что такое UPnP ? нужно ли его включать ? (те же вопросы про VPN)
не гоните читать мануал! уже читал..
======================================
[more=Universal Plug-and-Play (UPnP)]
WinRoute supports UPnP protocol (Universal Plug-and-Play). This protocol enables client applications (i.e. Microsoft MSN Messenger) to detect the firewall and make a request for mapping of appropriate ports from the Internet for the particular host in the local network. Such mapping is always temporary — it is either applied until ports are released by the application (using UPnP messages) or until expiration of the certain timeout.
The required port must not collide with any existing mapped port or any traffic rule allowing access to the firewall from the Internet. Otherwise, the UPnP port mapping request will be denied.
Configuration of the UPnP support
To configure UPnP go to the Security Settings folder in Configuration → Advanced Options.
Figure 177. IPnP settings (the Security Settings tab under Configuration → Advanced Options)
Enable UPnP
This option enables UPnP.
Warning
If WinRoute is running on Windows XP, Windows Server 2003, Windows Vista or Windows Server 2008, check that the following system services are not running before you start the UPnP function:
SSDP Discovery Service
Universal Plug and Play Device Host
If any of these services is running, close it and deny its automatic startup. In WinRoute, these services work with the UPnP protocol in Windows, and therefore they cannot be used together with UPnP.
Note: The WinRoute installation program detects the services and offers their stopping and denial.
Log packets
If this option is enabled, all packets passing through ports mapped with UPnP will be recorded in the Filter log (see chapter Filter Log)).
Log connections
If this option is enabled, all packets passing through ports mapped with UPnP will be recorded in the Connection log (see chapter Connection Log).
Warning
Apart from the fact that UPnP is a useful feature, it may also endanger network security, especially in case of networks with many users where the firewall could be controlled by too many users. A WinRoute administrator should consider carefully whether to prefer security or functionality of applications that require UPnP.
Using traffic policy (see chapter Definition of Custom Traffic Rules) you can limit usage of UPnP and enable it to certain IP addresses or certain users only.
Example:
Figure 178. Traffic rules allowing UPnP for specific hosts
The first rule allows UPnP only from UPnP Clients IP group. The second rule denies UPnP from other hosts (IP addresses).
================================================
Universal Plug and Play
From Wikipedia, the free encyclopedia
(Redirected from Upnp)
Universal Plug and Play (UPnP) is a set of networking protocols promulgated by the UPnP Forum. The goals of UPnP are to allow devices to connect seamlessly and to simplify the implementation of networks in the home (data sharing, communications, and entertainment) and in corporate environments for simplified installation of computer components. UPnP achieves this by defining and publishing UPnP device control protocols (DCP) built upon open, Internet-based communication standards.
The term UPnP is derived from plug-and-play, a technology for dynamically attaching devices directly to a computer, although UPnP is not directly related to the earlier plug-and-play technology. UPnP devices are "plug-and-play" in that when connected to a network they automatically announce their network address and supported device and services types, enabling clients that recognize those types to immediately begin using the device.
The UPnP logoContents [hide]
1 Overview
2 Protocol
2.1 Addressing
2.2 Discovery
2.3 Description
2.4 Control
2.5 Event notification
2.6 Presentation
3 UPnP AV standards
3.1 UPnP AV components
3.2 NAT traversal
4 Problems with UPnP
4.1 Lack of Default Authentication
4.2 Other Issues
5 Future developments
6 See also
7 References
8 Books
9 External links
9.1 Documentation
9.2 News
9.3 Software
[edit]
Overview
The UPnP architecture allows peer-to-peer networking of PCs, networked home appliances, CE devices and wireless devices. It is a distributed, open architecture protocol based on established standards such as TCP/IP, UDP, HTTP, XML, and SOAP.
The UPnP architecture supports zero-configuration networking. A UPnP compatible device from any vendor can dynamically join a network, obtain an IP address, announce its name, convey its capabilities upon request, and learn about the presence and capabilities of other devices. DHCP and DNS servers are optional and are only used if they are available on the network. Devices can leave the network automatically without leaving any unwanted state information behind.
