Because no device implements it, there is currently no fine-grained solution
available that allows only certain devices or applications to request services.
7 Countermeasures
It is obvious that on many (business) networks UPnP should not be allowed. There
are various ways to do this, depending on whether you only want to prevent
outsiders from reaching your LAN using the methods described above, or want to
eradicate UPnP usage on your LAN completely.
7.1 Disabling UPnP portmapping only
The most effective solution for the problems described in this paper is to simply
disable UPnP on all Internet Gateway Devices in your network. On some devices,
such as the Linksys WRT54G, this can be done via the web interface. On other
devices, such as the Alcatel/Thomson Speedtouch 510, this can only be done via the
command-line interface. Disabling the UPnP functionality on an Internet Gateway
Device does not disrupt the working of other UPnP devices on the local LAN.
7.2 Disabling UPnP completely
If you want to disable any form of UPnP functionality on your network, some drastic
measures have to be taken. This is not an easy task, and it may not even be possible.
7.2.1 Step 0: Addressing
Even if you only give known clients an IP address on your network with DHCP,
UPnP auto-addressing might be used to circumvent this mechanism. All machines
should be attached to a router directly, which can be configured to block certain
addresses. No direct connection between UPnP enabled machines, for example via
switches, should be allowed.
All IP addresses in the 169.254/16 range should be null-routed by the router. It
should be noted that this might also disrupt the correct working of ZeroConf based
applications, such as Apple’s “Bonjour”.
On Wireless Access Points an extra step can be taken, namely MAC address control
and not allowing unknown devices to associate with an access point.
7.2.2 Step 1: Discovery
Discovery messages are sent to a well-known address and port, namely port 1900 on
239.255.255.250 via UDP. Specifically null-routing this port and address
combination will prevent control points from receiving discovery messages from
devices. To disable notification the same step has to be taken as for discovery:
null-route UDP packets to port 1900 on 239.255.255.250.
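As an added example (not from the paper), steps 0 and 1 expressed as rules for a Linux router, plus a small policy check run over constructed sample flows. The LAN interface name eth1 and the use of iptables/iproute2 are assumptions.

```shell
#!/bin/sh
# Added example, not the paper's own code. Assumes a Linux router with
# iptables and iproute2; the LAN-facing interface name is an assumption.
LAN_IF="${LAN_IF:-eth1}"

# Step 0: null-route the link-local auto-addressing range (169.254/16).
# Caveat from the paper: this also breaks ZeroConf/Bonjour on the LAN.
step0_rules() {
    echo "ip route add blackhole 169.254.0.0/16"
    echo "iptables -A FORWARD -i $LAN_IF -s 169.254.0.0/16 -j DROP"
    echo "iptables -A FORWARD -i $LAN_IF -d 169.254.0.0/16 -j DROP"
}

# Step 1: drop SSDP discovery and notification (UDP 1900 to 239.255.255.250),
# both for the router itself (INPUT) and for anything it would forward.
step1_rules() {
    echo "iptables -A INPUT   -i $LAN_IF -p udp -d 239.255.255.250 --dport 1900 -j DROP"
    echo "iptables -A FORWARD -i $LAN_IF -p udp -d 239.255.255.250 --dport 1900 -j DROP"
}

# Policy check mirroring the rules above, usable against logged flows:
# prints "drop" or "allow" for a (proto, src, dst, dport) tuple.
classify() {
    proto=$1; src=$2; dst=$3; dport=$4
    case "$src" in 169.254.*) echo drop; return 0;; esac
    case "$dst" in 169.254.*) echo drop; return 0;; esac
    if [ "$proto" = udp ] && [ "$dst" = 239.255.255.250 ] && [ "$dport" = 1900 ]; then
        echo drop; return 0
    fi
    echo allow
}

# Constructed sample flows (not real captures): proto src dst dport
SAMPLE_FLOWS='udp 192.168.1.10 239.255.255.250 1900
udp 169.254.12.5 192.168.1.1 53
tcp 192.168.1.10 192.168.1.1 49152
udp 192.168.1.10 239.255.255.250 5353'

# Print each sample flow with the verdict the rules would give it.
audit_flows() {
    echo "$SAMPLE_FLOWS" | while read -r proto src dst dport; do
        echo "$proto $src -> $dst:$dport $(classify "$proto" "$src" "$dst" "$dport")"
    done
}

if [ "${1:-}" = "--apply" ]; then
    { step0_rules; step1_rules; } | sh   # requires root on the router
else
    step0_rules; step1_rules; audit_flows
fi
```

These rules only act on traffic that reaches the router; as the paper notes in step 0, hosts that can talk to each other directly through a switch still exchange SSDP traffic unhindered.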