What's wrong with opening a port on the firewall?

I have a bit of a not-so-naive question I hope I can get answered. In general, I think there's a lot of fear from users to opening a port on their router/firewall because of security concerns. I'd like to understand the exact reason for this.

Now I can understand that if some clueless person installs some questionable application on his Windows machine and opens up a port on his router so that it can work, he's opening himself up to a lot of trouble. But what is the real problem of doing this? I understand that a buggy app or an unpatched (or even patched!) Windows environment probably has loads of exploitable problems that hackers can find and do damage with.

But what if the thing listening on the other end of the open port was some hardware device based on Linux and running some Java app. Assuming that all of that were relatively safe, would I still need to worry about the open port boogeyman?

What about DOS attacks? If I have a relatively strong and locked down app that will turn away everyone that I can't authenticate, how much more susceptible to DOS attacks am I vs. if I simply keep my router closed?

Finally, I know that opening ports is hard because most people don't know how to configure their router. Can't you use something like UPnP to do this automatically? But then again, how automatically can it be? Can apps just open router ports by themselves, or do they need to prompt the user for a password first?

Sander Smith


"Jason Edwards" wrote in news: snipped-for-privacy@individual.net:

I disagree. If you ask 10 home users you will get 1 quasi-informed answer and 9 blank stares.

Okay, this is what I'm looking for. Is the problem the operating system, the app, or both? Do you know of any reliable sources that say this is true (i.e. reliable != some guy on the internet told me)?

Interesting little device.

Okay, here's my scenario. Let's say I want to run a little web server on my home computer to serve pictures to my friends and family. I do this by opening a port on the firewall, and whatever's listening is going to try to do some kind of authentication of whoever tries to connect. The process to try to authenticate is not trivial, and will take a small bit of computing power. Now if someone has a personal vendetta against me and sets up some sort of attack where lots of connections are being tried against my poor little home computer that runs the server, it will be toast in no time.

I've tried to read the documentation on UPnP, but must admit that I don't fully understand it. If I want to change the settings on my router at home, I must first log into it and authenticate myself before it lets me do things like muck around with the firewall. Given that, why would the router allow some unknown app to come in completely unauthenticated and allow it to change the very same thing. Doesn't make sense to me. Anyone with any ideas??

Sander


Human nature. Fear of the unknown. Media hype. Misunderstanding.

Ask 10 home users what an open port is. Get 10 contradictory answers.

Possibly. It depends on what this application is offering to other people on the Internet and whether it has any vulnerabilities such as a buffer overrun or misconfiguration which allows anyone to use it instead of only the intended person.

There isn't one if you know what you're doing.

This is true. Set up Windows 2000 RTM as a web server listening to the Internet. It will get owned in a matter of hours. Days at most.

I have various Windows boxes with up to four ports listening to the Internet. I've had no problem in six years. I also have one of these listening to the Internet

It depends on what you mean by a DOS attack. If you get a real Denial of Service attack then it's likely that you already know why you are getting such an attack. Ask yourself whether or not anyone might have any reason to send a DOS attack your way. In most cases there is not likely to be any reason and therefore no need to worry about DOS attacks. If you're turning away anyone who can't authenticate then I can see no reason to worry as long as it's not trivial to crack or obtain passwords or other useful information.

Many people view UPnP as a security risk but this may be partly due to hype over certain Windows vulnerabilities which were fixed long ago.

I don't use UPnP but you're not going to be prompted for anything if you do use it, as far as I know.

Jason


Yes that is a good way to put it. Everyone is telling me to close my ports so no way am I opening any and I don't care whether or not I have a clue what a port is.

Jason


Hmm well maybe I have to concede but we don't know where this sample of 10 was chosen from so it could be that all will give blank stares or all will give quasi-informed answers :)

If someone has a personal vendetta against you and they are capable of arranging a DOS attack then you may find yourself unable to use the Internet for a while. One possible answer to that from a home user point of view is to have (if you can afford it) two or more completely separate Internet connections with unrelated IP addresses.

I think that is a very good question, to which I don't have an answer myself.

Jason


The problem is the user who, understandably, doesn't want to open things he doesn't understand. If the operating system has all available updates and if the app is properly configured then there _may_ be no reason to worry. But I am not aware of any operating systems or apps which have been mathematically proven to be correct.

Jason


The crux is that UPnP is intended for automated use, and as such the authentication is omitted. Now if this were not the case, every time you opened a program requesting internet connectivity you'd get prompted for a password, so that's not very appealing either. (If you had a stored password for the query/response dialog, it would be easy for malware to find & use it too.)

Apart from this insecurity in UPnP, I found it does have some functional benefits in managing the limited rulesets on many home routers; the UPnP-aware applications can allocate ports at use & release them at termination, without filling the limited rules list when not in use.

For example, on my home NAT router, which has only some 10 rules/ranges for forwarding, I have sometimes been forced to delete existing rules in order to create rules for some new program I want to run, while UPnP can do this on the fly.

I thought about having a wrapper for non-UPnP-aware programs, like a launcher, that could be configured to let more software use UPnP, but then the authentication problem cropped up: how to sort out the UPnP-aware programs I _don't_ want to get out, since UPnP (as implemented) does not need to ask for permission to change the rules.

I've seen there is UPnP-aware malware (e.g. robots-r-us) out there already, so I'd rather live with the manual hassle, and let UPnP functionality be turned off for the time being.

/Rolf

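Because an IGD router adds and removes mappings on request without asking anyone, the defensive counterpart to what Rolf describes is to enumerate what the router currently forwards and compare it against the mappings you actually approved. The script below is an added example, not code from anyone in this thread; it builds the standard WANIPConnection:1 GetGenericPortMappingEntry request, parses the response, and flags anything outside an allowlist. It assumes you obtain the service's control URL from the router's device description yourself (not shown), and the response it parses is a constructed sample.

```python
import xml.etree.ElementTree as ET

# Service and action names from the UPnP IGD spec (WANIPConnection:1).
SERVICE = "urn:schemas-upnp-org:service:WANIPConnection:1"
ACTION = "GetGenericPortMappingEntry"


def build_request(index):
    """SOAP headers and body that ask the router for port mapping number `index`.
    POST them to the WANIPConnection control URL from the device description."""
    headers = {"Content-Type": 'text/xml; charset="utf-8"',
               "SOAPAction": f'"{SERVICE}#{ACTION}"'}
    body = ('<?xml version="1.0"?>'
            '<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">'
            f'<s:Body><u:{ACTION} xmlns:u="{SERVICE}">'
            f'<NewPortMappingIndex>{index}</NewPortMappingIndex>'
            f'</u:{ACTION}></s:Body></s:Envelope>')
    return headers, body


def parse_mapping(xml_text):
    """Pull the New* fields out of a GetGenericPortMappingEntry response."""
    fields = {}
    for el in ET.fromstring(xml_text).iter():
        tag = el.tag.split("}")[-1]          # drop any XML namespace prefix
        if tag.startswith("New"):
            fields[tag[3:]] = (el.text or "").strip()
    return fields


def audit(mappings, approved):
    """Return mappings absent from the approved (proto, ext_port, client, int_port) set."""
    return [m for m in mappings
            if (m["Protocol"], int(m["ExternalPort"]), m["InternalClient"],
                int(m["InternalPort"])) not in approved]


# Constructed sample response: one mapping a desktop created for a web server.
SAMPLE_RESPONSE = """<?xml version="1.0"?>
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body>
<u:GetGenericPortMappingEntryResponse xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1">
<NewRemoteHost></NewRemoteHost><NewExternalPort>8080</NewExternalPort>
<NewProtocol>TCP</NewProtocol><NewInternalPort>80</NewInternalPort>
<NewInternalClient>192.168.1.20</NewInternalClient><NewEnabled>1</NewEnabled>
<NewPortMappingDescription>photo server</NewPortMappingDescription>
<NewLeaseDuration>0</NewLeaseDuration>
</u:GetGenericPortMappingEntryResponse></s:Body></s:Envelope>"""

if __name__ == "__main__":
    entry = parse_mapping(SAMPLE_RESPONSE)
    print("unexpected:", audit([entry], {("TCP", 8080, "192.168.1.20", 80)}))
```

Against a real router you would call build_request with index 0, 1, 2, ... and stop when the router answers with a SOAP fault instead of a mapping; running that loop on a schedule turns UPnP's silent rule changes into something you can see.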

I would add: user logic: Windows is not secure and it is important to close all ports so that nobody can read my files or a worm can come through the RPC service. Thus closing is good. The opposite must be bad, then!?

Gerald