UPnP was published as a 73-part International Standard, ISO/IEC 29341, in December, 2008.[1][2][3]
Other UPnP features include:
Media and device independence
UPnP technology can run on many media that support IP including Ethernet, FireWire, IR (IrDA), home wiring (G.hn) and RF (Bluetooth, Wi-Fi). No special device driver support is necessary; common protocols are used instead.
User interface (UI) Control
UPnP architecture enables devices to present a user interface through a web browser (see Presentation below).
Operating system and programming language independence
Any operating system and any programming language can be used to build UPnP products. UPnP does not specify or constrain the design of an API for applications running on control points; OS vendors may create APIs that suit their customer's needs.
Programmatic control
UPnP architecture also enables conventional application programmatic control.
Extensibility
Each UPnP product can have device-specific services layered on top of the basic architecture. In addition to combining services defined by UPnP Forum in various ways, vendors can define their own device and service types, and can extend standard devices and services with vendor-defined actions, state variables, data structure elements, and variable values.
[edit]
Protocol
[edit]
Addressing
The foundation for UPnP networking is IP addressing. Each device must have a Dynamic Host Configuration Protocol (DHCP) client and search for a DHCP server when the device is first connected to the network. If no DHCP server is available, that is, the network is unmanaged, the device must assign itself an address. The process by which a UPnP device assigns itself an address is known within the UPnP Device Architecture as "AutoIP". In UPnP Device Architecture Version 1.0[4], AutoIP is defined within the specification itself; in UPnP Device Architecture Version 1.1[5], AutoIP references IETF RFC 3927[6]. If during the DHCP transaction, the device obtains a domain name, for example, through a DNS server or via DNS forwarding, the device should use that name in subsequent network operations; otherwise, the device should use its IP address.
[edit]
Discovery
Given an IP address, the first step in UPnP networking is Discovery. The UPnP discovery protocol, defined in Section 1 of the UPnP Device Architecture, is known as the Simple Service Discovery Protocol (SSDP). When a device is added to the network, SSDP allows that device to advertise its services to control points on the network. Similarly, when a control point is added to the network, SSDP allows that control point to search for devices of interest on the network. The fundamental exchange in both cases is a discovery message containing a few, essential specifics about the device or one of its services, for example, its type, identifier, and a pointer to more detailed information.
[edit]
Description
After a control point has discovered a device, the control point still knows very little about the device. For the control point to learn more about the device and its capabilities, or to interact with the device, the control point must retrieve the device's description from the URL provided by the device in the discovery message. The UPnP description for a device is expressed in XML and includes vendor-specific, manufacturer information like the model name and number, serial number, manufacturer name, URLs to vendor-specific web sites, etc. The description also includes a list of any embedded devices or services, as well as URLs for control, eventing, and presentation. For each service, the description includes a list of the commands, or actions, to which the service responds, and parameters, or arguments, for each action; the description for a service also includes a list of variables; these variables model the state of the service at run time, and are described in terms of their data type, range, and event characteristics.
[edit]
Control
Having retrieved a description of the device, the control point can send actions to a device's service. To do this, a control point sends a suitable control message to the control URL for the service (provided in the device description). Control messages are also expressed in XML using the Simple Object Access Protocol (SOAP). Much like function calls, the service returns any action-specific values in response to the control message. The effects of the action, if any, are modeled by changes in the variables that describe the run-time state of the service.
[edit]
Event notification
The next step in UPnP networking is event notification, or "eventing". The event notification protocol defined in the UPnP Device Architecture is known as GENA, an acronym for "General Event Notification Architecture". A UPnP description for a service includes a list of actions the service responds to and a list of variables that model the state of the service at run time. The service publishes updates when these variables change, and a control point may subscribe to receive this information. The service publishes updates by sending event messages. Event messages contain the names of one or more state variables and the current value of those variables. These messages are also expressed in XML. A special initial event message is sent when a control point first subscribes; this event message contains the names and values for all evented variables and allows the subscriber to initialize its model of the state of the service. To support scenarios with multiple control points, eventing is designed to keep all control points equally informed about the effects of any action. Therefore, all subscribers are sent all event messages, subscribers receive event messages for all "evented" variables that have changed, and event messages are sent no matter why the state variable changed (either in response to a requested action or because the state the service is modeling changed).
