 From:  Daniele Guazzoni <daniele dot guazzoni at gcomm dot ch>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] UPnP is bad, mmkay?
 Date:  Tue, 15 Jan 2008 12:31:37 +0100
My 2 cts:

1) UPnP (Universal plug and pray) is a M$ invention so don't expect it to be secure.
2) UPnP is for lazy guys, you can do the same in other ways.
3) UPnP over a firewall = firewall piercing.

Basically you can use UPnP within a LAN segment but don't try to go over firewalls, proxies or
gateways.
On all "active" devices, allowing UPnP is like losing control over the flows, as you really don't
know what UPnP does...

Call me an extremist, but UPnP is, beside PPTP, pretty much at the top of my personal "list of protocols the
world doesn't need".

Daniele

Oliver Ladner wrote:
> On Tue, 15 Jan 2008, Lee Sharp wrote:
> 
>> How many times did people want UPnP added to m0n0wall?  How many times
>> did we say it was bad?  Surprise!  It is bad.  Feel free to gloat,
>> because I am. :)
> 
> Yes, it seems to be pretty evil. Further reading: "UPnP security in 
> Internet gateway devices" [1].
> 
> Nonetheless I'd like to ask a question related to UPnP: Is it possible
> to access a UPnP streaming server on the DMZ interface from a hardware
> media player located behind the LAN interface?
> Of course I'd prefer a standard CIFS/NFS share mountable in the media
> player, but it seems that UPnP is quite common in audio/video streaming.
> 
> Regards,
> 
> Oli
> 
> [1] http://www.tml.tkk.fi/Publications/C/21/Selen_ready.pdf
> 

-- 


regards


-------------------------------------------------------------
Daniele Guazzoni
Senior Network Engineer, CCNP, CCNA


Linux and AMD-x86_64 or do you still with Windows and Intel ?
