Security problem with subnets

v7
firewall

(Tomasz Czauderna) #1

NethServer Version: 7
Module: Firewall

Hi, I found a problem with the visibility of subnetworks on the red interface.
But first, a small scheme in the attachment.

On the NethServer I have a static public IP. I don’t know what other MIP customers have, or what the MIP has implemented.
But the situation looks like this: if I scan all subnetworks in my subnet, I see other subnetworks with hosts (netscan) at my MIP, not only those behind NethServer on the green interface.
I have configured only 192.168.1.0/24 and VLAN 192.168.11.0/24 on one interface, but I see hosts with 192.168.5… etc., which look like private addresses from another subnetwork of another company!

And:

  1. I should report this to my MIP. In my opinion this is unacceptable for an Internet provider.
  2. Should NethServer accept the private address pool on the RED interface? I think it should block all traffic from the private address pool. Exception: VPN.

Please give directions and possibly the way to proceed
Best Regards


(James Nesbitt) #2

That is a serious problem and whoever configured the router at the MIP should at least have his write access to the router config removed and sent back for training.

I would say gather all of the evidence from your logs and present it to the most senior person at the MIP you are able to contact, give them a timescale to fix it, and if they don’t, go public with it.

In short, they should not be allowing those private routes belonging to other customers to be advertised like that, it breaks the RFCs as well as breaks numerous data protection laws.


(Eddie Atherton) #3

Could the ISP be acting like a cable system where multiple people are effectively connecting to the same “wire”, and the other subnets you are seeing are servers not running any kind of firewall/router which would stop the non-routable address ranges from leaking out?

Cheers.


(Rob Bosch) #4

This could very well be the case. I remember in the ‘old days’, when broadband internet first came to light, I had a cable connection for internet. Back then the ISP segmented the network in several rings. But if someone had, for instance, Windows file sharing on (Windows 98SE), you could easily access those shares, or use shared printers from others.
I agree with @bwdjames, that whoever configured the network at your ISP, should be sent back to school.


(Tomasz Czauderna) #5

Thank you all for the answers so far. They have convinced me that the problem is well interpreted.
Thanks @bwdjames for 3 paragraphs, this is more important for me.

Can you tell me which facts should be included in the report to make a good document?
This is important in my case because in this network there are significant companies for our district and not only.
And the question is how to secure your questions?


(Michael Kicks) #6

As far as I can see, there could be at least a couple of reasons for this kind of behaviour. Both are not related to NethServer, which is quite… picky about giving access to red-zone-connected devices (unless you tell it or set it up to allow the connection).

And about misdeeds of ISPs, I would like to tell tales about one of the first FTTH ISPs in Italy, which connected all devices of the customers into one single RFC 1918 class, wide as the whole city, with a maximum of 3 devices connected to every router.
If someone’s asking “what about NAT?”, my answer is “I also would like to know…”

Or one of the most… “nice” (not the funny meaning) behaviours of one of the biggest consumer ISPs in Italy, which is using Class-B addresses for routing the packets outside the consumer’s routers…
A little traceroute from my laptop. My network is row 1; from row 2 on it’s outside the WAN interface of my router (which declares to have a public IP address).

traceroute 8.8.8.8
traceroute to 8.8.8.8 (8.8.8.8), 30 hops max, 60 byte packets
 1  172.31.110.1 (172.31.110.1)  1.858 ms  2.079 ms  3.686 ms
 2  * * *
 3  172.17.89.189 (172.17.89.189)  31.188 ms 172.17.88.214 (172.17.88.214)  32.096 ms 172.17.89.57 (172.17.89.57)  33.641 ms
 4  172.17.88.169 (172.17.88.169)  35.075 ms 172.17.88.153 (172.17.88.153)  38.829 ms 172.17.88.181 (172.17.88.181)  40.048 ms
 5  172.19.241.101 (172.19.241.101)  45.845 ms  45.567 ms 172.19.241.113 (172.19.241.113)  45.003 ms
 6  * * *
 7  72.14.195.206 (72.14.195.206)  34.923 ms 74.125.51.12 (74.125.51.12)  35.314 ms 74.125.48.192 (74.125.48.192)  34.154 ms
 8  108.170.245.65 (108.170.245.65)  36.844 ms  39.533 ms 108.170.245.81 (108.170.245.81)  41.188 ms
 9  108.170.234.247 (108.170.234.247)  43.466 ms 108.170.234.101 (108.170.234.101)  43.535 ms 209.85.248.163 (209.85.248.163)  43.576 ms
10  google-public-dns-a.google.com (8.8.8.8)  45.925 ms  30.597 ms  30.842 ms

(Stefano Zamboni) #8

There are many major ISPs in Italy that behave like it, but I’m quite sure this is not an Italy-only issue :wink:


(James Nesbitt) #9

I would say the report should start off by stating what you have found and quote the RFCs which they have broken.
Then include the evidence to support what you have stated, eg. any screenshots from the reports in the NS console which shows what you are stating; if you have had to run some cli commands, give screenshots of those and also give them the exact commands you ran so they can replicate it as well.

Best to give all of the information up front; that way, if they try to argue that you are wrong, you can refer to the information you gave them without having to find the information after the fact. Also gives them a good way to verify your claims.


(Stefano Zamboni) #10

My 2c: major Italian ISPs know perfectly what’s wrong but they simply don’t care.

Trying to report them is just a waste of time and energy.


(Mark Edworthy) #11

After considering this thread, if the ISP is deliberately ignoring the issues, then it may be necessary to initiate a legal prosecution against the ISP for data protection breaches.


(Stefano Zamboni) #12

Interesting POV but inapplicable


(James Nesbitt) #13

I would say legal prosecution would be a very last resort, as in certain circles it may be seen as a gray area and the ISP may try to give a strong defense and try to draw it out and make it as expensive as possible for you in the hope that you may give up the legal fight (which means they would win). Bear in mind that if this is being done by a number of other ISPs in the country, it would not surprise me if they may quietly give a financial contribution to the defending ISP’s legal costs in the hope that they win, due to the far-reaching consequences if they lose.
If it ever comes to investigating this option, I would first do the following 2 things:

  1. Get a highly reputable IT security/auditing company to investigate and review the situation and let them make a full and highly detailed report that can withstand scrutiny, especially in court.
  2. Once you have the report, speak to a reputable person in the legal profession (like a lawyer) who specializes in data protection issues and who also has experience with IT and take their advice on how best to proceed.

(Mark Edworthy) #14

@bwdjames,
I agree with your points. Better still, considering that we live in a culture that prides itself on free market ideologies, it would be easier to do some research and sign up with a more suitable ISP that does not indulge in such practices.


(James Nesbitt) #15

@medworthy Yes, that is a very good option to investigate and I would agree that for many, that would be a more preferable option.


(Rob Bosch) #16

This is getting off-topic, but IMO infrastructure should never be left to free market parties. Be it energy (electricity, gas etc.), roads, railways or public IT infrastructure, it should be left to the government to deal with it. Commercial parties can use the infrastructure to deploy services like ISP, content or any other imaginable service.
As soon as infrastructures are left to commercial parties, you can count on having degraded performance because it takes too much of the profit to maintain and expand the infrastructure.

Examples of this are the deplorable state of UK railways. In the Netherlands rollout of fibre has come to a standstill because one of the major telecom companies has bought the company that was rolling out fibre. Now the telecom company decided the copper infra they already have is still enough and rolling out fibre is too expensive. Instead of connecting 95% of all connections with fibre in 5 years, it will take more than 25 now to do this.


(Mark Edworthy) #17

@robb,
Interesting point, I think the issue about state-owned infrastructure versus the (regulated) free market leads into a larger question about socialist ownership of these utilities (which, considering the issues surrounding the questions that are being asked by society at large, is a divisive topic at the present moment).

Whilst I don’t think that this forum is suitable to fully explore and discuss this topic, in general I would agree with your points.

I would suggest that another social media platform, such as minds.com (which I am a member of), would be a more suitable place to discuss such a topic.


(Tomasz Czauderna) #18

Coming back to the topic, I see it stays popular.
I did some small research with clients of my operator.
In the main, all end points are behind customer, mainly switches.
The guys from the MSP say “all is fine” and all is compatible with security policy and RFCs.
But I have doubts:

  • I can identify clients and call them (RFC? category 1 / category 2 looks broken)
  • The main operator’s customer switches are all accessible from the subnetwork, no VLAN etc. (security policy and protection laws)
  • The above switches make subnetworks for customers
  • And if I do not want to see other hosts, I must block subnets on the RED interface.

But the procedure in Poland is very hard.
In a case with the police, they can’t do anything, as they do not have an act. And they do not respect RFCs because these are not included in criminal law.
Only a small group of lawyers understands what is wrong.


(James Nesbitt) #19

Well it is a good policy to block traffic coming from private IP ranges on the RED internet facing interface in principle and practice from a security perspective in the first instance.

It sounds like they have really implemented the infrastructure badly in order to save on costs.

Sounds like the following may be in order:

  1. Block any unwanted traffic on the RED interface from the other MSP customers and make sure that your own network does not leak any private information.
  2. Do some research to see if there are any other MSPs in the country who at least comply with the RFCs and data protection laws.
  3. Forget the police, as essentially this is a case for the civil courts and not the criminal courts, at least at this stage.
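
Added example, not part of any post above and not NethServer's own code: one way to turn firewall logs into the evidence suggested in post #9 and the block list from step 1 of post #19, by counting packets that arrive on RED with an RFC 1918 source address. The interface name `eth1`, the VPN range `10.8.0.0/24` and the log lines are constructed assumptions; the log format is the usual netfilter `LOG` layout.

```python
import ipaddress
import re
from collections import Counter

# RFC 1918 private ranges: none should appear as a source on an Internet-facing interface.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Assumptions (not from the thread): RED is eth1; a VPN whose traffic shows up on RED uses 10.8.0.0/24.
RED_IFACE = "eth1"
ALLOWED = [ipaddress.ip_network("10.8.0.0/24")]

# Constructed sample log lines (eth0 stands for the green interface here).
SAMPLE_LOG = """\
kernel: IN=eth1 OUT= SRC=192.168.5.23 DST=192.168.1.10 PROTO=UDP SPT=137 DPT=137
kernel: IN=eth1 OUT= SRC=192.168.5.23 DST=192.168.1.255 PROTO=UDP SPT=138 DPT=138
kernel: IN=eth1 OUT= SRC=172.17.88.169 DST=192.168.1.10 PROTO=ICMP
kernel: IN=eth1 OUT= SRC=10.8.0.6 DST=192.168.1.10 PROTO=TCP SPT=50100 DPT=22
kernel: IN=eth1 OUT= SRC=8.8.8.8 DST=203.0.113.7 PROTO=UDP SPT=53 DPT=40000
kernel: IN=eth0 OUT= SRC=192.168.1.50 DST=192.168.1.1 PROTO=TCP SPT=40000 DPT=443
"""

LINE_RE = re.compile(r"\bIN=(\S*) .*?\bSRC=(\S+)")


def private_sources_on_red(log_text, iface=RED_IFACE, allowed=ALLOWED):
    """Count packets per private source /24 that arrived on the RED interface."""
    hits = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or m.group(1) != iface:
            continue  # not a firewall log line, or not received on RED
        try:
            src = ipaddress.ip_address(m.group(2))
        except ValueError:
            continue  # malformed address field
        if src.version != 4 or any(src in net for net in allowed):
            continue  # IPv6 is out of scope here; the VPN range is the stated exception
        if any(src in net for net in RFC1918):
            hits[ipaddress.ip_network(f"{src}/24", strict=False)] += 1
    return hits


if __name__ == "__main__":
    for net, count in private_sources_on_red(SAMPLE_LOG).most_common():
        print(f"{net}: {count} packet(s) with a private source seen on {RED_IFACE}")
```

The resulting networks are both the list to attach to a report and the candidates for a drop rule on RED.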