ZA + uPnP (split posts)

Discussion in 'other firewalls' started by fax, May 1, 2007.

Thread Status:
Not open for further replies.
  1. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,726
    Location:
    localhost
    Re: How to set optimum settings in ZA Pro?

    Yes, good point, UPnP can be a security risk. No doubt...

    However:

    1. UPnP is disabled by default on Windows XP machines.
    2. UPnP is disabled by default on most (if not all) router brands. At least it was on the four routers of different brands I have tried.

    and:

    3. UPnP is not prevented if, in ZA, you set your LAN/router to the Internet zone. I have just tested it with MSN Messenger Live, which uses UPnP. Apparently the precondition for not allowing UPnP is to disable it in the OS or in the router.

    So, to summarise, the concrete risk of adding the router to the Trusted zone is still unclear, granted that your router is set up securely (as already described in previous posts). But for the purpose of this thread I perfectly understand why you have suggested keeping it out of the Trusted zone.

    Fax
     
    Last edited: May 1, 2007
  2. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK

    The default setting is "Manual" (info) and it will be started by svchost. You can check this yourself by resetting the group policy (which I did at the start of this thread).
    Not from my info/findings.

    UPnP requires both outbound and inbound to function. With the router IP as Internet, no unsolicited inbound is allowed, and therefore UPnP cannot function. If set as Trusted (with default Trusted zone settings), full comms can be made and UPnP functions.
    Note: just to add, this is with reference to svchost making full UPnP connections; other programs have this ability too, and it would depend on the access given to that application (programs such as uTorrent can perform UPnP with allowed access).

    I am going from findings from my support of many users, with many different types of hardware. My thought on this stands.
     
    Last edited: May 1, 2007
  3. fax


    I don't want to start an argument on this since I don't want to hijack the thread by Escalader.

    But:

    1. To have UPnP work in XP, you have to install the UPnP plug-in from the Windows CD. Otherwise it will not work... only Linksys routers will work without this...

    Source: http://www.microsoft.com/windowsxp/using/setup/expert/crawford_02july22.mspx

    2. Well, on UPnP being enabled by default on routers, that's your experience; I have a different one.... Belkin routers, ZyXEL routers, former US Robotics, SMC routers, etc. have UPnP disabled by default. I only know of some Linksys and D-Link routers that have UPnP enabled.

    3. I have set my entire LAN to Internet in ZA and UPnP works fine in MSN Messenger Live... so apparently UPnP is not blocked...

    Fax

    http://img66.imageshack.us/img66/703/image1hv2.jpg
     
    Last edited: May 1, 2007
  4. Stem

    Did you read my note in my last post?
    I would need to ask what network access has been given to MSN for it to be able to connect via UPnP to the router.
     
  5. fax

    Yep, I have read your last post...

    MSN Messenger needs to have full access (server rights to the Internet)... so it has full green checkmarks under Program Control.
    It needs server rights in order to work (e.g. video calls). But as you can see from the screenshot... I have no Trusted zone except for 127.0.0.0. Svchost has no server rights to the Internet.

    So indeed, this confirms that there are programs (you mention BitTorrent) that will just use UPnP even if the network is set to Internet.... so the justification for setting the router to Internet to block UPnP is weak. My initial post still stands...

    Fax

    EDIT: NOTE that with the LAN/router set to the Internet zone, svchost with NO server rights to the Internet and MSN Messenger with NO server rights to the Internet, MSN Messenger is still able to connect using UPnP.... :D
     
    Last edited: May 1, 2007
  6. Stem

    That is why MSN can connect via UPnP: because it has server rights in the Internet zone. This was the point/note I was making.

    From the default setup we started on, server rights are given to svchost within the Trusted zone. So if we place the router as Trusted, svchost would be allowed to connect fully via UPnP to the router. Placing the router as Internet would stop this... but if you were then to give svchost server rights within the Internet zone, svchost could again connect.

    We are going from a default installation of Windows/ZA. Adding any type of server software which is allowed unsolicited inbound from the Internet is a possible problem, but this point should be for another thread.
     
  7. fax

    Yep, an answer to Stem was due... from now on I will edit my messages, no new posts... Good compromise? :D

    Sorry, when things are unclear/not justified it's not easy to stay silent. :gack:

    Fax
     
  8. Stem

    Hello fax,
    I am certainly interested in your findings, and would certainly like to go through the settings you have, the comms made, etc. But as noted, the thread is digressing too much from the original poster. You can start a new thread on this, and/or I can split off the posts regarding this issue. But I do have to respect the member who started this/any thread. So if you wish to continue this, which I have no problem with doing, please PM me if you would like any of the posts (by you/my reply/your reply etc.) from this thread moved to one where we can continue.
     
  9. fax


    Absolutely fine with me... :)

    Cheers,
    Fax
     
  10. fax

    Thanks Gre87y for your interest and support :D

    I think I made my point on router/LAN trusted/untrusted and UPnP (i.e. theory sometimes diverges from practice), let's move forward...
    I am sure there will be issues on Program Control I/we could give input on... I just don't want to hijack this thread further unnecessarily...

    Cheers,
    Fax
     
  11. Stem

    I was going to drop this and move forward. But let's make one point clear. UPnP will not work unless you allow inbound connections. If your setup is allowing UPnP, then your setup is allowing inbound connections.

    Here is some info on the Windows Firewall and the exceptions needed.
     
  12. fax

    If you allow me and since you made your point, I will make mine (my last on this hopefully)...

    No doubt you can block UPnP; however, your original statement, which triggered my reaction, was:

    This is, in the context of ZA, incorrect or, better said, 'incomplete' information, i.e. not putting the router in the Trusted zone will not prevent UPnP ports from being active; specific rules need to be set up to block UPnP. So, that's why I have stated that (unfortunately) theory sometimes differs from practice.

    Sorry in advance to Escalader for coming back on this again.

    Fax
     
  13. Stem

    Placing the LAN in the Internet zone will block unsolicited inbound, so UPnP will not function. I checked and tested this with ZA before my first post on the subject.

    Simple check for you to try:
    Have Windows UPnP active and the router's UPnP active. Disable all "allow server" software in the Internet zone. Place the LAN in the Internet zone and reboot. UPnP will not connect. Change the LAN to Trusted, with the Trusted zone set to default (Medium), and reboot. UPnP will connect.

    NOTE:
    Due to request, I have split these posts from the original thread.
     
    Last edited: May 2, 2007
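Added example, not part of the thread and not ZoneAlarm's or Microsoft's code: the exchange that posts 2 and 13 above describe, written out as a stdlib Python script so the "outbound and inbound" point can be seen on the wire. The client multicasts an SSDP M-SEARCH to 239.255.255.250:1900; the router answers with a unicast UDP datagram back to the client's source port. That reply is the inbound leg: a host firewall that does not pair it with the multicast request sees it as unsolicited inbound from the router's IP, which is what the Trusted/Internet zone setting discussed above governs. Everything after that is ordinary outbound HTTP to the router: the device description is fetched from the LOCATION header, and SOAP calls to the WANIPConnection control URL read (or, with AddPortMapping, change) the router's port table, so any program already permitted to reach the router can make them, not only the Windows SSDP service running in svchost. The SAMPLE_* inputs are constructed for offline testing, not captured from a real device; audit_gateway() assumes a UPnP-enabled gateway on the LAN. The script also lists mappings that are enabled, open to any remote host and have no lease, which is the check to run before deciding whether UPnP on the router is acceptable.

```python
"""Added example (not from the thread): UPnP IGD discovery and port-mapping audit, stdlib only.
Legs shown: SSDP M-SEARCH multicast to 239.255.255.250:1900, the router's unicast UDP reply (the
inbound leg a host firewall must let through), and SOAP over HTTP to read the router's port table.
SAMPLE_* inputs are constructed for offline use; audit_gateway() assumes a real IGD on the LAN."""
from __future__ import annotations

import socket
import urllib.error, urllib.parse, urllib.request
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

SSDP_ADDR, SSDP_PORT = "239.255.255.250", 1900
NS = "{urn:schemas-upnp-org:device-1-0}"
IGD_SERVICES = ("urn:schemas-upnp-org:service:WANIPConnection:1", "urn:schemas-upnp-org:service:WANIPConnection:2",
                "urn:schemas-upnp-org:service:WANPPPConnection:1")

# Constructed samples, not captured from a real device.
SAMPLE_SSDP_RESPONSE = (b"HTTP/1.1 200 OK\r\nCACHE-CONTROL: max-age=120\r\nEXT:\r\n"
                        b"ST: urn:schemas-upnp-org:device:InternetGatewayDevice:1\r\n"
                        b"LOCATION: http://192.168.1.1:5000/rootDesc.xml\r\n\r\n")
SAMPLE_DESCRIPTION = (b'<?xml version="1.0"?><root xmlns="urn:schemas-upnp-org:device-1-0">'
                      b"<URLBase>http://192.168.1.1:5000/</URLBase><device><serviceList><service>"
                      b"<serviceType>urn:schemas-upnp-org:service:Layer3Forwarding:1</serviceType>"
                      b"<controlURL>/ctl/L3F</controlURL></service></serviceList><deviceList><device>"
                      b"<serviceList><service><serviceType>urn:schemas-upnp-org:service:WANIPConnection:1"
                      b"</serviceType><controlURL>/ctl/IPConn</controlURL></service></serviceList>"
                      b"</device></deviceList></device></root>")
SAMPLE_MAPPING_RESPONSE = (
    b'<?xml version="1.0"?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body>'
    b'<u:GetGenericPortMappingEntryResponse xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1">'
    b"<NewRemoteHost></NewRemoteHost><NewExternalPort>6881</NewExternalPort><NewProtocol>TCP</NewProtocol>"
    b"<NewInternalPort>6881</NewInternalPort><NewInternalClient>192.168.1.20</NewInternalClient>"
    b"<NewEnabled>1</NewEnabled><NewPortMappingDescription>uTorrent</NewPortMappingDescription>"
    b"<NewLeaseDuration>0</NewLeaseDuration></u:GetGenericPortMappingEntryResponse></s:Body></s:Envelope>")


def build_msearch(st: str = "urn:schemas-upnp-org:device:InternetGatewayDevice:1", mx: int = 2) -> bytes:
    """SSDP search request; multicast, so the router's IP need not be known in advance."""
    return (f"M-SEARCH * HTTP/1.1\r\nHOST: {SSDP_ADDR}:{SSDP_PORT}\r\n"
            f'MAN: "ssdp:discover"\r\nMX: {mx}\r\nST: {st}\r\n\r\n').encode()


def parse_ssdp_response(data: bytes) -> dict[str, str]:
    """Headers of the router's unicast reply, keys lower-cased; LOCATION is the device-description URL."""
    status, _, rest = data.decode("utf-8", "replace").partition("\r\n")
    if status.split()[1:2] != ["200"]:
        raise ValueError(f"unexpected SSDP status line: {status!r}")
    fields = (line.partition(":") for line in rest.partition("\r\n\r\n")[0].split("\r\n") if line)
    return {name.strip().lower(): value.strip() for name, _, value in fields}


def find_control_url(description_xml: bytes, description_url: str) -> tuple[str, str]:
    """(serviceType, absolute controlURL) of the WAN connection service, skipping other services."""
    root = ET.fromstring(description_xml)
    base = root.findtext(NS + "URLBase") or description_url
    for svc in root.iter(NS + "service"):
        stype = svc.findtext(NS + "serviceType", default="")
        if stype in IGD_SERVICES:
            return stype, urllib.parse.urljoin(base, svc.findtext(NS + "controlURL", default=""))
    raise LookupError("device description has no WAN*Connection service")


def build_soap(service_type: str, action: str, args: dict[str, object]) -> tuple[dict[str, str], bytes]:
    """Headers and envelope for one UPnP action: an ordinary outbound HTTP POST to the control URL."""
    body = "".join(f"<{k}>{escape(str(v))}</{k}>" for k, v in args.items())
    envelope = ('<?xml version="1.0"?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" '
                's:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body>'
                f'<u:{action} xmlns:u="{service_type}">{body}</u:{action}></s:Body></s:Envelope>')
    return {"Content-Type": 'text/xml; charset="utf-8"', "SOAPAction": f'"{service_type}#{action}"'}, envelope.encode()


def parse_port_mapping(soap_response: bytes) -> dict[str, object]:
    """Argument elements of a GetGenericPortMappingEntry response (unqualified tags in IGD replies)."""
    root = ET.fromstring(soap_response)
    def text(name: str) -> str:
        return root.findtext(f".//{name}") or ""
    return {"remote_host": text("NewRemoteHost"), "external_port": int(text("NewExternalPort")),
            "protocol": text("NewProtocol"), "internal_client": text("NewInternalClient"),
            "internal_port": int(text("NewInternalPort")), "enabled": text("NewEnabled") == "1",
            "description": text("NewPortMappingDescription"), "lease_seconds": int(text("NewLeaseDuration") or 0)}


def flag_permanent_exposures(mappings: list[dict[str, object]]) -> list[dict[str, object]]:
    """Enabled, open to any remote host, no lease: these outlive whatever program created them."""
    return [m for m in mappings if m["enabled"] and not m["remote_host"] and m["lease_seconds"] == 0]


def audit_gateway(timeout: float = 2.0) -> list[dict[str, object]]:
    """Network driver: discover the IGD, fetch its description, then walk the mapping table by index."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_msearch(), (SSDP_ADDR, SSDP_PORT))
        # The reply is a new inbound UDP datagram from the router to our source port; if a host
        # firewall drops it as unsolicited, this times out even though the router has UPnP on.
        hdrs = parse_ssdp_response(sock.recvfrom(65507)[0])
    with urllib.request.urlopen(hdrs["location"], timeout=timeout) as resp:
        stype, ctrl = find_control_url(resp.read(), hdrs["location"])
    mappings: list[dict[str, object]] = []
    while True:  # the gateway returns a SOAP fault (HTTP 500) once the index passes the last entry
        headers, body = build_soap(stype, "GetGenericPortMappingEntry", {"NewPortMappingIndex": len(mappings)})
        req = urllib.request.Request(ctrl, data=body, headers=headers, method="POST")
        try:
            with urllib.request.urlopen(req, timeout=timeout) as resp:
                mappings.append(parse_port_mapping(resp.read()))
        except urllib.error.HTTPError:
            return mappings


if __name__ == "__main__":
    for m in flag_permanent_exposures(audit_gateway()):
        print(f"{m['protocol']} *:{m['external_port']} -> {m['internal_client']}:{m['internal_port']} ({m['description']})")
```

Run it on a LAN with the router's UPnP enabled and it prints the permanent, any-source mappings the gateway currently holds; run it with the host firewall treating the router as untrusted and the SSDP step times out, which is the behaviour Stem describes. A mapping with an empty NewRemoteHost and a NewLeaseDuration of 0 stays in the router until something deletes it, so the flagged list is the one to review rather than the count of programs that have UPnP permission.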
  14. fax

    I think there is no use in continuing this discussion anymore... I much prefer to continue following (hopefully silently) the other thread.

    Of course, tuning whatever settings, blocking server rights to the Internet, specific settings within MSN... etc. will block UPnP.

    The original issue, as already mentioned, is different, i.e.
    placing the router into the ZA Internet zone is a necessary but not sufficient condition to block UPnP. At least in ZA....

    Not allowing server rights across all programs cannot always be applied. There are (unfortunately) applications that need server rights to work, and also UPnP (if available) to control router connections and ensure smooth communications. MSN Messenger Live is an example.

    In the framework of ZA, adding the router to the Trusted zone is not per se a risk if the router is set up correctly. Using UPnP to justify why the router should not be trusted is rather weak.

    I prefer your other theoretical idea that the router is seen as an additional layer in your security, thus isolated and set to Internet. This is fine with me.

    Please also consider that (in ZA) new/unknown programs accessing the Net will need to ask for permission (both simple access and server rights to the Internet), giving the user full control over how programs will interact with the system.

    I hope we can close this discussion here now.
    Thank you very much for your time and dedication.

    Fax
     
  15. Stem

    If you had left your reply at UPnP, then yes, as I have shown, UPnP requires inbound connections. Your posts did indicate that only outbound is needed for this, which is incorrect, although you have not mentioned this (to confirm/deny), nor the fact that your setup would have been allowing this inbound.

    I look at this as with other issues, but I will keep to UPnP (for now). A lot of users should now be aware of the possible problems of allowing an application the ability of "server" within the "Internet Zone" (this is to allow unsolicited inbound connections to an application), so I do hope now that most members will know of the possible implications of allowing unsolicited inbound. Now for what most see... unsolicited from the Internet: this should be looked at, as most of the time it is un-needed. Unsolicited from the Trusted zone: most see this as allowed without question, so for me, anything that is added to this "Trusted" zone should be looked at very carefully.
    Possible: an application is allowed out/in within the Trusted zone, and out in Internet. With the router as "Trusted", this application has the ability of control via UPnP; for me this is a possible problem. OK, call me paranoid, but I am here to be paranoid for the members who do not think of such (or should I not?).

    Do not misinterpret, I am looking at the end user.


    Interaction of any program on a user's PC with external sources should be carefully looked at. This can be to any external IP, be it the DNS servers (which may change) or DHCP (which may change).
    I personally do not see why anything external to the user's PC should be trusted.
    I have seen posts/advice on setting the DHCP/DNS as Trusted to alleviate connection problems; why?.. Outbound DHCP/DNS should not be blocked. I would prefer that these problems be resolved by ZA. Yes, workarounds can be used (Trusted), but why not have these problems brought out/shown, and maybe ZA will fix them.
    I have posted myself on making rules within a (rules-based) firewall where the DNS servers should be included... this has been seen as a possible problem if the DNS servers change... and yes, a possible problem... but consider: if you have placed these servers as Trusted within ZA, and they change, then what IP you have placed as Trusted remains? (You will have unknown trusted IPs.)
     
  16. fax

    Not sure I follow what you are trying to say. The best thing for you is to try it. Set up your router and OS with UPnP, install MSN Messenger Live with default settings (server rights to the Internet) and put your usual sniffer in between....

    Perfectly fine, but some applications need server rights to work correctly... it's like driving a car but not using its stability control because under certain conditions it can be a risk.... anything can be a risk if misused.


    The problems you/users are experiencing with ZA are related to being dependent on the router for IPs and DNS resolution while at the same time keeping the router as untrusted.

    Fax
     
  17. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Hi All:

    "The problems you/users are experiencing with ZA are related to being dependent on the router for IPs and DNS resolution while at the same time keeping the router as untrusted."

    Where is the detailed list of exactly what problems should be occurring? My router has been set to untrusted for the last week.

    Why is setting the router as untrusted so "difficult" for ZA? Or is it just one honestly held view? There is a difference. Does the success of ZA software depend on this setting issue? Can someone provide the ZA technical reference link on this matter?

    What I'm wondering now is what other top-of-the-line software FW tools expect for router settings. We need input on that for comparison, or, as before, it is just statements back and forth with no data.
     
  18. fax
    Hi!
    Like all problems related to failed IP allocation or failed DNS resolution, e.g. loss of connection or difficulty reaching web sites. ZA has no difficulty in dealing with the router, but by default, with the ZA security level set to High, outgoing DNS and DHCP should be blocked. So, if you rely on the router for DNS and DHCP, you could have difficulties.

    Actually I consider it an anomaly in ZA that you have no problem connecting, considering that you do not have any custom rule for DNS or DHCP.

    Technical reference? I think it is self-explanatory. Maybe looking into DNS + DHCP could help. Basic info is easily available on the Net.

    Like http://en.wikipedia.org/wiki/Domain_name_system
    or this
    http://en.wikipedia.org/wiki/Dynamic_Host_Configuration_Protocol

    And sorry in advance for spelling mistakes, I am not a native English speaker..... ;)

    Fax
     
    Last edited: May 8, 2007
  19. Escalader
    Do you think, from your long experience with ZA products, that this supports the idea of putting the router in Internet? It says use Trusted only if you need to share files and printers, which I don't want to do!
     
  20. Stem
    I know very well that having those settings for a UPnP program will allow the UPnP connections. I tried to explain this to you over a couple of posts in this thread, your main reply being
    I have made my point on the difference the user sees between server rights in the Internet zone and the Trusted zone. It is far safer for the end user to place the router as Internet. If a user is going to simply allow an application any unsolicited Internet inbound on any port, then that is a problem made by themselves. But such possible problems should be made very clear.

    That is not correct. From one of my main setups, gateway logs posted here. The first log was made during boot, LAN as Internet, broadcast option disabled; you will note the allowed bootdhcp. (I know the returned bootdhcp was allowed by ZA, as the IP was resolved, and ZA made a DNS lookup for zonelabs.)
    Now I changed my setup, only with a change of NIC; I then had problems due to outbound DHCP being blocked. This is a bug and is probably the same bug others are seeing who have outbound DHCP broadcasts blocked.

    This would imply that ZA will not allow DHCP/DNS within an Internet zone set at High, so all users who connect directly to the Internet would not be able to connect after installing ZA, as they would first need to place the DHCP/DNS servers as Trusted (the Internet zone is set at High by default).

    But if we look at the user manual:
    [image: dhcp_ZA.jpg]
    This states that DHCP broadcasts are allowed at the "High" setting. It also states that only ports not being used by programs with access will be blocked, so with the default DNS Client active and svchost allowed Internet outbound, DNS lookups should be allowed.
     
  21. fax
    I think we are going around in circles here.... :D

    What I have tried to explain to you is that your initial statement was not correct. You have then, in follow-up messages, corrected it. First with svchost permissions, then with MSN Messenger permissions.... :D

    Can I remind you of the original 'motives' for suggesting not to set the router as Trusted?

    I still can't recognise this as a valid justification for placing the router as Internet. For sure, you need more than the above to block UPnP communication (as we have seen). And there are better and simpler options to block UPnP without messing with program rules and the router.

    On DNS/DHCP, yes... you are saved by the multicast rule, so you are actually finding the router and then DHCP can begin... but otherwise..... :D

    And if you want to keep the router isolated, why do you give it two essential and critical tasks such as DNS and DHCP? o_O

    Cheers,
    Fax
     
  22. oldshep

    oldshep Registered Member

    Joined:
    Dec 19, 2006
    Posts:
    139
    That's for sure. Your messages appear to be arguing for the sake of arguing. I think Escalader and Stem make good points about setting the router as Internet. What would you do if you had your laptop connecting to an unknown network? Would you set the router as Trusted?

    I have changed my desktop (ZAAS V7) router IP to Internet and web browsing appears unaffected. I have got several warnings in the log about service host UDP out to the router getting blocked. But other than that, no effect on performance.

    My laptop (ZAISS V7) has my LAN set to internet as well and is working fine.

    So why is it better to set the router to trusted?

    Oldshep
     
  23. fax
    Hi Oldshep!
    The question that originated all this mess is: what are the concrete risks of setting the router as Trusted, granted that the router is configured correctly and securely (long passwords, WPA2, etc...)?

    The answer was: here we apply an approach that says everything that is outside my PC is not trusted. And setting the router as Trusted can allow UPnP.

    If the above is the only risk that is reported, I am happily setting my router as Trusted, since the value added of setting it as Internet doesn't pay back the potential problems I could experience with my connection. Moreover, setting the router as Internet does not prevent UPnP from working (at least with ZA).

    Yes, you can keep the router as Internet and experience no problems, but why would you do so?

    Fax
     
  24. oldshep
    Indeed. Why do one or the other? This is the point I have been trying to discern from the discussion here, but apparently to no avail. Perhaps my own ignorance of Internet communication stands in my way... Or maybe I just need a couple more beers to understand this in more detail :D

    I will leave my setups as is for now and continue to monitor performance.

    Regards,

    Oldshep
     
  25. fax
    Yep, LOL
    When I had the router on Internet I experienced problems connecting to specific websites and sometimes losing the connection or a slow connection... plus a lot of firewall logs (I don't like to see internal LAN IPs being blocked without any reason). Most of the time it is OK, but sometimes not...

    So, the easiest and safest option was to set the router as Trusted. The other would have been to create rules allowing communication to specific services/ports....

    So, unless I get a clear explanation on why I should not keep the router as trusted I will leave it as it is...:D

    Fax
     