Stunnel?

MrRouter (n3wb, joined Jan 21, 2019, 10 messages, 0 reaction score, USA):
So since doing my research on proper home surveillance networking setups, I've come across several articles that mention the dangers of port forwarding. I believe the use of stunnel requires port forwarding. Is this something that should be concerning? Is the recommendation that port forwarding is safe in this instance since stunnel is being used to encrypt traffic, or should it be avoided? Any thoughts?
 

Steven4x4 (Young grasshopper, joined Apr 22, 2017, 35 messages, 12 reaction score):
Let's start with some basic concepts.

Port forwarding is a two-part thing.

First, what is a port?
Think of your network like a house, a fully steel building.
Nothing is getting through that steel building, but now you want to add a door or a window.
These are now ports into your house. The port is only as secure as the layer of security you've applied to it: a glass door vs. a steel door.

So, by default, your router / firewall is configured to have no ports open, so to speak.
So when you open a port, you are allowing traffic into your network.
You want to make sure that traffic is going where you intend it (port forwarding, more on that in a second)
and that the transmission is secure.

2 scenarios:
We all know Blue Iris runs on port 80, HTTP unencrypted traffic.
You can use other ports, but the bottom line is the traffic is unencrypted.
This allows people to use tools like Wireshark on a shared network to analyze your unencrypted traffic and capture your credentials.
Which is why you want to use an SSL cert to encrypt your traffic (HTTPS), which is commonly used on port 443; you can use any port you want.

Well, a real and typical web server, like Apache, Nginx and IIS, has the ability for you to configure self-signed or third-party signed certificates.
However, Blue Iris's built-in web server does not have this capability.

So, the recommended option has been to utilize stunnel to encrypt your traffic over 443 and re-route it back to port 80 locally.

There are other options. I use a Sophos UTM firewall in a VM. This has a feature to utilize my firewall's SSL connection to route traffic to Blue Iris.
It can have its flaws too.

The other option would be to run a reverse proxy locally on the server using one of the above-mentioned web servers and re-route the traffic that way, but it's a bit of a learning curve.

So, some other key points.
Whenever you have a port open, anyone can knock on the door, and yes, they will knock. I have over 20K hits a day from places all over the world.
So, if you have weak passwords, they will keep knocking with different passwords until one opens the door, so make sure they are strong and different from any other passwords.
Secondly, hackers scan for common ports like 443 and 80, so if you want to be more secure, you could use a different random port in the higher ranges, say 57321,
something that is far from common.
Keep in mind though, certain wireless networks will block people from utilizing those ports... so you might not be able to connect from everywhere unless you were on the cell network.

Lastly, you could keep most of it closed and access your network through a VPN. Then connect to Blue Iris; again, more configuration, but not too bad.

And finally, port forwarding is really just the redirection of an open port.
You can open port 1234 on your router, but the router has nothing running on port 1234, thus you port forward to route port 1234 to your Blue Iris server, where you've configured stunnel to run on port 1234...

It's a lot to digest, so let me know if you have any further questions.
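The stunnel service definition that matches the setup described in this post (one TLS listener on the Blue Iris machine, re-routed to the plaintext web server on local port 80, with the router forwarding a single public port to that listener), written out as an added example; it is not from the post, nor from the stunnel or Blue Iris projects. The service name `blueiris`, the log file name, the certificate file name and listening on port 443 are assumptions; Blue Iris is assumed to listen on 127.0.0.1:80 as the post describes.

```ini
; stunnel.conf -- added example, not taken from the post or the stunnel project.
; Terminates TLS on this machine and hands plaintext HTTP to Blue Iris,
; which is assumed to listen on 127.0.0.1:80.

; --- global options ---
; Moderate logging to a file so rejected handshakes and the source of the
; "knocks" on the open port are visible (file name is an assumption).
debug = 4
output = stunnel.log

; Refuse legacy protocol versions (option available in stunnel 5.x).
sslVersionMin = TLSv1.2
; Limit TLS 1.2 suites to forward-secret AEAD ciphers (OpenSSL cipher list).
ciphers = ECDHE+AESGCM:ECDHE+CHACHA20

; --- service: Blue Iris web UI ---
[blueiris]
; Listen for TLS on port 443 on every interface of this machine. On the
; router, forward whichever public port you pick (443, or an uncommon one
; such as 57321) to this machine's port 443. Port 80 is never forwarded.
accept = 0.0.0.0:443
; Deliver the decrypted traffic to the local Blue Iris listener only.
connect = 127.0.0.1:80
; Server certificate plus private key in one PEM file, kept in the stunnel
; config directory (file name is an assumption).
cert = stunnel.pem
```

With this in place the only service reachable from the internet is the TLS listener; the browser talks HTTPS to stunnel, and the plaintext HTTP leg exists only between stunnel and Blue Iris on the same host. The tunnel protects the credentials in transit and nothing more: the "knocking" the post describes still reaches the Blue Iris login through the tunnel, so the strong, unique password advice above still applies, and the stunnel log is the place to watch for it.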
 

MrRouter (n3wb, joined Jan 21, 2019, 10 messages, 0 reaction score, USA):
Thank you very much for all of that information, that is definitely most helpful!

I'm running OpenVPN on my router so I can connect back to my home network while away. I would be accessing the Blue Iris web server (HTTP). Would you say that it is safer to run just the VPN, or the VPN with stunnel (opening ports like you mentioned above)?
The reason I ask is because I've read through nayr's VPN Primer for n00bs thread and he explicitly says not to port forward, but at the same time the video feed is not encrypted when viewing from the web server while I am away from home.
 

Steven4x4 (Young grasshopper, joined Apr 22, 2017, 35 messages, 12 reaction score):
Well, it'd be interesting to see if the traffic through the VPN is encrypted all the way through the Blue Iris login.
I can see where it could and also where it couldn't; this is something I'd definitely have to look into, and I don't think I will have the time for quite a while (maybe someone else knows).
But put it this way: at the very least, your VPN has secured the connection to your internal network.

So, when you access Blue Iris at home (locally via Wi-Fi or LAN), do you believe that your internal network is secure enough that you don't have to worry about people using Wireshark to sniff out traffic on your own network?
Because, if you are connecting to Blue Iris from inside of your network, the login is also not secure, because those credentials could be exposed to someone on your same network.
If you are not worried about that, then you don't need stunnel; if you do, then you need stunnel.
 

fenderman (Staff member, joined Mar 9, 2014, 36,901 messages, 21,270 reaction score):
If you are worried that someone has internal access to your network, you are screwed, stunnel or not.
 

MrRouter (n3wb, joined Jan 21, 2019, 10 messages, 0 reaction score, USA):
Okay, great. I would like to think that the home network is secure, so I would not really need stunnel in that case. Thanks for your input! That helps address some of the concerns I had.
 