Starting my first game - general questions

;D ;D ;D

(I LOVE linux…)

You mean “a good interactive firewall”. There is no way for a “normal” firewall to do this. IMHO you’re talking about a small subset of firewalling.

Not according to the field of Security Engineering:

Threat: someone wants to get info from inside your LAN out
Measure: you have to stop info being read, or stop it from being transmitted

Evaluation: UPNP is only one of many ways that it can be transmitted. Others that are arguably easier include:

  • piggyback on some well-known program that is bound to get run sooner or later. IM clients are good for this, assuming you are too lazy to go read up some of the Outlook hacks
  • set your process name to “internet explorer” and dial-out. I’d consider this the easiest by far. ZoneAlarm says “internet explorer is trying to access a site”. What do you think most people will do?

You didn’t have any in the first place; be diligent and methodical, look at the attacks and the counter-measures and you’ll see this is de facto true, unless you have put many other things in place (several of which are going to prevent the UPNP class of attacks anyway, at which point the whole UPNP issue becomes moot. )

I don’t want to put a fine point on this, but I can only say your security expert friends differ substantially in their opinions from my “security expert” friends, people such as Ross Anderson.

By that argument, to put it simply, since you're going to die of something anyway, you might as well smoke and drink to excess. Or more directly, no one should have a firewall, period, because there are other security risks besides the one it covers.

Pretty clearly and obviously faulty reasoning.

No, that’s twisting my words. I was saying “You are already dead. A few more bullets aren’t going to make a difference.”

But part of it rings true… a chain is only as strong as the weakest link. Firewalls DO help, but in my opinion they are far overrated. People treat them like some magic bullet but they are no better than the virus scanners that you found so ineffective…

I disagree to some degree. Yes, there are limits to firewalls, but the big advantage they have is that they run on separate, uncompromisable hardware (a dedicated box.)

The same is NOT true of any virus scanner or firewall that runs on the target machine.

That probably makes my objection to UPnP the clearest, as with UPnP the firewall CAN now be compromised by malware running on the target machine. So I agree with you they are no better than the virus scanner IF you allow UPnP, but they are a lot more secure if you don't.

So there is malicious code on my machine and it uses http: and connects to port 80 of an external server to share my secrets (hardly a limitation). Getting an outbound connection from behind the firewall is rarely a problem. Once the connection is made the information flows in BOTH directions. How will UPnP protect me from that?

Depends on how tight your firewall is.

You don't have to let any 80 tcp connection out. You can proxy web connections through a proxy server (which is what we do at SSSun for our corporate network). Besides, you are still ignoring the use of your machine to launch attacks on OTHER systems. That generally requires an inbound connection. UPnP makes it possible for malware to open up your firewall and allow that inbound connection.

Nothing is 100% secure; the question is how many threats do you want to be secure against? If you enable UPnP you've made the answer to that “none”.
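To make the two positions in the exchange above concrete, here is a small model of a gateway firewall policy: default-deny unsolicited inbound, egress either wide open or restricted to a web proxy, and a switch for whether LAN hosts may add UPnP port mappings. It is an added example for this discussion, not code from any of the posters; the proxy address and port (10.0.0.2:3128), the LAN host 10.0.0.50, the external addresses (documentation ranges) and the forwarded port 4444 are all constructed placeholders.

```python
"""Toy model of a perimeter firewall, used to compare the positions in this thread:
default-deny inbound, egress either open or proxy-only, and the effect of letting a
LAN host add UPnP port mappings.  Added example; all hosts, ports and rules are
constructed for illustration and do not describe any real product.
"""
from dataclasses import dataclass, field

PROXY_HOST = "10.0.0.2"   # constructed: the web proxy on the LAN
PROXY_PORT = 3128         # constructed: the proxy's listening port


@dataclass
class Conn:
    """One connection attempt as seen by the gateway."""
    direction: str   # "out" (LAN -> Internet) or "in" (Internet -> LAN)
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


@dataclass
class Firewall:
    egress_mode: str = "open"      # "open": any outbound; "proxy_only": via the proxy only
    upnp_enabled: bool = False
    # dynamic inbound mappings requested by LAN hosts: (proto, port) -> LAN host
    upnp_mappings: dict = field(default_factory=dict)

    def request_upnp_mapping(self, proto: str, port: int, lan_host: str) -> bool:
        """A LAN host asks the gateway to forward an external port to itself.
        Honoured only when UPnP is enabled; returns True if the mapping was added."""
        if not self.upnp_enabled:
            return False
        self.upnp_mappings[(proto, port)] = lan_host
        return True

    def allow(self, c: Conn) -> bool:
        """Policy decision for an unsolicited connection attempt."""
        if c.direction == "out":
            if self.egress_mode == "proxy_only":
                # Only the proxy may reach the Internet; LAN hosts may only talk to the proxy.
                return c.src == PROXY_HOST or (c.dst == PROXY_HOST and c.dport == PROXY_PORT)
            return True
        # Inbound: stateful replies are not modelled here; anything unsolicited is
        # dropped unless a UPnP mapping for that protocol/port exists.
        return (c.proto, c.dport) in self.upnp_mappings


def scenario(egress_mode: str, upnp_enabled: bool) -> dict:
    """Run the same sequence of attempts against one policy and return the outcomes."""
    fw = Firewall(egress_mode, upnp_enabled)
    lan_host, outside = "10.0.0.50", "203.0.113.9"   # constructed addresses
    results = {}
    # 1. A process on the LAN host connects straight out to tcp/80 (the case in the thread).
    results["direct_80_out"] = fw.allow(Conn("out", lan_host, outside, 80))
    # 2. The same host goes through the proxy instead.
    results["via_proxy"] = fw.allow(Conn("out", lan_host, PROXY_HOST, PROXY_PORT))
    # 3. Unsolicited inbound to tcp/4444 before any mapping exists.
    results["inbound_before"] = fw.allow(Conn("in", "198.51.100.7", lan_host, 4444))
    # 4. The LAN host asks for a mapping, then the same inbound attempt is retried.
    results["mapping_added"] = fw.request_upnp_mapping("tcp", 4444, lan_host)
    results["inbound_after"] = fw.allow(Conn("in", "198.51.100.7", lan_host, 4444))
    return results


if __name__ == "__main__":
    for mode, upnp in [("open", False), ("open", True), ("proxy_only", True)]:
        print(f"egress={mode:10s} upnp={upnp!s:5s} -> {scenario(mode, upnp)}")
```

Running the three policies side by side shows what each poster is pointing at: with open egress, a direct tcp/80 connection out is always allowed, so the firewall alone does nothing against data leaving; with proxy-only egress it is blocked, which is the tighter policy one poster describes. Independently of egress, the unsolicited inbound attempt is dropped until a mapping exists, and only a gateway with UPnP enabled lets a LAN host create that mapping, which is the other poster's point.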

Not many home users use a proxy server. And even if they did, I’m not sure it would solve the problem without making a lot of sacrifices to the whole surfing experience.

[quote] Besides, you are still ignoring the use of your machine to launch attacks on OTHER systems.
[/quote]
Yes, intentionally. That’s a secondary effect that only comes about AFTER my computer is compromised. If I protect my computer from being compromised, then I eliminate that threat as well.

[quote]That generally requires an inbound connection.
[/quote]
Keyword “generally”, that is, until someone takes four or five minutes and writes some code to find instructions (and lists of servers in case the main one gets taken down) using polling, it wouldn’t have to poll frequently.

[quote]UPnP makes it possible for malware to open up your firewall and allow that inbound connection.
[/quote]
Not JUST malware, useful stuff that I WANT to run. I tend to avoid running malware :) so that leaves UPnP as a useful feature for the stuff I want to run.

[quote]Nothing is 100% secure; the question is how many threats do you want to be secure against? If you enable UPnP you've made the answer to that “none”.
[/quote]
“none” ?

Enabling UPnP means you will be secure against absolutely NO threats whatsoever? Disabling UPnP is the ONLY thing protecting your computer?

A bit of a stretch don’t you think?

You are more likely to get your machine taken over by visiting a web site with I.E., or opening an email in Outlook Express that has HTML content. Unless you’ve configured I.E. and Outlook to not be able to access the internet… but that is hardly useful.

Are you saying that most OS’s come with malware pre-installed that will use UPnP to open up the ports and turn my machine into a zombie? You DO have to get that malware on your machine in the first place of course, and that is the basis of my point. You need to protect your system as much as you can so that the malware can’t get installed. Once the system is compromised, whatever barriers you have left are going to offer you significantly diminishing returns… to the point where I feel disabling UPnP is not worth the inconvenience.