Port Forwarding - is it really that bad to use???

Markgt

n3wb
Joined
Jul 13, 2016
Messages
9
Reaction score
0
Ok - so I've been poring over previous posts (Nayr, various others) and have been searching the web. There seem to be multiple camps on the notion of port forwarding --- ranging from "it's bad!" to "it might be bad, but not sure," to "it could be bad but it is probably not," to "it isn't bad and don't believe the hype."

The camera companies and even installers seem to brush it off as hype. I'm not so naive that I believe everything I hear but I also wonder how much is hype? The common counter argument from vendors/installers is "there isn't really any damage someone can do with access to your DVR and cameras other than seeing your video."

I'm trying to sort out:
1) how truly bad is port forwarding a residential DVR - i.e. what is the realistic worst case scenario. Can someone really do much badness with DVR access? True risks, in other words.

2) is there a way to make port forwarding "less bad?" -- or am I nuts for even considering port forwarding?

Full disclosure: my network skills are really low-tech, but I'm a pretty good installer with mad drywall skills and headphones.

Thanks
 

PSPCommOp

Getting the hang of it
Joined
Jun 17, 2016
Messages
693
Reaction score
92
Location
Northeastern PA
Someone posted a while ago a pretty good explanation that went something like this. Picture your router as a mall and all the things that connect to it as stores in the mall. Home computer one store, iPhone as another, Roku as another, etc etc etc.

Ports are like doors that go right to specific stores in this mall. Open one and if someone has the right know-how, they can basically walk right into your network via the open port and access everything that is connected on that port. DVR with access to the exterior or even interior of your home if you have them. Main computer used to pay bills (cookies and possibly passwords stored to access bank/credit card/merchant/cloud storage accounts). Maybe they'll access family photos of you and your family at the beach or celebrating a holiday. Maybe they'll sign into Amazon if you have a password storing program and buy themselves something nice and send it to a different address.

Granted your home network is one small fish in a sea of fishes, but all it takes is a few Google or Yahoo searches to read about the really negative effects of network hacking and identity theft. I'm not a network guru but I did some research and watched some tutorial videos on YouTube and realized it really isn't all that hard to run a VPN on my router and make things a little more secure.

Read this article.
https://www.ipcamtalk.com/showthread.php/11292-Who-is-watching-you-Russian-website-puts-local-cameras-online?highlight=Russia
That was more than enough to make me take it a little more seriously.
 

nayr

IPCT Contributor
Joined
Jul 16, 2014
Messages
9,326
Reaction score
5,325
Location
Denver, CO
Your camera and/or NVR run full-blown operating systems; they are little computers in their own right.. opening a port on the internet exposes that device directly, with all its flaws, to all the harshness of the internet.

Your hacked cameras can not only be used to spy on you, they can be used to attack other people on the internet and make it look like it's coming from you.. they are the ideal devices for this: hack a camera network and you'll get dozens of devices that are always on with solid connections and no local users logged in.. they can be hacked for ages without anyone noticing.

Very few devices and services have been designed and proven to withstand the non-stop onslaught from the internet; IP cameras and workstations are not.. that's why we put them behind firewalls... You don't realize it, but your router is being scanned and probed constantly, non-stop.. I get bots trying to brute force into my servers in a never-ending stream, and they are just private servers for my own use.. Moments after you've opened a port it's likely some bot somewhere has taken notice and begins to try known attacks against it..

Installing 'security devices' and exposing them to the internet is equivalent to buying a shotgun and leaning it against the outside of your front door.. it just doesn't make much sense.. Like using a desktop computer without anti-virus/anti-malware and proper firewalls, it's not a matter of if it'll be compromised.. but when.

If you don't know how to handle internet security and set up VPNs, then simply don't plan on accessing them remotely over the internet.. leave it closed-circuit until you're able to get a VPN server configured.
 

tangent

IPCT Contributor
Joined
May 12, 2016
Messages
4,442
Reaction score
3,694
yes.

you should see the logs from my honeypot vm.
 

Markgt

n3wb
Joined
Jul 13, 2016
Messages
9
Reaction score
0
You guys are a huge help. My initial thoughts are confirmed by your responses. Thanks.

Remote viewing is a high priority and so I'll go the VPN route (it sounds like VPN is the best? option to minimize risk).

As to setting up a VPN, is this a reasonable workflow plan?
Plan A---Attempt to set up openVPN on my Netgear Nighthawk on my own
Plan B-- if unsuccessful, outsource the VPN project to local IT shop that advertises VPN services?

again, I'm not super network savvy but I don't mind tinkering. I just want to have a plan B in case I'm hitting roadblocks.
 

PSPCommOp

Getting the hang of it
Joined
Jun 17, 2016
Messages
693
Reaction score
92
Location
Northeastern PA
http://kb.netgear.com/app/answers/detail/a_id/23854/~/how-do-i-use-the-vpn-service-on-my-nighthawk-router-with-my-windows-client??cid=wmt_netgear_organic

http://kb.netgear.com/app/answers/detail/a_id/29826/~/how-do-i-use-vpn-on-my-nighthawk-router-with-my-ios-device??cid=wmt_netgear_organic

Start here. It really is easier than it looks. If you run into any issues post back with questions before calling anyone that might charge you to set this up.
 

nbstl68

Getting comfortable
Joined
Dec 15, 2015
Messages
1,399
Reaction score
322
Dumb question time, but how do I see that my ports, open or otherwise, are being scanned?
How can I see if someone was successful in doing whatever, getting through after scanning, and what they may have done?

Do I need special software to see and monitor these logs that are mentioned here and in other similar discussions about this?

I have a couple of ports open (using an iMac if it matters) for my one little cheap Foscam....probably got China watching my living room right now...
Is an "open port" and a "port forwarded" port the same thing?
 

nayr

IPCT Contributor
Joined
Jul 16, 2014
Messages
9,326
Reaction score
5,325
Location
Denver, CO
You need a special network configuration, plus special software to monitor your firewall for attacks.. my switch has a 'port mirroring' capability, I have it configured to mirror my cable modem port and a network sniffer is running on it.. I run https://www.snort.org/

Open Port == Port Forwarding
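For a concrete feel of what "being scanned and probed constantly" looks like in the logs that the Snort/port-mirror setup above collects, here is an added example (not code from this thread and not Snort's own rules) that reads iptables-style syslog lines and flags two patterns: one source touching many destination ports in a short window (a port sweep) and one source repeatedly hitting a single forwarded port (what a login brute force against a DVR looks like from the router). The log lines are constructed for the example; the log format and the thresholds are assumptions, so adjust the regex to whatever your router actually writes.

```python
"""Spot port sweeps and repeated hits on a forwarded port in router log lines.

Added example, not code from this thread or from Snort. It assumes
iptables-style syslog lines (what a Linux-based router, or a box watching a
mirror port, can log); the sample below is constructed, and real logs may
need the regex adjusted.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample: 203.0.113.7 sweeps ten ports in four seconds, 198.51.100.23
# hammers the DVR's forwarded port 8000, plus two benign one-off hits. The dhcpd
# line is there to show non-firewall lines being skipped by the parser.
SAMPLE_LOG = """\
Jul 30 10:00:01 router kernel: DROP IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=40001 DPT=21
Jul 30 10:00:01 router kernel: DROP IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=40002 DPT=22
Jul 30 10:00:02 router kernel: DROP IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=40003 DPT=23
Jul 30 10:00:02 router kernel: DROP IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=40004 DPT=80
Jul 30 10:00:02 router kernel: DROP IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=40005 DPT=443
Jul 30 10:00:03 router kernel: DROP IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=40006 DPT=554
Jul 30 10:00:03 router kernel: ACCEPT IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=40007 DPT=8000
Jul 30 10:00:03 router kernel: DROP IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=40008 DPT=8080
Jul 30 10:00:04 router kernel: DROP IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=40009 DPT=3389
Jul 30 10:00:04 router kernel: DROP IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=40010 DPT=37777
Jul 30 10:00:05 router dhcpd: DHCPACK on 192.168.1.20 to aa:bb:cc:dd:ee:ff
Jul 30 10:00:40 router kernel: ACCEPT IN=eth0 SRC=192.0.2.55 DST=192.0.2.10 PROTO=TCP SPT=51000 DPT=8000
Jul 30 10:01:00 router kernel: ACCEPT IN=eth0 SRC=198.51.100.23 DST=192.0.2.10 PROTO=TCP SPT=33001 DPT=8000
Jul 30 10:01:06 router kernel: ACCEPT IN=eth0 SRC=198.51.100.23 DST=192.0.2.10 PROTO=TCP SPT=33002 DPT=8000
Jul 30 10:01:12 router kernel: ACCEPT IN=eth0 SRC=198.51.100.23 DST=192.0.2.10 PROTO=TCP SPT=33003 DPT=8000
Jul 30 10:01:18 router kernel: ACCEPT IN=eth0 SRC=198.51.100.23 DST=192.0.2.10 PROTO=TCP SPT=33004 DPT=8000
Jul 30 10:01:24 router kernel: ACCEPT IN=eth0 SRC=198.51.100.23 DST=192.0.2.10 PROTO=TCP SPT=33005 DPT=8000
Jul 30 10:01:30 router kernel: ACCEPT IN=eth0 SRC=198.51.100.23 DST=192.0.2.10 PROTO=TCP SPT=33006 DPT=8000
Jul 30 10:02:10 router kernel: DROP IN=eth0 SRC=203.0.113.99 DST=192.0.2.10 PROTO=TCP SPT=4444 DPT=23
"""

LOG_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) \S+ kernel: (?P<action>DROP|ACCEPT) "
    r"IN=\S+ SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) PROTO=(?P<proto>TCP|UDP) "
    r"(?:SPT=\d+ )?DPT=(?P<dpt>\d+)"
)


def parse_line(line):
    """One firewall log line -> event dict, or None for lines that are not firewall hits."""
    m = LOG_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    return {
        "ts": datetime.strptime(d["ts"], "%b %d %H:%M:%S"),  # syslog omits the year
        "action": d["action"], "src": d["src"], "dst": d["dst"],
        "proto": d["proto"], "dpt": int(d["dpt"]),
    }


def parse_log(text):
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def _by_source(events, keep):
    grouped = defaultdict(list)
    for e in events:
        if keep(e):
            grouped[e["src"]].append(e)
    for evs in grouped.values():
        evs.sort(key=lambda e: e["ts"])
    return grouped


def find_port_scanners(events, window_s=60, min_ports=8):
    """Sources that touched >= min_ports distinct destination ports inside any window_s span.
    Returns {src: most distinct ports seen in one window}."""
    hits = {}
    for src, evs in _by_source(events, lambda e: True).items():
        win = deque()
        for e in evs:
            win.append(e)
            while (e["ts"] - win[0]["ts"]).total_seconds() > window_s:
                win.popleft()
            distinct = len({w["dpt"] for w in win})
            if distinct >= min_ports:
                hits[src] = max(hits.get(src, 0), distinct)
    return hits


def find_repeat_hits(events, dport, window_s=60, min_hits=5):
    """Sources that hit one port (your forwarded DVR port) >= min_hits times inside window_s.
    Returns {src: most hits seen in one window}."""
    hits = {}
    for src, evs in _by_source(events, lambda e: e["dpt"] == dport).items():
        win = deque()
        for e in evs:
            win.append(e)
            while (e["ts"] - win[0]["ts"]).total_seconds() > window_s:
                win.popleft()
            if len(win) >= min_hits:
                hits[src] = max(hits.get(src, 0), len(win))
    return hits


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    print("port sweeps:", find_port_scanners(events))          # {'203.0.113.7': 10}
    print("hammering port 8000:", find_repeat_hits(events, 8000))  # {'198.51.100.23': 6}
```

The owner's own phone checking in once on port 8000 (192.0.2.55) and the single stray probe on port 23 do not trip either rule; that is the whole point of counting within a window rather than alerting on every DROP, since a home router will log scanner noise all day.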
 

smoothie

Pulling my weight
Joined
Dec 19, 2015
Messages
223
Reaction score
178
These look to be exactly what you would need to get a VPN up and running on your connection. You owe @PSPCommOp a beer since if you just follow these instructions you should be well on your way to having a more secure setup than you currently do.



There are various websites that you can use to scan your IP for open ports. Use them at your own risk as you are actively inviting a scan of your IP address. If the scan service is from a reputable "white hat" then you are likely to be fine. While I cannot speak to the reputation of a specific port scan site, this one has been around forever and seems reputable at least on the surface.

https://www.grc.com/default.htm

Scroll down to "ShieldsUP!" and click it, click the "Proceed" button, and then choose which port or ports you want scanned; you can choose "All Service Ports" from the silver bars, which will scan the first 1056 ports on your IP address.

Again use this at your own risk. I would suggest some google research on this site if you want to be sure it is trustworthy.



Some extra information to help understand TCP/IP ports in case you are interested:

TCP/IP is a suite of protocols that allow the modern internet to function as it does. An IP address has 65,535 ports, of which the first 1024 are called the "well known ports" as they have predefined uses in the TCP/IP suite. For example sending email from a mail server to another mail server uses port 25, web browsing uses port 80, encrypted web uses port 443, etc etc. Each of those ports from 1 to 65,535 can be opened to two different protocols within TCP/IP, TCP and/or UDP. These are both transport protocols and are the workhorses of the TCP/IP suite for moving actual data around the internet. So you could have port 443 open to just UDP, just TCP, or open to both. The easy way to think of TCP vs UDP is that while both move data from one IP address to another, TCP has additional checks and balances to ensure all the data it is being asked to transport arrives at the destination, while UDP does not have those checks and balances. TCP was a more popular transport back many years ago when the physical links that comprise the internet were less reliable and more susceptible to packet loss. Modern internet hardware infrastructure is so much more reliable that it is almost unfair to compare them. There are still valid uses for both TCP and UDP in the modern internet.

Think of TCP and UDP as fleets of 18 wheelers on the highways. They have a finite capacity to carry their cargo to their destination, and what they do after delivering their cargo is different between the two. TCP with all its checks and balances would be like an 18 wheeler that requires a signature upon delivery of its contents; additionally the driver would call headquarters and tell them that he just successfully delivered his cargo and got the signature, and that he inspected the cargo completely before handing it off to the recipient to make sure it was all there and undamaged. UDP on the other hand is more like FedEx or UPS residential service: no signature, just drop the package and sprint back to the truck and move on.
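To tie the ShieldsUP! scan and the TCP port discussion above to the earlier question of whether an "open port" and a "forwarded port" are the same thing, here is an added example (not code from this thread and not GRC's scanner) that does what an outside scanner does at its simplest: attempt a TCP handshake to each port and report open, closed, or filtered. It spins up its own throwaway listener on 127.0.0.1 so it runs offline; the listener standing in for "a DVR's web port" and the port numbers it picks are assumptions for the demo.

```python
"""Probe TCP ports the way an outside scanner (or ShieldsUP!) sees them.

Added example, not code from this thread or from GRC. It starts its own
throwaway listener on 127.0.0.1 so it runs offline; to learn what the
internet sees, run probe_ports() against your public IP from a host
outside your LAN, not from inside it.
"""
import socket
import threading


def start_listener(host="127.0.0.1"):
    """Bind a TCP listener on an OS-chosen free port (stand-in for a forwarded DVR port)
    and accept-then-drop connections in the background. Returns (server_socket, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, 0))
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:          # listener was closed -> stop the thread
                return
            conn.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]


def free_port(host="127.0.0.1"):
    """Return a port nothing is listening on right now (bind to 0, read it back, release)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind((host, 0))
        return s.getsockname()[1]


def probe_port(host, port, timeout=0.5):
    """'open'     : the TCP three-way handshake completed, something is listening there
       'closed'   : the host answered with RST, reachable but nothing listening
       'filtered' : no answer before the timeout (what ShieldsUP! labels 'stealth')"""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return "open"
        except ConnectionRefusedError:
            return "closed"
        except (socket.timeout, OSError):
            return "filtered"


def probe_ports(host, ports, timeout=0.5):
    """Scan a list of ports; returns {port: state}."""
    return {p: probe_port(host, p, timeout) for p in ports}


if __name__ == "__main__":
    srv, dvr_port = start_listener()   # pretend this is the DVR's forwarded web port
    quiet_port = free_port()           # and this is a port nothing is behind
    for port, state in probe_ports("127.0.0.1", [dvr_port, quiet_port]).items():
        print(f"{port:5d}/tcp  {state}")
    srv.close()
```

Seen from the internet, a port you forwarded on the router comes back "open" (the router passes the handshake through to the DVR), while ports you did not forward come back "filtered" if the router silently drops them or "closed" if it answers with a reset. That is the sense in which an open port and a forwarded port are the same thing: from outside, a forward is what turns a port from filtered into open.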
 

mark4470

Young grasshopper
Joined
Jul 29, 2016
Messages
69
Reaction score
10
Oh my, this is too much for an old man.. I'm worried now. Haven't had time to look at the links yet. I have a top of the line Linksys Router with open ports. I hope this isn't too hard.
 

nayr

IPCT Contributor
Joined
Jul 16, 2014
Messages
9,326
Reaction score
5,325
Location
Denver, CO
It's not really hard, if your router already has a VPN server installed.. all you have to do is basically enable it, add some users, and perhaps open the VPN through your firewall.. then you set up the VPN software on your phone to connect to your router and use the user credentials you created on the router.

Each router is different; there is no one-guide-fits-all strategy.. but if you have a popular model with built-in support you can easily find videos and other walkthroughs using just a tiny bit of Google Fu.

I've seen many instances where setting up the built-in VPN server was easier and quicker than forwarding ports.. it all depends on how smart an interface they created for your router.

Pro-tip: when creating users for the VPN, create a user for each device, not each individual, i.e. nayr-phone, nayr-laptop, nayr-work, and use randomly generated passwords or certificates for each; have the device save the password, and if it ever forgets it just create a new one.. This way if your phone gets stolen, you just have to delete that user to prevent that device from ever accessing your network again, instead of changing the passwords on all your devices because you used one login for all of them.. When I get a new phone I just create a new password for the new phone and the old phone no longer has access.
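The per-device user scheme in the pro-tip above, worked through as an added example (not code from this thread or from any router's firmware): one login per device, a fresh random secret for each, the router side keeping only a salted hash, and revocation of a single device without touching the others. The registry is an in-memory stand-in for the router's VPN user list, and the owner/device names and PBKDF2 parameters are assumptions for the demo.

```python
"""Per-device VPN accounts with individual random secrets and one-step revocation.

Added example, not from this thread or any router firmware. It models the
per-device user scheme in plain Python: the registry is an in-memory
stand-in for the router's VPN user list, and passwords are stored only as
salted PBKDF2 hashes (hashlib.pbkdf2_hmac from the standard library).
"""
import hashlib
import hmac
import secrets


class VpnUserRegistry:
    def __init__(self):
        self._users = {}   # "owner-device" -> {"salt": bytes, "hash": bytes, "active": bool}

    @staticmethod
    def _hash(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def add_device(self, owner: str, device: str):
        """Create one login per device (nayr-phone, nayr-laptop, ...) with a fresh random secret.
        Returns (username, password); the password is shown once and only its hash is kept."""
        name = f"{owner}-{device}"
        if name in self._users and self._users[name]["active"]:
            raise ValueError(f"{name} is still active; revoke it before issuing a new secret")
        password = secrets.token_urlsafe(24)   # 32 random chars; the device saves it, you never type it
        salt = secrets.token_bytes(16)
        self._users[name] = {"salt": salt, "hash": self._hash(password, salt), "active": True}
        return name, password

    def verify(self, name: str, password: str) -> bool:
        """What the VPN server does at connect time: unknown or revoked users fail, then constant-time compare."""
        user = self._users.get(name)
        if user is None or not user["active"]:
            return False
        return hmac.compare_digest(user["hash"], self._hash(password, user["salt"]))

    def revoke(self, name: str) -> bool:
        """Lost or stolen device: disable just that login; every other device keeps working."""
        user = self._users.get(name)
        if user is None:
            return False
        user["active"] = False
        return True

    def replace_device(self, owner: str, device: str):
        """New phone: revoke the old login and hand out a new secret under the same name."""
        self.revoke(f"{owner}-{device}")
        return self.add_device(owner, device)

    def active_users(self):
        return sorted(n for n, u in self._users.items() if u["active"])


if __name__ == "__main__":
    reg = VpnUserRegistry()
    phone_user, phone_pw = reg.add_device("nayr", "phone")
    laptop_user, laptop_pw = reg.add_device("nayr", "laptop")
    print("phone logs in:", reg.verify(phone_user, phone_pw))            # True
    reg.revoke(phone_user)                                               # phone stolen
    print("stolen phone logs in:", reg.verify(phone_user, phone_pw))     # False
    print("laptop still logs in:", reg.verify(laptop_user, laptop_pw))   # True
    print("active:", reg.active_users())                                 # ['nayr-laptop']
```

The contrast with a single shared login is the `revoke` path: with one account for every device, the stolen phone forces a password change on the laptop and the work machine too, and until that happens the thief has the same access you do. Certificates per device (what OpenVPN setups usually do) work the same way, with a certificate revocation list playing the part of the `active` flag.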
 

Markgt

n3wb
Joined
Jul 13, 2016
Messages
9
Reaction score
0
I will owe lots of people on this forum beers over the next few years, I bet. The problem is I won't know where to send them because all your ports are closed! Seriously, though - thanks for helping me guys.
 

nbstl68

Getting comfortable
Joined
Dec 15, 2015
Messages
1,399
Reaction score
322
@nayr.. "then you set up software on your phone...".

What software?
I have an Asus router, for example, that I am about to try to set up the VPN on this weekend thanks to yours and other guidance here.. But I don't find an Asus-specific companion VPN app for my phone or whatever device.....

Can you explain or recommend what software app to use for the phone, tablet etc. or other device that I would use, or maybe I'm still misunderstanding this part...
 

tangent

IPCT Contributor
Joined
May 12, 2016
Messages
4,442
Reaction score
3,694
In most cases the VPN client is built into the OS of the phone. Just google the software version of your phone and how to set up a VPN.
 

PSPCommOp

Getting the hang of it
Joined
Jun 17, 2016
Messages
693
Reaction score
92
Location
Northeastern PA
OpenVPN, if that's the VPN you're adding to your router. What model Asus do you have?
 

nbstl68

Getting comfortable
Joined
Dec 15, 2015
Messages
1,399
Reaction score
322
Adding to my router?...I was thinking there is already a VPN built into my particular router...
Do I need to somehow upload additional software onto the router itself?
 
