List: packetfence-users
Subject: Re: [PacketFence-users] NAC bypass
From: Louis Scaringella via PacketFence-users <packetfence-users@lists.sourceforge.net>
Date: 2019-05-23 20:20:52
Message-ID: 95197F23-7321-41F2-B5A5-F93FF99152AD@yellowdognetworks.com
Thanks! I always like to get different perspectives on how people do things. That is the same with many of my customer environments.
> On May 23, 2019, at 3:16 PM, Sallee, Jake via PacketFence-users <packetfence-users@lists.sourceforge.net> wrote:
> > Out of curiosity, how are you preventing IPv6 addresses from flowing? Is this at the router/L3 switch or firewall level?
>
> That's a good question!
>
> The answer is both firewall and L3.
>
> I have lots of internal VLANs ... like ... a lot. So, so many ... I may have a psychological problem.
> None of my VLAN interfaces have IPv6 addresses, and the switches and routers will not forward v6 packets (I'm not running an IPv6-capable routing protocol). All modern OSes will tunnel your IPv6 over IPv4 (Windows does this by default, IIRC), but that is a 6to4 gateway and brings the conversation full circle.
> I also run a cluster of internal segmentation firewalls which do not permit IPv6 to pass through them.
> So IPv6 is dropped either at the router or the FW if it is seen by them, and if the OS tunnels IPv6 through a v4 connection, that is no different than regular traffic.
> Bada-bing bada-boom! No IPv6 for you!
>
> Jake Sallee
> Godfather of Bandwidth
> System Engineer
> University of Mary Hardin-Baylor
> WWW.UMHB.EDU
>
> 900 College St.
> Belton, Texas
> 76513
>
> Fone: 254-295-4658
> Phax: 254-295-4221
>
> ________________________________________
> From: Louis Scaringella <lscaringella@YellowDogNetworks.com>
> Sent: Thursday, May 23, 2019 2:07 PM
> To: packetfence-users@lists.sourceforge.net
> Cc: Sallee, Jake
> Subject: Re: [PacketFence-users] NAC bypass
>
>
> Out of curiosity, how are you preventing IPv6 addresses from flowing? Is this at the router/L3 switch or firewall level?
> What about non-routable link-local addresses?
>
> > On May 23, 2019, at 1:21 PM, Sallee, Jake via PacketFence-users <packetfence-users@lists.sourceforge.net> wrote:
> > Max:
> >
> > This strikes me as an uninformed opinion.
> >
> > While a lot of tools don't speak IPv6, very little of the world runs IPv6 ... even though it's over a decade old. Most IPv6 providers run an IPv6to4 gateway, and technically all IPv6 traffic will run through a 6to4 gateway somewhere, or else they would not have access to traditional IPv4 networks ... AKA the bulk of the internet.
> > Once your traffic has gone through the gateway it is essentially classic IPv4 and thus is readable by all those tools you were trying to avoid.
> > In my network IPv6 flat doesn't work. If you have your computer configured with an IPv6 address, your traffic will not flow ... at all. So ... problem solved : )
> > Also, plenty of "defensive" tools support IPv6. My NSM distro of choice is SecurityOnion and it fully supports IPv6.
> > As a final note, I would hold anyone under strict suspicion who says they can move around a network undetected. You may go unnoticed for a number of reasons, but it is *literally* impossible to be undetectable on a network. And, if the network team wants to find you badly enough, they will. Trust me.
> > Jake Sallee
> > Godfather of Bandwidth
> > System Engineer
> > University of Mary Hardin-Baylor
> > http://WWW.UMHB.EDU
> >
> > 900 College St.
> > Belton, Texas
> > 76513
> >
> > Fone: 254-295-4658
> > Phax: 254-295-4221
> >
> > ________________________________________
> > From: Max McGrath via PacketFence-users <packetfence-users@lists.sourceforge.net>
> > Sent: Thursday, May 23, 2019 12:08 PM
> > To: ML PF
> > Cc: Max McGrath
> > Subject: [PacketFence-users] NAC bypass
> >
> > Hello -
> >
> > I've been looking into NAC Bypass lately and came across the following:
> >
> > Most defensive tools exclusively look at IPv4 addresses. Forcing traffic over IPv6 yields a high chance you will go undetected and be unchallenged.
> > Would this be true in PacketFence, or would it depend on my specific configuration?
> > Max
> > --
> > Max McGrath <http://www.linkedin.com/in/max-mcgrath-a299124b>
> > Infrastructure and Security Manager
> > Carthage College
> > 262-551-6666
> > mmcgrath@carthage.edu
> >
> >
> > _______________________________________________
> > PacketFence-users mailing list
> > PacketFence-users@lists.sourceforge.net
> > https://lists.sourceforge.net/lists/listinfo/packetfence-users
> >
>
> The information transmitted, including any attachments, is intended only for the person or entity to which it is addressed and may contain confidential and/or privileged material. Any review, retransmission, dissemination or other use of, or taking of any action in reliance upon, this information by persons or entities other than the intended recipient is prohibited, and all liability arising therefrom is disclaimed. If you received this in error, please contact the sender and delete the material from any computer.
>
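An added example, written for this archive page and not code from PacketFence or from anyone in the thread, that makes the tunnelling point in the exchange above concrete. It classifies constructed flow records the way an IPv4-only monitor or firewall would see them: 6to4, 6in4 and ISATAP carrier packets are IPv4 protocol 41 and Teredo (the Windows default tunnel) is UDP/3544, so the tunnelled case is still distinguishable from ordinary IPv4 by protocol and port even though a v4-only tool will not parse the inner IPv6 header. It also recovers the IPv4 endpoint embedded in a 6to4 or Teredo address, and separates link-local-only IPv6 (the non-routable case asked about), which never reaches a router or segmentation firewall. The record layout (src, dst, proto, dport), the label names and all sample addresses are assumptions; it goes a little beyond the thread by covering Teredo and ISATAP alongside 6to4.

```python
"""Classify flow records by how IPv6 shows up: native, tunnelled inside IPv4, or link-local.

Added example for this thread; it is not PacketFence code and not code from any poster.
The flow-record layout (src, dst, proto, dport) is an assumption, and every record below
is constructed for the example (documentation prefixes only).
"""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, Optional
import ipaddress

PROTO_UDP = 17
PROTO_IPV6_IN_IPV4 = 41        # IANA protocol 41: 6to4, 6in4 and ISATAP carrier packets
TEREDO_UDP_PORT = 3544         # Teredo server/relay port
SIXTOFOUR_RELAY_ANYCAST = ipaddress.IPv4Address("192.88.99.1")  # RFC 3068 anycast relay


@dataclass(frozen=True)
class Flow:
    """One flow record as an IPv4-only monitor would export it (assumed layout)."""
    src: str
    dst: str
    proto: int                 # IP protocol number: 6 = TCP, 17 = UDP, 41 = IPv6-in-IPv4, 58 = ICMPv6
    dport: Optional[int] = None


def classify(flow: Flow) -> str:
    """Return a label for the flow; any label starting with 'ipv6-' is IPv6 in some form."""
    src = ipaddress.ip_address(flow.src)
    dst = ipaddress.ip_address(flow.dst)

    if src.version == 6 or dst.version == 6:
        # fe80::/10 never crosses a router, so a router ACL or segmentation firewall
        # cannot drop it; only the access switch (RA guard, port ACL) or the NAC sees it.
        if src.is_link_local and dst.is_link_local:
            return "ipv6-link-local"
        return "ipv6-native"

    # From here on the packet is IPv4 on the wire, the case where a v4-only tool
    # would otherwise report "ordinary traffic". Protocol and port still give it away.
    if flow.proto == PROTO_IPV6_IN_IPV4:
        if dst == SIXTOFOUR_RELAY_ANYCAST:
            return "ipv6-tunnel-6to4-relay"
        return "ipv6-tunnel-proto41"
    if flow.proto == PROTO_UDP and flow.dport == TEREDO_UDP_PORT:
        return "ipv6-tunnel-teredo"
    return "ipv4"


def embedded_ipv4(addr: str) -> Optional[str]:
    """For a 6to4 (2002::/16) or Teredo (2001::/32) address, recover the IPv4 endpoint the
    carrier packets will use; None for addresses that embed no IPv4 endpoint."""
    a = ipaddress.IPv6Address(addr)
    if a.sixtofour is not None:            # 2002:WWXX:YYZZ::/48 -> W.X.Y.Z
        return str(a.sixtofour)
    if a.teredo is not None:               # (server, client); the client field is XOR-obfuscated
        _server, client = a.teredo         # and ipaddress undoes that for us
        return str(client)
    return None


def summarize(flows: Iterable[Flow]) -> Dict[str, int]:
    """Count flows per label; a quick 'is there any IPv6 at all, in any form' check."""
    return dict(Counter(classify(f) for f in flows))


# Constructed sample records, nothing captured from a real network.
SAMPLE_FLOWS = [
    Flow("10.20.30.40", "192.88.99.1", PROTO_IPV6_IN_IPV4),            # 6to4 to the anycast relay
    Flow("10.20.30.41", "198.51.100.5", PROTO_UDP, TEREDO_UDP_PORT),   # Teredo to a server
    Flow("10.20.30.43", "198.51.100.9", PROTO_IPV6_IN_IPV4),           # 6in4 or ISATAP to a v4 host
    Flow("fe80::1", "fe80::2", 58),                                    # neighbour discovery, never routed
    Flow("2001:db8::10", "2001:db8::1", 6, 443),                       # native IPv6, dropped at L3 here
    Flow("10.20.30.42", "198.51.100.7", 6, 443),                       # plain IPv4
]

if __name__ == "__main__":
    for label, count in sorted(summarize(SAMPLE_FLOWS).items()):
        print(f"{label:26} {count}")
    print("6to4 2002:c000:204::1 tunnels via", embedded_ipv4("2002:c000:204::1"))
```

Point the classifier at exported flow records (NetFlow/IPFIX or firewall logs reduced to the four fields) and any non-zero count for the "ipv6-tunnel-*" labels means an IPv4-only view is already carrying IPv6; the "ipv6-link-local" count is the part that neither a router ACL nor a segmentation firewall can ever see.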