres, where there are public web sites, among others,
> running in a protected environment.  In today's world, working with IPv6
> is part of the job and disabling it, when it is the future, is just
> plain incompetence.  If you can't protect against attacks via IPv6 as you
> would via IPv4, you really should be looking for another job.  IPv6 is here
> now, learn to deal with it, instead of hiding from it.  It's not going
> away.
>
>
> On 06/29/2017 06:18 PM, Ansar Mohammed wrote:
> > Again, please follow the thread, this is not about competency or
> > capability on IPv6.
> >
> > This is a simple question on hardening a Linux system. My entire
> > network runs IPv6 also. But my home systems do not need to be hardened.
> >
> > There have been many IPv6 only bugs and exploits including last year's
> > IPv6 ping of death on Cisco.
> >
> > https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160525-ipv6
> >
> > The stack simply isn't as battle tested as IPv4.
> >
> > Oh, and that growing portion of the internet that's IPv6 only is
> > primarily China.
> >
> > What's your business reason for the additional risk of IPv6?
> >
> > Does your application support IPv6?
> >
> > Has your application been tested with IPv6?
> >
> > Do you have users that are IPv6 only?
> >
> > If you don't need it on a hardened system, you are just adding another
> > attack vector for no good reason.
> >
> >
> >
> > On Thu, Jun 29, 2017 at 5:36 PM James Knott via talk <talk at gtalug.org
> > <mailto:talk at gtalug.org>> wrote:
> >
> >     On 06/29/2017 05:14 PM, Ansar Mohammed wrote:
> >     > It's not a matter of being afraid of anything. Security 101
> >     > tells you to reduce your attack surface area.
> >     > I would not increase my attack surface area just for the sake
> >     > of being an early adopter of IPv6.
> >     >
> >     > To be clear, the conversation is about hardening. This is the right
> >     > thing to do.
> >     >
> >
> >     Then you'll be hardening yourself out of a growing portion of the
> >     Internet.  I use a browser addon called "ShowIP" which displays
> >     the web site IP address.  I can see a significant part of the sites
> >     I go to are now IPv6.  Also, if you don't know how to set up a
> >     firewall on IPv6, you really can't consider yourself capable of
> >     hardening anything.  For example, consider setting up a firewall.
> >     On Cisco gear, unless you filter on address, your IPv4 and IPv6
> >     rules are identical.  On other firewalls, such as pfSense, you can
> >     do both IPv4 & IPv6 with one rule.  You can also have separate
> >     rules if needed, your choice.  Also, if you're not competent with
> >     IPv6, you'll never get some certifications such as CCNA etc.  They
> >     require you to know IPv6.
> >
> >     BTW, here's the IPv6 address for gtalug.org <http://gtalug.org>:
> >     2600:3c03::f03c:91ff:fe50:ea0a
> >     ---
> >     Talk Mailing List
> >     talk at gtalug.org <mailto:talk at gtalug.org>
> >     https://gtalug.org/mailman/listinfo/talk
> >
>
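The check the firewall argument in this thread implies, written as an added example that is not from either poster: for one Linux host it reads the IPv6 sysctl, the IPv6 listening sockets and the INPUT chains of both stacks, and reports whether IPv6 is off, filtered like IPv4, or the unfiltered extra path the thread argues over. The classification labels and argument layout are this example's own, and the sample command outputs are constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Answers the question argued above from
# evidence on one Linux host: is the IPv6 stack off, and if not, is it behind
# the same default-deny INPUT chain as IPv4, or is it the extra unfiltered
# path one side warns about? Labels and argument layout are this example's own.
# Arguments are command outputs, so the logic can be run offline on sample text:
#   $1  sysctl -n net.ipv6.conf.all.disable_ipv6   (0 or 1)
#   $2  ss -6 -Hltn                                 (listening TCP sockets on v6)
#   $3  ip6tables -S INPUT                          (v6 INPUT chain)
#   $4  iptables -S INPUT                           (v4 INPUT chain, for comparison)

# Print DROP when an INPUT chain denies by default, either through its policy
# or through an unconditional "-A INPUT -j DROP" (or REJECT) rule.
default_deny() {
  printf '%s\n' "$1" | awk '
    $1=="-P" && $2=="INPUT" {p=$3}
    $1=="-A" && $2=="INPUT" && NF==4 && $3=="-j" && ($4=="DROP"||$4=="REJECT") {p="DROP"}
    END {print p}'
}

ipv6_exposure() {
  disabled=$1 v6_listeners=$2 v6_rules=$3 v4_rules=$4
  if [ "$disabled" = "1" ]; then echo "ipv6-disabled"; return 0; fi
  v6_policy=$(default_deny "$v6_rules")
  v4_policy=$(default_deny "$v4_rules")
  # count v6 listeners not bound to loopback; field 4 of ss -H output is the local address
  exposed=$(printf '%s\n' "$v6_listeners" | awk '$4!="" && index($4,"[::1]")!=1 {n++} END {print n+0}')
  if   [ "$v6_policy" = "DROP" ]; then echo "ipv6-filtered"        # v6 default-deny, hardened like v4
  elif [ "$v4_policy" = "DROP" ]; then echo "ipv6-policy-mismatch" # v4 default-deny, v6 not: the bad case
  elif [ "$exposed" -gt 0 ];      then echo "ipv6-open-listeners"  # nothing filtered, services reachable
  else                                 echo "ipv6-unfiltered"      # nothing filtered, nothing listening
  fi
}

# Constructed sample outputs (not captured from any real host) for an offline run.
SAMPLE_SS='LISTEN 0 128 [::]:22 [::]:* users:(("sshd",pid=812,fd=4))
LISTEN 0 4096 [::1]:631 [::]:*'
SAMPLE_V6_RULES='-P INPUT ACCEPT
-A INPUT -i lo -j ACCEPT'
SAMPLE_V4_RULES='-P INPUT DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT'

if [ "${1:-}" = "--live" ]; then   # audit the real host (ip6tables/iptables need root)
  ipv6_exposure "$(sysctl -n net.ipv6.conf.all.disable_ipv6)" "$(ss -6 -Hltn)" \
                "$(ip6tables -S INPUT)" "$(iptables -S INPUT)"
else
  ipv6_exposure 0 "$SAMPLE_SS" "$SAMPLE_V6_RULES" "$SAMPLE_V4_RULES"   # ipv6-policy-mismatch
fi
```

Run with `--live` on a host where the IPv4 chain is default-deny and the IPv6 chain is not, and it prints `ipv6-policy-mismatch`: the "extra attack vector for no reason" case is then a measured finding rather than a debating point.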