Re: [fw-wiz] Is NAT in OpenBSD PF UPnP enabled or Non UPnP?

From: Chuck Swiger (chuck_at_codefab.com)
Date: 06/02/05

Next message: Carson Gaspar: "Re: [fw-wiz] Ok, so now we have a firewall, we're safe, right?"

Previous message: Bill McGee (bam): "RE: [fw-wiz] Ok, so now we have a firewall, we're safe, right?"
Maybe in reply to: Darren Reed: "Re: [fw-wiz] Is NAT in OpenBSD PF UPnP enabled or Non UPnP?"
Next in thread: Darren Reed: "Re: [fw-wiz] Is NAT in OpenBSD PF UPnP enabled or Non UPnP?"
Reply: Darren Reed: "Re: [fw-wiz] Is NAT in OpenBSD PF UPnP enabled or Non UPnP?"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

To: firewall-wizards@honor.icsalabs.com
Date: Wed, 1 Jun 2005 22:10:08 -0400

[ This post has been editted per moderator request. While I support
the idea of keeping a polite discussion, the moderator's timing was a
bit late, perhaps... ]

On Jun 1, 2005, at 6:26 PM, Darren Reed wrote:
> On Jun 1, 2005, at 7:57 PM, Chuck Swiger wrote:
[ ... ]
>> You shouldn't permit inbound HTTP to any box, just to machines which
>> actually are intended to run an HTTP server. You shouldn't enable
>> WebDAV and SOAP and other fancy bits unless you need them. And you
>> hopefully shouldn't permit arbitrary outbound HTTP, either: forward
>> those via a proxy server.
>
> Uh huh. But you're letting ssh out so how do you enforce any of this?

I start by not giving logins and SSH access to users I don't trust.
I don't give user access to servers and infrastructure like firewalls
and switches that users don't need to have shells on. I also perform
network monitoring, process monitoring on important servers, etc and
look for traffic patterns which shouldn't be there to help catch the
unexpected.

That, and I encourage users to SSH port forward using a semi-trusted
machine in the DMZ, just as one ought to terminate a VPN endpoint in
the DMZ by preference, where you can.

[ ... ]
>>> Personally, I'd prefer to be able to configure a UPnP server than
>>> just
>>> open random ports, permanently on my firewall, wouldn't you?
>>
>> No. I'd rather explicitly manage the services which are permitted
>> through the firewall.
>>
>
> Hmmm, you've said "no" but then gone on to say exactly what I was
> saying, or is there some part of "configure" that doesn't imply
> "manage" ?

Sure. If some random user or guest plugs in a laptop with an 802.11
card or a wireless router to a companies' internal subnet, they've
configured a backdoor, a network topology which goes around the
firewall and thus is a serious hole to network security.

That doesn't mean this action was "managed" as in, the person who
runs the firewall and is responsible for security has approved it. I
don't want a firewall I manage to open ports because some user
somewhere has plugged in a new device that really thinks it ought to
have access via UPnP to, well, anything that device might happen to
want.

>> If I cared about the security of the box in question, it wouldn't be
>> running bittorrent or any other flavor of peer-to-peer networking.
>>
>
> Ok, so you're doing some gratuitious fishing for more personal
> remarks?
> Because I can't take what you've said seriously.

I have nothing against Bittorrent, but I wouldn't run it, or Kazaa,
or Grokster, on a machine with data that I care about keeping
secret. I might be willing to set that software up on a box in the
DMZ that does anonymous FTP, because I am willing to recover that
data from backup if need be, and because I don't worry about
disclosure of stuff which is already publicly available.

However, I surely wouldn't run that kind of software on a mission-
critical fileserver or database, and I surely won't advise anyone
else to do so, either.

-- 
-Chuck
_______________________________________________
firewall-wizards mailing list
firewall-wizards@honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

Next message: Carson Gaspar: "Re: [fw-wiz] Ok, so now we have a firewall, we're safe, right?"

Previous message: Bill McGee (bam): "RE: [fw-wiz] Ok, so now we have a firewall, we're safe, right?"
Maybe in reply to: Darren Reed: "Re: [fw-wiz] Is NAT in OpenBSD PF UPnP enabled or Non UPnP?"
Next in thread: Darren Reed: "Re: [fw-wiz] Is NAT in OpenBSD PF UPnP enabled or Non UPnP?"
Reply: Darren Reed: "Re: [fw-wiz] Is NAT in OpenBSD PF UPnP enabled or Non UPnP?"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Relevant Pages

<< SBS News of the week - Sept 26 >>
... And he points to the info you need to put the file on the server in the ... at the network perimeter. ... The Symantec Firewall/VPN and the Gateway Security ... by the firewall at risk. ...
(microsoft.public.backoffice.smallbiz)
<< SBS News of the week - Sept 26 >>
... And he points to the info you need to put the file on the server in the ... at the network perimeter. ... The Symantec Firewall/VPN and the Gateway Security ... by the firewall at risk. ...
(microsoft.public.backoffice.smallbiz2000)
<< SBS News of the week - Sept 26 >>
... And he points to the info you need to put the file on the server in the ... at the network perimeter. ... The Symantec Firewall/VPN and the Gateway Security ... by the firewall at risk. ...
(microsoft.public.windows.server.sbs)
Re: need help re. office network install
... > and their network is a mess, the result of years of neglect. ... they have a gateway server w/ no special ... > firewall rules on it, they have a large DMZ that serves no purpose ... install anymore software on the firewall machine than is absolutely ...
(comp.os.linux.networking)
Re: oops again
... open on the Firewall, and the default should be none. ... Since you intend to install IIS purely as a test server for your ASPX pages ... Make sure that IIS is only listening on the local network (192.168.x.y ...
(microsoft.public.inetserver.iis)