ZyXEL Communications P-335WT Bedienungsanleitung PDF herunterladen (Seite 2)

incoming port on the ﬁrewall could be opened in advance, or opened once the SIP

negotiation has ended and before the RTP streams are set up. There are several

phones with built-in support for UPnP, for example, the snom220 phone (which is

no longer available), although for phones other NAT traversal mechanisms seem to

be more popular these days.

An advantage of using UPnP is that there does not have to be a predeﬁned well-

known port for every protocol. It allows for multiple simultanious connections for

the same program by diﬀerent users. With dynamically allocated ports user A uses

diﬀerent ports on the ﬁrewall than user B for the same protocol. Ports can be closed

again after usage by the program or device itself, so there should be no resource

hogging.

2 Universal Plug and Play protocol ﬂaws

While UPnP is convenient from a user point of view – programs that need to dy-

namically have ports allocated or need special ports on the ﬁrewall to be forwarded

to them to work correctly can do this automatically – there is, unfortunately, a

price to pay. As it is deﬁned in the current standard, UPnP has no default security

mechanism. There is add-on functionality which adds security but devices that im-

plement this functionality are very scarce, if they even exist beyond the prototype

stage.

With the current UPnP protocol there is an implicit trust relationship between all

UPnP capable devices on the same network. Every device is a peer and there is no

policy mechanism in place to check whether or not a device is allowed to make use

of a speciﬁc service.

A few simple scripts that implement only a small subset of commands that are used

in UPnP are enough in certain situations to make it possible to expose machines

and services on an internal network to the outside world. This is done by abusing

a device that implements the UPnP Internet Gateway Device proﬁle and forward

ports on the outside interface of the Internet Gateway Device to machines on the

inside network. This makes the internal machine accessible for everyone on the

outside network, for example the Internet. Many ADSL routers and wireless access

points on the market nowadays implement this particular proﬁle and of those devices

many are, in various ways, vulnerable to various “attacks”.

The UPnP Internet Gateway Device speciﬁcations speciﬁcally mention that it should

be possible to forward ports to internal multicast and broadcast addresses, so de-

vices can share broadcast/multicast streams, for example a TV stream. The beneﬁt

for the sender and receiver is that only one stream has to be sent to the gateway,

which will resend it to the LAN so it can be shared between machines on the LAN,

saving bandwidth. But forwarding ports to broadcast addresses also opens up a

whole new range of attacks. To name two possible targets: the NetBIOS Naming

Service used by Windows network ﬁle sharing and the Internet Printing Protocol,

used by many printers and CUPS, both use broadcasting. It is trivial to announce

fake printers on the network and possibly divert printing traﬃc to oﬀ site printers.

Opening and forwarding ports in ﬁrewalls via UPnP poses a serious threat. While

at ﬁrst this might seem to only aﬀect home users and not businesses – no enterprise

range products seem to support UPnP – I tend to think otherwise. It could very

well aﬀect business users as well, for a number of reasons:

• Many (small) businesses are connected via normal “consumer grade” ADSL

lines and have the same ADSL modem as normal home users. For a long time

1 2 3 4 5 6 7 ... 17 18

Kommentare zu diesen Handbüchern

Keine Kommentare

ZyXEL Communications P-335WT Bedienungsanleitung Seite 2

Kommentare zu diesen Handbüchern

Verwandte Produkte und Handbücher für Vernetzung ZyXEL Communications P-335WT