Re: UPNP/SSDP
From: francis gerard (dekerf_at_hotmail.com)
Date: 07/19/04
- Next message: Mike Williams [MVP]: "Re: Anyone tried XP SP2 post RC2 build 2162 ??"
- Previous message: ?? Ben: "Re: Writing to cd"
- In reply to: CZ: "Re: UPNP/SSDP"
- Next in thread: CZ: "Re: UPNP/SSDP"
- Reply: CZ: "Re: UPNP/SSDP"
- Messages sorted by: [ date ] [ thread ]
Date: Mon, 19 Jul 2004 00:39:39 -0400
"CZ" <CZ@no99spam.com> wrote in message
news:e%23fZCuTbEHA.2812@tk2msftngp13.phx.gbl...
> Re: UPnP
>
> From:
> http://techupdate.zdnet.com/techupdate/stories/main/Linksys_routers_and_DDoS.html
>
> "I asked Gibson whether UPnP-compliance could be the answer to the sort of
> on-the-fly port adjustments that he likes. Gibson responded,
> "Firewall/routers with UPnP enabled by default will be the next major
> security problem." Why? Systems on the inside of a UPnP-compliant firewall
> are given the authority to dynamically change a port's status. However,
> the difference between UPnP and the ZoneAlarm-sort of flexibility that
> Gibson likes is that in the latter situation, the flexibility is hardwired
> to some known problems. With UPnP, the dynamism is more encompassing of
> all ports. Firewalls aren't simply for keeping the bad stuff out, but also
> for keeping both bad and confidential stuff from getting out. Gibson cites
> the example of e-mail borne viruses. "Once a virus is inside the firewall,
> nothing prevents it from using UPnP to open up a port in your firewall and
> exposing your network."
while i respect most of steve's (grc.com) thoughtful opinions and careful
research, at times he can be just a tad alarmist, particularly about
microsoft products, not without good reason though, i'm sure. he's even
more cynical about microsoft practices than i am... and that's saying a lot.
;-)
in any case, with regard to this topic of discussion, UPnP NAT Routers and
Firewalls...
a firewall and a NAT-based UPnP-compliant router are distinctly different
entities: the firewall does stateful inspection of packets traversing the
host's network interface(s), and if done at the application level, can
provide a reasonable level of protection against unsolicited inbound traffic
and block unauthorized outbound traffic, based on whatever application and
port rules have been configured.
the NAT router is a packet filter that routes packets between the LAN
interface(s) of each host on the internal network and the WAN gateway (the
internet in this case). the NAT (network address translation) functionality
provides the first level of security because the WAN interface is isolated
from the LAN interface(s): private IPs are used on the internal LAN side and
are not routable on the WAN (internet) side and vice versa.
because the router operates at the network level, it's not the job of a UPnP
NAT router to block that type of outgoing traffic (although some routers do
have this feature); the application-level firewall is intended for that
purpose. keep in mind, we're talking about consumer-grade home-based
routers, not the industrial type used to route traffic on public networks,
like the internet.
so, to encapsulate what i'm trying to say, firewalls and routers are not the
same thing, and to have a reasonable level of protection against unsolicited
inbound traffic and block unauthorized outbound traffic, you should have
*both* a router and a firewall in place, but the application-level firewall
is more important to guard against the types of traffic leaving your
machine that perhaps shouldn't be.
as for UPnP, i like the idea that an application can dynamically open/close
ports; that's certainly better than leaving ports open when not in use, and
not such a pain in the arse when, on the other hand, you are required to
manually configure your router to open a port to allow application X to work
properly. the firewall can take care of the rest, i.e., deciding whether or
not application X is allowed to open ports. you realize that with a
firewall in place, the UPnP component of Windows does not even see the
request to change a port's status on the router unless the firewall has
allowed the application to do so in the first place.
-- francis
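The exchange discussed in this thread, as an added example that is not part of the original post or of any particular router's or Windows' own code: an application on the LAN multicasts an SSDP M-SEARCH for the router's WANIPConnection service, reads the LOCATION header from the reply, and then POSTs a SOAP AddPortMapping action to the control URL. The router side is modelled by a small parser that returns the mapping it would install. The router address 192.168.1.1, the control path /ctl/IPConn, the internal host 192.168.1.50 and port 6881 are assumptions, and the SSDP reply is constructed for the example. What the code makes visible is the point Gibson and francis are arguing about: nothing in either message identifies or authenticates the caller, so whether a given program may send it is decided (if at all) on the host, by the application-level firewall, not by the router.

```python
from xml.etree import ElementTree as ET

SSDP_GROUP = "239.255.255.250"
SSDP_PORT = 1900
WANIP = "urn:schemas-upnp-org:service:WANIPConnection:1"
SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"


def build_msearch(st: str = WANIP, mx: int = 2) -> bytes:
    """SSDP M-SEARCH that an application multicasts to 239.255.255.250:1900
    to locate the router's WANIPConnection service. No credentials anywhere."""
    lines = [
        "M-SEARCH * HTTP/1.1",
        f"HOST: {SSDP_GROUP}:{SSDP_PORT}",
        'MAN: "ssdp:discover"',
        f"MX: {mx}",
        f"ST: {st}",
    ]
    return ("\r\n".join(lines) + "\r\n\r\n").encode()


# Constructed unicast SSDP reply (assumed router address and description path).
SAMPLE_SSDP_REPLY = (
    b"HTTP/1.1 200 OK\r\n"
    b"CACHE-CONTROL: max-age=120\r\n"
    b"ST: urn:schemas-upnp-org:service:WANIPConnection:1\r\n"
    b"USN: uuid:00000000-0000-0000-0000-000000000000::"
    b"urn:schemas-upnp-org:service:WANIPConnection:1\r\n"
    b"LOCATION: http://192.168.1.1:5000/rootDesc.xml\r\n"
    b"SERVER: OS/1.0 UPnP/1.0 example-igd/1.0\r\n"
    b"EXT:\r\n"
    b"\r\n"
)


def parse_ssdp_response(raw: bytes) -> dict:
    """Headers of an SSDP reply, names upper-cased. LOCATION is the device
    description URL from which the service's control URL is read."""
    text = raw.decode("utf-8", errors="replace")
    head = text.split("\r\n\r\n", 1)[0]
    status, *header_lines = head.split("\r\n")
    if not status.startswith("HTTP/1.1 200"):
        raise ValueError(f"unexpected SSDP status line: {status!r}")
    headers = {}
    for line in header_lines:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().upper()] = value.strip()
    return headers


def build_add_port_mapping(router_host, control_path, external_port, internal_client,
                           internal_port, protocol="TCP", description="example",
                           lease_seconds=0) -> bytes:
    """HTTP POST carrying the SOAP AddPortMapping action: the request that opens
    external_port on the WAN side and forwards it to internal_client."""
    body = (
        '<?xml version="1.0"?>\r\n'
        f'<s:Envelope xmlns:s="{SOAP_NS}" '
        's:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">'
        "<s:Body>"
        f'<u:AddPortMapping xmlns:u="{WANIP}">'
        "<NewRemoteHost></NewRemoteHost>"  # empty: any remote host may connect
        f"<NewExternalPort>{external_port}</NewExternalPort>"
        f"<NewProtocol>{protocol}</NewProtocol>"
        f"<NewInternalPort>{internal_port}</NewInternalPort>"
        f"<NewInternalClient>{internal_client}</NewInternalClient>"
        "<NewEnabled>1</NewEnabled>"
        f"<NewPortMappingDescription>{description}</NewPortMappingDescription>"
        f"<NewLeaseDuration>{lease_seconds}</NewLeaseDuration>"  # 0 = permanent
        "</u:AddPortMapping>"
        "</s:Body>"
        "</s:Envelope>"
    ).encode()
    headers = (
        f"POST {control_path} HTTP/1.1\r\n"
        f"HOST: {router_host}\r\n"
        'CONTENT-TYPE: text/xml; charset="utf-8"\r\n'
        f'SOAPACTION: "{WANIP}#AddPortMapping"\r\n'
        f"CONTENT-LENGTH: {len(body)}\r\n"
        "\r\n"
    ).encode()
    return headers + body


def router_apply_add_port_mapping(request: bytes) -> dict:
    """Model of the router side: parse the action and return the mapping it
    would install. Note what is absent: no credential or caller identity is
    checked; the only 'authorization' is having reached the LAN interface."""
    head, _, body = request.partition(b"\r\n\r\n")
    soapaction = ""
    for line in head.decode().split("\r\n"):
        if line.upper().startswith("SOAPACTION:"):
            soapaction = line.split(":", 1)[1].strip().strip('"')
    if soapaction != f"{WANIP}#AddPortMapping":
        raise ValueError(f"unsupported action: {soapaction!r}")
    root = ET.fromstring(body)
    action = root.find(f"{{{SOAP_NS}}}Body/{{{WANIP}}}AddPortMapping")
    if action is None:
        raise ValueError("no AddPortMapping element in SOAP body")
    return {child.tag: (child.text or "") for child in action}


if __name__ == "__main__":
    print(build_msearch().decode())
    print(parse_ssdp_response(SAMPLE_SSDP_REPLY)["LOCATION"])
    req = build_add_port_mapping("192.168.1.1:5000", "/ctl/IPConn", 6881,
                                 "192.168.1.50", 6881, description="bt client")
    print(router_apply_add_port_mapping(req))
```

In the real exchange the control path comes from the device description fetched from LOCATION, and the router answers with an AddPortMappingResponse or a SOAP fault; both are omitted here so the block runs offline. The empty NewRemoteHost and zero NewLeaseDuration are the common defaults applications use, and they are exactly what makes an unattended mapping a permanent, world-reachable hole.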