Is it OK to leave ports forwarded?

Posted on 2004-11-04
Last Modified: 2010-04-09
>>>A few weeks ago I asked the following question:

Typical setup is a small office peer network with XP Pro computers, all of them using Norton Internet Security.  All PCs are set with static IP addresses, such as, ...20, ...30, etc.  They will have a DSL router connected to their hub, and we set router port forwarding for pcAnywhere, so that ports 5631 and 5632 might forward to ...10, and 5641 and 5642 might forward to ...20, etc.  The only time we effectively utilize this forwarding setup is if the user runs their pcAnywhere Host software, so we can connect.  After we are finished, we/they exit the pcAnywhere Host.

We understand very little about the technical details of ports, so in layman terms, please tell me if this setup is safe or not.  Is there a risk to leaving this port forwarding setup in place, as long as the pcAnywhere Host software is not left running?

If it is NOT safe, is there a simple way to accomplish our goals without a lot of hassles?  Right now, it's easy--we permanently set up the forwarding, and we can connect anytime the user brings up his host software.

>>>And I got this one answer:

It's all relative. If there is no information on the client's PCs that can cause damage/money loss, or release information that should not be, then you are relatively safe. If, on the other hand, there is anything like financial information or health care information - things that if not fully protected CEOs can go to jail for - then I certainly would not leave them open.
Depending on the router that you use for the port forwarding, you can turn it on/off with a web page checkbox, that would be an additional layer of protection, but an additional layer of complexity for the users. What happens if someone forgets to close the client?

Safest thing would be to use a VPN to access their network, and that is what I recommend. No ports are left open, and only authorized users can even establish the VPN.

>>>The problem is that I should have pursued this further, because I'm still not clear on the answer.  The answer I got talks about 'what if someone forgets to close the client?'  What does that mean?  Are we talking about what happens if the user forgets to shut down the pcAnywhere host?

Looking at it another way: what if the user didn't even have pcAnywhere loaded on his computer, but the port forwarding were still set to point to his computer through his router.  Would an outsider still be able to access his computer somehow and do damage, simply because the ports were forwarded?
Question by: sasllc

    Accepted Solution

    Hi sasllc,

    Correct me if I'm wrong, but it looks like you're very basic into networking.
    Those ports are forwarded and some program will have to listen... so if the program isn't listening the "attacker" won't get any response or ability to abuse it. If some program behind that port is listening (like PC-anywhere in your case) then every "attacker" could get full access IF they know the login name and password to do so, or if they exploit a hole in PC-anywhere (I don't know of any holes at the moment, just make sure to keep the program up-to-date). Therefore, make sure to use strong passwords.
    The only thing you are vulnerable to are "Man in the middle" attacks, so if someone is actively monitoring the connection in between and is able to crack the encryption used by PC-anywhere.
    One thing you should always do if possible is to let PC-anywhere only accept connections from the IP range you're logging in from (if it's static only one IP address is needed, otherwise, the range your ISP uses).
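The accepted solution makes two points that are easy to check for yourself: a forwarded port with no program behind it gives a remote party nothing to talk to, and a listening program can be told to accept only approved source addresses. The script below is an added example, not code from the thread or from pcAnywhere; it runs entirely on 127.0.0.1 with a small stand-in listener (`RestrictedHost`, hypothetical) so nothing is exposed. The allow-list ranges 127.0.0.0/8 and 203.0.113.0/24 are constructed values; `probe`, `banner`, `is_allowed` and `free_port` are names chosen here.

```python
"""Added example (not from the original thread): how a forwarded port looks to
the other side depending on whether anything is listening, plus a stand-in
host that only answers approved source ranges. Runs on 127.0.0.1 only."""
import ipaddress
import socket
import threading


def probe(host, port, timeout=1.0):
    """Classify a TCP port the way a remote party would see it.
    'open'     -> something is listening and completed the handshake
    'closed'   -> host reached, but nothing listening (connection refused)
    'filtered' -> no answer at all (firewall drop, or nothing forwarded)
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return "open"
        except ConnectionRefusedError:
            return "closed"
        except OSError:  # socket.timeout and other errors
            return "filtered"


def banner(host, port, timeout=1.0):
    """Connect and return what the listener says; b'' if it hung up on us."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        s.connect((host, port))
        try:
            return s.recv(64)
        except OSError:
            return b""


def is_allowed(peer_ip, allowed_cidrs):
    """True if peer_ip falls inside any of the allowed CIDR ranges."""
    addr = ipaddress.ip_address(peer_ip)
    return any(addr in ipaddress.ip_network(c) for c in allowed_cidrs)


class RestrictedHost:
    """Hypothetical stand-in for a remote-control host: it hangs up on any
    source address outside its allow-list instead of talking to it."""

    def __init__(self, allowed_cidrs):
        self.allowed = list(allowed_cidrs)
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.bind(("127.0.0.1", 0))  # port 0: let the OS pick a free one
        self.sock.listen(5)
        self.port = self.sock.getsockname()[1]
        self.accepted = 0
        self.rejected = 0
        threading.Thread(target=self._serve, daemon=True).start()

    def _serve(self):
        while True:
            try:
                conn, (peer_ip, _) = self.sock.accept()
            except OSError:  # listening socket was shut down
                return
            with conn:
                if is_allowed(peer_ip, self.allowed):
                    self.accepted += 1
                    try:
                        conn.sendall(b"HOST READY\n")
                    except OSError:
                        pass  # peer already gone
                else:
                    self.rejected += 1  # closed without a word

    def close(self):
        try:
            self.sock.shutdown(socket.SHUT_RDWR)  # wakes the accept() loop
        except OSError:
            pass
        self.sock.close()


def free_port():
    """Pick a port nothing listens on (bind, read it back, release it)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    print("no listener:", probe("127.0.0.1", free_port()))  # closed
    h = RestrictedHost(["127.0.0.0/8"])  # constructed: our own loopback is allowed
    print("allowed source:", probe("127.0.0.1", h.port), banner("127.0.0.1", h.port))
    h.close()
    h = RestrictedHost(["203.0.113.0/24"])  # constructed: loopback is NOT allowed
    print("blocked source:", probe("127.0.0.1", h.port), banner("127.0.0.1", h.port))
    h.close()
```

The three cases map onto the thread's question: with no listener the port reports `closed` and there is nothing to log into; with a listener and an allowed source it answers; with a listener and a disallowed source the program says nothing. Note that in the last case `probe` still reports `open`, because the handshake is done by the operating system before the program sees the address. An allow-list inside the program therefore limits who can log in but does not hide the fact that something is listening; only a restriction on the router or firewall itself turns the result into `filtered`.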