[edit]
Presentation
The final step in UPnP networking is presentation. If a device has a URL for presentation, then the control point can retrieve a page from this URL, load the page into a web browser, and depending on the capabilities of the page, allow a user to control the device and/or view device status. The degree to which each of these can be accomplished depends on the specific capabilities of the presentation page and device.
[edit]
UPnP AV standards
UPnP AV stands for UPnP Audio and Video. On 12 July 2006 the UPnP Forum announced the release of version 2 of the UPnP Audio and Video specifications (UPnP AV v2), with new MediaServer version 2.0 and MediaRenderer version 2.0 classes. These enhancements are created by adding capabilities to the UPnP AV MediaServer and MediaRenderer device classes that allow a higher level of interoperability between MediaServers and MediaRenderers from different manufacturers. Some of the early devices complying with these standards were marketed by Philips under the Streamium brand name.
The UPnP AV standards have been referenced in specifications published by other organizations including Digital Living Network Alliance Networked Device Interoperability Guidelines[7], International Electrotechnical Commission IEC 62481-1 [8], and Cable Television Laboratories OpenCable Home Networking Protocol [9].
[edit]
UPnP AV components
UPnP MediaServer DCP - which is the UPnP-server (a 'master' device) that media library information and streams media-data (like audio/video/picture/files) to UPnP-clients on the network.
UPnP MediaServer ControlPoint - which is the UPnP-client (a 'slave' device) that can auto-detect UPnP-servers on the network to browse and stream media/data-files from them.
UPnP MediaRenderer DCP - which is a 'slave' device that can render (play) content.
UPnP RenderingControl DCP - control MediaRenderer settings; volume, brightness, RGB, sharpness, and more).
UPnP Remote User Interface (RUI) client/server - which sends/receives control-commands between the UPnP-client and UPnP-server over network, (like record, schedule, play, pause, stop, etc.).
Web4CE (CEA 2014) for UPnP Remote UI[10] - CEA-2014 standard designed by Consumer Electronics Association's R7 Home Network Committee. Web-based Protocol and Framework for Remote User Interface on UPnP Networks and the Internet (Web4CE). This standard allows a UPnP-capable home network device to provide its interface (display and control options) as a web page to display on any other device connected to the home network. That means that you can control a home networking device through any web-browser-based communications method for CE devices on a UPnP home network using ethernet and a special version of HTML called CE-HTML.
QoS (Quality of Service) - is an important (but not mandatory) service function for use with UPnP AV (Audio and Video). QoS (Quality of Service) refers to control mechanisms that can provide different priority to different users or data flows, or guarantee a certain level of performance to a data flow in accordance with requests from the application program. Since UPnP AV is mostly to deliver streaming media that is often near real-time or real-time audio/video data which it is critical to be delivered within a specific time or the stream is interrupted. QoS (Quality of Service) guarantees are especially important if the network capacity is limited, for example public networks, like the internet.
QoS (Quality of Service) for UPnP consist of Sink Device (client-side/front-end) and Source Device (server-side/back-end) service functions. With classes such as; Traffic Class that indicates the kind of traffic in the traffic stream, (for example, audio or video). Traffic Identifier (TID) which identifies data packets as belonging to a unique traffic stream. Traffic Specification (TSPEC) which contains a set of parameters that define the characteristics of the traffic stream, (for example operating requirement and scheduling). Traffic Stream (TS) which is a unidirectional flow of data that originates at a source device and terminates at one or more sink device(s).
[edit]
NAT traversal
One solution for NAT (Network Address Translation) traversal, called the Internet Gateway Device (IGD) Protocol, is implemented via UPnP. Many routers and firewalls expose themselves as Internet Gateway Devices, allowing any local UPnP controller to perform a variety of actions, including retrieving the external IP address of the device, enumerate existing port mappings, and adding and removing port mappings. By adding a port mapping, a UPnP controller behind the IGD can enable traversal of the IGD from an external address to an internal client.
[edit]
Problems with UPnP
[edit]
Lack of Default Authentication
The UPnP protocol, as default, does not implement any authentication, so UPnP device implementations must implement their own authentication mechanisms, or implement the Device Security Service.[11] There also exists a non-standard solution called UPnP-UP (Universal Plug and Play - User Profile)[12] which proposes an extension to allow user authentication and authorization mechanisms for UPnP devices and applications.
