
RE: CPE equipments and stateful filters



> > There might be a misunderstanding here. As far as I can tell, UPnP, NAT-PMP
> > and ALD all allow (unauthenticated) requests coming from the inside, and
> > discard any requests coming from the outside. In the physical world, most
> > locks can be undone without key from the inside, and only need a key from the
> > inside.
> 
> 	I mentioned the following story:
> 	- machines inside of your organization get infected by viruses, trojan
> 	  horses or whatever and bad guys take control of the box.
> 	  this can be due to a poorly-managed laptop with VPN reachability
> 	  towards the inside of your organization, an infected laptop goes into your
> 	  organization after a trip to Chicago, whatever.
> 	- bad guys play with UPnP and punch holes in your firewall

All this is an issue of tradeoffs. "Stateful firewalls" are one
particular type of trade-off. They purport to augment the security of
the system by limiting the possibility of unsolicited connection. This
is a classic way to "reduce the attack surface", and provided serious
benefits when systems would have a large number of ports open by
default. 

But the stateful firewalls block desirable applications, so applications
have to develop workarounds that in turn increase the attack surface.
Controlling the NAT with UPNP is one such workaround. STUN, ICE, Teredo
are another. Services like "go to my PC" are yet another. Today, we
cannot assess the potential security benefit of stateful firewalls
without looking at the whole system, i.e. firewalls plus traversal
mechanisms. When you take into account that modern systems definitely
do not leave many ports open by default, the benefit appears dubious.

-- Christian Huitema
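To make the inside/outside asymmetry discussed above concrete, here is an added example (not code from the thread or from any router firmware): a policy check an IGD-style NAT could run on an incoming UPnP AddPortMapping request. It assumes a constructed LAN prefix of 192.168.1.0/24 and a hypothetical local rule against privileged ports; the "mapping target must equal requester" check is the kind of tightening some IGD implementations offer (miniupnpd's secure_mode option is one), and it limits what a compromised inside host can open for other hosts.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Assumed LAN prefix (constructed for this example).
LAN = ipaddress.ip_network("192.168.1.0/24")
WANIP_NS = "{urn:schemas-upnp-org:service:WANIPConnection:1}"

# Constructed sample: the SOAP body a LAN client sends to open TCP 6881 to itself.
SAMPLE_REQUEST = """<?xml version="1.0"?>
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"
 s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
<s:Body><u:AddPortMapping xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1">
<NewRemoteHost></NewRemoteHost><NewExternalPort>6881</NewExternalPort>
<NewProtocol>TCP</NewProtocol><NewInternalPort>6881</NewInternalPort>
<NewInternalClient>192.168.1.50</NewInternalClient><NewEnabled>1</NewEnabled>
<NewPortMappingDescription>example</NewPortMappingDescription>
<NewLeaseDuration>0</NewLeaseDuration></u:AddPortMapping></s:Body></s:Envelope>"""


def parse_add_port_mapping(soap_body: str) -> dict:
    """Extract the arguments of an IGD AddPortMapping action from its SOAP body."""
    root = ET.fromstring(soap_body)
    action = root.find(f".//{WANIP_NS}AddPortMapping")
    if action is None:
        raise ValueError("not an AddPortMapping request")
    # Argument elements are unqualified, so child.tag is the bare argument name.
    args = {child.tag: (child.text or "").strip() for child in action}
    return {
        "ext_port": int(args["NewExternalPort"]),
        "proto": args["NewProtocol"].upper(),
        "int_port": int(args["NewInternalPort"]),
        "int_client": args["NewInternalClient"],
    }


def decide(mapping: dict, requester_ip: str, arrived_on_wan: bool):
    """Return (accepted, reason). Outside requests are discarded (the stateful-filter
    asymmetry); inside requests may only open holes towards the requester itself."""
    if arrived_on_wan:
        return False, "request from outside discarded"
    if ipaddress.ip_address(requester_ip) not in LAN:
        return False, "requester not on LAN"
    if mapping["proto"] not in ("TCP", "UDP"):
        return False, "unknown protocol"
    if mapping["int_client"] != requester_ip:
        return False, "mapping target differs from requester (secure-mode violation)"
    if mapping["ext_port"] < 1024 or mapping["int_port"] < 1024:
        return False, "privileged port (hypothetical local policy)"
    return True, "accepted"
```

A mapping log built from these decisions is also where a defender would look for an inside host suddenly requesting many mappings, which is the "punch holes on your firewall" scenario from the quoted message.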