To Port Forward or Not To Port Forward?

Eddie Current

Eddie Current

Young grasshopper
Mar 11, 2015
59
4
Texas
To Port Forward or Not To Port Forward?

This is the question; it seems that there was some talk a while back about if port forwarding was the best option or not?

If not, than what?
 
Not... If you search the forum @nayr wrote a excellent peace on VPN and how this should always be used over opening ports to cameras. Also your cameras should be blocked from accessing the internet! :paranoid:
 
Last edited:
Eddie Current said:
This is the question; it seems that there was some talk a while back about if port forwarding was the best option or not??
Click to expand...
It's not the safest option. Personally, it's the method that I use, but only because I feel reasonably confident in BI's logging and security. No way would I ever use port-forwarding for any of my other devices.

I do also have a VPN setup... I just can't get the rest of the folks in the house to use it. It's not automatic in iOS like it can be on Android devices, and everyone in my house has iOS...
 
  • Like
Reactions: giomania and BillG
aristobrat said:
It's not the safest option. Personally, it's the method that I use, but only because I feel reasonably confident in BI's logging and security. No way would I ever use port-forwarding for any of my other devices.

I do also have a VPN setup... I just can't get the rest of the folks in the house to use it. It's not automatic in iOS like it can be on Android devices, and everyone in my house has iOS...
Click to expand...

You only need to use the VPN when off your network, correct?


Sent from my iPhone using Tapatalk
 
So if your other "users" want to watch the cameras while outside the network, they need to connect to the VPN...that's it! :banghead:

Spoken like a security-conscious person in a security un-conscious house!
 
keep in mind a VPN gives access to the whole network, a port forwarded only gives access to the NVR/Camera as most NVR's will be connected to the lan to allow local access.so by disabling upnp and other cloud features to allow easy access to the cameras and correctly securing the cameras with good password practices keeping the firmware updated and only opening ports required for the remote access can be more secure that a PPTP vpn :-)

so if you look at hikvision the only port required for the mobile app is 8000 in default (this port can easily be changed to avoid people scanning for the default port), quickly looking at the "privilege escalation vulnerability" the hack require few things a default account access to a camera and access to port 554, so only allowing access to the required port for the mobile app would not allow the attack, but hacking the PPTP VPN or getting a reverse shell on a windows box would also the hack requires vulnerable devices :-) the other hik hack was more down to installers not changing defaults, opening every port mentioned in the manuals. I.E bad practices.

remember if you don't need it don't open it :-) i see a lot of routers were the installer has opened pot 80,443,554,8000,25,21,22 and a 1xxx and the customer is only using the mobile app.

so as a lot of people on here will be CCTV installers and not networking wizards there is a balance between a correctly configured CCTV install using port forwards or using a PPTP VPN, you really need to look at the whole application and what would be the best solution for the End User, good practices, password management, firmware updates, correctly configured port forwarding may be just as secure.

port forwarding is not the daemon people would like to make out though VPNs (not pptp) are always recommended over port forwarding.

try googling "is port forwarding safe" there are a lot of opinions out there :-)
 
  • Like
Reactions: Coldair and giomania
So I'm going to trust Nayr on this one, in real life he's a network security guy.
I'm sure that are lots of opinions out there, but I don't know the pedigree of the guys giving them.
Also, he doesn't recommend pptp, only recommends openvpn or L2TP/IPsec

I use AES-256-CBC encryption, I'll be amazed if anyone ever breaks into my network through it.
 
  • Like
Reactions: DavidDavid and looney2ns
randytsuch said:
So I'm going to trust Nayr on this one, in real life he's a network security guy.
I'm sure that are lots of opinions out there, but I don't know the pedigree of the guys giving them.
Also, he doesn't recommend pptp, only recommends openvpn or L2TP/IPsec

I use AES-256-CBC encryption, I'll be amazed if anyone ever breaks into my network through it.
Click to expand...

They most likely wouldn't break through the encryption itself; rather, in most cases they'd go around it or take advantage of some flaw in the implementation. Which is how they've been beaten in the past in a number of cases.

There are potential vulnerabilities in everything. Kind of the bottom line for most in this case is that generally speaking you'll be better off relying on a secured, encrypted connection using an open code base with lots of eyes watching and a quick response to issues as they arise in the case of something like OpenVPN, etc., vs relying on some unknown code and implementation with old components in the code base across a variety of different devices with directly forwarded ports as is typical for most of these cams/NVRs and/or one guy developing and maintaining security for something like BI (as good as it is).
 
Breaking into cameras is what I would be worried about. Chinese cams are well known for having backdoors and getting hacked. Gives someone a linux machine on your network if they can hack into a cam.
I have put my cams on vlans, so they can't get to the internet, and no one can get at them. But there are other ways to isolate you cams.

Randy
 
randytsuch said:
Breaking into cameras is what I would be worried about. Chinese cams are well known for having backdoors and getting hacked. Gives someone a linux machine on your network if they can hack into a cam.
I have put my cams on vlans, so they can't get to the internet, and no one can get at them. But there are other ways to isolate you cams.

Randy
Click to expand...