Unfortunately, many UPnP device implementations lack authentication mechanisms, and by default assume local systems and their users are completely trustworthy.[13][14]
Most notably, routers and firewalls running the UPnP IGD protocol are vulnerable to attack since the framers of the IGD implementation omitted a standard authentication method. For example, Adobe Flash programs are capable of generating a specific type of HTTP request. This allows a router implementing the UPnP IGD protocol to be controlled by a malicious web site when someone with a UPnP-enabled router simply visits that web site.[15] The following changes can be made silently by code embedded in an Adobe Flash object hosted on a malicious website:[16]
Port forward internal services (ports) to the router external facing side (i.e. expose computers behind a firewall to the Internet).
Port forward the router's web administration interface to the external facing side.
Port forwarding to any external server located on the Internet, effectively allowing an attacker to attack an Internet host via the router, while hiding their IP address.
Change DNS server settings so that when victims believe they are visiting a particular site (such as an on-line bank), they are redirected to a malicious website instead.
Change the DNS server settings so that when a victim receives any software updates (from a source that isn't properly verified via some other mechanism, such as a checking a digital certificate has been signed by a trusted source), they download malicious code instead.
Change administrative credentials to the router/firewall.
Change PPP settings.
Change IP settings for all interfaces.
Change WiFi settings.
Terminate connections.
This only applies to the "firewall-hole-punching"-feature of UPnP; it does not apply when the IGD does not support UPnP or UPnP has been disabled on the IGD. Also, not all routers can have such things as DNS server settings altered by UPnP because much of the specification (including LAN Host Configuration) is optional for UPnP enabled routers[17].
[edit]
Other Issues
UPnP uses HTTP over UDP (known as HTTPU and HTTPMU for unicast and multicast), even though this is not standardized and is specified only in an Internet-Draft that expired in 2001. [1]
UPnP does not have a lightweight authentication protocol, while the available security protocols are complex. As a result, some UPnP devices ship with UPnP turned off by default as a security measure.
[edit]
Future developments
UPnP continues to be actively developed. In fall 2008, the UPnP forum ratified the successor to UPnP 1.0, UPnP 1.1[18]. See [19] for documents destribing the published standard.
The standard DPWS was a candidate successor for UPnP, but UPnP 1.1 was selected by the forum.
UPnP InternetGatewaydevice's[20] WANIPConnection service do have competitive solution known as NAT-PMP, is an IETF draft introduced by Apple Inc. in 2005. However, NAT-PMP is focused only in NAT traversal. UPnP InternetGatewayDevice is currently being evolved to version 2 which preliminary content can be found from [21]
[edit]
See also
Devices Profile for Web Services
Digital Living Network Alliance (DLNA)
UPnP AV MediaServers A list of Media Servers and Players
Zeroconf and Bonjour
[edit]
References
^ International Electrotechnical Commission "ISO/IEC standard on UPnP device architecture makes networking simple and easy", 2008-12-09. Retrieved on 2009-05-07.
^ International Organization for Standardization "ISO/IEC standard on UPnP device architecture makes networking simple and easy", 2008-12-10. Retrieved on 2009-05-07.
^ UPnP Forum "UPnP Specifications Named International Standard for Device Interoperability for IP-based Network Devices", 2009-02-05. Retrieved on 2009-05-07.
^ UPnP Forum, UPnP Device Architecture version 1.0, 2008-04-24
^ UPnP Forum, UPnP Device Architecture version 1.1, 2008-10-15
^ Cheshire, S., et al, IETF RFC 3927, "Dynamic Configuration of IPv4 Link-Local Addresses", May 2005
^ Digital Living Network Alliance, DLNA Networked Device Interoperability Guidelines, 2006-10
^ International Electrotechnical Commission, IEC 62481-1,"Digital living network alliance (DLNA) home networked device interoperability guidelines - Part 1: Architecture and protocols", 2007-08-30
^ Cable Television Laboratories, OpenCable Home Networking Protocol, 2006-06-30
^ "Web4CE (CEA 2014) for UPnP Remote UI (www.ce.org/standards)".
