Forum Discussion
bert64 wrote: Although saying that, hiding a device behind a filter is a very poor kludge... What happens if someone gets behind your filtering device and finds a bunch of easy targets? What happens if you take your misconfigured iPhone out with you and connect it to a public wifi network?
There really is no excuse for not configuring your devices properly, especially if you took the trouble to jailbreak your iPhone *and* install SSH on it!
My SolarInverter doesn't allow me to change the password!!... It has both Telnet and HTTP menus, and, sadly, you can change critical data through those menus.
If you manage to get a secure connection inside someone's LAN then they are done for. I am sure that you don't have your computer set to block all LAN traffic? I am sure with a bit of work you could flash custom firmware on the SuperHubs too. So if someone breaks into your LAN then they could flash the SH with firmware and chances are that all traffic coming from there does have permission to talk to your PC...
As we said earlier though, the "firewall" features of home routers are what give the huge protection, we will still need a device like that when we move to IPv6 (I will not trust VM's hardware to do it).
All NetGear routers (with original firmware) can easily be tampered with from the LAN side. I know the SH firmware will not deviate much but until I find a cheap SH to tamper with I'll not try anything.... A lot of other equipment can (from LAN) be exposed with little or no way to protect them without physically disconnecting the unit. Devices on my network that have limited settings are a Roku box, Solar Inverter, two TVs, one Freeview box. I could even include my two Netgear routers in there. The key is in the gateway (router) and it will be even after the move to IPv6.
I think a /120 or /116 block would be more than enough to hand out to users.
VMCopperUser wrote: My SolarInverter doesn't allow me to change the password!!... It has both Telnet and HTTP menus, and, sadly, you can change critical data through those menus.
If you manage to get a secure connection inside someone's LAN then they are done for. I am sure that you don't have your computer set to block all LAN traffic? I am sure with a bit of work you could flash custom firmware on the SuperHubs too. So if someone breaks into your LAN then they could flash the SH with firmware and chances are that all traffic coming from there does have permission to talk to your PC...
As we said earlier though, the "firewall" features of home routers are what give the huge protection, we will still need a device like that when we move to IPv6 (I will not trust VM's hardware to do it).
All NetGear routers (with original firmware) can easily be tampered with from the LAN side. I know the SH firmware will not deviate much but until I find a cheap SH to tamper with I'll not try anything.... A lot of other equipment can (from LAN) be exposed with little or no way to protect them without physically disconnecting the unit. Devices on my network that have limited settings are a Roku box, Solar Inverter, two TVs, one Freeview box. I could even include my two Netgear routers in there. The key is in the gateway (router) and it will be even after the move to IPv6.
I think a /120 or /116 block would be more than enough to hand out to users.
An IPv6 block smaller than /64 would break stateless autoconfig. I agree a /64 block is wasteful, but this is just how IPv6 has been designed, and with 2^128 addresses there really is no realistic chance of them running out. It also means that even if you do leave systems on unfiltered routable addresses, the likelihood of someone finding them within 2^64 possible addresses is fairly slim.
As for blocking LAN traffic, I don't block any traffic to my main workstation at all. No software firewall, and I also use a VPN connection to a colocated server to give myself fully routable IPv4 and IPv6 connectivity.
I don't block any traffic, because aside from SSH there are no other services open to answer any such traffic. If you were to attack this service, you would either need to find a vulnerability in the particular version of SSH that's in use, or brute force my private key.
The SuperHub is designed to be updated from the ISP end. I don't believe it is designed to be updated from the customer end, although vulnerabilities could exist. That said, vulnerabilities could also exist on such devices which are accessible from the outside, thus giving an attacker access to your internal network.
There are various ways attackers could get into your internal network...
Misconfigured wifi? (Google for aircrack-ng or reaver-wps)
Reflection attacks against outbound applications such as browsers... Within an HTML page on a website it is possible to instruct a browser to fetch other resources. If you know the default internal IP of certain types of router combined with the default password, it may be possible to bounce requests off a user's browser, simply by that user visiting a site over which you have some level of control. The same could probably be done with your solar inverter too; although it would be necessary to guess the internal IP, you can narrow down the possibilities by process of elimination (e.g. the default DHCP scope, default internal ranges) and some browsers can even leak their internal IP address under certain circumstances.
Guest users may introduce trojans to your network...
You may take a device elsewhere, e.g. a public wifi network where it can be easily attacked, backdoored, and then take it home again.
The "protection" offered by filtering is not really protection at all, it is just hiding... If you are ever found, then it's game over. Like you said, if you get a connection to someone's LAN then they are done for.
However, if you configure your devices properly then a hostile connection to the LAN would not be game over at all.
If you have devices which cannot be configured in a secure way, then you need to chase the vendor of that device for an update, or switch to a more responsible competitor.
I also have various devices here, which have non-routable IPv4s not out of choice but because I don't have enough addresses to go round. Some of them have fully routable V6 with no filtering.
An HP printer - both the admin interface (https) and the actual print service require authentication.
An HP networked scanner - the https admin interface requires authentication, otherwise this device only makes outbound connections and has no other services listening.
Two wireless access points operating in bridging mode - they only offer https/ssh services for administration, again authenticated.
One TV - this is purely a media consumption device, it does not offer any services which accept inbound connections.
Two freesat receivers - these have an authenticated web interface from which you can schedule recording of shows, otherwise they too are consumption devices.
A NAS - this offers authenticated file shares which are accessed by the tv and freesat receivers, and an authenticated https page for management
A VOIP telephone adapter - this offers an authenticated SIP service, through which phonecalls can be made.
Two VOIP telephones - these connect to the telephone adapter, it also connects back when inbound calls are received.
I'm sure there's some other stuff I've forgotten, but I would be perfectly happy to put all this stuff on the internet safe in the knowledge that you're very unlikely to guess my authentication details, and even if you compromised the devices via an exploit, access to one device would not give you any elevated access to any other.
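The /64 point raised in the thread (stateless autoconfig needs a 64-bit interface identifier, and a /64 holds 2^64 addresses against 256 in a /120 or 4096 in a /116), worked through as an added example that is not part of any post above. The prefix is from the 2001:db8::/32 documentation range and the MAC address and probe rates are constructed sample values.

```python
import ipaddress

def slaac_eui64(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Form a stateless-autoconfig address from a prefix and a MAC,
    using the modified EUI-64 interface identifier (RFC 4291, Appendix A)."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        # The interface identifier is 64 bits long, so anything longer
        # than /64 leaves no room for it and autoconfig cannot proceed.
        raise ValueError(f"SLAAC needs a /64 prefix, got /{net.prefixlen}")
    octets = bytearray(int(part, 16) for part in mac.split(":"))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    octets[0] ^= 0x02  # invert the universal/local bit
    iid = bytes(octets[:3]) + b"\xff\xfe" + bytes(octets[3:])
    return net.network_address + int.from_bytes(iid, "big")

def host_count(prefix: str) -> int:
    """Number of addresses inside the given prefix."""
    return ipaddress.IPv6Network(prefix).num_addresses

def sweep_seconds(prefix: str, probes_per_second: float) -> float:
    """Time to probe every address in the prefix once at a fixed rate."""
    return host_count(prefix) / probes_per_second

if __name__ == "__main__":
    SAMPLE_MAC = "00:11:22:33:44:55"  # constructed sample value
    print(slaac_eui64("2001:db8:1:2::/64", SAMPLE_MAC))
    for p in ("2001:db8:1:2::/64", "2001:db8:1:2::/116", "2001:db8:1:2::/120"):
        secs = sweep_seconds(p, 1_000_000)  # constructed rate: 1M probes/s
        print(f"{p:22} {host_count(p):>22} addresses, "
              f"{secs / 31_536_000:.6f} years to sweep")
    try:
        slaac_eui64("2001:db8:1:2::/120", SAMPLE_MAC)
    except ValueError as err:
        print("autoconfig refused:", err)
```

An interface identifier built from the MAC like this is much more predictable than the 2^64 figure suggests, which is why hosts commonly use randomised or opaque identifiers instead (RFC 4941, RFC 7217). Either way, the sparse address space only reduces discovery and does not replace the authenticated services described in the post.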