Programming a connection to a user on a private network

Started by
14 comments, last by hplus0603 15 years, 8 months ago
uPNP is a terrible solution.

First, it will allow any worm-like program that goes into your network to actually create a hole for itself in your firewall. It's almost like you don't have one!

Second, it only supports a single host forwarding a single port. What if the same program lives on two separate machines? Both can't do it. Meanwhile, an introducer server solves that problem, because it doesn't rely on fixed port numbers.
enum Bool { True, False, FileNotFound };
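To make the "introducer server doesn't rely on fixed port numbers" point concrete, here is an added toy simulation (not code from this thread or from any project mentioned in it). It models a single NAT gateway with two hosts behind it that both run the same program on the same local port: a UPnP-style static forward of one public port can only be claimed by one of them, while an introducer that simply records each host's NAT-observed address and port can introduce both. All names, addresses and the port-allocation rule are constructed for the example.

```python
"""Toy NAT + introducer simulation (added example; constructed values only)."""
import random
from dataclasses import dataclass, field


@dataclass
class NatGateway:
    """Minimal NAT: each outbound (inner_ip, inner_port) gets a fresh public port.

    The port choice is arbitrary on purpose, which is exactly why a peer
    cannot know it in advance and why an introducer has to observe it.
    """
    public_ip: str
    rng: random.Random = field(default_factory=lambda: random.Random(1))
    mappings: dict = field(default_factory=dict)   # (inner_ip, inner_port) -> public_port
    forwards: dict = field(default_factory=dict)   # public_port -> (inner_ip, inner_port)

    def outbound(self, inner_ip: str, inner_port: int) -> tuple:
        """Translate an outbound flow; return the (public_ip, public_port) a server sees."""
        key = (inner_ip, inner_port)
        if key not in self.mappings:
            used = set(self.mappings.values()) | set(self.forwards)
            port = self.rng.randrange(49152, 65536)
            while port in used:
                port = self.rng.randrange(49152, 65536)
            self.mappings[key] = port
        return (self.public_ip, self.mappings[key])

    def add_forward(self, public_port: int, inner_ip: str, inner_port: int) -> bool:
        """UPnP-style static forward: one public port maps to exactly one inner host."""
        if public_port in self.forwards:
            return False  # second host behind the same NAT cannot claim the same port
        self.forwards[public_port] = (inner_ip, inner_port)
        return True


class Introducer:
    """Rendezvous server: stores whatever endpoint each client was observed from."""

    def __init__(self) -> None:
        self.registry = {}  # client name -> (observed_ip, observed_port)

    def register(self, name: str, observed: tuple) -> None:
        self.registry[name] = observed

    def introduce(self, a: str, b: str) -> tuple:
        """Hand each side the other's observed endpoint."""
        return self.registry[a], self.registry[b]


def two_hosts_via_introducer(nat: NatGateway, intro: Introducer, inner_port: int = 7777) -> dict:
    """Two hosts on one LAN, same program, same local port; both become introducible."""
    hosts = {"alice": "192.168.1.10", "bob": "192.168.1.11"}  # constructed LAN addresses
    for name, inner_ip in hosts.items():
        # Each client sends one packet to the introducer; the NAT picks the public port.
        intro.register(name, nat.outbound(inner_ip, inner_port))
    ep_alice, ep_bob = intro.introduce("alice", "bob")
    return {"alice": ep_alice, "bob": ep_bob}


if __name__ == "__main__":
    gw = NatGateway("203.0.113.7")  # constructed public address
    print("static forward for alice:", gw.add_forward(7777, "192.168.1.10", 7777))
    print("static forward for bob:  ", gw.add_forward(7777, "192.168.1.11", 7777))
    print("introducer endpoints:    ", two_hosts_via_introducer(gw, Introducer()))
```

The simulation deliberately models the friendliest case, a NAT that keeps one public port per inner socket regardless of destination. Real gateways vary (some allocate a new port per destination), which is why production introducers pair this registration step with hole punching or a relay fallback; that detail is outside what the thread covers.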
Quote:Original post by hplus0603
uPNP is a terrible solution.

First, it will allow any worm-like program that goes into your network to actually create a hole for itself in your firewall. It's almost like you don't have one!

Second, it only supports a single host forwarding a single port. What if the same program lives on two separate machines? Both can't do it. Meanwhile, an introducer server solves that problem, because it doesn't rely on fixed port numbers.


But generally (and unfortunately) for the average home user, convenience > security.
Soooo... I know it's terrible of Windows to implement such a horrible, no-good, very bad thing as uPNP... but that shouldn't stop me from taking full advantage of it, should it?
Quote:Original post by ben11587
Soooo... I know it's terrible of Windows to implement such a horrible, no-good, very bad thing as uPNP... but that shouldn't stop me from taking full advantage of it, should it?


As was earlier made clear, I'm not exactly an expert on uPNP, but I would assume (damn my assuming) that using uPNP will only be effective if
A) the router supports it,
and B) it's enabled on the router.

After what the knowledgeable hplus has written, it is no longer enabled on my router.
Quote:Original post by hplus0603
First, it will allow any worm-like program that goes into your network to actually create a hole for itself in your firewall. It's almost like you don't have one!

The whole idea of a firewall is to keep threats out. If your computer is compromised, you're already hosed, regardless of whether you can create a listening port. Besides which, relatively few things that hackers use zombie machines for involve the need to create a listening port.
Quote:The whole idea of a firewall is to keep threats out.


Actually, firewalls can be instrumental in keeping compromises to small levels. I know of several production sites that only allow very specific ports in and out, and where this has helped reduce impact in the case of compromise. If you can't put up a torrent server, for example, your home is less likely to be raided by the FBI :-)

Even the word "firewall" comes from construction: if there are fire-resistant walls between apartment buildings, then a fire in one building will not spread to the next building. Using firewalls only to prevent a first-order attack means not taking advantage of all the protection you can get, IMO.

Then again, most home users probably only use a firewall to allow them to connect multiple hosts to a single internet connection, and don't really know anything about security :-(
enum Bool { True, False, FileNotFound };

This topic is closed to new replies.