Pages: 1 [2]

Author Topic: UPnP  (Read 14575 times)

roseway

Re: UPnP
« Reply #15 on: July 18, 2010, 06:52:01 PM »

I don't want to be argumentative, and it's possible that I'm wrong, but I am quite sure that only devices inside your network can open ports using uPnP. If you have no programs running which require uPnP, then no ports are open. The router may advertise itself, but it does that every time you use the internet, so that isn't of itself a security issue. I do not believe that external internet devices can use uPnP to penetrate your network without the assistance of a program running inside your network.

silversurfer44

Re: UPnP
« Reply #16 on: July 18, 2010, 07:07:55 PM »

I think the danger is the lack of proper authentication. Bluetooth devices operate in a similar fashion. The main difference is a device needs to pair with another and requires a push of a button to accept. If I read the documentation correctly there is no such acceptance required, or if there is it is easily circumvented.

Adjudicator please?  ;D Else it's  :slap:

Weaver

Re: UPnP
« Reply #17 on: July 19, 2010, 10:15:00 AM »

> but I am quite sure that only devices inside your network can open ports using uPnP.

Indeed. If your applications need UPnP facilities to get them to work behind a NAT then you need UPnP. If you don't like what your applications get up to over the internet, then don't run those applications.

Any application can open holes in your firewall. Without such an ability, you wouldn't be able to browse the web or collect your email. A stateful firewall opens holes for inbound traffic based on _actions_ carried out by applications inside your network, and those actions might either be sending packets to destinations outside and so changing the firewall state because the firewall then regards related inbound communications as 'solicited', or by manipulating the UPnP device in a SOHO router doing NAT.

An application example: In more recent versions of Windows Messenger/MSN Messenger (so called 'Live') the application opens holes to allow ipv6 over teredo tunnelling, and it does this by sending UDP packets in order to manipulate firewalls and map out the way in which your NAT, if present, operates.

I run a router with a UPnP service turned on, and have no problem with it. UPnP is not a security risk unless you are running evil applications. In that case the cure is to make certain not to run evil applications. If you are unsure about any of the software that is running in your network, then the game is already over, and firewalls won't fix your problems.

Saying UPnP is a security risk is the same as saying that having an internet connection is a security risk, as opposed to being disconnected from the internet. Why? Because applications might abuse that connection. To be quite clear about this, any app that you run can start exporting information using say HTTP or whatever method you like, and no firewall is going to make the slightest bit of difference.

A machine is not secured correctly unless it is fine to operate it with no firewall at all in operation.


Weaver

Re: UPnP
« Reply #18 on: July 19, 2010, 10:21:49 AM »

Another thought (after that rant :-) ) is that if you get rid of NAT then you don't need some of this nonsense and complexity. NAT is a bad thing, and adding in various hacks to try and live with it, as in UPnP, makes application authors' lives vastly more difficult.

Zen, Demon (Business) and AAISP are just a few of the ISPs who will give you a block of IP addresses for your LAN and at no extra charge. Zen give you a block of 8 addresses if I recall, for free, more if you wish. With Demon's business offerings and with AAISP you can have a block of whatever size you want within reason, provided you give justification and aren't too greedy.

Then it's goodbye to NAT and all the nonsense about port mappings.

This post was composed on a machine living in AAISP-land inside a block of 16 real IP addresses, and no NAT.

torqpoc

Re: UPnP
« Reply #19 on: July 19, 2010, 01:27:04 PM »

Greetings,

@Weaver - totally agree with 99% of your points here. As a network engineer (albeit a defunct one) NAT was something I had to implement on a daily basis, for various reasons.

UPnP I would also not classify as a security risk; it's simply an automated port mapping tool. Again I agree it only really depends on what that tool is used for; however, even in the case of the more notoriously "dodgy" applications such as Vuze, BitTorrent etc., UPnP will not be your downfall. Most of the time the real security breach in any network is ports which are opened de facto (not UPnP ones) and Microsoft's or other vendors' applications.

Of course all that taken into consideration, most attacks will usually be on UPnP opened ports as they are the most commonly known/attacked.

Here's where I truly disagree though Weaver: Any machine with an external IP address is more at risk than a machine behind a NAT router, simply because that IP address is "out there", whereas the only one which will be "known" in a NAT environment will be the WAN interface on your router.

Cheers,
T

silversurfer44

Re: UPnP
« Reply #20 on: July 19, 2010, 02:48:20 PM »

I have also done my fair share of work on networks. NOT corporate, and this may be where there may be differences. Back in the days when the world wide web was given to the millions, not a lot of this was known in the public domain. Also at that time ADSL was not yet born. However, viruses and exploits had already appeared in the form of emails & Bulletin Boards. Now we have progressed a long, long way, and in the hands of knowledgeable persons the internet is a reasonably safe environment. Now there are many users who are just that, users, and don't give a jot for firewalls, NAT or anything like that. If UPnP was not a security risk the manufacturers of modems and the like would NOT disable it as default. Don't forget the modem can open ports at a request, change firewall rules at a request, usually via a web interface (http). Adobe applications are known to fall victim to specially crafted web sites; one only has to visit one of these sites with UPnP enabled and bingo, another zombie machine or whatever. As I say, in the hands of professionals and people that know what they are doing then UPnP is not a risk. In the hands of Joe/Jane Public then it becomes a factor.
I'm not saying it's a death ray or anything like that, but the OP did not understand what it's about. That's the kind of situation where I would always recommend disabling it if it is in fact activated.

kitz

Re: UPnP
« Reply #21 on: July 19, 2010, 10:04:15 PM »

Quote
Any machine with an external IP address is more at risk than a machine behind a NAT router, simply because that IP address is "out there"

Agreed.
NAT adds another layer of security, making it harder to connect to a particular machine without that PC first sending a request. When using NAT, all initial connections must be established from inside the local network.

IMHO NAT is a good thing - without it and a NAT router it would make home networking difficult for most users and there would be a hell of a lot of unsecured machines on the internet.

This is just my opinion, but even though I could have requested a block of IPs for free from my ISP, I can do just about anything I want behind NAT. For many years I've happily run FTP and web servers behind NAT. Unless you have one dedicated machine that is say purely going to act as say a webserver only.

I've never felt the need to take up an IP block when I can do what I want on one static IP and NAT. I certainly feel more secure.

Port forwarding IMHO is no big deal, and it's better only opening up those ports that are needed rather than having a wide open system.

kitz

Re: UPnP
« Reply #22 on: July 19, 2010, 10:13:27 PM »

Quote
I am quite sure that only devices inside your network can open ports using uPnP. If you have no programs running which require uPnP, then no ports are open. The router may advertise itself, but it does that every time you use the internet, so that isn't of itself a security issue.

That's my understanding too.

However, I prefer to leave uPnP off...  just on the off-chance that something is introduced from inside my network that could perhaps take advantage, but the reality is going to be pretty slim.
I prefer port forwarding myself then I know which ones are open. 

uPnP is a godsend to those users who may say want to send files/webcam say on MSN, but don't have a clue how to port forward.
I could just imagine my dad trying to do something like that - he wouldn't have the foggiest where to start, so I'm happy to leave uPnP switched on on his router. Saves me long phone calls or having to dash round to sort out why something isn't working.
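Weaver describes above how an application on the LAN can open inbound holes by manipulating the router's UPnP IGD, and kitz prefers explicit port forwarding so as to know which ports are open. As an added example (not code from this thread or from any router vendor), the Python below audits what an IGD has actually opened by parsing the WANIPConnection GetGenericPortMappingEntry replies a client collects by walking indices 0, 1, 2, ... until the device answers with UPnP error 713 (SpecifiedArrayIndexInvalid); the SOAP responses, the LAN addresses and the sensitive-port list are constructed sample data so it runs offline.

```python
import xml.etree.ElementTree as ET
SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
IGD = "urn:schemas-upnp-org:service:WANIPConnection:1"
# Output arguments of GetGenericPortMappingEntry, as named in the WANIPConnection spec.
FIELDS = ("NewRemoteHost", "NewExternalPort", "NewProtocol", "NewInternalPort",
          "NewInternalClient", "NewEnabled", "NewPortMappingDescription", "NewLeaseDuration")
# LAN services a home user would not expect a UPnP mapping to expose (assumed list).
SENSITIVE = {"22": "SSH", "23": "Telnet", "445": "SMB", "3389": "RDP", "5900": "VNC"}
def _sample_entry(remote, ext, proto, internal, client, desc, lease):
    # Builds a constructed GetGenericPortMappingEntry response: sample data, not from a real router.
    return (f'<s:Envelope xmlns:s="{SOAP}"><s:Body><u:GetGenericPortMappingEntryResponse xmlns:u="{IGD}">'
            f'<NewRemoteHost>{remote}</NewRemoteHost><NewExternalPort>{ext}</NewExternalPort>'
            f'<NewProtocol>{proto}</NewProtocol><NewInternalPort>{internal}</NewInternalPort>'
            f'<NewInternalClient>{client}</NewInternalClient><NewEnabled>1</NewEnabled>'
            f'<NewPortMappingDescription>{desc}</NewPortMappingDescription>'
            f'<NewLeaseDuration>{lease}</NewLeaseDuration></u:GetGenericPortMappingEntryResponse>'
            '</s:Body></s:Envelope>')
# UPnP error 713 SpecifiedArrayIndexInvalid is how the IGD says "no more mappings".
SAMPLE_FAULT = (f'<s:Envelope xmlns:s="{SOAP}"><s:Body><s:Fault><faultcode>s:Client</faultcode>'
                '<faultstring>UPnPError</faultstring><detail><UPnPError xmlns="urn:schemas-upnp-org:control-1-0">'
                '<errorCode>713</errorCode><errorDescription>SpecifiedArrayIndexInvalid</errorDescription>'
                '</UPnPError></detail></s:Fault></s:Body></s:Envelope>')
# Constructed table: a BitTorrent client's mapping, then one onto a LAN host's RDP port.
SAMPLE_RESPONSES = [
    _sample_entry("", 51413, "TCP", 51413, "192.168.1.20", "Transmission", 0),
    _sample_entry("", 3389, "TCP", 3389, "192.168.1.35", "Remote Desktop", 0),
    SAMPLE_FAULT]

def parse_mapping(soap_xml):
    """Return the mapping fields from one response, or None if the reply is a SOAP Fault."""
    payload = ET.fromstring(soap_xml).find(f"{{{SOAP}}}Body/*")
    if payload is None:
        raise ValueError("malformed SOAP envelope")
    if payload.tag == f"{{{SOAP}}}Fault":
        return None
    # Argument elements carry no namespace, so a plain child lookup works.
    return {name: (payload.findtext(name) or "").strip() for name in FIELDS}

def audit_table(responses):
    """Walk replies for index 0, 1, ... until the fault; report each mapping with its findings."""
    report = {}
    for entry in map(parse_mapping, responses):
        if entry is None:
            break  # end of the mapping table
        findings = []
        if entry["NewEnabled"] == "1" and entry["NewRemoteHost"] == "":
            findings.append("reachable from any source address")
        if entry["NewLeaseDuration"] == "0":
            findings.append("permanent lease (never expires)")
        if entry["NewInternalPort"] in SENSITIVE:
            findings.append(f"exposes {SENSITIVE[entry['NewInternalPort']]} on {entry['NewInternalClient']}")
        key = f"{entry['NewProtocol']}/{entry['NewExternalPort']}"
        report[key] = {"client": entry["NewInternalClient"], "findings": findings}
    return report
```

Against a real router the same replies are fetched by POSTing each GetGenericPortMappingEntry request to the IGD's control URL with the matching SOAPAction header; the parsing and findings logic is unchanged.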

Weaver

Re: UPnP
« Reply #23 on: July 20, 2010, 12:14:59 AM »

> Any machine with an external IP address is more at risk than a machine behind a NAT router

I think that's a fair point, but needs to be put in context.

Many systems administrators I know of work in a world where chaos reigns, to some degree, in terms of what might be happening _inside_ their network. They need to worry about chaotic, uncontrolled app installations, what unwise tricks users may get up to and about what kind of other machines might come to visit and live on a LAN for a while.

Now in this kind of world, things like firewalling and indeed NAT as opposed to no-NAT do definitely give an improvement in security, because in some small number of scenarios they place additional barriers in the way of getting evil apps or simply unwise apps to work.

If I lived in that kind of world, then I would have changed my remarks earlier, and would be saying something rather different. So I think kitz and the other posters have a point but they and I may be at cross purposes since I tend to keep talking from my own point of view based on the _highly controlled_ systems I work with, where random app _installation_ is made as near to impossible as can be and only carefully vetted, well-behaved apps are in use.

So other posters' remarks are likely to be stemming from the more difficult situations that they have had to deal with, and their differing positions are to be respected because of the different assumptions that lie behind them.

Another point about no-NAT.


> As I say in the hands of professionals and people that know what they are doing then UPnP is not a risk.

And this is a fair point. About differing perspectives again. But I'd say that NAT is not the issue here.  If an app needs NAT and UPnP and UPnP has been disabled, then that's a way of stopping that app from working and this breaking of the app might be a security measure if you should not have been allowing this app to run in the first place. So in a roundabout way, UPnP=off does amount to being a security measure, albeit indirectly.


Kitz's comments about "making it harder to connect to a particular machine, without that PC first sending a request" were something I initially felt I was going to immediately disagree with, as a stateful firewall will look to make sure inbound communications are "solicited", are happening as a result of earlier outbound messages initiating dialogue. But again I think it's about context. In one case I can think of, kitz has a point. What if a firewall is poorly configured? In the kitz scenario, NAT mapping has to be set up and this only happens if there has been an earlier sequence of actions originating from inside the LAN.

So a lot rather depends on your default assumptions. And I suspect that some of my defaults are not helpful to others! :-)



roseway

Re: UPnP
« Reply #24 on: July 20, 2010, 07:56:22 AM »

I think in a more simplistic fashion I would say that NAT is a very great benefit to the ordinary non-technical user. They don't have to do anything to make their systems pretty well impervious to break-ins from outside. Such users probably come into your 'chaotic' group because they may be inadequately protected against viruses, and are quite likely to install randomly chosen programs which they've picked up from the net, or from friends.

NAT is also very useful to users who do have a good technical capability, but have no need of more complex protection. If I wanted to, I could probably make my Linux systems as secure as Fort Knox without any NAT capability in the router, but I have no need of such extreme measures. For me, the NAT capability of my router, and its SPI firewall, effectively give me total protection from the outside world.

I do also have uPnP enabled, for the simple reason that I often use Bittorrent to download Linux distros. For sure, I could use explicit port forwarding instead, but uPnP does the job without any setting-up being needed. The only uPnP-aware programs which I use are from official distro sources, so I can have confidence that they are well behaved.

So yes, I agree, it's a case of horses for courses; but it's my opinion that for the mass of home users, the use of NAT in the router, together with uPnP when needed, is likely to be the best option.

Weaver

Re: UPnP
« Reply #25 on: July 20, 2010, 12:50:47 PM »

I'll make one more 'devil's argument' against my own earlier posts, to show both sides of the argument.

My well-loved Netgear DG834v3 (and I'm fairly sure the v4, which is a completely different hardware platform) has horrendous bugs in the firewalling when set into non-NAT mode. Also quite a bit of the web UI makes no sense when in non-NAT mode.

NAT is a necessary evil for many because of an accident of history. Let's not pretend that for home users it is something that was developed _for_ security (as far as home user networking goes, corporate network designs excepted). We got to where we are because ISPs started out with dial-up and dial-up modems not dial-up routers and then after that the explosion in PC numbers meant that >1 PC per household became very frequent, yet all the while ISPs were still allocating only 1 IPv4 address per customer (=per customer site). The looming IPv4 address space crisis, plus the considerations of the marketing department meant that 1 IP per site remained the norm.

I think it's fair to say [?] that NAT is an evil kludge in that the internet was designed to have proper end-to-end connectivity and NAT was a latecomer, and if IPv6 succeeds long term then NAT will go away, as after all restoring end-to-end connectivity is one of the main aims of IPv6, as evidenced by the fact that applications such as Windows Live Messenger and Vista's Windows Meeting Space use IPv6 + Teredo in order to get out of the hell that is double NAT (at each end).

With genuine respect for the other esteemed posters, an evil app can export information through HTTP even through an HTTP proxy gateway on a network that has no direct connectivity to the internet at all if users can browse the web. Firewalls to my mind are not primarily about security and it's dangerous to think of them as a panacea and start using them as a band-aid for chaos inside your world. To me firewalls are necessary because of DoS attacks and for this there's no substitute and I mean _hardware_ firewalls are needed. Software firewalls on PCs have their place too, as a kind of access control list. But it's absolutely vital to be in control of what software gets installed and what configuration changes can get made.

A decent SPI firewall will do the job it's supposed to do and doesn't need NAT to work well. But heed my warnings about non-NAT scenarios and popular routers, as the Netgear DG834 might not be the only model that is bad bad bad. Test your network with the excellent "Shields Up" tool at grc.com - ask for advice before using this tool though.

I think my own views on the matter should be fairly regarded as peculiar because my default assumptions - of very highly secured, clean, locked down boxes - are not necessarily right for you. So there are valid reasons why a room full of sages may differ in these respects.


Weaver

Re: UPnP
« Reply #26 on: July 23, 2010, 05:11:22 PM »

Having defended UPnP, I'll put the other side of the argument - interesting reading at :-
    http://forum1.netgear.com/showthread.php?t=20632
    http://www.channelregister.co.uk/2008/01/15/home_router_insecurity/
    http://www.nist.org/news.php?extend.125

So "update Adobe/Macromedia Flash" or disable it [hooray].

And as kitz says turn UPnP off if you think you don't need it, or if you're unsure, but remember to re-test certain apps, comparing with it turned off and then on. Some apps will need UPnP for more advanced functions but not for basic functions. The kind of thing might be simple chat in an instant messaging app, but file transfer or audio or sharing of files and so on might need a more open networking configuration.