When is Port Forwarding Safe? What devices/programs/apps or Never?

wittaj

IPCT Contributor
So we get quite a few posts every month about someone thinking they have been hacked, or someone not understanding the vulnerabilities with allowing their cameras on the internet. I searched here and couldn't find that "one thread" that we could point people to or have them find in a search, so I thought if we had a thread we could simply point them to, it might save a lot of the same things being typed when people come here looking for advice.

Yes I understand we have the WIKIs on not getting hacked and VPN, but to the total newbie I am sure the WIKI is not enough information to be useful to them and, let's face it, most don't start there unfortunately.

So here is the WIKI on not getting hacked:


So let's have our experts chime in and when/if it is ever safe to port forward. The internet is full of information and a lot of it is wrong. Here is the top page that comes up when I typed in "when is port forwarding safe" in a browser:

Is Portforwarding Safe

And that webpage and many others all come up saying port forwarding for cameras is safe, yet I do not believe many on this site agree with that.

So when is it safe - Xbox and other gaming units? I couldn't find a single page on the internet that said that is an issue. Other applications you are trying to run?

If there is a case where port forwarding is needed, what steps does someone need to take to keep their system safe?
 

Lennyz1988

n3wb
Yes, the safest solution is probably using a VPN. But it's not user-friendly.

I don't think it's that unsafe to port forward the RTSP stream of your camera. You don't want to port forward other services from your camera. The main problem is that most cameras won't get updated for more than a few years. After that any security vulnerability won't get fixed and that's bad.

A better solution would be to put any webservice behind an Nginx reverse proxy and use SSL to encrypt it. You could use a docker image for that. Setting it up is not that hard. You get a more secure setup and Nginx is getting updated regularly.
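Added example, not from Lennyz1988's post or from any project's shipped config: an Nginx site definition that puts a camera's web UI behind TLS and a second gate. It assumes the camera UI is at http://192.168.10.20/, the public name is cam.example.com, the server certificate comes from certbot, and a private CA at /etc/nginx/cam-client-ca.pem has issued client certificates to the phones and laptops that are allowed in. The router forwards TCP 443 to the Nginx host only; nothing is forwarded to the camera. This covers the HTTP UI only; an RTSP stream is not HTTP and gets no protection from it.

```nginx
# Added example (not from the thread). Assumptions: camera web UI at http://192.168.10.20/,
# public name cam.example.com, server certificate from certbot, and a private CA
# (/etc/nginx/cam-client-ca.pem) whose client certificates are installed on the devices
# that may connect. The router forwards TCP 443 to this host and nothing else.

limit_req_zone $binary_remote_addr zone=cam:10m rate=5r/s;

# Catch-all: anything that arrives by bare IP or with a wrong name never gets a TLS
# session, so a scanner hitting the forwarded port has nothing to fingerprint (nginx 1.19.4+).
server {
    listen 443 ssl default_server;
    ssl_reject_handshake on;
}

server {
    listen 443 ssl;
    server_name cam.example.com;

    ssl_certificate     /etc/letsencrypt/live/cam.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/cam.example.com/privkey.pem;
    ssl_protocols       TLSv1.2 TLSv1.3;

    # Second gate in front of the camera's own login: mutual TLS. A client without a
    # certificate from our CA fails the handshake; no request of theirs reaches the camera.
    ssl_client_certificate /etc/nginx/cam-client-ca.pem;
    ssl_verify_client      on;
    ssl_verify_depth       1;

    # Optional third gate: only from networks you actually use (uncomment and adjust)
    # allow 203.0.113.0/24;
    # deny  all;

    limit_req zone=cam burst=20 nodelay;    # slows down anyone hammering the login

    location / {
        proxy_pass         http://192.168.10.20/;
        proxy_http_version 1.1;
        proxy_set_header   Host $host;
        proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header   X-Forwarded-Proto https;
        proxy_read_timeout 60s;
    }
}
```

Check it with `nginx -t` before reloading. Obtain the server certificate with certbot's DNS-01 challenge so nothing on port 80 has to be forwarded. If client certificates are too much for your users, an IP allow list plus `auth_basic` is the fallback, with one caveat: `auth_basic` does not compose with cameras whose UI itself uses HTTP Basic or Digest authentication, because both layers fight over the same Authorization header.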
 
Joined
Aug 8, 2018
Messages
7,386
Reaction score
25,889
Location
Spring, Texas
And that webpage and many others all come up saying port forwarding for cameras is safe,
Of course they say it is safe. They SELL software to help you port forward:

"We sell software on this site that is designed to setup a port forward in your computer. Our software is called PFConfig and it's a part of the Port Forward Network Utilities software package. As long as you download the software from this site then it is safe."

That site has a vested interest in getting people to use port forwarding. So they only talk about a certain what if..."... Worst case scenario is that people will be able to see your video feed. As long as you setup a password in the device then you are secure even with a port forward." But of course they fail to mention that most cams have documented security vulnerabilities, have been used as bots in DDoS attacks, and can be used to get into your network if those vulnerabilities, both known and yet to be found, are exploited.
 

wittaj

IPCT Contributor
But what about the many sites that are not selling a service like whatismyipaddress.com

"Port forwarding is an excellent way to preserve public IP addresses. It can protect servers and clients from unwanted access, "hide" the services and servers available on a network, and limit access to and from a network. Port forwarding is transparent to the end user and adds an extra layer of security to networks.

In short, port forwarding is used to keep unwanted traffic off networks. It allows network administrators to use one IP address for all external communications on the Internet while dedicating multiple servers with different IPs and ports to the task internally. Port forwarding is useful for home network users who may wish to run a Web server or gaming server on one network."
 

sebastiantombs

Known around here
Port forwarding is useful for home network users who may wish to run a Web server or gaming server on one network.

If you need to have a web or gaming server and feel confident enough to be able to secure it properly it could, and I stress the word "could", be OK. In short P2P is like leaving the front door of your house open and a sign on the lawn saying "Open House" at the curb. Scans are constantly going on looking for P2P devices and hijacks are a dime a dozen as a result, passwords notwithstanding.
 

wittaj

IPCT Contributor
For what we do and protecting our cams, yes VPN is a solution that works and is what I do and recommend, but what about something like an Xbox needing to be port-forwarded or AT&T telling people for wifi calling to work that some may have to open or forward ports to work. VPN isn't going to help that situation.

Port forwarding is useful for home network users who may wish to run a Web server or gaming server on one network.

If you need to have a web or gaming server and feel confident enough to be able to secure it properly it could, and I stress the word "could", be OK. In short P2P is like leaving the front door of your house open and a sign on the lawn saying "Open House" at the curb. Scans are constantly going on looking for P2P devices and hijacks are a dime a dozen as a result, passwords notwithstanding.
So is it the P2P that is the main issue? What else would you do to secure a web or gaming server that needs a port forwarded?

What about some github utilities out there that provide improved functionality of something like AI or plate recognizing that require a port forwarded - do we avoid them or what should someone do to minimize risk?
 

bp2008

Staff member
But what about the many sites that are not selling a service like whatismyipaddress.com

"Port forwarding is an excellent way to preserve public IP addresses. It can protect servers and clients from unwanted access, "hide" the services and servers available on a network, and limit access to and from a network. Port forwarding is transparent to the end user and adds an extra layer of security to networks.

In short, port forwarding is used to keep unwanted traffic off networks. It allows network administrators to use one IP address for all external communications on the Internet while dedicating multiple servers with different IPs and ports to the task internally. Port forwarding is useful for home network users who may wish to run a Web server or gaming server on one network."
It sounds like they are describing NAT routing. Not port forwarding.
 

fenderman

Staff member
But what about the many sites that are not selling a service like whatismyipaddress.com

"Port forwarding is an excellent way to preserve public IP addresses. It can protect servers and clients from unwanted access, "hide" the services and servers available on a network, and limit access to and from a network. Port forwarding is transparent to the end user and adds an extra layer of security to networks.

In short, port forwarding is used to keep unwanted traffic off networks. It allows network administrators to use one IP address for all external communications on the Internet while dedicating multiple servers with different IPs and ports to the task internally. Port forwarding is useful for home network users who may wish to run a Web server or gaming server on one network."
This is just a plain lie. An outright fabrication and fraud. Port forwarding does nothing to hide services, it exposes them. They are twisting the facts to fit their narrative. They are comparing port forwarding vs completely opening your device to the internet like with DMZ. They should be comparing port forwarding to using a more secure method.
Here is an example of what they are saying. Unlocking only one door in your house rather than leaving all the doors and windows open, makes it safer and adds an extra layer of security. What a farce.
 

wittaj

IPCT Contributor
This is just a plain lie. An outright fabrication and fraud. Port forwarding does nothing to hide services, it exposes them. They are twisting the facts to fit their narrative. They are comparing port forwarding vs completely opening your device to the internet like with DMZ. They should be comparing port forwarding to using a more secure method.
Here is an example of what they are saying. Unlocking only one door in your house rather than leaving all the doors and windows open, makes it safer and adds an extra layer of security. What a farce.
I totally agree - I was shocked when I came across that site. But unfortunately, I am finding that almost every search on this topic is saying some variation of that, or is basically plagiarizing what was said on some other site that it is generally a safe method. So I totally see how a total newbie can go down that path very easily as we saw in the most recent thread where someone thought they were hacked.

Don't get me wrong, I am running OpenVPN and have no intent or desire to port forward for my cameras! I am trying to have a thread like @mat200 has for reolinks that we point people to when they come here asking for advice. And have it cover more than just cameras and NVRs.

But when is safe, if at all? For example, my roommate just switched to AT&T and the wifi calling isn't working here and their tech support said we need to port forward in the router. For kicks I took an old router laying around and didn't connect anything to it but the modem and did a quick port forward and the wifi calling started working. So it does appear in certain cases that some may need to port forward. I told the roommate to look for another provider lol as I am not forwarding ports.

And what about the many applications being developed by folks using AI engines for their cameras that could be useful but require a port forward - is it safe? I think we will start to see more questions like that on this site.
 

bp2008

Staff member
It is naive to believe anything is unhackable, and no network service is truly 100% safe to forward a port to. Not even a VPN server. You should always measure the risk versus reward.

Lots of vulnerabilities in RTSP servers of various cameras have been publicly documented, and IP cameras in general are notorious for having cybersecurity problems (which usually never get fixed because they require firmware updates) and cameras get hacked all the time, so I wouldn't forward any port to an IP camera unless I had a really good reason to.

Blue Iris's web server on the other hand does not have such a long history of known vulnerabilities, and in the rare event that a security problem is identified, Ken fixes it quickly. Here's one such example. Forwarding a port to Blue Iris's web server is a risk I'm willing to take, particularly on systems where I keep the software relatively up-to-date.

VPN servers are designed with cybersecurity as a top priority, so they are generally among the safest things to expose (if configured properly).
 

biggen

Known around here
It really depends on what you are forwarding to. A camera shouldn't be forwarded to because their track record for security is really poor. But port forwarding to a web server if you are hosting a public website is going to be much safer since that server's purpose is to be a forward-facing endpoint. It's designed to be more hardened because of this. If it's open source, then that's even better because the code is available for review to anyone and there can't be any hidden "backdoors" since it's vetted by the public.

It's still not a bad idea to put public-facing endpoints in a DMZ or segregated VLAN if you want to take even extra precautions. That way if an attacker was able to compromise the service and gain some type of console access, they would be locked into that walled-off subnet/VLAN which should have firewall rules set up to not allow traffic out of that area except back to the internet. In other words, no access to your other subnets/VLANs from that DMZ.
 
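Added example, not from biggen's post: an nftables ruleset for a Linux router that implements the walled-off DMZ described above. Assumed layout: wan0 faces the internet, lan0 is the trusted 192.168.1.0/24, dmz0 is 192.168.100.0/24, and the one exposed service is TCP 443 on the DMZ host 192.168.100.10. The DMZ host can reach the internet and answer connections the LAN opens to it, but cannot start anything toward the LAN or the router itself (DNS excepted), and every attempt to do so is logged.

```nft
#!/usr/sbin/nft -f
# Added example (not from the thread). Assumptions: Linux router with interfaces
# wan0 (internet), lan0 (192.168.1.0/24, trusted) and dmz0 (192.168.100.0/24);
# the only public-facing service is TCP 443 on the DMZ host 192.168.100.10.
flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        iif "lo" accept
        # the DMZ host may use the router for DNS and nothing else (no SSH, no web UI)
        iif "dmz0" udp dport 53 accept
        iif "dmz0" log prefix "dmz-to-router " drop
        # the trusted LAN may manage the router
        iif "lan0" accept
        # everything arriving on wan0 that is not a reply is dropped by the policy
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        iif "lan0" oif "wan0" accept        # LAN may reach the internet
        iif "lan0" oif "dmz0" accept        # LAN may open connections to the DMZ host
        iif "dmz0" oif "wan0" accept        # DMZ may reach the internet (updates, etc.)
        # the one forwarded service: new connections from WAN to the DMZ host, TCP 443 only
        # (DNAT below has already rewritten the destination when this chain runs)
        iif "wan0" oif "dmz0" ip daddr 192.168.100.10 tcp dport 443 ct state new accept
        # anything the DMZ tries to start toward the LAN is logged and dropped
        iif "dmz0" oif "lan0" log prefix "dmz-to-lan " drop
    }
}

table ip nat {
    chain prerouting {
        type nat hook prerouting priority -100;
        iif "wan0" tcp dport 443 dnat to 192.168.100.10
    }
    chain postrouting {
        type nat hook postrouting priority 100;
        oif "wan0" masquerade
    }
}
```

Syntax-check with `nft -c -f dmz.nft`, load with `nft -f dmz.nft`, then from the DMZ host confirm that a connection to any 192.168.1.x address times out and shows up in the router's kernel log with the `dmz-to-lan` prefix. If the DMZ host is ever compromised through the forwarded service, those log lines are also the first sign of it trying to move sideways.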

alastairstevenson

Staff member
I searched here and couldn't find one thread that we could point people to
Here is a practical example of the potential consequences of exposing a Hikvision camera to the internet :
 

wittaj

IPCT Contributor
@alastairstevenson - yeah, I edited my post for more clarity after seeing how you interpreted what I said. I meant to imply to have that "one thread" that we could point a newbie to with all the reasons. I am aware that there are threads here regarding the backdoors and other vulnerabilities, so thanks for adding this to the thread as it helps keep all this in that "one thread" we can point people to!
 

wittaj

IPCT Contributor
It really depends on what you are forwarding to. A camera shouldn't be forwarded to because their track record for security is really poor. But port forwarding to a web server if you are hosting a public website is going to be much safer since that server's purpose is to be a forward-facing endpoint. It's designed to be more hardened because of this. If it's open source, then that's even better because the code is available for review to anyone and there can't be any hidden "backdoors" since it's vetted by the public.

It's still not a bad idea to put public-facing endpoints in a DMZ or segregated VLAN if you want to take even extra precautions. That way if an attacker was able to compromise the service and gain some type of console access, they would be locked into that walled-off subnet/VLAN which should have firewall rules set up to not allow traffic out of that area except back to the internet. In other words, no access to your other subnets/VLANs from that DMZ.
So is having a port forwarded on the router for wifi calling to work acceptable for my housemate's iphone? Regardless, I am leaning towards saying go to another provider or don't use wifi calling!
 

biggen

Known around here
So is having a port forwarded on the router for wifi calling to work acceptable for my housemate's iphone? Regardless, I am leaning towards saying go to another provider or don't use wifi calling!
Wifi calling shouldn't require any port forwarding into your network. Where would you forward to? Link me to the device he is using.
 

mat200

IPCT Contributor
Q: "When is Port Forwarding Safe? What devices/programs/apps or Never?"

A: If you have to ask this question, then the answer is "Don't",

Seriously.

Just like asking when is it safe to leave my car door unlocked in the worst neighborhood in the world.

Answer to that depends on the guards you have on duty vs the tools the attackers are going to use - and what is the value of the car or stuff in the car.
As you can see it gets complex, so the easy answer is don't leave the car door unlocked.

Hint: Application firewall = one type of guard for your doors... remember to always check the logs
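Added example, not code from the thread: what "always check the logs" can look like for a web service sitting behind a forwarded port. The log lines are constructed for the example in nginx's default combined format, and the threshold is an arbitrary starting value rather than a rule from the thread. The script groups requests by source address and reports sources that pile up 401/403 responses (password guessing against the proxy's login) or that ask for paths the service never serves (mass scanners working through the forwarded port).

```python
"""Added example (not from the thread): triage of an access log behind a forwarded port.
The sample log lines are constructed; the paths in PROBE_PATHS are typical scanner
targets and the threshold is a starting value to tune, not an established rule."""
import re
from collections import defaultdict

# nginx "combined" log format
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Paths this service never serves; a request for one is almost always automated scanning
PROBE_PATHS = ("/wp-login.php", "/.env", "/HNAP1", "/cgi-bin/", "/boaform/", "/phpmyadmin")

# Constructed sample: one password guesser, one scanner, one legitimate user
SAMPLE_LOG = """\
203.0.113.7 - - [12/Jan/2021:10:00:01 +0000] "GET / HTTP/1.1" 401 179 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Jan/2021:10:00:02 +0000] "GET / HTTP/1.1" 401 179 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Jan/2021:10:00:02 +0000] "GET / HTTP/1.1" 401 179 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Jan/2021:10:00:03 +0000] "GET / HTTP/1.1" 401 179 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Jan/2021:10:00:03 +0000] "GET / HTTP/1.1" 401 179 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Jan/2021:10:00:04 +0000] "GET / HTTP/1.1" 401 179 "-" "Mozilla/5.0"
198.51.100.23 - - [12/Jan/2021:10:05:11 +0000] "GET /HNAP1/ HTTP/1.1" 404 153 "-" "Hello"
198.51.100.23 - - [12/Jan/2021:10:05:12 +0000] "GET /.env HTTP/1.1" 404 153 "-" "python-requests/2.25"
192.0.2.10 - - [12/Jan/2021:10:07:00 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.10 - - [12/Jan/2021:10:07:01 +0000] "GET /doc/page/login.asp HTTP/1.1" 200 2201 "https://cam.example.com/" "Mozilla/5.0"
"""


def parse(lines):
    """Yield one dict per well-formed combined-format line; malformed lines are skipped."""
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["status"] = int(rec["status"])
            yield rec


def triage(lines, auth_fail_threshold=5):
    """Return {ip: {"requests": n, "auth_failures": n, "probes": [paths]}} for every
    source that reached the auth-failure threshold or requested a known probe path."""
    stats = defaultdict(lambda: {"requests": 0, "auth_failures": 0, "probes": []})
    for rec in parse(lines):
        s = stats[rec["ip"]]
        s["requests"] += 1
        if rec["status"] in (401, 403):
            s["auth_failures"] += 1
        if any(rec["path"].startswith(p) for p in PROBE_PATHS):
            s["probes"].append(rec["path"])
    return {
        ip: s for ip, s in stats.items()
        if s["auth_failures"] >= auth_fail_threshold or s["probes"]
    }


if __name__ == "__main__":
    import sys
    # With a path argument, read a real log; otherwise run over the constructed sample
    lines = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_LOG.splitlines()
    for ip, s in triage(lines).items():
        print(f"{ip}: {s['requests']} requests, {s['auth_failures']} auth failures, "
              f"probes={s['probes']}")
```

Run it as `python3 triage.py /var/log/nginx/access.log` on the real log; the sources it prints are the ones to block at the router or the application firewall, and a steady stream of them is the normal background of any forwarded port.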
 

wittaj

IPCT Contributor
Wifi calling shouldn't' require any port forwarding into your network. Where would you forward to? Link me to the device he is using.
When I did it on the old router that had been factory reset so that nothing accidentally connected to it, I went into the port forward section and put in the iPhone's IP address and then the ports that AT&T said to forward, and wifi calling worked. Turn off the port forward and wifi calling turned off.
 

biggen

Known around here
That is odd and I’ve never seen that before.

Years ago when I had shitty Sprint and had to use wifi calling I didn’t have to forward anything. If the phone was on wifi, calls came in and out normal. I could go into restaurants, hotels, etc and still use wifi calling. None of those places would have forwarded anything to my phone.

I could see having to open some outgoing ports/IPs in a corporate firewall that was locked down to prevent employees from accessing Facebook, YouTube, etc... to allow the phone to connect to the external servers it needs to announce it's on wifi. But I can't imagine you'd have to port forward toward a phone. That would mean you would have to set up a static IP address for every wifi phone on the network. That would be unmanageable.

I'd not try to do that again first and see if it works.
 

wittaj

IPCT Contributor
@biggen Oh I agree and AT&T said it is sometimes router specific (or they could just be saying that). But I know the housemate's phone connects to other wifi networks and wifi calling works just fine, but here it only works when I go in and port forward the ports they say. The router only has a port forward option, so I guess maybe this is just opening the ports instead of port forwarding, but I would think that is basically one and the same?

From their link they sent:

Data ports must be open
Routers can be set to block traffic using certain ports. Ports 500, 4500, and 143 as shown in the table below are used to communicate to the AT&T network and must be open. Port blocking is sometimes implemented in the form of access lists.

Data ports
Port   TCP or UDP   Service or protocol name                  RFC    Service name
500    UDP          Wi-Fi Calling                             5996   IKEv2
4500   UDP          Wi-Fi Calling                             5996   IKEv2
143    TCP          Internet Message Access Protocol (IMAP)   3501   imap
 