Firewall Wizards mailing list archives

Re: Is NAT in OpenBSD PF UPnP enabled or Non UPnP?


From: Chuck Swiger <chuck () codefab com>
Date: Thu, 2 Jun 2005 17:14:55 -0400

On Jun 2, 2005, at 1:39 PM, Darren Reed wrote:
On Jun 1, 2005, at 6:26 PM, Darren Reed wrote:
On Jun 1, 2005, at 7:57 PM, Chuck Swiger wrote:
[ ... ]
You shouldn't permit inbound HTTP to any box, just to machines which
actually are intended to run an HTTP server.  You shouldn't enable
WebDAV and SOAP and other fancy bits unless you need them.  And you
hopefully shouldn't permit arbitrary outbound HTTP, either: forward
those via a proxy server.

Uh huh. But you're letting ssh out so how do you enforce any of this?


I start by not giving logins and SSH access to users I don't trust.
...

Yawn, that was all chest beating.

You asked a simple question, and got a simple, factual answer.
I don't see how that could be seen as "chest beating", but whatever.

That, and I encourage users to SSH port forward using a semi-trusted
machine in the DMZ, just as one ought to terminate a VPN endpoint in
the DMZ by preference, where you can.

But ssh isn't a VPN technology per se, it's encrypted telnet (or rlogin
or..) that I use from my desktop to my destination so I have some sort
of measurable security benefit.

Inconsistency detected.  Do you remember saying:

If you let that [ssh] through, with tunnelling, you may as well be letting
through arbitrary services.

...or...

There are things I'd like to say here that I can't for reasons
that would cause me as much angst if I tried to explain them,
in public.  Needless to say, you exhibit a very shallow
understanding of what tunnelling via ssh really means/enables.

...?

I regard SSH with port forwarding as being similar in scope to VPN access, or IP-over-PPP tunneling, or any similar form of network encapsulation.

[ ... ]
No.  I'd rather explicitly manage the services which are permitted
through the firewall.

Hmmm, you've said "no" but then gone on to say exactly what I was
saying, or is there some part of "configure" that doesn't imply
"manage"?

Sure.  If some random user or guest plugs in a laptop with an 802.11
card or a wireless router to a company's internal subnet, they've
configured a backdoor, a network topology which goes around the
firewall and thus is a serious hole in network security.

This is an irrelevant example, for which there are solutions.

You are absolutely wrong that this example is irrelevant to me, or to anyone who uses a firewall in the hopes of obtaining useful security benefits:

A firewall only blocks traffic which goes through it.

If some random user can easily set up a route which goes around the firewall, much less permits untrusted traffic back through, that represents a serious, possibly critical weakness to your network security.

That doesn't mean this action was "managed" as in, the person who
runs the firewall and is responsible for security has approved it.  I
don't want a firewall I manage to open ports because some user
somewhere has plugged in a new device that really thinks it ought to
have access via UPnP to, well, anything that device might happen to
want.

Ok, are you deliberately choosing to view what management could be,
here, as different from what I'm trying to say just to be argumentative
or do you have some other purpose from restricting its application to
being inclusive of fixing the problem you're clinging to?

No.  I don't "choose to view things" just to argue with people.

I don't regard my own opinions as being especially important, perhaps because I'm not interested in solving problems for which opinions are more important than facts. People who believe their own opinions are so important that they confuse them with facts often tend to not understand my position at all.

It's like you're going out of your way to exclude "manage" from applying
to things like UPnP because if it did (and in a useful way) then you
wouldn't have a platform to stand on to argue that it is bad.

No. It's like I have a viewpoint on how to setup, configure, and manage a network which was formed years before UPnP was invented.

I think UPnP is useful under limited conditions, mainly for individual users or small LANs, where nobody is available to manage the network. I don't think UPnP is helpful for other situations, because anyone who can set up DNS or a DHCP server is already managing the network well enough that UPnP doesn't really add anything.

Or maybe, as someone who writes software, I look at the problem and
see ways it can be solved rather than obstacles that cannot be overcome.

Do you regard security as a problem to be solved, or as an obstacle?

I have nothing against Bittorrent, but I wouldn't run it, or Kazaa,
or Grokster, on a machine with data that I care about keeping
secret.

So you're afraid of the software because of...?

No, I'm not afraid of this sort of software.

I don't choose to run it on machines where I don't need to, and especially I don't choose to run it on machines with data I want to keep secret. [1] If we could convince users *not* to run untrusted software, a great deal of the current disaster with the emailed viruses/trojan horse problem would go away.

[ Only, it's clear that we aren't able to convince users not to click on email attachments, which is why people now spend time and money filtering viruses at their MX, or even outsourcing email entirely. Hosting MS-Exchange offsite is a pretty big business, nowadays, which is almost incomprehensible to me, but companies seem to value calendar and Blackberry access more than they worry about all of their email being managed offsite by a third-party. ]

--
-Chuck

[1]: This has nothing to do with Bittorrent. I don't run a webserver on my fileserver, either, and I wouldn't have any open ports on the box if I could set it up that way and still have it serve the role that it needs to. I'm happier setting up a fileserver which does not allow end-users shell access, for example, or which forbids setuid execution in the partition where user home directories are kept.
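The policy argued for in the message above (inbound HTTP only to the machine meant to serve it, outbound HTTP only through a proxy, SSH from the LAN only to a semi-trusted DMZ host, and a firewall that opens a port only when its administrator edits the ruleset) sketched as an OpenBSD pf.conf fragment. This is an added example for the archive reader; it is not from the original post and not anything Chuck or Darren wrote. Interface names, networks, host addresses and the proxy port are assumptions for illustration, and the syntax is the post-4.7 PF syntax (`match ... nat-to`), not the 2005-era `nat` rules the thread's participants would have used.

```conf
# Added example, not from the original post. Every name and address below is
# an assumption for illustration.
ext_if = "em0"               # Internet-facing interface
dmz_if = "em1"               # DMZ: web server, HTTP proxy, SSH jump host
int_if = "em2"               # internal user LAN
int_net    = "10.0.0.0/24"
webserver  = "192.0.2.80"    # DMZ hosts use public (documentation-range) addresses
proxy      = "192.0.2.3"
jumphost   = "192.0.2.22"
proxy_port = "3128"
private    = "{ 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }"

set skip on lo0
set block-policy drop
set state-policy floating    # the default: a state created on the ingress
                             # interface also carries the flow out the egress
                             # one, so one "pass in" per permitted flow suffices

# Default deny on every interface, in both directions. Anything not listed
# below is dropped and logged, so "please open a port for me" from a device
# on the LAN changes nothing until the administrator adds a rule.
block log all
antispoof quick for { $int_if $dmz_if }
block in quick on $ext_if inet from $private to any

# The DMZ never initiates anything into the LAN. Placed before the pass
# rules and marked quick so that no later pass rule can override it.
block in quick on $dmz_if inet from any to $int_net

# LAN hosts are translated on the way out. No rule below lets the LAN out
# directly, so this only takes effect for whatever explicit rule is added later.
match out on $ext_if inet from $int_net to any nat-to ($ext_if)

# 1. Inbound HTTP(S) reaches the web server and nothing else.
pass in on $ext_if inet proto tcp from any to $webserver port { 80 443 }

# 2. Outbound web goes through the proxy. The LAN may only talk to the proxy;
#    the proxy is the only host allowed to open 80/443 to the Internet.
pass in on $int_if inet proto tcp from $int_net to $proxy port $proxy_port
pass in on $dmz_if inet proto tcp from $proxy to any port { 80 443 }

# 3. SSH: the LAN reaches only the DMZ jump host; only the jump host may SSH
#    out. A user who tunnels through it still terminates in the DMZ, not on
#    the LAN, which is the "terminate the VPN endpoint in the DMZ" point above.
pass in on $int_if inet proto tcp from $int_net to $jumphost port 22
pass in on $dmz_if inet proto tcp from $jumphost to any port 22
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`, and confirm what was actually installed with `pfctl -sr`. Two caveats: a web server on a private DMZ address would additionally need an `rdr-to` on `$ext_if`, and the jump-host rule is a deliberate choice, not a loophole closed: it accepts that anyone with an account on the jump host can forward arbitrary TCP through it, which is why the message above pairs it with not handing out such accounts to untrusted users.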

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

