Philip Prindeville wrote:
On Feb 10, 2018, at 6:03 PM, Michelle Sullivan <miche...@sorbs.net> wrote:
Paul Oranje wrote:
Your aptness for seeing the possible attack vectors warrants your judgement ...
On 10 Feb 2018, at 17:07, Philip Prindeville <philipp_s...@redfish-solutions.com> wrote:
On Feb 10, 2018, at 3:28 AM, Paul Oranje <p...@oranjevos.nl> wrote:
Wouldn't it be appropriate to disallow password authentication on wan only and allow it
on all networks "behind" the router?
Not necessarily.
That’s why UPnP is such an issue. A machine inside a firewall gets infected by
a virus through a download or email... then the first thing the virus does is
punch holes in the firewall to allow outside scans of the remaining hosts.
Allowing password logins from an infected host just means that the virus has to
do slightly more work before it owns the router (i.e. run a password attack).
Not substantially more secure...
UPnP should be disabled by default and where possible, as it is a security
hazard for those that understand it. For those that don't, it's a compromise
waiting to happen.
Juniper doesn't support UPnP in the commercial market at all (and even given their
statement in https://kb.juniper.net/InfoCenter/index?page=content&id=KB5615, I
can point out that even their semi-residential products, i.e. their small office
gear, don't support it either). I'd suggest that any support for UPnP be off by
default and give a warning if someone tries to enable it.
My point was simply that sometimes attacks come from inside your own firewall. Don't
naively assume that all attacks are external; that's not "defense in
depth".
100% agree, was just using the comments as a platform for ensuring
everyone is on the same page and adding that little more depth where we
can... :)
--
Michelle Sullivan
http://www.mhix.org/
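A defender's audit of the two settings the thread argues about (dropbear password logins, whether WAN-reachable or LAN-only, and UPnP being enabled), as an added shell example that is not part of this thread or of LEDE itself. It parses constructed UCI-style config text and assumes the OpenWrt/LEDE option names PasswordAuth, RootPasswordAuth, Interface and enabled.

```shell
#!/bin/sh
# Audit UCI-style dropbear and miniupnpd config text for the two risks the
# thread raises: UPnP enabled (an infected LAN host can open WAN ports) and
# password logins still accepted by dropbear, even when limited to the LAN.
# Config text below is constructed for this example; the option names
# (PasswordAuth, RootPasswordAuth, Interface, enabled) are assumed to match
# the OpenWrt/LEDE dropbear and miniupnpd packages.

uci_opt() {   # uci_opt CONFIG_TEXT NAME -> value of "option NAME 'value'"
    printf '%s\n' "$1" | awk -v k="$2" -v q="'" \
        '$1 == "option" && $2 == k { gsub(q, "", $3); print $3; exit }'
}

# Print one finding per line; print nothing when the config is acceptable.
audit_router() {   # audit_router DROPBEAR_TEXT UPNPD_TEXT
    dropbear=$1 upnpd=$2
    [ "$(uci_opt "$upnpd" enabled)" = 1 ] && echo "UPNP_ENABLED: LAN hosts can open WAN ports"
    pw=$(uci_opt "$dropbear" PasswordAuth); pw=${pw:-on}   # dropbear defaults to on
    iface=$(uci_opt "$dropbear" Interface)
    if [ "$pw" = on ]; then
        if [ -z "$iface" ]; then
            echo "PASSWORD_AUTH_ALL_INTERFACES: password logins reachable from WAN"
        else
            echo "PASSWORD_AUTH_ON_$iface: password logins still accepted from a compromised $iface host"
        fi
    fi
    [ "$(uci_opt "$dropbear" RootPasswordAuth)" = on ] && echo "ROOT_PASSWORD_AUTH: root password login enabled"
    return 0
}

# Constructed "weak" configs: password logins limited to the LAN, UPnP on.
DROPBEAR_WEAK="config dropbear
	option PasswordAuth 'on'
	option RootPasswordAuth 'on'
	option Interface 'lan'
	option Port '22'"
UPNPD_WEAK="config upnpd 'config'
	option enabled '1'
	option external_iface 'wan'"

# Constructed hardened configs: key-only SSH on every interface, UPnP off.
DROPBEAR_HARD="config dropbear
	option PasswordAuth 'off'
	option RootPasswordAuth 'off'
	option Port '22'"
UPNPD_HARD="config upnpd 'config'
	option enabled '0'"

audit_router "$DROPBEAR_WEAK" "$UPNPD_WEAK"   # three findings
audit_router "$DROPBEAR_HARD" "$UPNPD_HARD"   # no output
```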
Lede-dev mailing list
Lede-dev@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/lede-dev