It’s Security Ignorance, not Featuritis

A blog post by Russ White pointed me to an article describing how IPv6 services tend to be less protected than IPv4 services. No surprise there: people like Eric Vyncke and I were telling anyone who was willing to listen that operating two-protocol networks isn’t the same thing as operating a single-protocol one (see also RFC 1925 rule 4).

I always had great fun explaining the potential security implications, and actually had someone walking out of a presentation with a deeply concerned look on his face once.

However, I disagree with Russ’ conclusions that the problem observed in that article is caused by too many features in the network operating systems. While most networking devices do have a severe case of featuritis, the root cause of the lack of IPv6 security is way simpler: ignorance (invoking Hanlon’s razor) of product managers and programmers working for major networking companies.

Just to give you a simple example: assume you control access to your Cisco IOS routers with VTY ACLs. If you enable IPv6 on those devices, anyone can access them… until you configure ipv6 access-class to protect them on the IPv6 side. Way worse, the last time I checked you still couldn’t restrict IPv6 access to the web server running on Cisco IOS. No comment; let Captain Picard have the last word.
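The VTY gap described above can be checked mechanically against saved configurations. The following is an added example, not code from the original post or from Cisco; it assumes the usual running-config layout (sub-commands indented under their parent line), and the sample configuration, ACL names and addresses are constructed. It does not cover the IOS web server.

```python
import re

# Constructed sample (ACL definitions omitted): IPv6 is enabled on an
# interface, but only the first VTY range has an IPv6 access-class.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.0
 ipv6 address 2001:db8:0:1::1/64
!
line vty 0 4
 access-class 10 in
 ipv6 access-class MGMT6 in
line vty 5 15
 access-class 10 in
"""

def parse_blocks(text):
    """Group indented sub-commands under their unindented parent line."""
    blocks = []
    for line in text.splitlines():
        if not line.strip() or line.strip() == "!":
            continue
        if line[0].isspace() and blocks:
            blocks[-1][1].append(line.strip())
        else:
            blocks.append((line.strip(), []))
    return blocks

def audit_vty(text):
    """Return VTY ranges reachable over IPv6 without an inbound IPv6 ACL."""
    blocks = parse_blocks(text)
    # Assumption: any interface with "ipv6 address" or "ipv6 enable"
    # makes the device reachable over IPv6.
    ipv6_on = any(
        parent.startswith("interface ")
        and any(re.match(r"ipv6 (address|enable)\b", c) for c in kids)
        for parent, kids in blocks
    )
    findings = []
    for parent, kids in blocks:
        if not parent.startswith("line vty ") or not ipv6_on:
            continue
        v4 = any(re.match(r"access-class \S+ in\b", c) for c in kids)
        v6 = any(re.match(r"ipv6 access-class \S+ in\b", c) for c in kids)
        if not v6:
            findings.append((parent, "IPv4 ACL only" if v4 else "no ACL at all"))
    return findings

if __name__ == "__main__":
    for vty, gap in audit_vty(SAMPLE_CONFIG):
        print(f"{vty}: {gap}, IPv6 management access is unrestricted")
```

Note that every VTY range has to be checked separately: in the sample, lines 0 4 are protected while lines 5 15 are not.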

Linux is no better. There’s iptables and ip6tables. If your servers magically acquire IPv6 addresses you might be toast. One of the few systems that works correctly and tries to offer the same default security on IPv4 and IPv6 is Windows.

Microsoft having the most secure operating system? Are we in an alternate reality?

Would it be so hard to make things secure? Not really, in many cases it would be good enough to change the defaults from “permit access from anywhere” to “deny access unless told otherwise” or “permit access from inside network” (which wouldn’t solve the problem but would still be much better than what we have today). Is anyone reminded of Windows home/work/public networks?

Finally, how can we blame application developers for their total security ignorance, if even the programming teams working for networking vendors can’t get it right?

2 comments:

  1. I would argue that "too many features" is a good reason for "good old fashioned ignorance" -- if there are so many features that you can't even hope to know about them, and more are added every month/week/day, it's going to be difficult to see how anyone can be anything except ignorant about all of them.... :-)

    Russ
    Replies
    1. And of course I cannot help but agree with you, but my point was that people working on feature X obviously don't ask the questions "what's the attack surface of feature X?" and "how do we protect feature X?" (i.e. security is not an integral part of feature development).