[VOIPSEC] IPv6 and the demise (or not) of NAT (was Re:Interactive Connectivity Establishment (ICE))
Hallam-Baker, Phillip
pbaker at verisign.com
Tue Nov 15 00:37:05 GMT 2005
There is a moral here.
Trying to enforce security by refusing to provide needed functionality in a safe fashion only leads to someone else providing it insecurely.
My firewall gives me an all or nothing choice... Control individual ports by micromanagement or throw it all open... Not a good choice.
-----Original Message-----
From: Robert Moskowitz [mailto:rgm at icsalabs.com]
Sent: Mon Nov 14 16:02:06 2005
To: Voipsec at voipsa.org
Subject: Re: [VOIPSEC] IPv6 and the demise (or not) of NAT (was Re:Interactive Connectivity Establishment (ICE))
At 03:03 PM 11/14/2005, Simon Horne wrote:
>At 05:52 AM 15/11/2005, Bipin_Mistry at 3com.com wrote:
>So I agree with you Phillip. There should be a standard way of telling
>the Firewall which ports it needs to open and close and not rely on
>session border controllers.
>
>There is, it is called UPnP IGD or Universal Plug 'n Play (Internet Gateway
>Device) refer www.upnp.org and most home/small office routers now support it.
>
>
>The biggest problem is that it potentially adds a security risk to the
>network, other malicious programs running on the LAN can open ports up as
>they wish, there is no security to filter which programs can use it. For
>this reason a lot of people are very hesitant to turn it on in their routers.
Other security risks as well.
As you imply, Malcode on a PC can take advantage of PnP to set up all
sorts of covert channels.
I have seen some rather nasty uses of PnP in attacks on physical
security. I hope we don't punt on this one.
Robert Moskowitz
Senior Technical Director
ICSA Labs, a division of Cybertrust, Inc.
W: 248-968-9809
F: 248-968-2824
VoIP: 248-291-0713
E: rgm at icsalabs.com
There's no limit to what can be accomplished if it doesn't matter who
gets the credit
_______________________________________________
Voipsec mailing list
Voipsec at voipsa.org
http://voipsa.org/mailman/listinfo/voipsec_voipsa.org