Router question

We have a Linksys router.

In order to connect to our desktop machines remotely, we're supposed to "enable remote management" on our router.

Is this a security risk if we leave it enabled?
skbohlerAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

sh00t3rCommented:
Ok let's find out exactly what needs to be done....

When you "enable remote management" all your doing is allowing users on the internet to directly connect and manage your linksys router given the right credentials. This doesn't give them direct access to your desktop machines on the Local Area Network.

Depending on what type of communication to the desktops are required will determine how you configure your linksys router. If you need to directly connect to these desktop machines I would suggest setting up some type of VPN (virtual private network). Your linksys may or may not support VPN. Shoot me over the model number and I can let you know. Otherwise you will have to setup port forwarding to the designated machines. Your best bet with security in mind is to setup a VPN.

Is it a security risk to enable remote managment? Yes. You must set a very very strong password. Don't use the default of "admin". Your router will get hacked quicker then you can say blackhat.
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
sh00t3rCommented:
Questions:

1. Who needs access to these desktop machines?
2. What type of access do they need? Will they just need access to files? Or will they need to see the entire computer to run applications and such (Terminal Services)?
3. What type of Internet Connection do you have? DSL/Cable, T1, etc.?
4. Model of your Linksys Router


0
skbohlerAuthor Commented:
The people who need access are the users of the office computers who want to access the whole computer from home. They want to see the entire computer via MS Remote Desktop Connection. They each have a DSL/Cable connection.

My router model is BEFSR41

Thanks!

Steve
0
ON-DEMAND: 10 Easy Ways to Lose a Password

Learn about the methods that hackers use to lift real, working credentials from even the most security-savvy employees in this on-demand webinar. We cover the importance of multi-factor authentication and how these solutions can better protect your business!

ferg-oCommented:

Um - yep sh00t3r is right - remote management on the Linksys is just what it says and if you don't need it I would disable it immediately. At the very least change the port it uses to something slightly more obscure than 8080.

First I will make the assumption that the router is runing dynamic NAT meaning that you have hidden addresses behind it and one valid address on the outside. In this case you will have to enable port forwarding for TCP 3389 from outside to the IP address of the machine on the inside that you want access to.

You can only do this for one machine. The user will then connect via remote desktop to the IP address of the firewall and that will forward them to their machine. The limitation is one IP per TCP port.

If you want other machines to have access then you will either have to make their machines listen on a different TCP port to the default and change the TCP port that they use remote desktop from home with.

Instructions for changing these for terminal services are here:

http://support.microsoft.com/default.aspx?scid=187623

I could not find a way to do this with XP but may help to get you started. This way each remote desktop client can connect to each machine inside the firewall using an individual TCP port.

HOWEVER! This opens up all the inside machines to terminal services from everywhere on the Internet. I suggest you use VPN if you can...


0
sh00t3rCommented:
Depending on your ISP you may have a useable public ip range. For instance most cable/dsl ISP's for small business will usually include 5 static ips. Then you can redirect the traffic from each one of these static "public" ip's towards the internal clients. So in essence you could get 5 for 5, kinda like arby's. 5 internal computers can get access by 5 outside users. More outside users would be able to access these computers if you had legitimate terminal services server but your probably using XP.

So a couple more questions...

1. Does your ISP give you more then 1 static IP?
2. Operating Systems of PCs
3. How many people need access to their computers?

If it's over 5 users you will want to think about other remote applications. Such as citrix. Citrix would provide all the functionality you need. Or a legitimate version of terminal services server.
0
skbohlerAuthor Commented:
Is setting up a VPN pretty complicated?
0
ferg-oCommented:

Not if you have Linksys routers/firewalls at home. Then it is really simple. If this is not an option then you will need some VPN client software. Unfortunately I do not know of a good client for connecting to Linksys machines - someone else reading might...
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Software Firewalls

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.