On Sun, Apr 07, 2002 at 03:33:23PM +0200, Henrik Nordstrom wrote:
>
> A firewall who gives no access is very effective, but not likely to
> make you very famous as it also inhibits any communication to take
> place.

Understood. But a firewall that takes "orders" as to what to open and close without an understanding of what it's for is next to useless. Firewalls are put in place precisely because OSes and applications cannot be trusted on the network. To then give them the permission to modify the security policy as they wish makes them next to useless.

> netfilter is both. Depends on how you use it.

Indeed.

> And yet allow users to connect computers you do not trust to the
> network? And surf the web or read email on those?

Well some arguments are just never going to be won. :-)

> I would say you have other higher priority goals than security. There
> is always a balance to be found between security and functionality.

Of course. I think my goal in bringing up this discussion was just to alert anyone who was not quite thinking it through, what a UPnP server will allow clients to do. That is not to say it should not be developed, just that it should be used with caution.

> This is what you define when defining a security policy. Only
> applications fitting the security policy can be used by your users.

Right! But my impression is that you have no idea which application is requesting the access through the UPnP server. A security policy of "allow whatever the clients ask for" is no security policy at all, and unless the firewall/UPnP server knows which application each request is for (without having to resort to trusting the application asking to tell it truthfully) then how do you implement a security policy around this?

> So is IRC DCC more or less.

Right, and a good reason to disallow it, but in contrast, an IRC DCC has to go along with an IRC usage. If a trojan wants to emulate the IRC protocol then yes it will get its port open but that's an amount of work to go to get a trojan listening on the network.

> To me the basis of the rant is to show that you have other priorities
> than maximum security, or else you would not allow those OS:es to be
> connected to your network.

Like I said, some arguments are just not winnable. I would love to replace those OSes but the reality of life is that there is no replacement.

> Providing UPnP is about providing a security capability

I disagree with this characterization. I have seen nothing to suggest UPnP has anything to do with security but rather is about getting access through firewalls. But this opinion is only based on what I have read here. I have not read the UPnP spec. Feel free to correct me if you know different.

> to your
> users, as is providing the ability to run desktops with insecure
> OS:es.

All OSes can be insecure. Some are more prone to it than others. I am not really trying to pick on an OS when I characterize firewalls/filters as protecting OSes.

> What you provide is based on your security policy. If your policy does
> not allow insecure OS:es or the use of UPnP then it is not allowed.

Right.

> The point of providing an UPnP service is that you can make a more
> flexible policy,

I am not sure I see it as being more "flexible" but rather lax.

> allowing use of various kinds of protocols

But it's not a choice of "various" protocols. From my understanding, once you turn on UPnP, any application that knows how to ask the server can have whatever access (listening ports, sending port, any number of these) it wants. So if a single UPnP using application has been determined to have a vulnerability, there is no way to disable the use of that one application without disabling all UPnP enabled apps. That does not seem flexible to me.

> without
> having to have each of these protocols fully understood by your
> security gateway.

But if your firewall understands the protocols, you can choose which applications are allowed access and which are not.

> Obviously you need a policy defining the conditions on when/why/how
> UPnP may be used. Any sane security gateway administrator would not
> give unlimited UPnP permissions to all users with no sanity checking.

So UPnP allows one to differentiate applications making requests for access? I.e. Messenger is allowed but NetMeeting is not? How does the UPnP server know which application on a machine is making the requests for ports?

> Then don't. The choice is yours.

Of course. Like I said, I will make my choices. I just want to ensure that others understand the ramifications of something like a UPnP service.

b.

-- 
Brian J. Murrell
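
An added example, not part of the message above and not code from any UPnP implementation: a sketch of the kind of gateway-side sanity checking the thread discusses, applied to port-mapping requests. The field names follow the arguments of the UPnP IGD AddPortMapping action; the policy values, the `evaluate` helper and the sample requests are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class MappingRequest:
    source_ip: str        # address the request arrived from (seen by the gateway)
    internal_client: str  # NewInternalClient
    internal_port: int    # NewInternalPort
    external_port: int    # NewExternalPort
    protocol: str         # NewProtocol
    lease_seconds: int    # NewLeaseDuration
    description: str      # NewPortMappingDescription: client-supplied, untrusted

# Hypothetical site policy, constructed for this example.
POLICY = {
    "allowed_hosts": ipaddress.ip_network("192.168.1.0/28"),
    "external_ports": range(20000, 20100),
    "protocols": {"UDP"},
    "max_lease": 3600,
    "max_mappings_per_host": 2,
}

def evaluate(req, active, policy=POLICY):
    """Return (allowed, reason). `active` maps host IP -> current mapping count.

    Only attributes the gateway can observe or bound are checked; the
    description is ignored because the requesting client chooses it.
    """
    try:
        src = ipaddress.ip_address(req.source_ip)
        target = ipaddress.ip_address(req.internal_client)
    except ValueError:
        return False, "malformed address"
    if src not in policy["allowed_hosts"]:
        return False, "host not permitted to use UPnP"
    if target != src:
        return False, "mapping targets another host"
    if req.protocol.upper() not in policy["protocols"]:
        return False, "protocol not permitted"
    if req.external_port not in policy["external_ports"]:
        return False, "external port outside permitted range"
    if not 0 < req.lease_seconds <= policy["max_lease"]:
        return False, "lease must be finite and within limit"
    if active.get(req.source_ip, 0) >= policy["max_mappings_per_host"]:
        return False, "per-host mapping quota reached"
    return True, "allowed"
```

Two requests that differ only in `description` receive the same decision, which is the limitation raised in the message: the gateway can bound hosts, ports, protocols and lease times, but it cannot tell which application on a host made the request.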