Unsafe at any Speed: Firewalls once more!

N

nononsense

Hi All,

We had already a few threads on firewalls before. I kind of shared the opinion expressed by several that an external hardware solution was the best solution.

Last week I got the latest version D-Link DI-624 (vC2) firewall router (with wireless) and a few DWL-g650 (vC2) cardbus wireless. As an aside, trying to get these to work is ludicrous. The software as shipped simply doesn't work. It only enables you to do wireless WITHOUT ENCRYPTING. Googling around, I managed to download Fujitsi software from a Japanese hacker's site that correctly supported the D-Link DWLg650.

Now on to more serious matters:
Feeling great that the whole thing finally worked, I began to look seriously at the firewall stuff. To my astonishment I saw that two rules had been added for each XP based computer connected. I tried to remove these but the fields were even grayed out making all change impossible. Each rule, one TCP, one UDP opened access from the outside WAN to the supposedly 'protected or firewalled' LAN widely: a range of about 25,000 ports was open! Each line of the spooky rules carried a name containing 'msmsg' which kind of reminded be of our great sugardaddy of us all: BG.

Probing a bit further I got some more 'education' and learned about the UPNP stuff. Never heard about this yet? At least not on ET threads. It seems that as a little favor to big BG all these firewall gadgets come with this great UPNP feature in order to bring the great benefits of M$ messenger to simple people like nononsense. In fact manufacturers, at least D-Link, turn this UPNP 'on' without warning you about this creating big gaping holes into your splendid steelclad firewall.

The whole thing is another 'plug and play' goodie that allows external good doers like M$ to tamper with your firewall through UPNP to enable these guys to shove their stuff right down your throat. I thought I better put this in a little thread. This all reminded me of good old Nader's book: 'Unsafe at any Speed'.

If you put your trust in firewall boxes, watch out for default UNPN!

Be good,

nononsense
 
FWIW, you can buy an app to disable UPnP:

http://grc.com/UnPnP/UnPnP.htm

I don't use this at all, have no affiliation with these guys and know nothing about it.

The holes would still be in your firewall, but you may have less of a security problem if you disabled P&P on all your boxes.
 
Just so it's clear - UPnp is not about opening gaping holes in your firewall just for MS Messenger.

UPnP is Universal Plug and Play and there's an industry sponsor group with working committees that help define coorperative architectures (it's lead by Microsoft - which makes sense since Windows has a 95%+ marketshare of all home networks - but 680+ companies participate) and even the MS-hater's cherished Linux implements UPnP support:

"...UPnP™ technology is all about making home networking simple and affordable for users so the connected home experience becomes a mainstream experience for users experience and great opportunity for the industry. UPnP™ architecture offers pervasive peer-to-peer network connectivity of PCs of all form factors, intelligent appliances, and wireless devices. UPnP™ architecture leverages TCP/IP and the Web to enable seamless proximity networking in addition to control and data transfer among networked devices in the home, office, and everywhere in between. UPnP™ technology can be supported on essentially any operating system and works with essentially any type of physical networking media - wired or wireless - providing maximum user and developer choice and great economics..."

Working committees are :

Home Automation and Control Working Committee
This committee is focused on identifying and defining the services and control protocols for UPnP™ devices that are building blocks for providing lighting, security, HVAC, energy management, etc. systems for homes.

Audio / Video Working Committee
This committee is focused on identifying and defining the services needed to build UPnP™ audio and video devices: TVs (Tuner and Display), Tape Players/Recorders, Disc Players, Stereos, and DV Cameras.

Internet Gateway Working Committee
This committee is focused on identifying and defining the services needed to build UPnP™ devices which reside between the home network and the Internet, allowing an Internet connection to be shared by multiple devices within the home.

Imaging Working Committee
The initial focus for this committee is to develop usage scenarios, requirements, a printing model and ultimately the Device Description Document for the UPnP™ printing service.

Mobile Devices Working Committee
This committee is focused on identifying and defining the services needed to build UPnP™ mobile devices.

Appliances Working Committee
This committee is initially focused on identifying and defining services needed to build UPnP™ appliances in the home.

Security Working Committee
The Security Working Committee, the newest working committee, is defining security requirements for the UPnP™ architecture.

The list of companies participating -http://www.upnp.org/membership/members.asp
 
Quote from TGregg:

FWIW, you can buy an app to disable UPnP:

http://grc.com/UnPnP/UnPnP.htm

I don't use this at all, have no affiliation with these guys and know nothing about it.

The holes would still be in your firewall, but you may have less of a security problem if you disabled P&P on all your boxes.
More...

You don't have to buy it; it's free. I used it. It works.
 
