ZA + uPnP (split posts)

Discussion in 'other firewalls' started by fax, May 1, 2007.

Thread Status:
Not open for further replies.
  1. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Yes, but little by little we get to the facts.
    My initial statement (post#1) remains (this was posted as a full statement, do not take parts out of context)
    From default windows installation, there are no programs that require server rights within the Internet zone for the OS to function correctly. You yourself have added server rights for an application within the Internet Zone.
    You are now contradicting yourself.
    We could now go through how Windows performs DHCP and what is needed, but basically, with a firewall that is SPI (pseudo UDP), only outbound DHCP boot is required. So what is "but otherwise"?
    I allow outbound to my DHCP/DNS servers, be it on LAN/Internet. Why should I allow unsolicited inbound connections from these?
     
  2. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Hi Oldshep:

    Your experience matches mine! That is what I'm doing as well.

    There is no reason to dumb down your security in ZA Pro based on opinions (I say Pro only because I use it).

    Stronger security has always been inconvenient, you know, the odd block and so on, but that is just the tool doing what it was designed to do! If it is recommended for cafes and wireless, that point speaks for itself.

    There are different world views on FW security. The points have been made, the experiments and tests run by Stem and others (me for example).

    My router is on Internet ever since our FW moderator proved his case over many posts and actual tests. So that's good enough for me.

    Other debating posts may appear but for me, I'm done with this.

    Enjoy your setting; it works for you, it's safer, so you are in good shape.
     
  3. oldshep

    oldshep Registered Member

    Joined:
    Dec 19, 2006
    Posts:
    139
    Hi Escalader,

    Good to know I'm not the only one seeing warning logs w/ my router in the internet zone :) .

    It's weird, but I don't recall any problems with this issue on my desktop when I was using ZAISS V6.5 for ~1 year. And my laptop has no such warnings either (ZAISS V7 and SS 5.3).

    I've left the loopback adapter as trusted but the rest of the LAN is set to internet. I'll post if any problems develop.
     
  4. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,898
    Location:
    localhost
    Hi!
    not sure what you are trying to achieve apart from confusing the reader about statements taken out of context and network explanations by the book.

    The facts here are almost non-existent... users may (or may not) have connection problems that will need to be solved via specific rules.

    The original question still stands: What are the CONCRETE risks of having the router set to trusted if the router is configured correctly? Can you compromise my system given that I set my router as trusted? I really don't think so!

    Don't reply back about uPnP; that is a non-issue and is actually a useful feature for complex programs that need full control of ports. Reminds me of the Steve Gibson outcry, some years ago, on Windows XP and uPnP.

    I am surprised you are asking about the "otherwise". If you do not allow broadcast, how the hell can you get your IP and connection from the router?
    You block outbound, you block inbound and you expect everything to work fine with the router managing DNS and DHCP?

    Oh... well, this is getting ridiculous... :thumbd:

    Cheers,
    Fax
     
  5. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    As shown, admitted by yourself, and as I know, DHCP broadcasts are allowed by ZA in the Internet "high" settings (unless, by findings, problems exist due to bugs within ZA). Do I need to show/teach you how DHCP functions? I would actually find this a waste of time, as you put forward that you know everything, but then contradict yourself. I will leave my time for those who like to learn, and find actual facts rather than fiction.

    Your own setup, from the programs you use, may require unsolicited inbound. This does not infer that all users are the same. You should base this on ALL users, not your own personal needs or problems with your connection. I have spent many hours/days/weeks/months/years checking setups and needs for firewalls; I base this on many setups/tests over the years, and on info gained from feedback from many users.
    You should not blinker.
     
  6. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,898
    Location:
    localhost
    You are actually not answering the main question... That's a pity... I would really like to know your answer given that you have spent hours/days/weeks/months/years on routers, users, etc...

    Should we exchange our CVs? (just joking!) :D

    AND ZA allows broadcast on high settings... YES! I have said that thanks to that you have no connection problems (most of the time); "otherwise", if you do not allow broadcast and the router is on internet, then you effectively do not allow outbound and inbound. So, it should not work if your router controls DHCP and DNS. If it works, it's a ZA bug or another hidden option in ZA...

    By the way, if you remember, the user had difficulties connecting and communicating with the router once that option was unchecked (allow broadcast/multicast), and he added an additional rule to resolve the issue...

    Cheers,
    Fax
     
    Last edited: May 10, 2007
  7. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,898
    Location:
    localhost
    Stem,

    The more I think about this, the more I don't find any rationale and logic in your principle of setting the router as untrusted. Let's try to go back to the basics.

    Where would you need to focus your attention in terms of security of your communications? Two main areas:

    1. Communications from the internet to your system and;
    2. Communications from programs on your system to the internet

    The router is not in 1 or 2. The router is part of your security measures. Depending on your configuration, it plays an important role in dropping unsolicited inbound connections from the internet and ensuring your connection to the internet.

    Would blocking communications between the router and your system and vice versa improve your security, quality of service, communication, stability, speed?? NO... absolutely not...

    Any particular reasons for blocking outgoing calls to port 53 or port 67 from your system to your router, apart from having your LOGs in ZA filled by these calls? Why would you consider these legitimate calls from your system as untrusted?

    Having said this, I am more and more convinced that your basic starting point, security wise, is fundamentally flawed or at least unjustified.

    Cheers,
    Fax
     
  8. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Using verify and compare, here is a question and the answer from the BD User Forum (where the vendor reps read about customer concerns :D ).

    "I think you are saying BD FW doesn't assume that the router should be trusted as with ZA design. and using the BD wizard will set up rules for my set up based on what it finds? Is that correct?" by escalader

    "That is correct. BitDefender doesn't assume anything. It asks you the connection type and, based on that information, it sets the proper Firewall Default settings." answer poster private.

    If BD FW is okay and Stem is okay, I for one am convinced that your position is, how to put this .... fuzzy. :D
     
  9. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,898
    Location:
    localhost
    I think you missed the point... the issue here is why the router should be set to untrusted and what are the concrete security risks of having the router set to trusted, granted that the router is configured correctly...

    Fax
     
  10. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Why do you think you are always right about what the issues are and who has to prove what and if that proof that is provided is valid? :rolleyes:

    Your blinkered style is: if others disagree with you, and thus with the Z world view design, you state they must be wrong, misguided and/or they have a special broken PC or a copy of ZA that has unique bugs, then "... and you say they missed the point".

    What a joke. Well at least you provide entertainment for the reader.

    So for all you ZA newbies out there here is Fax's advice in one line to save you reading:

    "Follow his dictums here and elsewhere; don't question his logic or mention ZA bugs or test results, he gets upset and HJ's your thread."

    Oh, and BTW, don't listen to knowledgeable FW experts like Stem who carry out real tests and provide science-based results; change your ZA-based systems to trust your routers.

    In case anyone was in doubt my own router is still set to Internet as it is not inside my PC.
     
  11. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,898
    Location:
    localhost
    You have no other arguments than personal attacks; you simply don't want to understand what I am talking about. Looks like you want to put users one against another... that's childish... Please stop spamming this thread!

    Stem is doing a great job and I thank him for his dedication and time in supporting wilders users.... My question was/is very simple and I got no convincing answer. As simple as that.

    There is no concrete security risk to set up my router as trusted (details in previous posts) and I would be happy to see my system compromised because my router is set this way. :D

    Cheers,
    Fax
     
  12. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    The point of this is from the view of all users, not one single setup/ user needs. Not all users on a LAN are on a trusted LAN.
    If we look at a setup, let's say for a college/campus, where many users are on LAN, none would be trusted (certainly from my standpoint); the gateway (router) would then have a question for trust. The router may well be capable of protection against inbound attack (from Internet), but from within the LAN it could be compromised.
    So, would you agree that simply saying add the router as trusted in all setups is not always the best approach?

    You have mentioned your problems with DHCP/DNS when the router is set to Internet. I have found on base setup no such problems (but changing NIC card did show some outbound DHCP being blocked). So, from this, there is a bug within ZA. From the help file, DHCP broadcasts are allowed within the Internet zone. So would it not be better for all to attempt to find this bug, so that ZA can be informed and correct this?
     
  13. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,898
    Location:
    localhost
    yep, absolutely agree... but we are not talking about campus, otherwise I would have mentioned it. And I am not talking about LAN trusted but only the router. In the specific case, the user (Escalader) has even a firewall in front of the router. And in my case indeed I have a LAN but with trusted and controlled/closed PCs.

    You mean DHCP broadcasting blocked or DHCP 53 blocked? At high setting, DHCP and DNS are blocked (UDP 53, 67) and under certain circumstances this may create problems if the router is managing DNS and DHCP, and I have seen this many times (yes, broadcasting is not blocked; this is a necessary but not sufficient condition to avoid issues). It depends also on the provider of the service (ISP); specific software like streaming, messenger, teleconference, and complex/multi-connection can create huge and unnecessary logs in the firewall. Is it justified to close connections from PC to router and vice versa from a security point of view? Not really....

    But going back to the main question ... "what are the concrete security risk of having the router set to trusted granted that the router is configured correctly" ?

    When thinking about optimal settings within ZA, I am thinking about the optimal combination between usability and security ..... To be clear: the issue is not... everything is working well or is not working well with the router as internet... I would like to see some concrete justifications for it to be set as it is. Otherwise it's just personal preferences and I can't see any good reason for doing so apart from having ZA busy logging harmless connections.

    Fax
     
  14. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    This thread was split off originally to look at uPnP; that is why the "title" was made.

    You do keep going back to personal setup/needs which was never my point. If I was to advise to all questions based on my own setup/needs, then this would be incorrect.

    This would infer a bug that allows this outbound, as this outbound is allowed on my setup. A bug that allows outbound is a major problem.

    For me personally: if setting the router as "Trusted" could put "1 in 100" at risk due to setup (untrusted LAN), then I discourage setting LAN as trusted by default.

    As stated, it depends on the LAN.

    Please do not look at this as a single setup, all setups differ, forget a single user and think of what would be best as default. (for all user needs)
     
  15. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,898
    Location:
    localhost
    Yes, I agree, if you have to give a generic setting that is valid for most users the LAN should not be set to trusted. Unless the LAN is just one PC or a few controlled PCs.

    Ok, got some sort of answer to the router issue. So, you are not so against a router as trusted, depending on the specific case. For you it's more a concern about the LAN as trusted. If I understood well....

    Fax
     
  16. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Thank you,
    Now you see my point on this,
    But, for the DHCP/DNS problems, do you think this needs to be looked at?
     
  17. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,898
    Location:
    localhost
    If problems arise for the user, yes... like loss of connection, problems or slow connection, difficulties in renewing IPs, etc. If instead everything is working fine and there are no problems... no need for fine tuning DHCP/DNS.

    Did I understand your question correctly?

    Fax
     
  18. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    fax,

    Well, what we need to look at is the DHCP/DNS connection problems users have, and why.

    If we look at your statement:
    Most new users of ZA will be installing onto a setup that has a direct connection to the Internet, so the DHCP/DNS server will be in the Internet zone with high settings. So from your above statement, if correct, then those users simply would not be able to connect to the Internet after installing ZA. So is there a need for all users of ZA to set the DHCP/DNS servers as "Trusted"?
    Outbound DHCP broadcasts are all that is needed (with a firewall with UDP (pseudo) SPI) for DHCP, Yes, renewal DHCP will attempt outbound to IP stored for DHCP server, but if this connection cannot be made, then windows will broadcast to renew.

    We have agreed that setting the LAN/Router as trusted will depend on the user's setup; from your posts I see the main reason you set your router as trusted is due to intermittent connection problems.
    Now if we look at this: if, as you say, DNS is blocked on Internet (as this is default to high settings), then you would not be able to connect out at all when you have the router as Internet. Would you agree with this?
     
  19. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,898
    Location:
    localhost
    Well, I don't know the origin of the problem... ZA or not ZA fault.
    I have however seen hundreds of cases with connection problems due to DNS and DHCP IPs not in the trusted zone.

    Thus my original recommendation of having the router (that in that case was/is responsible for DNS and DHCP) in the trusted zone.

    This setting, regardless of ZA bug or not, will avoid any potential problem and does not constitute a security risk per se.

    Fax
     
  20. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Then should not the end user who has these problems report them directly to ZA, rather than have a "Workaround"?
    But you have already agreed that the LAN cannot always be trusted; if you simply "Trust" the router in an untrusted LAN then there is a very real possibility of compromise.
     
  21. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,898
    Location:
    localhost
    Good, we are finally getting to the point I am interested in... so baseline: 1. LAN NOT trusted; 2. Router: Trusted. Which security risk in concrete terms? I would really look forward to this answer, since it was the bottom line of all these posts.

    By the way, you know that most serious vulnerabilities are independent of trusting the router, like DNS spoofing.

    On reporting to ZA, no one here has disputed that, if there is a problem, this can be sent to ZA. Was it?
    Actually, more than once I have suggested to report/ask ZA (e.g. calling home).

    EDIT: reading back your message, I think there is a baseline misunderstanding... when I say not trusted, I mean set to INTERNET in ZA, not untrusted in general terms. Your untrusted seems more the campus example where you actually set ZA to trust the LAN. This is clearly not secure....

    Bottom line: Can we all agree that: if in ZA the LAN is set to Internet, the risk of setting the router to TRUSTED is minimal or negligible?
    (Indeed there is always a risk with whatever settings.... 100% security does not exist)

    Fax
     
    Last edited: May 21, 2007
  22. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    IP spoofing.
    Attacks against svchost which is allowed server rights (unsolicited inbound) in the trusted zone
     
  23. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,898
    Location:
    localhost
    Both of these are independent of setting the router as internet in ZA...
    With spoofing you can jump any router/firewall (trusted/not trusted); it's just a built-in weakness of the system. I think I have mentioned already the "elchapo router context" that compromised a system with spoofing. But you need some help to get into the machine first.

    Uuhm... svchost can be compromised without the server right; vulnerabilities are a fact of life... no need for help from the router.

    I mean.... I can follow your arguments but in real life 99% of the risks to be compromised are not coming from the router... there are far easier ways to compromise systems without the need of touching the router.

    Fax
     
  24. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    IP spoofing against an SPI firewall where unsolicited inbound is blocked is quite difficult (although not impossible). When you set up a "Trusted IP", such as the router, then unsolicited inbound will be allowed from that IP, so a bypass/attack (with IP spoofed as the router) is much easier (even simple at times), and in such a setup I could/can easily DOS/DDOS another node on LAN (as example).
     
    Last edited: May 21, 2007
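To make the two positions above concrete, here is an added example (not ZoneAlarm's code, and not from anyone in this thread): a toy Python model of a host firewall with a Trusted zone, an Internet zone and a pseudo-SPI table for UDP. Addresses, ports and the zone logic are assumptions; the model shows that DHCP works in either zone because the outbound broadcast creates state, while an unsolicited datagram that merely carries the router's address as its source is accepted only once the router has been placed in Trusted.

```python
from dataclasses import dataclass

ROUTER = "192.168.1.1"        # constructed LAN gateway address
HOST = "192.168.1.50"         # constructed address of the ZA-protected PC
BROADCAST = "255.255.255.255"

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str       # "udp" or "tcp"
    direction: str   # "out" (from this host) or "in" (towards this host)

class ZoneFirewall:
    """Toy host firewall: unsolicited inbound is dropped unless the
    sender's address is in the Trusted zone (server rights granted)."""

    def __init__(self, trusted_ips=()):
        self.trusted = set(trusted_ips)
        # Pseudo-SPI entries: (proto, local_port, remote_ip, remote_port).
        # An outbound broadcast stores "*" as remote_ip, so the reply from
        # any address to that local port counts as solicited; this is what
        # lets DHCP work with the router left in the Internet zone.
        self.state = set()
        self.log = []

    def filter(self, pkt: Packet) -> bool:
        if pkt.direction == "out":
            remote = "*" if pkt.dst_ip == BROADCAST else pkt.dst_ip
            self.state.add((pkt.proto, pkt.src_port, remote, pkt.dst_port))
            return True
        exact = (pkt.proto, pkt.dst_port, pkt.src_ip, pkt.src_port)
        wild = (pkt.proto, pkt.dst_port, "*", pkt.src_port)
        if exact in self.state or wild in self.state:
            return True                  # reply to a request we sent
        if pkt.src_ip in self.trusted:
            return True                  # Trusted zone: allowed unsolicited
        self.log.append(f"blocked {pkt.proto} {pkt.src_ip}:{pkt.src_port} -> :{pkt.dst_port}")
        return False

def dhcp_exchange(fw: ZoneFirewall) -> bool:
    """DHCPDISCOVER out as a broadcast, then DHCPOFFER back from the router."""
    fw.filter(Packet("0.0.0.0", 68, BROADCAST, 67, "udp", "out"))
    return fw.filter(Packet(ROUTER, 67, BROADCAST, 68, "udp", "in"))

def unsolicited_with_router_source(fw: ZoneFirewall) -> bool:
    """A datagram nobody asked for, carrying the router's address as source
    (the spoofed-router case), aimed at an RPC port that svchost listens on."""
    return fw.filter(Packet(ROUTER, 40000, HOST, 135, "udp", "in"))

def compare_zones() -> dict:
    """Both scenarios, first with the router in the Internet zone, then Trusted."""
    results = {}
    for label, trusted in (("router_internet", ()), ("router_trusted", (ROUTER,))):
        fw = ZoneFirewall(trusted)
        results[label] = {
            "dhcp_works": dhcp_exchange(fw),
            "unsolicited_accepted": unsolicited_with_router_source(fw),
        }
    return results
```

The blocked entry left in `fw.log` for the Internet-zone case is the kind of harmless-looking alert the thread argues about: it is noise for a well-behaved router, but it is also the only trace you get of a packet claiming the router's address.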
  25. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,898
    Location:
    localhost
    uuuhm.... interesting... just trying to follow.
    Router does NAT and has SPI. It is trusted in ZA.

    First: how can you jump over the router? Spoofing works if your system sends a call and gets back the answer... without a call from the system (my PC) and a spoofed reply from the internet ... no spoofing.

    So regardless of the router in the ZA trusted zone or internet the spoofing will work, since ZA will allow the incoming that is an answer from a 'legitimate' previous call...

    Spoofing can simply jump all defences.... it is difficult but possible. If I find the DNS spoofing example again, I'll put the link here...

    Found it:
    "......Could this method get packets past a software firewall, yes.
    Could this method get packets past a high end firewall, yes.
    Does this method require a lot of planets to line up, yes....."

    A very interesting reading...
    http://www.dslreports.com/forum/remark,14723926
    Complete post here:
    http://www.dslreports.com/forum/remark,14719484

    Fax
     
    Last edited: May 21, 2007