[UPnP-SDK-discuss] UPNP Server/Application Gateway for Linux
Brian J. Murrell
Sun, 7 Apr 2002 18:28:01 -0400
Content-Type: text/plain; charset=us-ascii
On Sun, Apr 07, 2002 at 03:33:23PM +0200, Henrik Nordstrom wrote:
> A firewall who gives no access is very effective, but not likely to=20
> make you very famous as it also inhibits any communication to take=20
Understood. But a firewall that takes "orders" as to what to open and
close without and understanding of what it's for is next to useless.
Firewalls are put in place precisely because OSes and applications
cannot be trusted on the network. To then give them the permission to
modify the security policy as they wish makes them next to useless.
> netfilter is both. Depends on how you use it.
> And yet allow users to connect computers you do not trust to the=20
> network? And surf the web or read email on those?
Well some arguments are just never going to be won. :-)
> I would say you have other higher priority goals than security. There=20
> is always a balance to be found between security and functionality.
Of course. I think my goal in bringing up this discussion was just to
alert anyone who was not quite thinking it through, what a UPnP server
will allow clients to do. That is not to say it should not be
developed, just that it should be used with caution.
> This is what you define when defining a security policy. Only=20
> applications fitting the security policy can be used by your users.
Right! But my impression is that you have no idea which application
is requesting the access through the UPnP server. A security policy
of "allow whatever the clients ask for" is no security policy at all,
and unless the firewall/UPnP server knows which application each
request is for (without having to resort to trusing the application
asking to tell it truthfully) then how do you implement a security
policy around this?
> So is IRC DCC more or less.
Right, and a good reason to disallow it, but in contrast, and IRC DCC
has to go along with an IRC usage. If a trojan wants to emulate the
IRC protocol then yes it will get it's port open but that's an amount
of work to go to get a trojan listening on the network.
> To me the basis of the rant is to show that you have other priorities=20
> than maximum security, or else you would not allow those OS:es to be=20
> connected to your network.
Like I said, some arguments are just not winnable. I would love to
replace those OSes but the reality of life is that there is no
> Providing UPnP is about providing a security capability
I disagree with this characterization. I have seen nothing to suggest
UPnP has anything to do with security but rather is about getting
access through firewalls. But this opinion is only based on what I
have read here. I have not read the UPnP spec. Feel free to correct
me if you know different.
> to your=20
> users, as is providing the ability to run desktops with insecure=20
All OSes can be in-secure. Some are more prone to it than others. I
am not really trying to pick on an OS when I characterize
firewalls/filters as protecting OSes.
> What you provide is based on your security policy. If your policy do=20
> not allow insecure OS:es or the use of UPnP then it is not allowed.
> The point of providing an UPnP service is that you can make a more=20
> flexible policy,
I am not sure I see it as being more "flexible" but rather lax.
> allowing use of various kinds of protocols
But it's not a choice of "various" protocols. From my understanding,
once you turn on UPnP, any application that knows how to ask the
server can have whatever access (listening ports, sending port, any
numbers of these) it wants gets it. So if a single UPnP using
application has been determined to have a vulnerability, there is no
way to disable the use of that one application without disabling all
UPnP enabled apps. That does not seem flexible to me.
> having to have each of these protocols fully understood by your=20
> security gateway.
But if you firewall understands the protocols, you can choose which
applications are allowed access and which are not.
> Obviously you need a policy defining the conditions on when/why/how=20
> UPnP may be used. Any sane security gateway administrator would not=20
> give unlimited UPnP permissions to all users with no sanity checking.=20
So UPnP allows one to differentiate applications making requests for
access? I.e. Messenger is allowed but NetMeeting is not? How does
the UPnP server know which application on a machine is making the
requests for ports?
> Then don't. The choice is yours.
Of course. Like I said, I will make my choices. I just want to
ensure that others understand the ramifications of something like a
Brian J. Murrell
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org
-----END PGP SIGNATURE-----