Port forwarding \ open ports bad, VPN Good...What about DDNS?

nbstl68

Dec 15, 2015
Hi,
Been reading a lot around here of the possible security implications of opening ports \ port forwarding, P2P connections (same \ similar thing?),
which can present security access issues, aka people being able to access my camera or computer or entire home network as I understand it?!
It seems this is the go-to method though in many camera instructions like my crappy little Foscam.
I then started reading about using DDNS (esp. because I do not have a static IP from my crappy DSL provider).

Honestly all I know is this and\or the port forwarding (maybe both are required together anyway) were the only ways I could get an external internet connection to my camera, via their Android phone app.

A personal VPN setup still confuses and eludes me, which is why I assume the other routes are always suggested by the mfg.


Reading a lot of posts here, esp. some good but (at my level) hard to understand explanations (Nayr), now leaves me very uneasy about my current set-up.


So, I guess what I am asking is: does using the password controlled DDNS to connect to my camera offer any real security at all, or is figuring out how to do a proper personal VPN (via my router...that's a different concept than those paid site VPNs, right??) the only way to be really safe and ensure my cam does not end up on one of those Russian cam sharing sites or China hacking into my computer files?

...Has reading all these forums just made me overly paranoid?
 
Heh. Well DDNS does not make your system less secure. It is just a way for you to keep track of your changing address.

You are correct, those paid VPN sites are something entirely different, and not relevant here.

A proper VPN would be more secure than port forwarding directly to your cameras. I recommend using OpenVPN, if you have the means to run an OpenVPN server. Otherwise if your router has any VPN server built in, use that. It probably will be a PPTP VPN if it is built into your router, and PPTP was proven hackable years ago, but it is still better than exposing a Foscam directly.
 
The way to think about these different concepts is like this. You have 3 parts to this scenario: first, the private network at your home with your cameras and home computers on it; second, the outside world and the entirety of the Internet; and third, the firewall or router that is the device between the first and second parts.

The job of a firewall, in its most basic form such as on most home networks, is to be a one-way valve. A normal unmodified basic firewall allows your home computers to speak to the Internet but does NOT allow the Internet to speak to your home computers. Think of the allowed flow of information back and forth by which device starts the conversation. If your home PC starts the conversation, such as opening a web browser and going to google.com, that is allowed. If teslamotors.com tried to call your computer to tell you about the Model 3 without your home computer asking first, the connection is denied.

Remotely viewing your cameras is essentially "the Internet (your phone somewhere on the cellular network) initiating a conversation with your home network" so the firewall does what it does best and denies that connection.

How you can access your cameras remotely:

TCP/IP is the language of the Internet that all devices speak to each other, and TCP/IP has ports ranging from 1 to 65535. Think of these ports like entrances to a building; a large shopping mall will have multiple entrances that serve different parking lots or even different levels of the same parking lot. The first 1024 ports in the range are called the "Well Known Ports" as they have defined uses: port 80 is for web browsing (HTTP), port 443 is for secure web browsing (HTTPS), port 25 is for sending email between servers (SMTP), etc etc etc. Ports above 1024 are known as "high ports" and do not have predefined roles in the standard TCP/IP communications and can be officially used for anything you like. Each of these ports can be closed or open; if these ports were doors to a building then each door could be locked or unlocked respectively.

The simplest way to access your cameras remotely is port forwarding, but it is also the least secure and the most vulnerable. Port forwarding is like saying this particular door to the building (for example port 80, HTTP web browsing) doesn't go into the mall in general but specifically to Macy's. So if you were to walk into this door at the mall you would find yourself inside Macy's, which is inside the mall. But this also means anyone else who walks in that door would also find themselves in Macy's. Your camera system has a password on it, but various cameras and DVR/NVR units are known to have vulnerabilities. Passwords are like barricades erected at Macy's where the passageway from the door gets to Macy's. A weak password would make that barricade out of tissue paper such that someone could just walk thru it with little to no effort; a strong password would make that barricade out of 6" plate steel. The vulnerabilities of a camera or NVR/DVR might replace half of that plate steel barricade with tissue paper or even open space. But even without the vulnerabilities that strong password could eventually be broken, just as given enough time someone could cut their way thru 6" plate steel.

A VPN:

A VPN or Virtual Private Network is a secure encrypted tunnel that exists between two points on the Internet. A VPN in this scenario is between your phone/tablet/laptop out on the open Internet somewhere and your home private network via your firewall. A VPN is like having your own private entrance to the mall that has a barricade on the outside. If you walk into this entrance you are inside the mall in general and can go to any store you like in the mall freely. A basic VPN will have a password in some form, be it pre-shared secret and/or password, which again you can represent as different materials presenting more challenge to get past as password complexity increases, tissue to steel and beyond. Because some VPN setups can use multiple means to secure the traffic, you can make it much more secure than simple port forwarding. You can essentially make the barricade much thicker than 6" plate steel. A very secure VPN technology is x509 certificates; these are digitally signed certificates that must be installed on each device that is to access the VPN. This certificate is used by the firewall to recognize individual devices on the open Internet that the firewall should talk to in order to form the VPN tunnel. With the right setup configured correctly you can make your building like Cheyenne Mountain, home of NORAD, complete with armed guards and about as difficult a place to get into as can be.

DDNS:

In order to use any entrance at the mall, be it the open door (port forwarding) or the super secure private entrance only you know about (VPN with x509), you still need to know where the mall is located. Static IP vs dynamic IP can be thought of like street addresses for buildings but with a twist. All street addresses in the real world are essentially "static" addresses. Your house or your work are always the same street address that doesn't change. Dynamic addressing could be envisioned as buildings suddenly having different street addresses. When you went to bed your place was at 123 Anystreet USA; when you woke up the next morning it was 433 Otherstreet USA. While you are at home this change means virtually nothing to you, but if you are out in the world and want to find your house, how do you know what address it is? It could be the same as when you left this morning or it might have changed. DDNS is a simple piece of software that basically sends you a text, either every set amount of time or with some other qualifier. That text basically says "your house is at the following address: 614 Yetanotherstreet USA". This way you can always find your house. The catch is, depending on what the DDNS system uses to decide when to notify you, there are times between the address changing and you getting that text telling you it has. Overall it is a pretty reliable and good system. The only real security risk it presents is if you have to run some kind of software on your machine to inform the DDNS system of what your IP address is at any given time. Many NVR/DVR units have built-in DDNS functionality, so you need only sign up for a free account, enter the account info in the DVR/NVR, and the unit will send updates to the DDNS system at whatever interval it is designed to do.
 
Wow, very descriptive @smoothie, thanks!

So with VPN and\or DDNS use, does that still require a port to be open \ forwarded but just better fortified via the VPN password process?
Or does using a VPN bypass having to open any ports?

For my phone to connect, would I then need a same\similar VPN app or software on the phone to connect so it is only open access to the computer from my phone (or tablet or other source I choose)?

@bp2008 I'll google \ read up on OpenVPN and PPTP. Is OpenVPN software that would reside on my computer (I have only an iMac, is that an issue) or are you saying it would somehow be installed in my router if it does not have its own VPN option?
(I have a CenturyLink DSL AP\Router combo provided w my service and not sure what it provides if anything.)

I also have an Asus RT-N56U router (currently just being used as a pass-through just for the additional Ethernet ports, but looks like it may have a VPN option of some sort).

So is a static IP NOT a requirement for VPN...if not, would DDNS be required, or how would the VPN handle it if \ when my provider changes the static IP the next time?

I read about people paying a bundle to get a static IP from their provider but never really understood why.

Sorry, prob asking too much "discovery information" here for this type of forum but my interest is piqued..Any further direction for additional research so I can put something secure into practice is appreciated.
 
The OP also mentions P2P connection (I know that Hikvision offers remote viewing via P2P cloud which is simple to set up). Is this method safer than port forwarding since it doesn't require leaving exposed ports?
 
It's just as bad, if not worse.. they reverse tunnel into your network to bypass your firewall rules, nothing's encrypted.. you trust the Chinese servers? I don't, and my cameras have no internet access at all, only access to the LAN.
 
So is a static IP NOT a requirement for VPN...if not, would DDNS be required, or how would the VPN handle it if \ when my provider changes the static IP the next time?

I read about people paying a bundle to get a static IP from their provider but never really understood why.


DDNS is just an alternative or substitute for a static address from your ISP. You only need either one, not both, for any VPN or port forwarding configuration.
 
... and my cameras have no internet access at all, only access to the LAN.
@nayr, how do you view your cameras remotely then (when away from home network, aka out of town on vacation), from a computer, browser, phone app, tablet or whatever with no internet access to them...or do you just not do that?
Or am I misunderstanding "internet access" as a requirement for remote viewing vs. VPN use?
 
When I am connected to the VPN, my remote device is on the LAN and has full access to all the LAN devices just like it was a local device.. the cameras can talk to any local IPs without being subject to the external firewall.

In the OP's question, DDNS is just used so the VPN client can always find the VPN server when you don't have a static IP.. when you are away from home, trying to figure out what your IP address changed to can be quite a pain in the ass without DDNS.
 
So I would have a VPN "server" running FT on the home computer, (or built into the router) and a VPN "Client" say on my phone or tablet?
 
Wow, very descriptive @smoothie, thanks!

So with VPN and\or DDNS use, does that still require a port to be open \ forwarded but just better fortified via the VPN password process?
Or does using a VPN bypass having to open any ports?

Ports do NOT need to be open at all when using a VPN. The VPN does bypass the firewall in that sense, when connected with the VPN it is exactly like you are connected on the LAN at home.

For my phone to connect, would I then need a same\similar VPN app or software on the phone to connect so it is only open access to the computer from my phone (or tablet or other source I choose)?

Yes, you would install a VPN client app on your phone/tablet/laptop/etc which would need to be launched and connected before you could view the camera feeds with the camera/DVR/NVR app.

@bp2008 I'll google \ read up on OpenVPN and PPTP. Is OpenVPN software that would reside on my computer (I have only an iMac, is that an issue) or are you saying it would somehow be installed in my router if it does not have its own VPN option?
(I have a CenturyLink DSL AP\Router combo provided w my service and not sure what it provides if anything.)


I also have an Asus RT-N56U router (currently just being used as a pass-through just for the additional Ethernet ports, but looks like it may have a VPN option of some sort).

OpenVPN can be installed on a dedicated computer or certain firewall/router devices that support it. I would have to check the specs on the Asus RT-N56U to see if VPN support is native or if you can run 3rd party firmware such as Tomato that would support VPN connections. But likely it can support VPN in some way. So you could have your CenturyLink router in bridge mode or bypass mode, where the public IP is passed thru the CenturyLink router to the next device in the chain, which would be your Asus RT-N56U. The Asus would then be your firewall.

So is a static IP NOT a requirement for VPN...if not, would DDNS be required, or how would the VPN handle it if \ when my provider changes the static IP the next time?

I read about people paying a bundle to get a static IP from their provider but never really understood why.


Sorry, prob asking too much "discovery information" here for this type of forum but my interest is piqued..Any further direction for additional research so I can put something secure into practice is appreciated.

Correct, a static IP address is NOT required for VPN.

DDNS is generally your best option when dealing with a VPN to a dynamic IP address. DDNS isn't perfect. If the DDNS provider you choose is offline you cannot connect. There can be periods of time after the IP address has changed before the DDNS system is updated; these are usually short, lasting only a few minutes at most, but you cannot connect during these windows.

A static IP address on the other hand never changes, and you can use traditional DNS for an entry like vpn.myhouse.com and it will work 24/7 and is cached in multiple DNS servers, so if any one DNS server is down you can still reach it. Plus you will often see companies that have multiple facilities with all of them on static IP addresses; this allows them to create permanent VPN tunnels between all the facilities with greatly increased security. Since they can specify that any given VPN connection always originates from only this IP address (1.2.3.4 for example) and always goes to this other IP address (4.3.2.1 for example) and in reverse, no other IP addresses can talk to those two VPN endpoints.
 
So how do you reach UDP 1194 from outside?

When you are connected with a VPN it is like you are plugged into the private home network, so there isn't any traffic restriction between your remote device and the camera system; in other words all communication across all ports is allowed, so you can talk to UDP 1194 or any other port you want.

If your home network was 192.168.0.x, for example, and say your camera system was 192.168.0.90, which is the address you would use to view your cameras while you are at home. If you go out into the world with your smart phone and connect with a VPN to your home network, you would use 192.168.0.90 to connect to your cameras because the VPN knows that the 192.168.0.x network is on the other end of the VPN, so it will forward any requests to that address range thru the VPN instead of the open Internet.
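The routing decision smoothie describes, as an added example that is not part of the thread: a small Python model of the phone's routing table with and without the VPN up, showing why 192.168.0.90 goes through the tunnel and what the home firewall actually sees from outside (only UDP 1194). Interface names, gateway addresses and the DDNS-resolved server address are constructed assumptions.

```python
import ipaddress

# Constructed split-tunnel setup: the phone keeps its cellular default route, and
# while the OpenVPN client is connected the server pushes a route for the home LAN
# via the tunnel interface. All names and addresses below are assumptions.
VPN_SERVER = "203.0.113.7"   # what the home DDNS hostname currently resolves to (constructed)
VPN_PORT = 1194              # OpenVPN's default UDP port, the only port the home firewall exposes

CELLULAR_ROUTES = [
    ("0.0.0.0/0", "rmnet0", "10.20.30.1"),     # carrier default route
]
VPN_ROUTES = [
    ("192.168.0.0/24", "tun0", "10.8.0.1"),    # home LAN, pushed by the VPN server
    ("10.8.0.0/24", "tun0", None),             # the tunnel's own subnet
]

def routes(vpn_connected: bool):
    return CELLULAR_ROUTES + (VPN_ROUTES if vpn_connected else [])

def lookup(dst: str, vpn_connected: bool):
    """Longest-prefix match over the active routes, the way a host kernel does it:
    the most specific matching prefix wins, so 192.168.0.90 takes the /24 via tun0
    rather than the /0 default. Returns (network, interface, gateway)."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, iface, gw in routes(vpn_connected):
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface, gw)
    return best

def on_the_wire(dst: str, dport: int, vpn_connected: bool):
    """Describe the packet the carrier (and the home firewall) actually see.
    Traffic routed via tun0 is encapsulated: the outer header is always
    phone -> VPN_SERVER:1194/udp and the inner camera address/port stay hidden."""
    _, iface, _ = lookup(dst, vpn_connected)
    if iface == "tun0":
        return {"outer_dst": VPN_SERVER, "outer_port": VPN_PORT, "proto": "udp",
                "inner_dst": dst, "inner_port": dport,
                "encrypted": True, "reachable": True}
    # No tunnel: the packet leaves as-is. An RFC 1918 camera address sent out the
    # carrier's default route is not routable on the open Internet, so without
    # the VPN (or a port forward) the camera is simply unreachable.
    private = ipaddress.ip_address(dst).is_private
    return {"outer_dst": dst, "outer_port": dport,
            "encrypted": False, "reachable": not private}
```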
 
Back when the Internet was first conceived computers were massive, few, and expensive, only large educational institutions, large corporations and Government agencies had computers. The base idea of the Internet was to get dissimilar systems to talk to each other. The idea that there would be malicious computers and a need to prevent systems talking to each other was beyond comprehension in that time period. TCP/IP, and thus by extension the Internet, was originally created to have open unrestricted communication. Only after the advent of the World Wide Web did the need for restricting the communication become an issue. In the same way that 18th Century Swedish steam engineer Gustaf de Laval could not have foreseen that his creation would be instrumental to Space Exploration, long range warfare, and putting Astronauts on the Moon and returning them safely to the Earth. The original idea of the Internet when compared to what it has evolved into in the modern day is astonishing.
 
I have them on a VLAN, I have lots of VLANs.. I even have one set up that only has access to Windows Update, guest samba access on my NAS, and a netboot install server, so when some family member brings me a nasty virus riddled Windows box I can put it on its own network, back up the pictures/documents and then nuke the damn thing from orbit... does not get used often but I am glad it's there when I do use it.. I call it the windows network, and it's always pitch black out those windows.
 
I also have an Asus RT-N56U router (currently just being used as a pass-through just for the additional Ethernet ports, but looks like it may have a VPN option of some sort).



Try this
https://www.asus.com/support/faq/1008713

I have the AC68P so mine is a little bit different than yours, but I used a similar tutorial to set mine up. It really wasn't hard once I figured out that I was setting up a VPN server and not a client, but that's another story.
This is the basic VPN setup. If you can get this up and running, try googling OpenVPN with that particular router. It offers more functionality.

I have them on a VLAN, I have lots of VLANs.. I even have one set up that only has access to Windows Update, guest samba access on my NAS, and a netboot install server, so when some family member brings me a nasty virus riddled Windows box I can put it on its own network, back up the pictures/documents and then nuke the damn thing from orbit... does not get used often but I am glad it's there when I do use it.. I call it the windows network, and it's always pitch black out those windows.
@nayr, at the risk of sounding ignorant, do you know of any online resources that explain VLAN setup relatively easily? I've looked around with Google and YouTube and as someone who isn't really network inclined, it's all pretty confusing. Maybe I'm just slow and need to take it all in and process it at my own pace, but you've mentioned it a few times and I'd like to do this if possible. I have a managed Cisco switch that does offer VLAN functionality.
 
Well, basically each port on your switch can be configured for VLANs in two ways.. tagged VLANs, and port VLANs..

Port VLAN: you basically assign the port to a specific VLAN, say ports 1-10 are VLAN 100, and ports 11-20 are VLAN 200.. that's all there is to it, now you have 2 separate networks.. nothing on ports 1-10 can directly communicate with anything on ports 11-20, it's like 2 separate switches now, and if you want traffic to transit both networks you need a router that's connected to both.. so it can route traffic from one subnet to the other.

Now for tagged VLANs, I will add VLAN 300 and VLAN 400 to port 10 configured as tagged.. it's still port-assigned to VLAN 100..

When I plug a computer/router into port 10, it will be on VLAN 100.. but I can go into the operating system on that computer/router and add VLAN tagged interfaces, and I set up 2 VLAN interfaces, one with the tag of 300 and the other with the tag of 400.. Now this computer has one port on the switch, and one network cable connecting it to it.. but it has 3 interfaces and access to 3 different LANs directly.

Most of the time you'll use port VLANs, but you might have a few devices that need access to more than one LAN.. like your router or fileserver, and then you use a combination of port and tagged VLANs on that.

That's about as simple as I can explain it this early in the morning, need more coffee.. it gets more complicated if you have more than one switch, as all the switches have to support VLANs and your trunks have to be tagged so a single uplink can be used for all the VLANs.

If you're going to break out into many subnets and VLANs, you need a powerful router to maintain GigE routing speeds.. ie, if you want GigE speeds from one subnet to another, it has to pass through your router.. and few consumer ones are remotely capable of routing at these speeds, because you don't have GigE internet access.. this is why I use the Ubiquiti EdgeRouter; it can route traffic across GigE networks without choking.
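An added example (not from the thread) that models the switch behaviour nayr describes in Python: ports 1-10 untagged in VLAN 100, ports 11-20 untagged in VLAN 200, port 10 also carrying VLANs 300 and 400 tagged, plus, as an extra assumption so a VLAN 300 frame has somewhere to go, ports 21-22 untagged in VLAN 300. It parses the 802.1Q tag from a raw Ethernet frame and works out which ports a broadcast arriving on a given port can reach, which is the isolation the post is about.

```python
import struct

# Constructed switch configuration following the post. Ports 21-22 in VLAN 300
# are an added assumption; the rest of the numbers are the post's own.
PVID = {p: 100 for p in range(1, 11)}        # untagged (port) VLAN per port
PVID.update({p: 200 for p in range(11, 21)})
PVID.update({21: 300, 22: 300})
TAGGED = {10: {300, 400}}                    # extra VLANs carried tagged per port

TPID_8021Q = 0x8100                          # EtherType that announces a VLAN tag

def parse_frame(frame: bytes):
    """Return (dst_mac, src_mac, vid_or_None, ethertype) for a raw Ethernet frame."""
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    vid = None
    if ethertype == TPID_8021Q:
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vid = tci & 0x0FFF                   # low 12 bits of the TCI; PCP/DEI sit above
    return dst, src, vid, ethertype

def ingress_vlan(port: int, frame: bytes):
    """Which VLAN a frame belongs to on arrival at 'port', or None if it is dropped."""
    _, _, vid, _ = parse_frame(frame)
    if vid is None:
        return PVID[port]                    # untagged: the port's own VLAN
    if vid in TAGGED.get(port, set()):
        return vid                           # tagged with a VLAN this port carries
    return None                              # tagged with a VLAN it does not carry: drop

def members(vlan: int):
    """All ports that belong to 'vlan', whether untagged or tagged."""
    return ({p for p, v in PVID.items() if v == vlan}
            | {p for p, vs in TAGGED.items() if vlan in vs})

def flood_ports(port: int, frame: bytes):
    """Ports a broadcast arriving on 'port' is forwarded to: same VLAN only.
    Ports 1-10 (VLAN 100) and 11-20 (VLAN 200) never see each other's frames."""
    vlan = ingress_vlan(port, frame)
    return set() if vlan is None else members(vlan) - {port}

def build_broadcast(vid=None):
    """Constructed broadcast frame (ARP EtherType, dummy payload), tagged if vid is given."""
    hdr = b"\xff" * 6 + bytes.fromhex("020000000001")    # broadcast dst, locally administered src
    if vid is not None:
        hdr += struct.pack("!HH", TPID_8021Q, vid)         # TCI with PCP=0, DEI=0
    return hdr + struct.pack("!H", 0x0806) + b"\x00" * 28
```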
 