Is it OK to leave ports forwarded?

>>>A few weeks ago I asked the following question:

Typical setup is a small office peer network with XP Pro computers, all of them using Norton Internet Security.  All PCs are set with static IP addresses, such as, ...20, ...30, etc.  They will have a DSL router connected to their hub, and we set router port forwarding for pcAnywhere, so that ports 5631 and 5632 might forward to ...10, and 5641 and 5642 might forward to ...20, etc.  The only time we effectively utilize this forwarding setup is if the user runs their pcAnywhere Host software, so we can connect.  After we are finished, we/they exit the pcAnywhere Host.

We understand very little about the technical details of ports, so in layman terms, please tell me if this setup is safe or not.  Is there a risk to leaving this port forwarding setup in place, as long as the pcAnywhere Host software is not left running?

If it is NOT safe, is there a simple way to accomplish our goals without a lot of hassles?  Right now, it's easy--we permanently set up the forwarding, and we can connect anytime the user brings up his host software.

>>>And I got this one answer:

It's all relative. If there is no information on the client's PCs that can cause damage/money loss, or release information that should not be, then you are relatively safe. If, on the other hand, there is anything like financial information or health care information - things that, if not fully protected, CEOs can go to jail for - then I certainly would not leave them open.
Depending on the router that you use for the port forwarding, you can turn it on/off with a web page checkbox; that would be an additional layer of protection, but an additional layer of complexity for the users. What happens if someone forgets to close the client?

Safest thing would be to use a VPN to access their network, and that is what I recommend. No ports are left open, and only authorized users can even establish the VPN.

>>>The problem is that I should have pursued this further, because I'm still not clear on the answer.  The answer I got talks about 'what if someone forgets to close the client?'  What does that mean?  Are we talking about what happens if the user forgets to shut down the pcAnywhere host?

Looking at it another way: what if the user didn't even have pcAnywhere loaded on his computer, but the port forwarding were still set to point to his computer through his router.  Would an outsider still be able to access his computer somehow and do damage, simply because the ports were forwarded?
LucF (EMEA Server Engineer) commented:
Hi sasllc,

Correct me if I'm wrong, but it looks like you're very new to networking.
Those ports are forwarded and some program will have to listen... so if the program isn't listening the "attacker" won't get any response or ability to abuse it. If some program behind that port is listening (like PC-anywhere in your case) then every "attacker" could get full access IF they know the login name and password to do so, or if they exploit a hole in PC-anywhere (I don't know of any holes at the moment, just make sure to keep the program up-to-date). Therefore, make sure to use strong passwords.
The only thing you are vulnerable to are "Man in the middle" attacks, so if someone is actively monitoring the connection in between and is able to crack the encryption used by PC-anywhere.
One thing you should always do if possible is to let PC-anywhere only accept connections from the IP-range you're logging in from (if it's static only one IP-address is needed, otherwise, the range your ISP uses).
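A small self-check that follows LucF's point, added here as an example (not code from the thread): from outside the office, probe each forwarded port and see whether anything answers. A forward with no listener behind it shows "closed"; a running pcAnywhere host shows "open". The LAN addresses and the `start_local_listener` helper are constructed so the probe can be exercised offline.

```python
import socket

# Constructed sample of the forwarding table from the question.
# Public port -> LAN host; the 192.168.1.x addresses stand in for "...10", "...20".
FORWARDS = {
    5631: "192.168.1.10",  # pcAnywhere data port   -> PC ...10
    5632: "192.168.1.10",  # pcAnywhere status port -> PC ...10
    5641: "192.168.1.20",
    5642: "192.168.1.20",
}


def probe(host, port, timeout=2.0):
    """Attempt one TCP connection and classify what the remote side does.

    'open'     - something accepted (a pcAnywhere host is listening)
    'closed'   - the host replied with a reset (forwarded, but nothing listening)
    'filtered' - no answer at all (dropped by a firewall, or the PC is off)
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "closed"
    except OSError:  # includes socket.timeout
        return "filtered"


def audit(public_host, forwards, timeout=2.0):
    """Probe every forwarded port on the router's public address.

    Only 'open' entries are reachable by an outsider; 'closed' confirms that a
    forward pointing at a PC with no listener gives nothing to abuse.
    """
    return {port: probe(public_host, port, timeout) for port in sorted(forwards)}


def start_local_listener(host="127.0.0.1"):
    """Stand in for a running pcAnywhere host so the check can be tried offline."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))  # OS picks a free port
    srv.listen(1)
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    srv, port = start_local_listener()
    print(port, probe("127.0.0.1", port))  # open: a "host" is listening
    srv.close()
    print(port, probe("127.0.0.1", port))  # closed: the forward points at nothing
```

Run `audit("<router public IP>", FORWARDS)` from a machine outside the office to get the same classification for the real forwards.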


