
I was reading this to understand Port Forwarding and what it is used for. Though the thread very clearly explains what Port Forwarding is, wouldn't setting up a port on the router to forward all the requests to a computer on the network make that particular computer vulnerable?

The thread touches upon it briefly:

"[...]you lose that layer of security for that computer: it is now completely open to incoming connections from the internet, so you need to secure it as if it was directly connected. Of course, any time you forward a port, the computer at the receiving end becomes vulnerable on that specific port. So make sure you run up-to-date software that is well configured."

How can security be ensured in such a case because as far as I know all security tools such as Firewall etc. are to be set up on the router?

akellas
  • As your article pointed out, Port Forwarding reduces security from the outside. If you are trying to access your own systems from a remote location, then use a commercial VPN (IPsec VPN) to secure it. That is what I do and it has been in place for some years now. – John Apr 11 '20 at 00:41
  • Your ellipses hide that it was talking about something a bit more extreme than regular port forwarding: "**You should keep in mind, then, that by DMZing a computer inside your network (setting it as the DMZ destination)** you lose that layer of security for that computer:" I have put in bold the part you snipped out from the quote. – barlop Apr 11 '20 at 00:46
  • You can have a firewall device between router and computer, and also a firewall at the router could limit what IPs can connect. And a software firewall can restrict IPs too. And any firewall can do packet filtering. – barlop Apr 11 '20 at 00:48

1 Answer

Wouldn't setting up a port on the router to forward all the requests to a computer on the network make that particular computer vulnerable?

In the strictest sense, but effectively only on that port (assuming you're speaking about genuine port forwarding and not generally insecure home router "DMZ" settings). This is where the security of the software listening on that port comes in. Assuming the software is configured correctly and doesn't have any unpatched vulnerabilities (bugs) for an attacker to exploit, it's likely relatively safe to expose that port/device.

"[...]you lose that layer of security for that computer: it is now completely open to incoming connections from the internet, so you need to secure it as if it was directly connected.

As already pointed out in the comments, this part is not in regards to typical port forwarding (where a single or very specific range of ports is specified to be forwarded) but home router "DMZ" settings. "Port forwarding" generally filters all requests that aren't specifically sent to the forwarded ports whereas the "DMZ" settings typically forward all connections period, with no filtering, etc. whatsoever. Think of the difference as like unlocking your front door and sitting next to it versus leaving every door and window in your home unlocked and wide open while you're on vacation.

Of course, any time you forward a port, the computer at the receiving end becomes vulnerable on that specific port. So make sure you run up-to-date software that is well configured."

Keeping software up to date and well-configured means the vulnerabilities an attacker might exploit (as mentioned in the first paragraph of this answer) are patched in updates or are otherwise unavailable and thus are ideally no longer usable for gaining access to the remote system.

How can security be ensured in such a case because as far as I know all security tools such as firewalls, etc. are set up on the router?

Beyond correct software configuration and security patches, firewalls, etc. can also live either on the receiving PC itself (think Windows firewall) or even on a dedicated e.g. firewall device between the router and the PC (so the router would actually forward to this device, then the device would pass the filtered connection(s) along to the server). While certainly not the only example of this kind of thing, Sophos UTM Home is an example of software you can install on a dedicated device (e.g. an old PC) to provide this kind of security.

Anaksunaman
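The layering this answer describes (router port forwarding versus a "DMZ" setting, with an optional host firewall behind it) can be modelled as follows. This is an added example, not code from the original post; the listening services, ports and addresses (documentation ranges) are constructed for illustration.

```python
import ipaddress

# Constructed sample: services listening on the internal PC (port -> name).
LISTENING = {22: "ssh", 445: "smb", 8080: "web-app"}

def router_forwards(port, forwarded_ports, dmz=False):
    """Router stage: a DMZ host receives every port; port forwarding
    passes only the ports explicitly listed and drops the rest."""
    return dmz or port in forwarded_ports

def host_allows(src_ip, port, host_rules):
    """Host firewall stage (default deny): allow only if the source
    address falls inside a CIDR block allowed for that port."""
    src = ipaddress.ip_address(src_ip)
    return any(src in ipaddress.ip_network(cidr)
               for cidr in host_rules.get(port, []))

def reachable(src_ip, port, forwarded_ports, dmz=False, host_rules=None):
    """True if an inbound connection from src_ip reaches a listening service."""
    if port not in LISTENING:
        return False                      # nothing listening on that port
    if not router_forwards(port, forwarded_ports, dmz):
        return False                      # dropped at the router
    if host_rules is None:
        return True                       # no host firewall behind the router
    return host_allows(src_ip, port, host_rules)

def exposed_services(src_ip, forwarded_ports, dmz=False, host_rules=None):
    """Names of the services an internet host at src_ip can connect to."""
    return sorted(name for port, name in LISTENING.items()
                  if reachable(src_ip, port, forwarded_ports, dmz, host_rules))

if __name__ == "__main__":
    anyone, trusted = "198.51.100.7", "203.0.113.10"
    rules = {8080: ["203.0.113.0/24"]}    # host firewall: web-app from one range
    print("forward 8080:        ", exposed_services(anyone, {8080}))
    print("DMZ, no host fw:     ", exposed_services(anyone, set(), dmz=True))
    print("forward + host fw:   ", exposed_services(anyone, {8080}, host_rules=rules))
    print("forward + fw, trusted", exposed_services(trusted, {8080}, host_rules=rules))
    print("DMZ + host fw:       ", exposed_services(trusted, set(), dmz=True, host_rules=rules))
```
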