Hi Mike,
On 10/27/16 11:04 AM, Mike Meredith wrote: > On Thu, 27 Oct 2016 07:59:00 +0200, Eliot Lear <l...@ofcourseimright.com> > may have written: >> Well yes. uPnP is a problem precisely because it is some random device >> asserting on its own that it can be trusted to do what it wants. Had > From my own personal use (and I'm aware that this isn't a general > solution), I'd like a device that sat on those uPnP requests until I logged > into the admin interface to review them. Now if you could automate _me_ > then it might become more generally useful :- You need to go further. It is no longer enough to tackle this problem simply as a firewall problem, because there are too many reflection-style attacks. Not only do you want to prevent devices from opening pinholes to the Internet, but you really want to know what they're going to be doing inside the home. And Quite frankly, I disagree that you want to nag the user unless it is absolutely necessary. To me, that means authorizing the device in the first place, and the access point having access to enough intelligence to know what sort of access is necessary for a device, given its purpose. > As someone who manages an application-based firewall, every problem looks > like it would be easier to solve using an application-based firewall :) I don't generally prefer application firewalls except in limited circumstances. Eliot
signature.asc
Description: OpenPGP digital signature
