IPS/IDS behind Double NAT

EnthusiastXYZ (Limp Gawd; joined Jun 26, 2020; 221 messages)
How useful is IPS/IDS behind Double NAT for the router that is connected to local clients and not WAN?
 
It can still be useful as threats can come from anywhere with the advent of flash drives and local devices like that.
 
I am not sure what is worse - having my personal router leak LLDP to WAN every 30 seconds or take chances with the ISP router. LLDP is supposed to help security, but it gives out way too much info and on WAN it makes my router stick out like a sore thumb when I type "tcpdump -ni eth4 not proto 6 and not proto 17 and not arp" (which filters out non-UDP, non-TCP, and non-ARP on WAN). My router is the only one to show LLDP packets. All other WAN Layer 2 requests (for all IPs that are not mine) are ARP-only. LLDP also makes my router advertise itself as "UniFi" instead of IP-only.

The ISP router may be worse, but it is unknown. There is no way to log in to the ISP router via SSH and perform TCPDump, but the "Disable UPnP" function in the ISP router settings does not work, at least for LAN, because in the Double NAT configuration, running TCPDump on my personal router shows that the ISP router keeps sending inbound IP 239.255.255.250 UDP Port 1900 packets to my personal router. My personal router filters out all such packets, but it is unknown what the ISP router does on WAN...
 
Ah, the fun of trying to deal with the monkeyfest of a company's self-serving implementations. I would be curious as to whether your WAN connection even routes those LLDP frames further down the line, depending on what the ISP's network looks like--that may be why you're only finding yours advertising like that. Otherwise, yep, now I see why people dumped Ubiquiti stuff in droves and why they had a massive security breach in the first place.
 
I presume your ISP router does not offer a Bridge mode to pass through directly to your own router?
 

I know LLDP has its own MAC address, it's Layer 2, does not get an IP, and cannot be blocked by any NAT firewall rules and/or custom IPTables because they don't apply to Layer 2. UDM EBTables, which function on Layer 2, don't recognize LLDP EtherType 0x88cc, and custom EBTables don't block it.

UDM allows spoofing the WAN MAC address and as such, my LLDP packets don't identify my WAN MAC address, but they identify what LLDP is supposed to identify - device specifics. Nobody else on WAN advertises anything other than ARP, making my router stand out.
 
When ISP router is in Bridged Mode, I can run TCPDump in WAN and I can see the LLDP leak. I assume if I can see everyone's ARP requests on WAN along with my LLDP leak, then everyone else on WAN can see the same, including that LLDP leak.

When ISP router is in Router Mode, LLDP packets from my UDM cannot be routed past ISP router because LLDP is non-routable. Since I didn't see anyone else on WAN leaking LLDP, I assume ISP router does not send out its own LLDP frames to WAN, but I can't know that because ISP router is locked for users and won't allow SSH access.

When ISP router is in Router Mode, it has a UPnP function toggle and it does not appear to be working, at least not for LAN, because running TCPDump on my personal router shows that ISP router keeps sending inbound packets to IGMP IP 224.0.0.22 and UPnP 239.255.255.250 IP. I don't know if my ISP is dumb enough to not only allow UPnP on LAN, but also on WAN. My personal router filters all those packets.

Therefore I am not sure what is worse - UDM being the only router and leaking LLDP OR taking chances with the ISP router allowing UPnP on WAN... UPnP is a significantly heavier threat for security than LLDP. LLDP helps with security at the cost of reducing device privacy, which in turn decreases security. Just like most ISPs, my ISP uses Cisco switches, which use their own LLDP protocol.

Ubiquiti is aware of the issue and disabling LLDP is as easy on their Edge routers as logging in via SSH and editing a config file, but UDM uses its own OS and doesn't give the option to do that yet.
Crazy why the UDM would do that. Is it not a feature that can be shut off?
I can't even see all my ARP requests on my own LAN, lol. I think you'd be fine because if the ISP is allowing ARP between customers, that's going to be a security issue on their end for sure.

I don't think your LLDP requests are going to get far, but it is still unnerving to have them out there and I would definitely stick to your double-nat to get rid of them.

And going back to your original question--you're definitely smart enough to know if data is leaking in/out of your network and having the additional IPS/IDS will only help you.

LMAO ... sarcasm ?

Maybe the OP should consider why they are not seeing any other LLDP on the sniffed wire. A compliant bridge will not forward packets with the LLDP destination MAC.
 
Can you turn LLDP off on UDM?

There is a config file that can be accessed via WinSCP. It has LLDP entries set to True. You can set them to False, restart the UniFi OS, and LLDP will be off until the router re-provisions, which sets LLDP entries back to True. If those entries are set to False, UDM tends to re-provision itself after UniFi OS reboot within 1-2 minutes... Ubiquiti is aware of the problem. I wonder if that config file can be set to Read-Only (for UniFi OS, not user), but I don't know how to do that... It

With Double NAT, IGMP leaks somehow. TCPDump shows that one of my client devices sends IGMP packets directly to ISP router, bypassing UDM router. That client device and ISP router are not on the same subnet. I don't understand that... IGMP protocol is disabled for every single interface via both GUI and SSH-based IPTables, which include disabling loopback interface. When ISP router is in Bridged Mode, UDM router connects directly to WAN (without Double NAT) and there is no IGMP leak and there are no IGMP packets detected anywhere (LAN or WAN). How can ISP router force IGMP to work and to have one of my client devices connect to 224.0.0.22 on ISP router without UDM router acting as proxy?

So nobody else on the wire can see my LLDP packets, except the ISP? If such is the case, then why do I see a ton of ARP requests for other public IP's on WAN?
 
The bridge, read cable modem, should not be forwarding the LAN-side LLDP to the WAN side at all. This means not even the ISP should see it. You see the ARP because that's how IP works. No idea why you're conflating LLDP and ARP.
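An added example, not code from this thread or from Ubiquiti, that decodes what a captured LLDP frame actually advertises and tags its destination scope. It covers both the EtherType 0x88cc point made earlier and the point above that a compliant bridge does not forward the LLDP destination MAC (01:80:c2:00:00:0e is the nearest-bridge group address); the two sample frames and their MAC addresses are constructed.

```python
import struct

LLDP_ETHERTYPE = 0x88CC
# 802.1AB group destination addresses; 01:80:c2:00:00:0e is never forwarded by a compliant bridge.
LLDP_DST_SCOPE = {
    bytes.fromhex("0180c200000e"): "nearest bridge",
    bytes.fromhex("0180c2000003"): "nearest non-TPMR bridge",
    bytes.fromhex("0180c2000000"): "nearest customer bridge",
}
TLV_NAMES = {1: "chassis_id", 2: "port_id", 3: "ttl", 5: "system_name", 6: "system_description"}

def parse_frame(frame: bytes) -> dict:
    """Classify one Ethernet frame; decode TLVs only when the EtherType is LLDP."""
    dst, src, ethertype = frame[:6], frame[6:12], struct.unpack("!H", frame[12:14])[0]
    info = {"src_mac": src.hex(":"), "dst_mac": dst.hex(":"), "is_lldp": ethertype == LLDP_ETHERTYPE}
    if not info["is_lldp"]:
        return info
    info["scope"] = LLDP_DST_SCOPE.get(dst, "unknown destination")
    tlvs, pos = {}, 14
    while pos + 2 <= len(frame):
        hdr = struct.unpack("!H", frame[pos:pos + 2])[0]
        ttype, tlen = hdr >> 9, hdr & 0x1FF           # 7-bit type, 9-bit length
        value = frame[pos + 2:pos + 2 + tlen]
        pos += 2 + tlen
        if ttype == 0:                                 # End of LLDPDU
            break
        if ttype in (1, 2):                            # chassis/port ID: subtype byte + identifier
            tlvs[TLV_NAMES[ttype]] = (value[0], value[1:])
        elif ttype == 3:
            tlvs["ttl"] = struct.unpack("!H", value[:2])[0]
        elif ttype in (5, 6):
            tlvs[TLV_NAMES[ttype]] = value.decode("utf-8", "replace")
    info["tlvs"] = tlvs
    return info

def lldp_seen_on_wan(frames) -> list:
    """Detection pass over a capture: (source MAC, advertised name, scope) per LLDP frame."""
    return [(f["src_mac"], f["tlvs"].get("system_name", "?"), f["scope"])
            for f in map(parse_frame, frames) if f["is_lldp"]]

def _tlv(ttype: int, value: bytes) -> bytes:
    return struct.pack("!H", (ttype << 9) | len(value)) + value

# Constructed capture: a neighbour's ARP broadcast plus an LLDP frame from a router (made-up MAC) calling itself "UniFi".
ARP_FRAME = bytes.fromhex("ffffffffffff" "020000000002" "0806") + bytes(28)
LLDP_FRAME = (bytes.fromhex("0180c200000e" "020000000001" "88cc")
              + _tlv(1, b"\x04" + bytes.fromhex("020000000001"))   # chassis ID, subtype 4 = MAC
              + _tlv(2, b"\x05eth4")                                 # port ID, subtype 5 = ifname
              + _tlv(3, struct.pack("!H", 120))                      # TTL in seconds
              + _tlv(5, b"UniFi") + _tlv(0, b""))                    # system name, end of LLDPDU
```

Run `lldp_seen_on_wan` over frames pulled from a WAN-side capture: anything it lists with scope "nearest bridge" should have been stopped by the first compliant bridge, so seeing it past the modem says something about the modem.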
 
Seeing ARP requests from other addresses in the same subnet is normal.

What is leading you to believe that LLDP is being passed on by the ISP? Why can't you just completely disable LLDP protocol on the Ubiquiti device? With enterprise devices, you can do this on a per-port basis.
No, you cannot disable LLDP in UDM. You can only disable LLDP-Med, but not LLDP itself...