Shurn the Awesomer

Why is port forwarding bad?

Written on Mon, 30 May 2016

How many of our home routers have port forwarding set up for services like baby monitors and cameras? Maybe you set up an FTP server so that you can access your movies on the go.

But did you know that this opens up your home systems to attack? It only takes one device to be compromised for the rest of the dominoes to fall.

Why is it bad?

Devices such as baby monitors are built for the primary purpose of serving their function. They were never built as network security devices. They certainly have basic security such as authentication, but that is usually the only thing.

On top of that, firmware for these devices is not regularly patched, much less updated on the device itself. Any vulnerability discovered would likely remain unpatched for a very, very long time.

How do other devices get compromised?

It takes only one device to be compromised for the rest of the devices on the network to be compromised. Take for example a file server containing your accounting data. You have no port forwarding set for the server, so you assume that an incoming connection from the internet is not possible. But your port-forwarded IP camera gets compromised, and it is on the same network as your file server. Since the IP camera can connect to your file server, it is only a matter of time before the authentication on your file server is broken.

What should be done instead?

Instead of port forwarding directly to your devices, implement a hardware firewall in your network with VPN services. Firewalls are dedicated network security devices. They live for that one purpose and only that purpose. The software and/or firmware of these hardware firewalls is regularly patched against vulnerabilities, and within its own settings you are usually able to enable automatic updates from the vendor. In your router, you might still need to port-forward to the firewall, which is fine if that is the only device you are port-forwarding to. Hackers are stopped right at your firewall. Check with your vendor whether port-forwarding is required.

So how do you connect to your devices without port forwarding to it directly?

Here's where a Virtual Private Network (VPN) comes into play. Most of us consumers who have used a VPN before would think of it as a way to bypass country-restricted content like Netflix. But that's not the only thing a VPN does. It connects your device on the internet back to your firewall, and allows it to reach other devices as if it were on the same network.

A properly implemented VPN is extremely secure. It usually implements 2048-bit RSA encryption, something that would take the current supercomputer more than 1 000 years to crack. Even if your encryption key is compromised, such as by theft of the device, you can immediately disable the encryption key issued to that device. The thief will no longer be able to access the VPN from it.

So if you have baby monitors, IP cameras, or other services hosted for your personal use, use a VPN.

Where do I get a hardware firewall?

There are commercial providers such as Fortinet, whose products come with an annual subscription. They can be a tad too expensive for small startups and home users, and maybe too complex to administer for a network with fewer than 20 devices.

Other alternatives like Untangle offer a lot more flexibility. Untangle is entirely open source, so techies will love it. For the everyday consumer, you will love how easy it is to use.

The open source edition is free, as in beer, forever. It uses a freemium model where only enterprise services have an annual fee. The only cost you have to worry about is the hardware. You can reuse most old hardware as an Untangle firewall. You probably just need to install another network card so that you have two Ethernet ports. You can work with one Ethernet port, but it is complex to set up and less secure. Check the minimum hardware requirements before you build it. If that's not an option, you can buy an affordable appliance that comes with a one-year warranty. An annual subscription and extended warranty are optional.

Untangle uses OpenVPN for VPN services. It is an already proven technology that is able to bypass certain port blocks, as it uses the standard port 80 instead of a specialised port that can be easily blocked by ISPs and wifi providers. Just create a client and you will be able to download the encryption certificate for your devices. If you are using Windows, the download comes with the client itself. Otherwise, you might want to read the documentation for your device, such as Android or iOS, on how to install the certificates. You might need to port forward TCP/UDP 1194 on your router to your firewall, and that should be the only port ever forwarded. Check with your ISP, vendor, or network administrator whether this is required.

Once you are connected back to your LAN, freely browse to your device's IP address.
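To check that a router actually follows the "one forward, to the firewall, on the VPN port" rule described above, here is a small audit script. It is an added example, not code from the post or from Untangle; the firewall address and the sample forwarding table are constructed assumptions.

```python
"""Audit a home router's port-forward table against the single-forward policy:
only TCP/UDP 1194 may be forwarded, and only to the hardware firewall.
Added example; the firewall IP and the sample rules are constructed."""
from dataclasses import dataclass

FIREWALL_IP = "192.168.1.2"   # assumed LAN address of the hardware firewall
VPN_PORT = 1194               # OpenVPN port named in the post
ALLOWED_PROTOS = {"tcp", "udp"}


@dataclass(frozen=True)
class Forward:
    """One row of a router's port-forwarding table."""
    proto: str
    ext_port: int
    int_ip: str
    int_port: int
    note: str = ""


def audit_forwards(rules):
    """Return (rule, reason) pairs for every forward that violates the policy.
    An empty list means every remaining forward is the VPN entry point."""
    findings = []
    for r in rules:
        if r.int_ip != FIREWALL_IP:
            # Direct exposure of a LAN device: the case the post warns about.
            findings.append((r, "forwards directly to a LAN device, bypassing the firewall"))
        elif (r.ext_port != VPN_PORT or r.int_port != VPN_PORT
              or r.proto.lower() not in ALLOWED_PROTOS):
            # Even the firewall should only receive the VPN port from the router.
            findings.append((r, "forward to the firewall is not the VPN port"))
    return findings


# Constructed "before" table: camera and FTP forwarded directly, plus the VPN forward.
SAMPLE_RULES = [
    Forward("tcp", 8080, "192.168.1.20", 80, "IP camera"),
    Forward("tcp", 21, "192.168.1.30", 21, "FTP movies"),
    Forward("udp", 1194, FIREWALL_IP, 1194, "OpenVPN on firewall"),
]

if __name__ == "__main__":
    for rule, reason in audit_forwards(SAMPLE_RULES):
        print(f"{rule.note or rule.int_ip}: {reason}")
```

Running it against the sample table flags the camera and FTP forwards and leaves the OpenVPN forward as the only accepted entry.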

Why is this so important?

We are living in a world that is more connected than ever before. Our devices at home are more internet-enabled than ever before. We are already in the age of the Internet of Things, where every little thing, from our kids' toys to the common refrigerator, is now connected to the internet.

Responsibility for network security does not lie solely with the manufacturers of these things. We are equally responsible for the network security of our homes. Take this simple step to secure your home or small office network.