> On Feb 10, 2018, at 6:03 PM, Michelle Sullivan <miche...@sorbs.net> wrote:
>
> Paul Oranje wrote:
>> Your aptness for seeing the possible attack vectors warrants your judgement
>> ...
>>
>>> On 10 Feb 2018, at 17:07, Philip Prindeville
>>> <philipp_s...@redfish-solutions.com> wrote:
>>>
>>>
>>>> On Feb 10, 2018, at 3:28 AM, Paul Oranje <p...@oranjevos.nl> wrote:
>>>>
>>>> Wouldn't it be appropriate to disallow password authentication on wan only
>>>> and allow it on all networks "behind" the router?
>>>
>>> Not necessarily.
>>>
>>> That’s why UPnP is such an issue. A machine inside a firewall gets infected
>>> by a virus through a download or email... then the first thing the virus
>>> does is punch holes in the firewall to allow outside scans of the remaining
>>> hosts.
>>>
>>> Allowing password logins from an infected host just means that the virus
>>> has to do slightly more work before it owns the router (i.e. run a password
>>> attack).
>>>
>>> Not substantially more secure...
>>>
>
> UPnP should be disabled by default and where possible, as it is a security
> hazard for those that understand it. For those that don't, it's a compromise
> waiting to happen.
>
> Juniper doesn't support UPnP in the commercial market at all (and even given
> their statement in https://kb.juniper.net/InfoCenter/index?page=content&id=KB5615,
> I can point out that even their semi-residential products, i.e. their small
> office gear, don't support it either). I'd suggest that any support for UPnP
> be off by default and give a warning if someone tries to enable it.
>
My point was simply that sometimes attacks come from inside your own firewall.
Don’t naively assume that all attacks are external only; that’s not “defense in
depth”.

-Philip

_______________________________________________
Lede-dev mailing list
Lede-dev@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/lede-dev
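A small audit of the two router defaults argued over in this thread, added here as an example (it is not code from the thread or from the LEDE project): it reads OpenWrt/LEDE-style uci config text and reports whether UPnP is enabled and whether SSH password logins are disabled, confined to a non-wan interface, or open everywhere. The option names `enabled`, `PasswordAuth` and `Interface` are assumed from the OpenWrt miniupnpd and dropbear packages; the sample configs are constructed.

```shell
#!/bin/sh
# Added example: audit OpenWrt/LEDE uci config text for the two defaults debated
# in the thread: UPnP on or off, and whether SSH password logins are LAN-only or
# disabled. Option names assumed from the OpenWrt miniupnpd and dropbear packages.

# uci_get <name>: print the unquoted value of the first "option <name> '...'"
# line read on stdin; print nothing if the option is absent.
uci_get() {
    awk -v key="$1" '$1 == "option" && $2 == key { print $3; exit }' | tr -d "'\""
}

# audit_upnpd: classify an /etc/config/upnpd section read on stdin.
audit_upnpd() {
    enabled=$(uci_get enabled)
    if [ "${enabled:-0}" = "1" ]; then echo UPNP_ENABLED; else echo UPNP_DISABLED; fi
}

# audit_dropbear: classify an /etc/config/dropbear section read on stdin.
#   KEY_ONLY      PasswordAuth off: nothing for a password attack to hit
#   PASSWORD_LAN  password auth bound to a non-wan interface: still reachable
#                 from a compromised internal host, which is Philip's point
#   PASSWORD_ANY  password auth on every interface, WAN included
audit_dropbear() {
    cfg=$(cat)
    pw=$(printf '%s\n' "$cfg" | uci_get PasswordAuth)   # dropbear default: on
    iface=$(printf '%s\n' "$cfg" | uci_get Interface)   # empty: all interfaces
    case "$pw" in
        off|0) echo KEY_ONLY ;;
        *) if [ -n "$iface" ] && [ "$iface" != "wan" ]; then
               echo PASSWORD_LAN
           else
               echo PASSWORD_ANY
           fi ;;
    esac
}

# Constructed sample configs (not taken from any real router).
WEAK_UPNPD="config upnpd 'config'
    option enabled '1'
    option secure_mode '1'"
HARDENED_UPNPD="config upnpd 'config'
    option enabled '0'"
LAN_ONLY_DROPBEAR="config dropbear
    option PasswordAuth 'on'
    option Interface 'lan'"
KEY_ONLY_DROPBEAR="config dropbear
    option PasswordAuth 'off'"

printf 'upnpd (weak):     %s\n' "$(printf '%s\n' "$WEAK_UPNPD" | audit_upnpd)"
printf 'upnpd (hardened): %s\n' "$(printf '%s\n' "$HARDENED_UPNPD" | audit_upnpd)"
printf 'dropbear (lan):   %s\n' "$(printf '%s\n' "$LAN_ONLY_DROPBEAR" | audit_dropbear)"
printf 'dropbear (keys):  %s\n' "$(printf '%s\n' "$KEY_ONLY_DROPBEAR" | audit_dropbear)"
```

On a live box the same functions can be fed `cat /etc/config/upnpd` and `cat /etc/config/dropbear`; a PASSWORD_LAN result is the configuration Paul proposed, and the thread's argument is that it still leaves the router one password attack away from any infected LAN host.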