Firewall Wizards mailing list archives
Re: Is NAT in OpenBSD PF UPnP enabled or Non UPnP?
From: Darren Reed <darrenr () reed wattle id au>
Date: Fri, 3 Jun 2005 03:39:51 +1000 (EST)
On Jun 1, 2005, at 6:26 PM, Darren Reed wrote: > On Jun 1, 2005, at 7:57 PM, Chuck Swiger wrote: [ ... ]You shouldn't permit inbound HTTP to any box, just to machines which actually are intended to run an HTTP server. You shouldn't enable WebDAV and SOAP and other fancy bits unless you need them. And you hopefully shouldn't permit arbitrary outbound HTTP, either: forward those via a proxy server.Uh huh. But you're letting ssh out so how do you enforce any of this?I start by not giving logins and SSH access to users I don't trust.
... Yawn, that was all chest beating.
That, and I encourage users to SSH port forward using a semi-trusted machine in the DMZ, just as one ought to terminate a VPN endpoint in the DMZ by preference, where you can.
But ssh isn't a VPN technology per se, it's encrypted telnet (or rlogin or..) that I use from my desktop to my destination so I have some sort of measurable security benefit.
[ ... ]Personally, I'd prefer to be able to configure a UPnP server than just open random ports, permanently on my firewall, wouldn't you?No. I'd rather explicitly manage the services which are permitted through the firewall.Hmmm, you've said "no" but then gone on to say exactly what I was saying, or is there some part of "configure" that doesn't imply "manage" ?Sure. If some random user or guest plugs in a laptop with an 802.11 card or a wireless router to a companies' internal subnet, they've configured a backdoor, a network topology which goes around the firewall and thus is a serious hole to network security.
This is an irrelevant example, for which there are solutions.
That doesn't mean this action was "managed" as in, the person who runs the firewall and is responsible for security has approved it. I don't want a firewall I manage to open ports because some user somewhere has plugged in a new device that really thinks it ought to have access via UPnP to, well, anything that device might happen to want.
Ok, are you deliberately choosing to view what management could be, here, as different from what I'm trying to say just to be argumentative or do you have some other purpose from restricting its application to being inclusive of fixing the problem you're clinging to? It's like you're going out of your way to exclude "manage" from applying to things like UPnP because if it did (and in a useful way) then you wouldn't have a platform to stand on to argue that it is bad. Or maybe, as someone who writes software, I look at the problem and see ways it can be solved rather than obstacles that cannot be overcome.
I have nothing against Bittorrent, but I wouldn't run it, or Kazaa, or Grokster, on a machine with data that I care about keeping secret.
So you're afraid of the software because of...? I haven't see all that many security problems for most of the bittorent software. I can find none for azureus (my favourite client.)
I might be willing to set that software up on a box in the DMZ that does anonymous FTP, because I am willing to recover that data from backup if need be, and because I don't worry about disclosure of stuff which is already publicly available.
That doesn't address the need of people who want to use it for downloads. If I'm given the choice of downloading the latest Linux/BSD ISO via ftp, http or bittorrent, I'll go for bittorrent. Every time. I expect as time rolls by we'll see more companies start to use it for distributing software. Windows updates would be a good candidate for a torrent. Darren _______________________________________________ firewall-wizards mailing list firewall-wizards () honor icsalabs com http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
Current thread:
- Re: Is NAT in OpenBSD PF UPnP enabled or Non UPnP? Darren Reed (Jun 01)
- Re: Is NAT in OpenBSD PF UPnP enabled or Non UPnP? Chuck Swiger (Jun 01)
- Re: Is NAT in OpenBSD PF UPnP enabled or Non UPnP? Darren Reed (Jun 01)
- Message not available
- Re: Is NAT in OpenBSD PF UPnP enabled or Non UPnP? Chuck Swiger (Jun 02)
- Re: Is NAT in OpenBSD PF UPnP enabled or Non UPnP? Darren Reed (Jun 02)
- Re: Is NAT in OpenBSD PF UPnP enabled or Non UPnP? Chuck Swiger (Jun 02)
- Re: Is NAT in OpenBSD PF UPnP enabled or Non UPnP? Darren Reed (Jun 04)
- Re: Is NAT in OpenBSD PF UPnP enabled or Non UPnP? Paul D. Robertson (Jun 04)
- Re: Is NAT in OpenBSD PF UPnP enabled or Non UPnP? Darren Reed (Jun 04)
- Re: Is NAT in OpenBSD PF UPnP enabled or Non UPnP? Paul D. Robertson (Jun 04)
- RE: Is NAT in OpenBSD PF UPnP enabled or Non UPnP? FirewallAdmin (Jun 10)
- Re: Is NAT in OpenBSD PF UPnP enabled or Non UPnP? Darren Reed (Jun 01)
- Re: Is NAT in OpenBSD PF UPnP enabled or Non UPnP? Chuck Swiger (Jun 01)
- <Possible follow-ups>
- Re: Is NAT in OpenBSD PF UPnP enabled or Non UPnP? Siju George (Jun 02)
- Re: Is NAT in OpenBSD PF UPnP enabled or Non UPnP? Nils Vogels (Jun 04)
- Re: Is NAT in OpenBSD PF UPnP enabled or Non UPnP? Siju George (Jun 16)
- Re: Is NAT in OpenBSD PF UPnP enabled or Non UPnP? Darren Reed (Jun 17)