
List:       packetfence-users
Subject:    Re: [PacketFence-users] NAC bypass
From:       Louis Scaringella via PacketFence-users <packetfence-users () lists ! sourceforge ! net
Date:       2019-05-23 20:20:52
Message-ID: 95197F23-7321-41F2-B5A5-F93FF99152AD () yellowdognetworks ! com

Thanks! I always like to get different perspectives on how people do things. That is the same with many of my customer environments.




> On May 23, 2019, at 3:16 PM, Sallee, Jake via PacketFence-users <packetfence-users@lists.sourceforge.net> wrote:
> > Out of curiosity, how are you preventing IPv6 addresses from flowing? Is this at the router/L3 switch or firewall level?
> 
> That's a good question!
> 
> The answer is both firewall and L3.
> 
> I have lots of internal vlans ... like ... a lot.  So, so many ... I may have a psychological problem.
> All my vlan interfaces do not have IPv6 addresses and the switches and routers will not forward v6 packets (I'm not running an IPv6-capable routing protocol).  All modern OSes will tunnel your IPv6 over IPv4 (windows does this by default IIRC) but that is a 6to4 gateway and brings the conversation full circle.
> I also run a cluster of internal segmentation firewalls which do not permit IPv6 to pass through them.
> So IPv6 is dropped either at the router or FW if it is seen by them, and if the OS tunnels IPv6 through a v4 connection that is no different than regular traffic.
> Bada-bing bada-boom! No IPv6 for you!
> 
> Jake Sallee
> Godfather of Bandwidth
> System Engineer
> University of Mary Hardin-Baylor
> WWW.UMHB.EDU
> 
> 900 College St.
> Belton, Texas
> 76513
> 
> Fone: 254-295-4658
> Phax: 254-295-4221
> 
> ________________________________________
> From: Louis Scaringella <lscaringella@YellowDogNetworks.com>
> Sent: Thursday, May 23, 2019 2:07 PM
> To: packetfence-users@lists.sourceforge.net
> Cc: Sallee, Jake
> Subject: Re: [PacketFence-users] NAC bypass
> 
> EXTERNAL Exercise Caution
> 
> Out of curiosity, how are you preventing IPv6 addresses from flowing? Is this at the router/L3 switch or firewall level?
> What about non-routable link-local addresses?
> 
> 
> 
> > On May 23, 2019, at 1:21 PM, Sallee, Jake via PacketFence-users <packetfence-users@lists.sourceforge.net> wrote:
> > Max:
> > 
> > This strikes me as an uninformed opinion.
> > 
> > While a lot of tools don't speak IPv6, very little of the world runs IPv6 ... even though it's over a decade old. Most IPv6 providers run an IPv6to4 gateway and technically all IPv6 traffic will run through a 6to4 gateway somewhere or else they would not have access to traditional IPv4 networks ... AKA the bulk of the internet.
> > Once your traffic has gone through the gateway it is essentially classic IPv4 and thus is readable by all those tools you were trying to avoid.
> > In my network IPv6 flat doesn't work.  If you have your computer configured with an IPv6 address your traffic will not flow ... at all.  So ... problem solved : )  Also, plenty of "defensive" tools support IPv6.  My NSM distro of choice is SecurityOnion and it fully supports IPv6.
> > As a final note I would hold anyone under strict suspicion who says they can move around a network undetected.  You may go unnoticed for a number of reasons, but it is *literally* impossible to be undetectable on a network.  And, if the network team wants to find you bad enough, they will.  Trust me.
> > Jake Sallee
> > Godfather of Bandwidth
> > System Engineer
> > University of Mary Hardin-Baylor
> > http://WWW.UMHB.EDU
> > 
> > 900 College St.
> > Belton, Texas
> > 76513
> > 
> > Fone: 254-295-4658
> > Phax: 254-295-4221
> > 
> > ________________________________________
> > From: Max McGrath via PacketFence-users <packetfence-users@lists.sourceforge.net>
> > Sent: Thursday, May 23, 2019 12:08 PM
> > To: ML PF
> > Cc: Max McGrath
> > Subject: [PacketFence-users] NAC bypass
> > 
> > EXTERNAL Exercise Caution
> > Hello -
> > 
> > I've been looking into NAC Bypass lately and came across the following:
> > 
> > Most defensive tools exclusively look at IPv4 addresses. Forcing traffic over IPv6 yields a high chance you will go undetected and be unchallenged.
> > Would this be true in PacketFence, or would it depend on my specific configuration?
> > Max
> > --
> > Max McGrath
> > Infrastructure and Security Manager
> > Carthage College
> > 262-551-6666
> > mmcgrath@carthage.edu<mailto:mmcgrath@carthage.edu>
> > 
> > 
> > _______________________________________________
> > PacketFence-users mailing list
> > PacketFence-users@lists.sourceforge.net
> > https://lists.sourceforge.net/lists/listinfo/packetfence-users
> > 
> 
> The information transmitted, including any attachments, is intended only for the person or entity to which it is addressed and may contain confidential and/or privileged material. Any review, retransmission, dissemination or other use of, or taking of any action in reliance upon, this information by persons or entities other than the intended recipient is prohibited, and all liability arising therefrom is disclaimed. If you received this in error, please contact the sender and delete the material from any computer.
> 



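An added example, not part of this thread and not PacketFence code: a small Python checker that applies the policy Jake describes (no IPv6 on the wire) to flow records and reports anything that violates it. It flags native IPv6, the link-local traffic Louis asks about (which never crosses a router, so the L3 and firewall drops do not see it), and the IPv4-tunnelled forms that a v4-only tool would otherwise log as ordinary traffic. It generalises Jake's 6to4 point to the other transition mechanisms: IPv4 protocol 41 (6to4, 6in4, ISATAP) and Teredo on UDP/3544. The flow tuple layout and the sample addresses are constructed for this example; the protocol numbers, the Teredo port and the 192.88.99.0/24 6to4 anycast prefix are standard values.

```python
"""Flag IPv6 traffic, native or tunnelled over IPv4, in flow records.

Added example for this thread; it is not PacketFence code and not from any
poster. The record layout and the sample flows are constructed here.
"""
import ipaddress
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Constructed sample flows: (src, dst, ip_protocol, src_port, dst_port).
SAMPLE_FLOWS = [
    ("10.1.2.3", "10.1.2.1", 6, 51234, 443),             # plain IPv4, allowed
    ("fe80::1c2b:3d4e:5f60:7a8b", "ff02::1", 58, 0, 0),  # link-local ICMPv6 (neighbour discovery)
    ("2001:db8::10", "2001:db8::1", 6, 40000, 80),       # native global IPv6
    ("10.1.2.3", "192.88.99.1", 41, 0, 0),               # 6to4 to the classic anycast relay
    ("10.1.2.3", "203.0.113.5", 41, 0, 0),               # 6in4/ISATAP-style IPv6-in-IPv4
    ("10.1.2.3", "198.51.100.7", 17, 60000, 3544),       # Teredo (IPv6 in UDP/3544)
]

PROTO_UDP = 17
PROTO_IPV6_ENCAP = 41   # IPv4 protocol number carrying IPv6 (6in4, 6to4, ISATAP)
TEREDO_PORT = 3544      # Teredo server/relay UDP port
SIXTO4_ANYCAST = ipaddress.ip_network("192.88.99.0/24")  # historical 6to4 relay anycast prefix


@dataclass(frozen=True)
class Finding:
    src: str
    dst: str
    reason: str


def classify(flow) -> Optional[Finding]:
    """Return a Finding if the flow carries IPv6 in any form, else None."""
    src, dst, proto, sport, dport = flow
    s = ipaddress.ip_address(src)
    d = ipaddress.ip_address(dst)

    # Native IPv6. Routed v6 should already be dropped by the router/firewall
    # policy from the thread, but link-local traffic stays on the segment and
    # is only visible to something watching that segment, so report it apart.
    if s.version == 6 or d.version == 6:
        if s.is_link_local or d.is_link_local:
            return Finding(src, dst, "ipv6-link-local")
        return Finding(src, dst, "ipv6-native")

    # IPv6 tunnelled inside IPv4: this is what v4-only tooling sees once an OS
    # falls back to a transition mechanism, so match on the encapsulation.
    if proto == PROTO_IPV6_ENCAP:
        if s in SIXTO4_ANYCAST or d in SIXTO4_ANYCAST:
            return Finding(src, dst, "ipv6-6to4-anycast")
        return Finding(src, dst, "ipv6-encap-proto41")
    if proto == PROTO_UDP and TEREDO_PORT in (sport, dport):
        return Finding(src, dst, "ipv6-teredo-udp3544")
    return None


def scan(flows) -> list:
    """Classify every flow and keep only the IPv6-related findings."""
    return [f for f in (classify(flow) for flow in flows) if f is not None]


def summarize(flows) -> dict:
    """Count findings by reason, e.g. to drive an alert threshold."""
    return dict(Counter(f.reason for f in scan(flows)))


if __name__ == "__main__":
    for finding in scan(SAMPLE_FLOWS):
        print(f"{finding.reason:22} {finding.src} -> {finding.dst}")
    print(summarize(SAMPLE_FLOWS))
```

Fed with real flow exports (NetFlow/IPFIX or firewall logs mapped to the same tuple), a non-empty result from `scan` on a network that is supposed to carry no IPv6 is the signal worth alerting on; the `ipv6-link-local` count in particular shows hosts still doing neighbour discovery on segments where the router-level block gives no visibility.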