^ "Device Security and Security Console V 1.0".
^ "UPnP-UP - Universal Plug and Play - User Profile".
^ "Shorewall firewall author on UPnP security". Retrieved 2007-09-30.
^ "Linux-IGD authors on UPnP security". Retrieved 2007-09-30.
^ "Flash UPnP attack".
^ "Flash UPnP Attack FAQ". gnucitizen.org. January 14, 2008.
^ "Internet Gateway Device (IGD) V 1.0". UPnP Forum. November 12, 2001.
^ "UPnP 1.1 - designing for performance & compatibility (Consumer Electronics, IEEE Transactions on)".
^
http://www.upnp.org/resources/documents.asp ^ "UPnP InternetGateway:1".
^ "UPnP Forum Gateway Working Committee: IGD:2 Improvements over IGD:1".
[edit]
Books
Golden G. Richard: Service and Device Discovery : Protocols and Programming, McGraw-Hill Professional, ISBN 0-07-137959-2
Michael Jeronimo, Jack Weast: UPnP Design by Example: A Software Developer's Guide to Universal Plug and Play, Intel Press, ISBN 0-9717861-1-9
[edit]
External links
UPnP Forum Universal Plug and Play Device Standards
upnp-database.info Community-based database of UPnP/AV Devices.
[edit]
Documentation
ISO/IEC 29341
UPnP Forum's single file of UPnP documents
UPnP Forum
DLNA (Digital Living Network Alliance)
The Jini, Vision
technique comparison
Microsoft WHDC UPnP webpage & links
Universal Plug and Play in Windows XP
Programmatically Controlling a UPnP-Capable Firewall is a document providing some basic information about coding UPnP software controllers (VBScript example source code included).
Hacking with UPnP
DLNA certified: how your computer, cellphone, games console, media streamer and other devices can play nicely together
Universal Plug and Play
[edit]
News
Vulnerability Note VU#347812 - UPnP enabled by default in multiple devices at United States Department of Homeland Security - Computer Emergency Readiness Team (Wednesday, 9 April 2008).
Security firm predicts Microsoft Windows UPnP exploit by the end of the week at The Inquirer (Wednesday, 11 April 2007).
Microsoft security updates for April 2007 to fix the above Microsoft Windows UPnP security issue.
How to use Flash and UPnP to punch holes in most home firewalls at GNUCITIZEN (Saturday, 12 January 2008).
[edit]
Software
Developer Tools for UPnP Technologies is an open source set of stack creation and testing tools.
Foo_UPnP, UPnP/DLNA client and server for Foobar2000
UPnP Port Works (alias UPnPPW) is a software implementation to configure UPnP IGD devices via commandline and graphical user interface.
BRisa BRisa is written in Python for Internet Tablet OS or platforms. It enables to create UPnP devices and services, allowing users to share and search content from UPnP A/V devices. It offers a plugin architecture enabling new services such as Flickr to be added as UPnP services.
GUPnP is an object-oriented open source framework for creating UPnP devices and control points, written in C using GObject and libsoup.
Portable SDK for UPnP Devices provides an API and open source code for building control points, devices, and bridges compliant with UPnP Device Architecture Specification v1.0 and support operating systems like Linux, *BSD, Solaris and others.
Platinum SDK Cross-Platform SDK written in C++ for building UPnP Devices and Control Points.
Barracuda UPnP Device and Control Point SDK for embedded devices.
Unplug n' Pray Utility to disable unnecessary UPnP servers running on home Windows machines.
Coherence Some free DLNA/UPnP tools (MediaServer/MediaRender) with a python framework. Running on Linux/BSD/Windows
AdoubleU IntelligentShare UPnP SDK for J2SE / J2ME / MIDP 2.0 Running on Linux/BSD/Windows/Mobile Devices
J. River Media Center includes a UPnP server (aka UPnP Device) for its library.
MiniUPnP Project includes a UPnP IGD device implementation (ie server) and a library and tool to control UPnP IGD devices.
Jamcast is a UPnP AV MediaServer software implementation for Windows platforms.
iSSDPTester is an iPhone OS App for testing SSDP clients and servers.
