[VOIPSEC] IPv6 and the demise (or not) of NAT (was Re:Interactive Connectivity Establishment (ICE))
Robert Moskowitz
rgm at icsalabs.com
Mon Nov 14 17:56:20 CST 2005
At 03:03 PM 11/14/2005, Simon Horne wrote:
>At 05:52 AM 15/11/2005, Bipin_Mistry at 3com.com wrote:
>So I agree with you Phillip. There should be a standard way of telling
>the Firewall which ports it needs to open and close and not rely on
>session border controllers.
>
>There is, it is called UPnP IGD or Universal Plug 'n Play (Internet Gateway
>Device) refer www.upnp.org and most home/small office routers now support it.
>
>
>The biggest problem is that it potentially adds a security risk to the
>network, other malicious programs running on the LAN can open ports up as
>they wish, there is no security to filter which programs can use it. For
>this reason a lot of people are very hesitant to turn it on in their routers.
Other security risks as well.
As you imply, Malcode on a PC can take advantage of PnP to set up all
sorts of covert channels.
I have seen some rather nasty uses of PnP in attacks on physical
security. I hope we don't punt on this one.
Robert Moskowitz
Senior Technical Director
ICSA Labs, a division of Cybertrust, Inc.
W: 248-968-9809
F: 248-968-2824
VoIP: 248-291-0713
E: rgm at icsalabs.com
There's no limit to what can be accomplished if it doesn't matter who
gets the credit
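
Added example, not part of the original message or of any poster's code: one way to act on the concern raised in this thread is to review the port mappings an IGD reports and flag any that policy does not expect. It parses constructed GetGenericPortMappingEntry response bodies (WANIPConnection:1 field names); the addresses, ports, descriptions and the allowlist are assumptions made up for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: bodies of GetGenericPortMappingEntryResponse as an IGD
# returns them (WANIPConnection:1 field names); hosts and ports are made up.
def _resp(ext, proto, iport, client, desc):
    return (
        '<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body>'
        '<u:GetGenericPortMappingEntryResponse '
        'xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1">'
        f'<NewRemoteHost></NewRemoteHost><NewExternalPort>{ext}</NewExternalPort>'
        f'<NewProtocol>{proto}</NewProtocol><NewInternalPort>{iport}</NewInternalPort>'
        f'<NewInternalClient>{client}</NewInternalClient><NewEnabled>1</NewEnabled>'
        f'<NewPortMappingDescription>{desc}</NewPortMappingDescription>'
        '<NewLeaseDuration>0</NewLeaseDuration>'
        '</u:GetGenericPortMappingEntryResponse></s:Body></s:Envelope>'
    )

SAMPLE_RESPONSES = [
    _resp(5060, "UDP", 5060, "192.168.1.20", "softphone SIP"),
    _resp(16384, "UDP", 16384, "192.168.1.20", "softphone RTP"),
    _resp(3389, "TCP", 3389, "192.168.1.57", "svc"),
    _resp(5060, "TCP", 22, "192.168.1.20", "softphone SIP"),
]

# Assumed policy: the only (client, protocol, internal port) tuples allowed.
ALLOWED = {("192.168.1.20", "UDP", 5060), ("192.168.1.20", "UDP", 16384)}

def parse_mapping(xml_text):
    """Return the port-mapping fields from one response body as a dict."""
    root = ET.fromstring(xml_text)
    fields = {}
    for el in root.iter():
        tag = el.tag.rsplit("}", 1)[-1]  # strip any XML namespace
        if tag.startswith("New"):
            fields[tag[3:]] = (el.text or "").strip()
    return fields

def audit(responses, allowed):
    """Return mappings that are enabled but not covered by the allowlist."""
    findings = []
    for body in responses:
        m = parse_mapping(body)
        key = (m["InternalClient"], m["Protocol"].upper(), int(m["InternalPort"]))
        if m.get("Enabled") == "1" and key not in allowed:
            findings.append(m)
    return findings

if __name__ == "__main__":
    for m in audit(SAMPLE_RESPONSES, ALLOWED):
        print("unexpected mapping:", m["ExternalPort"], m["Protocol"], "->", m["InternalClient"], m["InternalPort"])
```

The fourth sample entry reuses the softphone's description but forwards to internal port 22: the description is supplied by whoever requested the mapping, so the check keys on client, protocol and port rather than on the label.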