On Mon, Apr 08, 2002 at 04:27:11AM +0200, Henrik Nordstrom wrote:
> 
> The UPnP server does not officially know the application, no, but in 
> each portmap request there is at least a connection description / 
> comment describing the use of the connection,

Which a security administrator has to trust.  Bad!  Never trust what
the other side is telling you without being able to verify it.

> and due to the leverage on top 
> of HTTP there should also be a User-Agent header.

I have never seen the "User-Agent" header used for identification or
security purposes.  To do so would be crazy.  Just as trusting a UPnP
client to tell the truth about what it is.

> Further, if your UPnP device (i.e. the NAT:ing firewall) requires 
> authentication then it is not likely a trojan gets very far unless it 
> can persuade the user to provide the needed credentials.

We all know this is trivial.  Look at the number of users that
"click this link for a funny animation" type of thing in their
e-mails.  Users can be talked into doing just about anything for
little return.  My trojan would tell the user, "put in your password
when it asks to download this cool new game".  Wanna give me $5 for
every user that does?

> Only within the limitations of what the UPnP device accepts.

But that is the question.  If apps are just asking for mappings on the
UPnP device (i.e. listen TCP port 456), how can the device impose any
limitations?  There is nothing security-wise for it to determine what
it should allow and what it should deny.

> Not unless there is a fingerprint of this application of some sort, 
> no. However, in most cases I expect applications to be easily 
> fingerprinted.

You are more optimistic than I.  :-)

> And in such case you do not have a need for UPnP port forwarding.

Right!

> UPnP port forwarding as such does not guarantee that you can 
> differentiate the applications, or that you can trust whatever 
> the applications claim to be. But due to the richness of information 
> in the protocols involved you are extremely likely to make rules 
> differentiating these applications.

Perhaps.  But at that point, perhaps you have already implemented a
conntracking/natting helper.

b.

-- 
Brian J. Murrell
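Added example, not part of the thread: a minimal policy check for a UPnP IGD AddPortMapping request on a NAT gateway, written from the gateway's side. The argument names (NewInternalClient, NewExternalPort, NewPortMappingDescription, and so on) are the standard WANIPConnection ones; the request itself is constructed and the administrator rule table is hypothetical. It decides only on what the gateway can verify (the requester's source address, the ports) and never reads the client-chosen description or User-Agent, which is the trust problem the thread is arguing about.

```python
import re

# Constructed UPnP IGD AddPortMapping request (WANIPConnection:1), roughly what an
# application behind the NAT sends; description and User-Agent are client-chosen.
SAMPLE_REQUEST = """POST /ctl/IPConn HTTP/1.1
Host: 192.168.1.1:5000
User-Agent: cool-new-game/1.0
SOAPAction: "urn:schemas-upnp-org:service:WANIPConnection:1#AddPortMapping"

<?xml version="1.0"?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">
<s:Body><u:AddPortMapping xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1">
<NewRemoteHost></NewRemoteHost><NewExternalPort>456</NewExternalPort>
<NewProtocol>TCP</NewProtocol><NewInternalPort>456</NewInternalPort>
<NewInternalClient>192.168.1.77</NewInternalClient><NewEnabled>1</NewEnabled>
<NewPortMappingDescription>funny animation</NewPortMappingDescription>
<NewLeaseDuration>0</NewLeaseDuration></u:AddPortMapping></s:Body></s:Envelope>
"""

FIELDS = ("NewExternalPort", "NewProtocol", "NewInternalPort", "NewInternalClient")

def parse_add_port_mapping(raw):
    """Extract the arguments the gateway acts on; None if any is missing."""
    args = {}
    for field in FIELDS:
        m = re.search(rf"<{field}>(.*?)</{field}>", raw, re.S)
        if m is None:
            return None
        args[field] = m.group(1).strip()
    return args

def decide(raw, source_ip, rules):
    """Allow/deny using only facts the gateway can check itself.
    rules: hypothetical administrator table {(internal_ip, proto, internal_port): external_port}.
    The client-supplied description and User-Agent are never consulted."""
    args = parse_add_port_mapping(raw)
    if args is None:
        return ("deny", "missing AddPortMapping argument")
    if args["NewInternalClient"] != source_ip:  # verifiable from the packet itself
        return ("deny", "NewInternalClient does not match requester")
    try:
        ext, internal = int(args["NewExternalPort"]), int(args["NewInternalPort"])
    except ValueError:
        return ("deny", "malformed port")
    if not (0 < ext < 65536 and 0 < internal < 65536):
        return ("deny", "port out of range")
    key = (source_ip, args["NewProtocol"].upper(), internal)
    if rules.get(key) == ext:
        return ("allow", f"administrator rule {key} -> {ext}")
    return ("deny", f"no administrator rule for {key}")
```

With an empty rule table every request is denied, which is the point: without an out-of-band rule the description text gives the gateway nothing to decide on.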