Categories: Network protocols | Windows administration | Windows communication and services
====================================================
Support Center » Knowledgebase » WinRoute Firewall and UPnP (Universal Plug and Play)
WinRoute Firewall and UPnP (Universal Plug and Play)
Solution
Answer
UPnP is short for Universal Plug and Play. UPnP is a method of having networks "just work" without the user having to configure the firewall. A UPnP application running on a LAN can define its own NAT translation rule in the firewall, allowing computers on the outside world to contact it. The only application that we are aware of that uses UPnP is Microsoft's MSN Messenger.
UPnP has security implications -- make sure that you understand them before you enable it.
Discussion
How do I configure WinRoute Firewall for UPnP?
Open the Kerio Administration Console and connect to your firewall.
Go to Advanced Options under Security Settings.
Put a check next to "Enable UPnP."
Also note that according to the UPnP standard, a UPnP-compatible firewall must allow ALL outbound traffic. It is up to the user to configure their firewall for this setting, which is not recommended for high-security environments.
Why use UPnP?
When UPnP was designed, it was supposed to allow consumers to use complicated networks without any understanding of the technology behind them. UPnP is supposed to make networks "plug and play."
However, the only major application that uses UPnP is Microsoft's MSN Messenger.
What does UPnP do in Kerio WinRoute Firewall?
The UPnP protocol itself is very, very complicated. It takes a lot of time to make a product that uses UPnP. At this time, WinRoute Firewall's UPnP support is limited to Microsoft's MSN Messenger, the only major application known to use UPnP.
MSN Messenger communicates with the UPnP firewall in two situations:
When you start MSN Messenger, and it connects to the central MSN system.
When a secondary connection is needed, like voice or file transfer.
MSN Messenger "searches" for a UPnP-enabled firewall.
WinRoute "advertises" that it is a UPnP-capable firewall.
MSN Messenger talks to the WinRoute computer, and requests that a random inbound port be opened and forwarded to the compter that MSN Messenger is running on.
WinRoute opens these ports and forwards them to that computer. This is equivalent to making the following rule in the Traffic Policy:
Source: [Internet]
Destination: Firewall host
Service: [Specific TCP or UDP port opened by MSN Messenger]
Action: Permit (Green Check)
Translation: Detination NAT, Translate To: [IP Address of computer running MSN Messenger]
WinRoute tells MSN Messenger which ports were opened.
MSN Messenger "advertises" (through the firewall) that it is available to be connected to. This connection can be used for things like sending files or images across MSN Messenger, or just for communicating with the MSN central server (so that you can see your friends and talk to them).
Does UPnP pose a security risk?
Yes and no.
The full UPnP protocol allows a LAN computer to become an Internet server, without the approval of the system administrator. That can be seen as a security risk.
It also "advertises" what services are available on the local network (provided those services are UPnP-compatible, which most aren't). This can be seen as both a privacy and security problem.
However, the only program that WinRoute's UPnP works with is MSN Messenger. If you trust MSN Messenger, then you can trust UPnP. Of course, if a virus were ever written that pretended to be MSN Messenger, it would be allowed to do all the things that MSN Messenger can do.
In environments where security is a priority, we recommend that you disable UPnP.
Article DetailsArticle ID: 48
Created On: 15 Dec 2003 09:08 PM
Author:
Last Edit:
This answer was helpful This answer was not helpful
User Comments Add a Comment
Posted By: Pavel Dobry On: 30 Dec 2003 01:25 PM
To make Windows Messenger properly working, there must be permitted outgoing TCP/1863 and UDP/7001 connections at the firewall.
Posted By: Makoto On: 02 Jul 2004 06:39 PM
The current version of Azuereus, a BitTorrent p2p client, also takes advantage of the UPnP feature.
Posted By: Kristian (kjunkov80@hotmail.com) On: 07 Oct 2004 02:03 PM
To check if you are actually running a UPnP connection with MSN, open MSN, Tools, Options, Connection and where the Advanced Connnection Information will tell you if you are connected through a UPnP symmetic NAT
Posted By: MacroN On: 16 Sep 2005 11:01 PM
...and the latest versions of eMule, eDonkey2000 P2P client, uses UPnP too.
===============================================
[/more]