Firewall Wizards mailing list archives
Re: Is NAT in OpenBSD PF UPnP enabled or Non UPnP?
From: Darren Reed <darrenr () reed wattle id au>
Date: Sat, 4 Jun 2005 01:45:24 +1000 (EST)
> On Jun 2, 2005, at 1:39 PM, Darren Reed wrote:
>>> That, and I encourage users to SSH port forward using a semi-trusted machine in the DMZ, just as one ought to terminate a VPN endpoint in the DMZ by preference, where you can.
>> But ssh isn't a VPN technology per se, it's encrypted telnet (or rlogin or..) that I use from my desktop to my destination so I have some sort of measurable security benefit.
> Inconsistency detected. Do you remember saying:
Indeed I do. And I said the above with full knowledge of what I'd said. Primarily because you evolved your argument to find a way to counter the tunnel aspect.
> I regard SSH with port forwarding as being similar in scope to VPN access, or IP-over-PPP tunneling, or any similar form of network encapsulation.
And it's part of the same product, it isn't separate. You're expecting people to treat it differently depending on how they use it. I use it like many others do - for the combined functionality at the same time and there's no sacrificing one for the other.
[ ... ]
> Sure. If some random user or guest plugs in a laptop with an 802.11 card or a wireless router to a company's internal subnet, they've configured a backdoor, a network topology which goes around the firewall and thus is a serious hole to network security.

This is an irrelevant example, for which there are solutions.
..
> If some random user can easily set up a route which goes around the firewall, much less permits untrusted traffic back through, that represents a serious, possibly critical weakness to your network security.
Well then secure your LAN. This can be done. This is why your example is irrelevant. If you (or anyone else) chooses to run an insecure LAN then you take on these risks. If you've signed up for that then don't complain about it. LANs do not need to be insecure.
>> It's like you're going out of your way to exclude "manage" from applying to things like UPnP because if it did (and in a useful way) then you wouldn't have a platform to stand on to argue that it is bad.
> No. It's like I have a viewpoint on how to set up, configure, and manage a network which was formed years before UPnP was invented.
Right, and now that viewpoint is growing stale. The IT industry is very dynamic, you need to grow and move with the times or get left behind. ..
> I don't think UPnP is helpful for other situations, because anyone who can set up DNS or a DHCP server is already managing the network well enough that UPnP doesn't really add anything.
I disagree and we'll have to agree to disagree.
>> Or maybe, as someone who writes software, I look at the problem and see ways it can be solved rather than obstacles that cannot be overcome.
> Do you regard security as a problem to be solved, or as an obstacle?
A problem to be solved.
> I don't choose to run it on machines where I don't need to, and especially I don't choose to run it on machines with data I want to keep secret. [1] If we could convince users *not* to run untrusted software, a great deal of the current disaster with emailed viruses/trojan horse problem would go away.
This begets a whole other conversation about whether or not software is trustworthy and what makes it one way or another. I could try and preempt the entire discussion by saying unless you've got signed executables from your vendor and your OS verifies them, as well as those for drivers, then you've no guarantee that you're only running trusted software. But I think it's best summed up by referring back to Marcus who recently (on this list :) noted that perhaps the Orange Book guys got it right...after how many years of saying it was pointless ? :) Oh, and just because *you* compile something yourself does not make it trustworthy. Go read about the .. worm(?) .. in one of the original C compilers. But the real problem is that today, to get the most out of what the Internet and computers have to offer, we're generally _forced_ to run 'something' that is not completely trustworthy.
> I'm happier setting up a fileserver which does not allow end-users shell access, for example, or which forbids setuid execution in the partition where user home directories are kept.
*yawn* More chest beating. These things are "old hat".

Darren

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards