Lee Sharp wrote:
> How many times did people want UPnP added to m0n0wall? How many times
> did we say it was bad? Surprise! It is bad. Feel free to gloat,
> because I am. :)
>
> http://www.channelregister.co.uk/2008/01/15/home_router_insecurity/

LOL... I remember when I first read about UPnP on a "firewall" device. I think I fell off my chair laughing... Not sure though since I think I hit my head too. ;)

I also laugh (well... cringe is more like it) when I see the "DMZ" check-box on other 'firewalls' that simply create a 1:1 map from the INTERNET to an INTERNAL LAN MACHINE! sigh...

Seriously. Who in their right mind thinks allowing any device inside a network to open up arbitrary communications channels to the Internet is a smart and/or secure way to network?

From the Wikipedia page: http://en.wikipedia.org/wiki/Upnp

--[snip]--
UPnP IGD assumes that all local systems and their users are completely trustworthy, and that no local system is infected with any worm or trojan. If either of these assumptions are not true then UPnP can be used to totally defeat a UPnP-supporting firewall by allowing incoming connections to arbitrary local systems on any port.
--[snip]--

Ok, so a show of hands... Who has completely trustworthy users on their network AND can guarantee 100% that the Windows machines they are using are 100% trojan/virus/worm free?

Oh yeah... No one.

--
Bill Arlofski
Reverse Polarity, LLC