Re: [fw-wiz] Is NAT in OpenBSD PF UPnP enabled or Non UPnP?

From: Chuck Swiger
Date: 06/02/05

  • Next message: David Thiel: "Re: [fw-wiz] preventing XSS and SQL injection?"
    To: Darren Reed <>
    Date: Thu, 2 Jun 2005 17:14:55 -0400

    On Jun 2, 2005, at 1:39 PM, Darren Reed wrote:
    >> On Jun 1, 2005, at 6:26 PM, Darren Reed wrote:
    >>> On Jun 1, 2005, at 7:57 PM, Chuck Swiger wrote:
    >> [ ... ]
    >>>> You shouldn't permit inbound HTTP to any box, just to machines
    >>>> which
    >>>> actually are intended to run an HTTP server. You shouldn't enable
    >>>> WebDAV and SOAP and other fancy bits unless you need them. And you
    >>>> hopefully shouldn't permit arbitrary outbound HTTP, either: forward
    >>>> those via a proxy server.
    >>> Uh huh. But you're letting ssh out so how do you enforce any of
    >>> this?
    >> I start by not giving logins and SSH access to users I don't trust.
    > ...
    > Yawn, that was all chest beating.

    You asked a simple question, and got a simple, factual answer.
    I don't see how that could be seen as "chest beating", but whatever.

    >> That, and I encourage users to SSH port forward using a semi-trusted
    >> machine in the DMZ, just as one ought to terminate a VPN endpoint in
    >> the DMZ by preference, where you can.
    > But ssh isn't a VPN technology per se, it's encrypted telnet (or
    > rlogin
    > or..) that I use from my desktop to my destination so I have some sort
    > of measurable security benefit.

    Inconsistency detected. Do you remember saying:

    > If you let that [ssh] through, with tunnelling, you may as well be
    > letting
    > through arbitrary services.


    > There are things I'd like to say here that I can't for reasons
    > that would cause me as much angst if I tried to explain them,
    > in public. Needless to say, you exhibit a very shallow
    > understanding of what tunnelling via ssh really means/enables.


    I regard SSH with port forwarding as being similar in scope to VPN
    access, or IP-over-PPP tunneling, or any similar form of network

    >> [ ... ]
    >>>> No. I'd rather explicitly manage the services which are permitted
    >>>> through the firewall.
    >>> Hmmm, you've said "no" but then gone on to say exactly what I was
    >>> saying, or is there some part of "configure" that doesn't imply
    >>> "manage" ?
    >> Sure. If some random user or guest plugs in a laptop with an 802.11
    >> card or a wireless router to a company's internal subnet, they've
    >> configured a backdoor, a network topology which goes around the
    >> firewall and thus is a serious hole to network security.
    > This is an irrelevant example, for which there are solutions.

    You are absolutely wrong that this example is irrelevant to me, or to
    anyone who uses a firewall in the hopes of obtaining useful security

    A firewall only blocks traffic which goes through it.

    If some random user can easily set up a route which goes around the
    firewall, much less permits untrusted traffic back through, that
    represents a serious, possibly critical weakness to your network

    >> That doesn't mean this action was "managed" as in, the person who
    >> runs the firewall and is responsible for security has approved it. I
    >> don't want a firewall I manage to open ports because some user
    >> somewhere has plugged in a new device that really thinks it ought to
    >> have access via UPnP to, well, anything that device might happen to
    >> want.
    > Ok, are you deliberately choosing to view what management could be,
    > here, as different from what I'm trying to say just to be
    > argumentative
    > or do you have some other purpose from restricting its application to
    > being inclusive of fixing the problem you're clinging to?

    No. I don't "choose to view things" just to argue with people.

    I don't regard my own opinions as being especially important, perhaps
    because I'm not interested in solving problems for which opinions are
    more important than facts. People who believe their own opinions are
    so important that they confuse them with facts often tend to not
    understand my position at all.

    > It's like you're going out of your way to exclude "manage" from
    > applying
    > to things like UPnP because if it did (and in a useful way) then you
    > wouldn't have a platform to stand on to argue that it is bad.

    No. It's like I have a viewpoint on how to set up, configure, and
    manage a network which was formed years before UPnP was invented.

    I think UPnP is useful for limited conditions-- mainly for individual
    users or small LANs-- where nobody is available to manage the
    network. I don't think UPnP is helpful for other situations, because
    anyone who can set up DNS or a DHCP server is already managing the
    network well enough that UPnP doesn't really add anything.

    > Or maybe, as someone who writes software, I look at the problem and
    > see ways it can be solved rather than obstacles that cannot be
    > overcome.

    Do you regard security as a problem to be solved, or as an obstacle?

    >> I have nothing against Bittorrent, but I wouldn't run it, or Kazaa,
    >> or Grokster, on a machine with data that I care about keeping
    >> secret.
    > So you're afraid of the software because of...?

    No, I'm not afraid of this sort of software.

    I don't choose to run it on machines where I don't need to, and
    especially I don't choose to run it on machines with data I want to
    keep secret. [1] If we could convince users *not* to run untrusted
    software, a great deal of the current disaster with emailed viruses/
    trojan horse problem would go away.

    [ Only, it's clear that we aren't able to convince users not to click
    on email attachments, which is why people now spend time and money
    filtering viruses at their MX, or even outsourcing email entirely.
    Hosting MS-Exchange offsite is a pretty big business, nowadays, which
    is almost incomprehensible to me, but companies seem to value
    calendar and Blackberry access more than they worry about all of
    their email being managed offsite by a third-party. ]

    [1]: This has nothing to do with Bittorrent.  I don't run a webserver
    on my fileserver, either, and I wouldn't have any open ports on the
    box if I could set it up that way and still have it serve the role
    that it needs to.  I'm happier setting up a fileserver which does not
    allow end-users shell access, for example, or which forbids
    setuid-execution in the partition where user home directories are kept.
    firewall-wizards mailing list
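Editor's added example, not part of the original message or thread: an OpenBSD pf.conf fragment that expresses the policy argued for above (inbound HTTP only to designated web servers, outbound HTTP only through a proxy, and outbound SSH from the inside terminating on a semi-trusted DMZ host rather than on arbitrary Internet machines). Interface names, addresses and the proxy port are constructed placeholders. The rule syntax is the OpenBSD 3.x-era form ("flags S/SA keep state") that the thread's date suggests; newer pfctl still accepts it. NAT rules are omitted because they differ between PF generations and are not needed to show the filtering policy.

```pf
# Constructed placeholders; substitute your own interfaces and addresses.
ext_if = "em0"                              # Internet-facing
int_if = "em1"                              # internal user subnet
dmz_if = "em2"                              # DMZ

web_servers = "{ 192.0.2.10, 192.0.2.11 }"  # hosts that actually run HTTP
proxy       = "192.0.2.20"                  # HTTP proxy in the DMZ
proxy_port  = "3128"                        # assumed proxy listener port
ssh_bastion = "192.0.2.30"                  # semi-trusted DMZ SSH host

set skip on lo0

# Default deny in both directions; everything below is an explicit exception.
block log all

# Inbound HTTP only to machines intended to serve it, not "to any box".
pass in on $ext_if proto tcp from any to $web_servers port 80 \
    flags S/SA keep state

# No direct outbound HTTP from the inside: users talk to the proxy,
# and only the proxy talks to the Internet on 80/443.
pass in  on $int_if proto tcp from $int_if:network to $proxy port $proxy_port \
    flags S/SA keep state
pass in  on $dmz_if proto tcp from $proxy to any port { 80, 443 } \
    flags S/SA keep state
pass out on $ext_if proto tcp from $proxy to any port { 80, 443 } \
    flags S/SA keep state

# SSH from the inside terminates on the DMZ bastion; only the bastion
# may open SSH sessions outward, so forwarding is bounded by that host.
pass in  on $int_if proto tcp from $int_if:network to $ssh_bastion port 22 \
    flags S/SA keep state
pass in  on $dmz_if proto tcp from $ssh_bastion to any port 22 \
    flags S/SA keep state
pass out on $ext_if proto tcp from $ssh_bastion to any port 22 \
    flags S/SA keep state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading. With PF's default floating state policy the separate `pass out on $ext_if` rules are belt and braces, since the state created on the inbound interface already matches the packet on the way out. Note what the firewall cannot do here: once SSH to the bastion is permitted, the rules above cannot tell a plain login from a `-L`/`-D` port forward, which is the point made in the message. That control lives on the bastion itself, in its sshd_config (`AllowTcpForwarding` and `PermitTunnel`), and in who is given an account there.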

