Re: [fw-wiz] Is NAT in OpenBSD PF UPnP enabled or Non UPnP?

From: Chuck Swiger (chuck_at_codefab.com)
Date: 06/02/05

    To: firewall-wizards@honor.icsalabs.com
    Date: Wed, 1 Jun 2005 22:10:08 -0400
    
    

    [ This post has been edited per moderator request. While I support
    the idea of keeping a polite discussion, the moderator's timing was a
    bit late, perhaps... ]

    On Jun 1, 2005, at 6:26 PM, Darren Reed wrote:
    > On Jun 1, 2005, at 7:57 PM, Chuck Swiger wrote:
    [ ... ]
    >> You shouldn't permit inbound HTTP to any box, just to machines which
    >> actually are intended to run an HTTP server. You shouldn't enable
    >> WebDAV and SOAP and other fancy bits unless you need them. And you
    >> hopefully shouldn't permit arbitrary outbound HTTP, either: forward
    >> those via a proxy server.
    >
    > Uh huh. But you're letting ssh out so how do you enforce any of this?

    I start by not giving logins and SSH access to users I don't trust.
    I don't give user access to servers and infrastructure like firewalls
    and switches that users don't need to have shells on. I also perform
    network monitoring, process monitoring on important servers, etc and
    look for traffic patterns which shouldn't be there to help catch the
    unexpected.

    That, and I encourage users to SSH port forward using a semi-trusted
    machine in the DMZ, just as one ought to terminate a VPN endpoint in
    the DMZ by preference, where you can.

    [ ... ]
    >>> Personally, I'd prefer to be able to configure a UPnP server than
    >>> just open random ports, permanently on my firewall, wouldn't you?
    >>
    >> No. I'd rather explicitly manage the services which are permitted
    >> through the firewall.
    >>
    >
    > Hmmm, you've said "no" but then gone on to say exactly what I was
    > saying, or is there some part of "configure" that doesn't imply
    > "manage" ?

    Sure. If some random user or guest plugs in a laptop with an 802.11
    card or a wireless router to a company's internal subnet, they've
    configured a backdoor, a network topology which goes around the
    firewall and thus is a serious hole to network security.

    That doesn't mean this action was "managed" as in, the person who
    runs the firewall and is responsible for security has approved it. I
    don't want a firewall I manage to open ports because some user
    somewhere has plugged in a new device that really thinks it ought to
    have access via UPnP to, well, anything that device might happen to
    want.

    >> If I cared about the security of the box in question, it wouldn't be
    >> running bittorrent or any other flavor of peer-to-peer networking.
    >>
    >
    > Ok, so you're doing some gratuitous fishing for more personal
    > remarks? Because I can't take what you've said seriously.

    I have nothing against Bittorrent, but I wouldn't run it, or Kazaa,
    or Grokster, on a machine with data that I care about keeping
    secret. I might be willing to set that software up on a box in the
    DMZ that does anonymous FTP, because I am willing to recover that
    data from backup if need be, and because I don't worry about
    disclosure of stuff which is already publicly available.

    However, I surely wouldn't run that kind of software on a
    mission-critical fileserver or database, and I surely won't advise
    anyone else to do so, either.

    -- 
    -Chuck
    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
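An added example, not part of Chuck's post or of any OpenBSD documentation: a pf.conf sketch of the policy he describes (default deny, inbound HTTP only to the web server, outbound HTTP only through a proxy, SSH forwarding through a semi-trusted DMZ host, every opening made by the firewall admin rather than by UPnP). Interface names, addresses and the management host are assumptions, and the syntax is OpenBSD 4.7+ (rdr-to/nat-to on pass rules), which postdates the 2005 thread.

```pf
# Added example (not from the thread): OpenBSD pf.conf, 4.7+ syntax.
# Interface names, address ranges and host addresses are assumptions.
ext_if = "em0"                  # Internet side; its address is used for NAT
dmz_if = "em1"                  # DMZ: web server, HTTP proxy, SSH forwarding host
int_if = "em2"                  # internal users

int_net    = "10.10.0.0/16"     # internal user subnet (assumed)
www_srv    = "192.168.100.10"   # the only machine meant to run an HTTP server
proxy_srv  = "192.168.100.20"   # all user HTTP leaves through this proxy
jump_srv   = "192.168.100.30"   # semi-trusted SSH forwarding host in the DMZ
admin_host = "10.10.0.5"        # the one workstation allowed a shell on the firewall

set skip on lo
set block-policy drop

# Default deny, logged: the drop log is where traffic patterns that
# should not be there show up first.
block log all

# Inbound HTTP is redirected only to the box intended to serve it. This is
# the hand-managed equivalent of the port mapping UPnP would add on its own.
# pf builds a separate state on each interface a forwarded packet crosses,
# so with a default block every flow needs both an "in" and an "out" pass.
pass in on $ext_if proto tcp from any to ($ext_if) port { 80 443 } rdr-to $www_srv
pass out on $dmz_if proto tcp to $www_srv port { 80 443 }

# No arbitrary outbound HTTP: users reach only the proxy, and only the
# proxy reaches the Internet on 80/443, NATted to the external address.
pass in on $int_if proto tcp from $int_net to $proxy_srv port 3128
pass out on $dmz_if proto tcp from $int_net to $proxy_srv port 3128
pass in on $dmz_if proto tcp from $proxy_srv to any port { 80 443 }
pass out on $ext_if proto tcp from $proxy_srv to any port { 80 443 } nat-to ($ext_if)

# SSH port forwarding goes via the DMZ host; users cannot SSH straight out.
# There is deliberately no "pass out on $int_if", so nothing in the DMZ can
# initiate connections back into the internal subnet.
pass in on $int_if proto tcp from $int_net to $jump_srv port 22
pass out on $dmz_if proto tcp from $int_net to $jump_srv port 22
pass in on $dmz_if proto tcp from $jump_srv to any port 22
pass out on $ext_if proto tcp from $jump_srv to any port 22 nat-to ($ext_if)

# Shell access to the firewall itself: one management host, nobody else.
pass in on $int_if proto tcp from $admin_host to ($int_if) port 22
```

Load it with `pfctl -nf /etc/pf.conf` first to check the syntax, then `pfctl -f /etc/pf.conf`; `pfctl -ss` shows the two states each forwarded connection creates.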
    
