Paul Oranje wrote:
Your aptness for seeing the possible attack vectors warrants your judgement ...

On 10 Feb 2018, at 17:07, Philip Prindeville 
<philipp_s...@redfish-solutions.com> wrote:


On Feb 10, 2018, at 3:28 AM, Paul Oranje <p...@oranjevos.nl> wrote:

Wouldn't it be appropriate to disallow password authentication on wan only and allow it 
on all networks "behind" the router?

Not necessarily.

That’s why UPnP is such an issue. A machine inside a firewall gets infected by 
a virus through a download or email... then the first thing the virus does is 
punch holes in the firewall to allow outside scans of the remaining hosts.

Allowing password logins from an infected host just means that the virus has to 
do slightly more work before it owns the router (i.e. run a password attack).

Not substantially more secure...


UPnP should be disabled by default and where possible, as it is a security hazard for those that understand it. For those that don't, it's a compromise waiting to happen.

Juniper doesn't support UPnP in the commercial market at all (and even given their statement in https://kb.juniper.net/InfoCenter/index?page=content&id=KB5615 I can point out that even their semi-residential products - i.e. their small office gear - don't support it either). I'd suggest that any support for UPnP is off by default and gives a warning if someone tries to enable it.

--
Michelle Sullivan
http://www.mhix.org/


_______________________________________________
Lede-dev mailing list
Lede-dev@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/lede-dev
