From: "Brian J. Murrell" <80b664d7b3eb11641a57346257febc3d@interlinx.bc.ca>
To: netfilter-devel@lists.samba.org
Subject: Re: MSN Messenger ALG
Date: Fri, 28 Jun 2002 13:04:03 -0400
Message-ID: <20020628170403.GB11348@pc.ilinx>
In-Reply-To: <000901c21eaa$4826ef60$7200a8c0@blue>

On Fri, Jun 28, 2002 at 08:46:57AM -0500, Glover George wrote:
> 
> UPnP is finishing up a security mechanism to add on to the UPnP spec for
> version 1.0,

Any pointers to these mechanisms?  I can't think of anything that
would work, in real life.  The issue is who can a UPnP gateway trust?
In the definition of "who" is "who is running the app?", as well as
"what is the app?" among other questions.

It seems that everybody wants this UPnP gateway for MSN Messenger, but
in my security policy, MS applications are automatically excluded from
using the UPnP gateway due to MS's constant obvious disregard for
security in favour of doing whatever they need to to make things work.

> and version 2.0 of UPnP is not far off, so security
> mechanisms are being put in place.

Again, anything I can read?

> But for the moment, AS WITH
> ANYTHING, if you take proper precautions to ensure that your rules in
> iptables will prevent any untrusted machines

Machines are not so much the issue as apps on those machines.  I am not
giving an MS machine access to the gateway because there is a trusted
app on it that wants to use the gateway when there are also untrusted
apps on the same machine or easily installable on the same machine.

Security for a UPnP gateway needs to be more fine grained than just
trusting machines.

> from accessing the UPnP gateway in
> the first place, then you don't have these problems.  Sure an app could
> request it, but so what?  An app could fake itself into being h.323 as
> well.  

Right.  It is this faking that needs to be addressed.  How do I
know that an app that is claiming to be "trusted app foo" really is
foo?

b.

-- 
Brian J. Murrell
