Firewall Wizards mailing list archives
Re: Is NAT in OpenBSD PF UPnP enabled or Non UPnP?
From: Chuck Swiger <chuck () codefab com>
Date: Wed, 1 Jun 2005 22:10:08 -0400
[ This post has been edited per moderator request. While I support the idea of keeping a polite discussion, the moderator's timing was a bit late, perhaps... ]
On Jun 1, 2005, at 6:26 PM, Darren Reed wrote:
> On Jun 1, 2005, at 7:57 PM, Chuck Swiger wrote:
> [ ... ]
>> You shouldn't permit inbound HTTP to any box, just to machines which actually are intended to run an HTTP server. You shouldn't enable WebDAV and SOAP and other fancy bits unless you need them. And you hopefully shouldn't permit arbitrary outbound HTTP, either: forward those via a proxy server.
>
> Uh huh. But you're letting ssh out so how do you enforce any of this?
I start by not giving logins and SSH access to users I don't trust. I don't give user access to servers and infrastructure like firewalls and switches that users don't need to have shells on. I also perform network monitoring, process monitoring on important servers, etc and look for traffic patterns which shouldn't be there to help catch the unexpected.
That, and I encourage users to SSH port forward using a semi-trusted machine in the DMZ, just as one ought to terminate a VPN endpoint in the DMZ by preference, where you can.
[ ... ]
>>> Personally, I'd prefer to be able to configure a UPnP server than just open random ports, permanently on my firewall, wouldn't you?
>>
>> No. I'd rather explicitly manage the services which are permitted through the firewall.
>
> Hmmm, you've said "no" but then gone on to say exactly what I was saying, or is there some part of "configure" that doesn't imply "manage"?

Sure. If some random user or guest plugs in a laptop with an 802.11 card or a wireless router to a company's internal subnet, they've configured a backdoor, a network topology which goes around the firewall and thus is a serious hole in network security.
That doesn't mean this action was "managed" as in, the person who runs the firewall and is responsible for security has approved it. I don't want a firewall I manage to open ports because some user somewhere has plugged in a new device that really thinks it ought to have access via UPnP to, well, anything that device might happen to want.
>> If I cared about the security of the box in question, it wouldn't be running bittorrent or any other flavor of peer-to-peer networking.
>
> Ok, so you're doing some gratuitous fishing for more personal remarks? Because I can't take what you've said seriously.
I have nothing against Bittorrent, but I wouldn't run it, or Kazaa, or Grokster, on a machine with data that I care about keeping secret. I might be willing to set that software up on a box in the DMZ that does anonymous FTP, because I am willing to recover that data from backup if need be, and because I don't worry about disclosure of stuff which is already publicly available.
However, I surely wouldn't run that kind of software on a mission-critical fileserver or database, and I surely won't advise anyone else to do so, either.
--
-Chuck

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
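The policy Chuck describes above (inbound HTTP only to the box meant to serve it, user HTTP forced through a proxy, SSH forwarding via a semi-trusted DMZ host, and nothing opening ports on a device's say-so) is easy to state as an explicit PF ruleset. The following pf.conf is an added example, not code from this thread or from the OpenBSD project; the interface names, addresses and the proxy port are assumptions, and it uses the post-4.7 `match ... nat-to` syntax rather than the `nat on` rule that was current in 2005.

```pf
# Added example (not from the thread): an OpenBSD pf.conf sketch of the policy
# described above. Interface names and addresses are assumptions.
ext_if  = "em0"                 # Internet-facing
int_if  = "em1"                 # internal user LAN
dmz_if  = "em2"                 # DMZ
int_net = "10.0.0.0/24"
web_srv = "192.0.2.10"          # the one box intended to run an HTTP server
proxy   = "192.0.2.20"          # outbound HTTP proxy in the DMZ
jump    = "192.0.2.30"          # semi-trusted SSH forwarding host in the DMZ
admins  = "{ 10.0.0.5, 10.0.0.6 }"

set skip on lo
set block-policy drop

# Hide the internal LAN behind the external address.
match out on $ext_if from $int_net to any nat-to ($ext_if)

# Default deny in both directions; log it so the traffic monitoring mentioned
# above has something to look at (tcpdump -n -e -ttt -i pflog0).
block log all

# Log and drop SSDP/UPnP discovery from the LAN explicitly: no daemon on this
# firewall opens ports at a device's request; only an edit to this file does.
block in log quick on $int_if proto udp from any to 239.255.255.250 port 1900

# Inbound HTTP only to the machine intended to run an HTTP server.
pass in on $ext_if proto tcp from any to $web_srv port 80

# Users get no arbitrary outbound HTTP: they reach the proxy, and only the
# proxy reaches the Internet on 80/443. PF keeps floating state by default,
# so the forwarded packet and its replies pass on the other interfaces by state.
pass in on $int_if proto tcp from $int_net to $proxy port 3128
pass in on $dmz_if proto tcp from $proxy to any port { 80, 443 }

# SSH: users may forward through the DMZ jump host; only the jump host may
# open SSH to the outside; only admin workstations may SSH to the firewall.
pass in on $int_if proto tcp from $int_net to $jump port 22
pass in on $dmz_if proto tcp from $jump to any port 22
pass in on $int_if proto tcp from $admins to ($int_if) port 22

# The firewall's own DNS and NTP lookups.
pass out on $ext_if proto udp from ($ext_if) to any port { 53, 123 }
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`. Because every rule names an interface and a destination host or port, a new device on the LAN gets nothing until someone responsible for the firewall adds a line for it, which is the "managed" rather than merely "configured" distinction drawn in the post; the logged default deny and the logged SSDP rule are what make the unapproved access attempts visible.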