
Security

Of course, you didn't think that all this good stuff came free, did you? Any time you open your network, you create security problems. The main vulnerability created by port forwarding is that it allows unchecked traffic to be passed to internal computers, which is antithetical to the job that a firewall is supposed to be performing:

  • The firewall is supposed to stop direct communication between the outside world and computers on your internal network, and to assure that all traffic is validated and passed through a specific host. A firewall should not allow fragments, or traffic that has "invalid addresses." Invalid addresses include the internal addresses covered in RFC1918, Address Allocation for Private Internets, such as the 192.168.x.x and 10.x.x.x subnets. A port-forwarding host does exactly what the firewall is meant to prevent: It forwards traffic on specific ports to specific ports on specific hosts inside the firewall. This is therefore inherently insecure.

  • A proxy, or in this case a reverse proxy, would normally terminate the incoming client connection at itself. It would then build a new connection on behalf of the client to the internal resource. The remote host (or attacker) never has direct network access to the internal box.
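The ingress rules just described, as an added example (not code from the original article): a small model of the external interface of a port-forwarding host that drops fragments and packets claiming an RFC1918 source, and otherwise hands any packet for a forwarded port straight to the mapped internal host with no further inspection, which is precisely the "unchecked traffic" problem. The forwarding table, host addresses and sample packets are constructed for illustration.

```python
import ipaddress
from collections import Counter
from dataclasses import dataclass

# RFC1918 ranges. A packet arriving on the *external* interface with one of
# these as its source address is spoofed and should never be forwarded.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed forwarding table: external port -> (internal host, internal port).
FORWARD_TABLE = {
    80:   ("192.168.1.10", 80),   # web server behind the firewall
    2222: ("192.168.1.20", 22),   # SSH on a second internal box
}


@dataclass
class Packet:
    src: str            # source address as seen on the external interface
    dst_port: int       # destination port on the forwarding host
    fragment: bool = False  # True for a non-initial IP fragment


def filter_ingress(pkt: Packet):
    """Return ("forward", (host, port)) or ("drop", reason)."""
    if pkt.fragment:
        return ("drop", "fragment")          # fragments are never forwarded
    src = ipaddress.ip_address(pkt.src)
    if any(src in net for net in RFC1918):
        return ("drop", "rfc1918-source")    # spoofed internal address
    target = FORWARD_TABLE.get(pkt.dst_port)
    if target is None:
        return ("drop", "no-forward-rule")   # port not explicitly opened
    # Anything that survives is passed through untouched: the internal host
    # must defend itself as if it sat directly on the Internet.
    return ("forward", target)


def audit(packets):
    """Tally drop reasons so spoofing or fragment floods stand out in logs."""
    return Counter(reason for verdict, reason in map(filter_ingress, packets)
                   if verdict == "drop")


if __name__ == "__main__":
    sample = [Packet("203.0.113.5", 80), Packet("10.1.2.3", 80),
              Packet("203.0.113.9", 80, fragment=True), Packet("198.51.100.7", 443)]
    for p in sample:
        print(p.src, p.dst_port, "->", filter_ingress(p))
    print("drops:", dict(audit(sample)))
```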

What should you do about this security problem? Since the traffic is being passed unchecked to the internal computer, that box should be treated, at the very least, as a server on a DMZ, and more likely as a server sitting directly on the Internet. This means that it should be hardened to some extent. This may simply mean removing certain convenience accounts, enabling routine password auditing (cracking) and complexity standards (for example, requiring eight characters of mixed alphanumeric and non-alphanumeric), or turning off job control so that people cannot stop background processes.

The type of hardening you need to do obviously depends on what type of port forwarding you're doing. For example, a web server behind a firewall permits different exploits than an FTP server, and different again from an interactive form of access, such as Telnet. To cut down on what an attacker can do, remove network-capable utilities that won't have a legitimate use, such as Finger, Telnet, FTP, etc., so that an intruder can't reach out from this machine to other internal computers on your network, or use that machine as a staging ground for an attack against someone else.

Telnet itself is a great security hazard. Instead of this utility, you may want to use what's called a restricted shell, which allows only certain authorized commands to be executed. You should also find out whether a version of SSH or OpenSSH, a more secure replacement for Telnet, is available for your internal machine.