Hi All,

Thank you for your replies. As to disabling UPNP, this is a settable option on the newest firewall boxes. I have it turned off now. You don't need any additional software to do this. My main gripe was with the stealthy nature of this option. It's ON by default and nowhere does a warning make a user aware of the gaping holes it creates in a tool that he acquired for protection - at least not with the D-Link DI-624. They are certainly doing the UPNP beneficiaries a big favor.

Archangel, in spite of the respectability of the long list of UNPN sponsoring guys which are certainly not in the charity and benevolent trades, my point was the sneaky way in which these UNPN guys impose themselves on the unwitting user. I address here exclusively the UPNP tampering with firewall security!

Isn't security the reason we look at firewalls? If I want security, I most certainly want to keep things as lucid and straightforward as possible. I can't see what added value the UPNP crew would bring me toward my goals as their sole purpose is to tamper and weaken my basic security setup so that their commercial sh*t can be piped in ad libitum. At the same time, unsavory hackers get a huge turnpike entry to your treasures for free! All the UPNP committees and standards only weaken my basic aims.

Be good,

nononsense
 
I have a Linksys firewall router which includes UPnP forwarding and I'm going to guess it probably works the same as your Dlink.

The feature does allow specific ports to be open to the internet (for those wanting to open public services from internal internal LAN to the internet) - however, you have to specifically define to the router the external port to internal port AND internal LAN IP address that you want the port forwarding to happen for. Without, it's a deadend.

For instance, the standard ports (21=FTP, 23=Telnet, etc.) are defined in the UPnP forwarding definitions for my router - BUT, since I didn't define a valid internal IP address to the router for any of them, there's no place to route any traffic coming into the router for those ports, so it hits a brick wall.

The whole UPnp feature provides a mechanism for those who want to use it, but doesn't actually leave a hole (gaping or otherwise) in your overall security if you don't use it.
 
Quote from ArchAngel:

I have a Linksys firewall router which includes UPnP forwarding and I'm going to guess it probably works the same as your Dlink.

The feature does allow specific ports to be open to the internet (for those wanting to open public services from internal internal LAN to the internet) - however, you have to specifically define to the router the external port to internal port AND internal LAN IP address that you want the port forwarding to happen for. Without, it's a deadend.

For instance, the standard ports (21=FTP, 23=Telnet, etc.) are defined in the UPnP forwarding definitions for my router - BUT, since I didn't define a valid internal IP address to the router for any of them, there's no place to route any traffic coming into the router for those ports, so it hits a brick wall.

The whole UPnp feature provides a mechanism for those who want to use it, but doesn't actually leave a hole (gaping or otherwise) in your overall security if you don't use it.
More...

Hi Archangel,

I agree, if you don't want (or need) it, turn it off. Although I may say that I have some experience in the field, I was totally tricked in having it on! The result was not that a few selected ports were open, but 4 firewall rules had been created behind my back labelled "msmsg" opening a range of 20,000 to 40,000 ports! I didn't touch anything in port forwarding. It was simply on by default out of the box. Bang, no warning whatsoever. Good thing I checked this rather quickly. I can imagine many users being tricked into this situation unwittingly. Lets face it, many have never heard of or taken the time to find out how firewall rules work.

I can't say wether this is particular to the DI-624. Maybe your Lynksys is safer in this respect.

Be good,

nononsense
 
Quote from nononsense:
I agree, if you don't want (or need) it, turn it off. Although I may say that I have some experience in the field, I was totally tricked in having it on! The result was not that a few selected ports were open, but 4 firewall rules had been created behind my back labelled "msmsg" opening a range of 20,000 to 40,000 ports! I didn't touch anything in port forwarding. It was simply on by default out of the box. Bang, no warning whatsoever. Good thing I checked this rather quickly. I can imagine many users being tricked into this situation unwittingly. Lets face it, many have never heard of or taken the time to find out how firewall rules work.
More...
Never used the Dlink gear but just wondering if maybe it's a nomenclature thing for it.

When you say that the ports were "open" - were they assigned an internal IP address in the firewall to forward activity on the ports to or were general ports forwarding rules just defined?

If there wasn't a valid internal IP assigned to the forwarding rules, then DLink may have just automatically created templates - similar to my Linksys having UPnp templates already defined for the typical services like FTP, Telnet, HTTP, etc. but the templates didn't have a valid IP address defined for the rules - so even though it might look like the ports were "open" by virtue of the template forwarding rules having been defined, but without an actual internal IP address assigned to them, the rules are effectively just inactive templates (presumably created for some perceived user convenience should the user need to later activate them).

Now on the other hand, if DLink actually assigned a valid internal IP address (i.e., the internal IP of a machine you have running on your LAN) to each of the template rules AND enabled them - then they're definitely not following the standard guidelines.
 
You must log in or register to reply here.
Back
Top