Is it OK to leave ports forwarded?
Posted on 2004-11-04
>>>A few weeks ago I asked the following question:
Typical setup is a small office peer network with XP Pro computers, all of them using Norton Internet Security. All PCs are set with static IP addresses, such as 192.168.1.10, ...20, ...30, etc. They will have a DSL router connected to their hub, and we set router port forwarding for pcAnywhere, so that ports 5631 and 5632 might forward to ...10, and 5641 and 5642 might forward to ...20, etc. The only time we effectively utilize this forwarding setup is if the user runs their pcAnywhere Host software, so we can connect. After we are finished, we/they exit the pcAnywhere Host.
We understand very little about the technical details of ports, so in layman's terms, please tell me if this setup is safe or not. Is there a risk to leaving this port forwarding setup in place, as long as the pcAnywhere Host software is not left running?
If it is NOT safe, is there a simple way to accomplish our goals without a lot of hassles? Right now, it's easy--we permanently set up the forwarding, and we can connect anytime the user brings up his host software.
>>>And I got this one answer:
It's all relative. If there is no information on the client's PCs that can cause damage/money loss, or release information that should not be, then you are relatively safe. If, on the other hand, there is anything like financial information or health care information - things that if not fully protected CEOs can go to jail for - then I certainly would not leave them open.
Depending on the router that you use for the port forwarding, you can turn it on/off with a web page checkbox; that would be an additional layer of protection, but an additional layer of complexity for the users. What happens if someone forgets to close the client?
Safest thing would be to use a VPN to access their network, and that is what I recommend. No ports are left open, and only authorized users can even establish the VPN.
>>>The problem is that I should have pursued this further, because I'm still not clear on the answer. The answer I got talks about 'what if someone forgets to close the client?' What does that mean? Are we talking about what happens if the user forgets to shut down the pcAnywhere host?
Looking at it another way: what if the user didn't even have pcAnywhere loaded on his computer, but the port forwarding were still set to point to his computer through his router. Would an outsider still be able to access his computer somehow and do damage, simply because the ports were forwarded?
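
An added example, not part of the original post: a check run from inside the LAN that reports, for each forwarding rule, whether any program is accepting TCP connections on the target PC. The names `probe` and `audit_forwards` and the rule tuple layout are assumptions of this example; the demo uses a constructed loopback listener in place of the pcAnywhere host and covers TCP only.

```python
import socket

def probe(host, port, timeout=3.0):
    """Classify one TCP port: 'listening', 'closed' (refused) or 'no-response'."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "listening"      # a program accepted the connection
    except ConnectionRefusedError:
        return "closed"         # host is up, but nothing is bound to the port
    except OSError:
        return "no-response"    # timeout or unreachable: host off or firewall dropping
    finally:
        s.close()

def audit_forwards(rules):
    """rules: (router_port, lan_host, lan_port) tuples -> {router_port: state}."""
    return {ext: probe(host, port) for ext, host, port in rules}

def demo():
    # Constructed stand-in: a loopback listener plays the remote-control host
    # software, so the example runs without a router or a second PC.
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))          # OS picks a free port
    listener.listen(1)
    lan_port = listener.getsockname()[1]
    rules = [(5631, "127.0.0.1", lan_port)]  # router port 5631 -> stand-in host
    while_running = audit_forwards(rules)
    listener.close()                         # user exits the host software
    after_exit = audit_forwards(rules)
    return while_running, after_exit

if __name__ == "__main__":
    running, stopped = demo()
    print("host software running:", running)
    print("host software exited: ", stopped)
```

On the office LAN the rules would mirror the router's forwarding table, for example `(5631, "192.168.1.10", 5631)`. Any port reported as `listening` while the host software is supposedly shut down means some program on that PC is still reachable through the forward.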