The only way is to unplug your cameras from the network, As if a vlan = security :-)

VLAN Hopping
Switches implement virtual LANs (VLAN). Users connect to access ports that are members of a VLAN as specified in the switch configuration. VLAN hopping is where a user can gain access to a VLAN not assigned to the switch port to which the user connects.

A user can achieve this in two ways against the default configuration of a Cisco switch port. The first and most commonly used VLAN hopping method is where the attacker makes his workstation act as a trunk port. Most switches, in the default configuration, need only one side of a connection to announce themselves as a trunk; then the switch automatically trunks all available VLANs over the switch port. This results in the attacker seeing all traffic across all VLANs.

The second way an attacker can hop VLANs is by using double tagging. With double tagging, the attacker inserts a second 802.1q tag in front of the existing 802.1q tag. This relies on the switch stripping off only the first 802.1q tag and leaving itself vulnerable to the second tag. This is not as common a method of VLAN hopping as using trunking.
Click to expand...
 
For some reason, this made me think about a joke where two guys are running from a bear or lion or some wild beast.
One guys asks the other guy if he really thinks he can outrun the bear. Other guy responds I don't have to, I just have to outrun you.

My home security doesn't have to be perfect, just has to be good enough so anybody trying to break into my network will decide its not worth the trouble, and go find an easier target.

Thanks for the vlan hopping info, guess its a good thing I don't have a cisco switch :)
 
Last edited:
  • Like
Reactions: Weather_Junkie and aristobrat
  • Like
Reactions: aristobrat and randytsuch
randytsuch said:
For some reason, this made me think about a joke where two guys are running from a bear or lion or some wild beast.
One guys asks the other guy if he really thinks he can outrun the bear. Other guy responds I don't have to, I just have to outrun you.

My home security doesn't have to be perfect, just has to be good enough so anybody trying to break into my network will decide its not worth the trouble, and go find an easier target.

Thanks for the vlan hopping info, guess its a good thing I don't have a cisco switch :)
Click to expand...

maybe you should take your own advice :-) "So I'm going to trust Nayr on this one, in real life he's a network security guy." but you have no idea who i am :-)

the topic is vlans or port forwarding, my post dose not reference Nayr or any other types of vpn apart from PPTP. as a reference to Nayr's guide was already posted by Cyberwolf uk. if you want to post why port forwarding is so bad please do so.

vlan hopping is not only limited to Cisco routers and is easily resolved, my point is incorrectly configured network security can give a false scene of security, this may not be a issue for a real life he's a network security guy, but not everyone is a network security guy.

for example removing the gateway form a network camera can be just as secure as a vlan but may not be the solution for every one. having a NVR with a inbuilt POE switch that isolates the camera network from the LAN using best practice with port forwarding, it this really so bad?

"easy of use" Vs "risk" Vs "security" its just finding the correct balance. if i have offended you in any way i can only offer my apologizes..........
 
copex said:
. having a NVR with a inbuilt POE switch that isolates the camera network from the LAN using best practice with port forwarding, it this really so bad?
Click to expand...
Yes it is,...the NVR generally suffers from the same vulnerabilities as the camera...so you are back as square 1. Plus you now have to deal with all the inconveniences of built in poe including, noise, having to homerun each cable, and hoping your NVR has virtual host.
 
Port forwarding exposed internal/private services on your LAN, to the internet. Sometimes it's required to make certain resources on your LAN...available from out on the internet. Web servers (port 80, 443), remote desktop (port 3389 or 443 tsgateway), mail servers (port 25)...etc etc.

Having such services exposed to the internet opens up security risks...as now you have thousands and thousands of wanna-be hackers finding them and trying to hack into them. So you must take extra care in keeping the systems updated, patched, user accounts with good secure passwords.

"old style" camera systems require port forwarding of lots of ports for remove administration and viewing...so you could view them with your browser, or a special program on your computer, and/or from smart phones with viewing apps. However, some brands have newer systems that require NO port forwarding on your firewall, you don't even have to know your WAN IP address, or resort to using those cheesy dynamic dns services. Many brands now offer a secure "cloud account" which you bind (attach) your local NVR to. You log into your cloud account..and select the NVR you have connected to it..and BOOM...you're now viewing your local NVR through a secure tunnel it proxies you through. Example...I can log into my account at video.ubnt.com and see all the Ubiquiti Unifi NVRs I have attached to that account..and remote into those. From my computer (via Chrome browser)...or from my smart phone. Free! Works great!

Hopefully more brands will do this, it's great, easy, secure, and no clunky VPNs to deal with. makes it wonderfully easy to use.
 
YeOldeStonecat said:
Hopefully more brands will do this, it's great, easy, secure, and no clunky VPNs to deal with. makes it wonderfully easy to use.
Click to expand...
Dahua and Hikvision do that. It's just that after seeing the glaring vulnerabilities in their cameras and NVR, many folks here have little trust that their proxy service is any better secured. Unlike with Ubiquiti, security doesn't seem to be a priority for the camera makers, at least not in the consumer market.
 
You must log in or register to reply here.
Top Bottom