Re: [fw-wiz] Is NAT in OpenBSD PF UPnP enabled or Non UPnP?

From: Darren Reed (darrenr_at_reed.wattle.id.au)
Date: 06/02/05

  • Next message: Marcus J. Ranum: "Re: [fw-wiz] Ok, so now we have a firewall, we're safe, right?"
    To: Chuck Swiger <chuck@codefab.com>
    Date: Fri, 3 Jun 2005 03:39:51 +1000 (EST)
    
    

    > On Jun 1, 2005, at 6:26 PM, Darren Reed wrote:
    > > On Jun 1, 2005, at 7:57 PM, Chuck Swiger wrote:
    > [ ... ]
    > >> You shouldn't permit inbound HTTP to any box, just to machines which
    > >> actually are intended to run an HTTP server. You shouldn't enable
    > >> WebDAV and SOAP and other fancy bits unless you need them. And you
    > >> hopefully shouldn't permit arbitrary outbound HTTP, either: forward
    > >> those via a proxy server.
    > >
    > > Uh huh. But you're letting ssh out so how do you enforce any of this?
    >
    > I start by not giving logins and SSH access to users I don't trust.
    ...

    Yawn, that was all chest beating.

    > That, and I encourage users to SSH port forward using a semi-trusted
    > machine in the DMZ, just as one ought to terminate a VPN endpoint in
    > the DMZ by preference, where you can.

    But ssh isn't a VPN technology per se, it's encrypted telnet (or rlogin
    or..) that I use from my desktop to my destination so I have some sort
    of measurable security benefit.

    > [ ... ]
    > >>> Personally, I'd prefer to be able to configure a UPnP server than
    > >>> just
    > >>> open random ports, permanently on my firewall, wouldn't you?
    > >>
    > >> No. I'd rather explicitly manage the services which are permitted
    > >> through the firewall.
    > >>
    > >
    > > Hmmm, you've said "no" but then gone on to say exactly what I was
    > > saying, or is there some part of "configure" that doesn't imply
    > > "manage" ?
    >
    > Sure. If some random user or guest plugs in a laptop with an 802.11
    > card or a wireless router to a company's internal subnet, they've
    > configured a backdoor, a network topology which goes around the
    > firewall and thus is a serious hole to network security.

    This is an irrelevant example, for which there are solutions.

    > That doesn't mean this action was "managed" as in, the person who
    > runs the firewall and is responsible for security has approved it. I
    > don't want a firewall I manage to open ports because some user
    > somewhere has plugged in a new device that really thinks it ought to
    > have access via UPnP to, well, anything that device might happen to
    > want.

    Ok, are you deliberately choosing to view what management could be,
    here, as different from what I'm trying to say just to be argumentative,
    or do you have some other purpose in restricting its application to
    being inclusive of fixing the problem you're clinging to?

    It's like you're going out of your way to exclude "manage" from applying
    to things like UPnP because if it did (and in a useful way) then you
    wouldn't have a platform to stand on to argue that it is bad.

    Or maybe, as someone who writes software, I look at the problem and
    see ways it can be solved rather than obstacles that cannot be overcome.

    > I have nothing against Bittorrent, but I wouldn't run it, or Kazaa,
    > or Grokster, on a machine with data that I care about keeping
    > secret.

    So you're afraid of the software because of...?
    I haven't seen all that many security problems for most of the bittorrent
    software. I can find none for azureus (my favourite client).

    > I might be willing to set that software up on a box in the
    > DMZ that does anonymous FTP, because I am willing to recover that
    > data from backup if need be, and because I don't worry about
    > disclosure of stuff which is already publicly available.

    That doesn't address the need of people who want to use it for
    downloads. If I'm given the choice of downloading the latest
    Linux/BSD ISO via ftp, http or bittorrent, I'll go for bittorrent.
    Every time. I expect as time rolls by we'll see more companies
    start to use it for distributing software. Windows updates would
    be a good candidate for a torrent.

    Darren
    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards