Re: Is NAT in OpenBSD PF UPnP enabled or Non UPnP?

[Chuck Swiger <chuck () codefab com>]

[ This post has been editted per moderator request.  While I support  
the idea of keeping a polite discussion, the moderator's timing was a  
bit late, perhaps... ]

On Jun 1, 2005, at 6:26 PM, Darren Reed wrote:
> On Jun 1, 2005, at 7:57 PM, Chuck Swiger wrote:
[ ... ]
> > You shouldn't permit inbound HTTP to any box, just to machines which
> > actually are intended to run an HTTP server.  You shouldn't enable
> > WebDAV and SOAP and other fancy bits unless you need them.  And you
> > hopefully shouldn't permit arbitrary outbound HTTP, either: forward
> > those via a proxy server.
>
> Uh huh.  But you're letting ssh out so how do you enforce any of this?

I start by not giving logins and SSH access to users I don't trust.   
I don't give user access to servers and infrastructure like firewalls  
and switches that users don't need to have shells on.  I also perform  
network monitoring, process monitoring on important servers, etc and  
look for traffic patterns which shouldn't be there to help catch the  
unexpected.

That, and I encourage users to SSH port forward using a semi-trusted  
machine in the DMZ, just as one ought to terminate a VPN endpoint in  
the DMZ by preference, where you can.

[ ... ]
> > > Personally, I'd prefer to be able to configure a UPnP server than  
> > > just
> > > open random ports, permanently on my firewall, wouldn't you?
> >
> > No.  I'd rather explicitly manage the services which are permitted
> > through the firewall.
>
> Hmmm, you've said "no" but then gone on to say exactly what I was
> saying, or is there some part of "configure" that doesn't imply
> "manage" ?

Sure.  If some random user or guest plugs in a laptop with an 802.11  
card or a wireless router to a companies' internal subnet, they've  
configured a backdoor, a network topology which goes around the  
firewall and thus is a serious hole to network security.

That doesn't mean this action was "managed" as in, the person who  
runs the firewall and is responsible for security has approved it.  I  
don't want a firewall I manage to open ports because some user  
somewhere has plugged in a new device that really thinks it ought to  
have access via UPnP to, well, anything that device might happen to  
want.

> > If I cared about the security of the box in question, it wouldn't be
> > running bittorrent or any other flavor of peer-to-peer networking.
>
> Ok, so you're doing some gratuitious fishing for more personal  
> remarks?
> Because I can't take what you've said seriously.

I have nothing against Bittorrent, but I wouldn't run it, or Kazaa,  
or Grokster, on a machine with data that I care about keeping  
secret.  I might be willing to set that software up on a box in the  
DMZ that does anonymous FTP, because I am willing to recover that  
data from backup if need be, and because I don't worry about  
disclosure of stuff which is already publicly available.

However, I surely wouldn't run that kind of software on a mission- 
critical fileserver or database, and I surely won't advise anyone  
else to do so, either.

--
-Chuck



_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards