Security Precautions on a Router with VNC and RD Port Forwarding

About a month ago, I set up port-forwarding on my DSL and internal Ethernet routers to allow for incoming UVNC traffic and RD traffic.  I modified RD to utilize a non-standard port (not 3389), but UVNC is still operating with the standard VNC port numbers.  All port-forwarding is directed at my server.  I'm currently running Windows Server 2003 on an oldish Dell Optiplex box.  (It's a little slow, but otherwise it works fine.)  I'm a little concerned about security with the new setup.  I could get my hands on a second Optiplex from a client for nothing, and I have the MS Action Pack, so there's no problem dropping a copy of WS03 on the second Optiplex and making it an application server in the DMZ.  I'm wondering, however, if it's possible to reasonably tighten up the router security without going with a DMZ.  I'm looking for recommendations for logging incoming traffic, enhancing the firewall settings, or perhaps modifying the port forwarding.  One extra comment: I'm going to drop DD-WRT firmware on my Linksys WRT54G to give myself some extra options.
3 Solutions
It's all a matter of how much time and $$ you want to drop on it.  In my opinion, for a home environment you've already gone the extra mile by changing the port forwarding to non-standard ports.  That combined with a good strong password will deter 99% of hacking problems.  If you want to change the port forwarding on VNC, you can do so at the router level instead of trying to modify the server.  For instance, you can tell the router to forward port 5010 on the outside to port 5000 on the inside.  This way the VNC server can stay in the stock configuration, but from the outside world you would have to hit port 5010, etc.

Other than that, make sure your VNC server is up to date so you don't have any outstanding security holes.

Tightening up "router security" isn't really possible with stock Linksys or DD-WRT, nor would it really be a feasible proposition anyway unless, for instance, you know exactly which IP address you would be using to VNC into your home equipment with and it never changes.  If you're Linux-savvy you could install OpenWRT on your router instead of DD-WRT and then use shorewall or some other highly configurable firewall to set up actual firewall rules that say "Only forward port 3389 traffic FROM ip address xx.xx.xx.xx".  If this is something that would work for you, be warned that OpenWRT is not for the faint of heart.  It's all command line and config files with no stock GUI.

Anyway, hope some of that helps.
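The two ideas in the answer above (translate a non-standard outside port to the stock inside port, and only forward from one known source address) plus the asker's wish for logging, written out as iptables rules for an OpenWrt-style Linux router. This is an added example, not code from the thread or from OpenWrt; the interface name, internal host, allowed source IP and the 33890 RD port are placeholders.

```shell
#!/bin/sh
# Added example: restricted port forwarding with logging for a Linux router.
# Placeholder values (not from the thread); override via environment.
WAN_IF="${WAN_IF:-eth0.2}"                  # WAN interface name
LAN_HOST="${LAN_HOST:-192.168.1.10}"        # internal server running VNC/RD
ALLOWED_SRC="${ALLOWED_SRC:-203.0.113.5}"   # the one fixed remote IP allowed in
VNC_EXT=5010; VNC_INT=5000                  # outside port 5010 -> inside 5000
RD_EXT=33890; RD_INT=3389                   # outside port 33890 -> inside 3389
IPT="${IPT:-echo iptables}"                 # dry run by default; IPT=iptables applies

gen_rules() {
  for pair in "$VNC_EXT:$VNC_INT" "$RD_EXT:$RD_INT"; do
    ext=${pair%%:*}; int=${pair##*:}
    # DNAT only when the packet comes from the allowed source: the server keeps
    # its stock port, and nobody else gets a translation at all.
    $IPT -t nat -A PREROUTING -i "$WAN_IF" -p tcp -s "$ALLOWED_SRC" \
      --dport "$ext" -j DNAT --to-destination "$LAN_HOST:$int"
    # Let the translated flow cross from WAN to LAN.
    $IPT -A FORWARD -i "$WAN_IF" -p tcp -s "$ALLOWED_SRC" -d "$LAN_HOST" \
      --dport "$int" -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
    # Everyone else hitting the outside port lands on the router itself:
    # log it (rate-limited so a scan cannot flood the log) and drop it.
    $IPT -A INPUT -i "$WAN_IF" -p tcp --dport "$ext" -m limit --limit 5/min \
      -j LOG --log-prefix "FWD-DENY $ext: "
    $IPT -A INPUT -i "$WAN_IF" -p tcp --dport "$ext" -j DROP
  done
}

gen_rules
```

Run it as-is to print the rules for review; run with `IPT=iptables` (as root) to install them. The stock ports 5000 and 3389 have no DNAT rule, so they stay unreachable from the WAN side.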
I agree with pretty much everything valheru said regarding port forwarding and that type of thing.
If you're doing this as a business I recommend you spend about $350 USD and get a Cisco ASA 5505 security appliance/firewall to protect your setup. It's a very good little device that has literally thousands and thousands of configuration and security options. You just cannot get "secure", at least to my standard (or most businesses' for that matter), with home grade equipment like Linksys routers.
And with the ASA you're not stuck with only command line (although it is an option) - you have the VERY nice ASDM (Adaptive Security Device Manager) that can configure just about EVERYTHING EVER and generates graphs and reports on traffic and attacks.
It really comes down to $$ as said. If you have the $$ OR if it is for a business environment (even a small to medium one) I recommend that you spend the money and make sure you are 100% (well, as close as you can get to it anyways) secure.
Cheers! Let me know if you have any questions!
jdanaAuthor Commented:
Thanks guys,

Great responses.  I have a couple followup questions:

>> valheru_m: The VNC port modification seems like a great idea.  I'll look into modifying my UVNC SC tool to utilize a non-standard port.  (I'd be surprised if I can't configure it to do such a thing.)  I have a Ukrainian buddy who described the exact same thing you did: "forward port 5010 on the outside to port 5000 on the inside."  Is there a name for that type of port forwarding?  He had a Russian phrase for it, but that didn't do me a lot of good. I also appreciate the candid feedback on OpenWRT.  For someone like me, who's really just learning the nuances of routers, I don't think the command-line interface is a good idea.

>> Pugglewuggle: I think the Cisco ASA 5505 is probably appropriate for my needs.  Does Cisco make a router that offers close to the same functionality as the ASA 5505 that's not as expensive?
I'll step in and answer for valheru since he hasn't replied yet...
It will work to forward those ports, just make sure you have the VNC viewer set up to work off those ports instead of the default ones. That "type" of port forwarding is referred to as port forwarding just like every other type of port forwarding (there is no special name for any other type).
As for OpenWRT and DD-WRT... those are good for adding features but they just don't always work as intended and can cause serious problems if you don't know what you're doing.
$350 is about the cheapest functional device you can buy from Cisco. For the price though, the ASA is the best. You can look for used devices, but they don't always work like they're supposed to, if you know what I mean...
Cheers! Let me know if you have any questions!