Re: Is NAT in OpenBSD PF UPnP enabled or Non UPnP?

[Darren Reed <darrenr () reed wattle id au>]

> On Jun 1, 2005, at 6:26 PM, Darren Reed wrote:
>  > On Jun 1, 2005, at 7:57 PM, Chuck Swiger wrote:
> [ ... ]
> > > You shouldn't permit inbound HTTP to any box, just to machines which
> > > actually are intended to run an HTTP server.  You shouldn't enable
> > > WebDAV and SOAP and other fancy bits unless you need them.  And you
> > > hopefully shouldn't permit arbitrary outbound HTTP, either: forward
> > > those via a proxy server.
> >
> > Uh huh.  But you're letting ssh out so how do you enforce any of this?
>
> I start by not giving logins and SSH access to users I don't trust.
...

Yawn, that was all chest beating.

> That, and I encourage users to SSH port forward using a semi-trusted
> machine in the DMZ, just as one ought to terminate a VPN endpoint in
> the DMZ by preference, where you can.

But ssh isn't a VPN technology per se, it's encrypted telnet (or rlogin
or..) that I use from my desktop to my destination so I have some sort
of measurable security benefit.

> [ ... ]
> > > > Personally, I'd prefer to be able to configure a UPnP server than
> > > > just
> > > > open random ports, permanently on my firewall, wouldn't you?
> > >
> > > No.  I'd rather explicitly manage the services which are permitted
> > > through the firewall.
> >
> > Hmmm, you've said "no" but then gone on to say exactly what I was
> > saying, or is there some part of "configure" that doesn't imply
> > "manage" ?
>
> Sure.  If some random user or guest plugs in a laptop with an 802.11
> card or a wireless router to a companies' internal subnet, they've
> configured a backdoor, a network topology which goes around the
> firewall and thus is a serious hole to network security.

This is an irrelevant example, for which there are solutions.

> That doesn't mean this action was "managed" as in, the person who
> runs the firewall and is responsible for security has approved it.  I
> don't want a firewall I manage to open ports because some user
> somewhere has plugged in a new device that really thinks it ought to
> have access via UPnP to, well, anything that device might happen to
> want.

Ok, are you deliberately choosing to view what management could be,
here, as different from what I'm trying to say just to be argumentative
or do you have some other purpose from restricting its application to
being inclusive of fixing the problem you're clinging to?

It's like you're going out of your way to exclude "manage" from applying
to things like UPnP because if it did (and in a useful way) then you
wouldn't have a platform to stand on to argue that it is bad.

Or maybe, as someone who writes software, I look at the problem and
see ways it can be solved rather than obstacles that cannot be overcome.

> I have nothing against Bittorrent, but I wouldn't run it, or Kazaa,
> or Grokster, on a machine with data that I care about keeping
> secret.

So you're afraid of the software because of...?
I haven't see all that many security problems for most of the bittorent
software.  I can find none for azureus (my favourite client.)

> I might be willing to set that software up on a box in the
> DMZ that does anonymous FTP, because I am willing to recover that
> data from backup if need be, and because I don't worry about
> disclosure of stuff which is already publicly available.

That doesn't address the need of people who want to use it for
downloads.  If I'm given the choice of downloading the latest
Linux/BSD ISO via ftp, http or bittorrent, I'll go for bittorrent.
Every time.  I expect as time rolls by we'll see more companies
start to use it for distributing software.  Windows updates would
be a good candidate for a torrent.

Darren
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards