

Security Precautions on a Router with VNC and RD Port Forwarding

Posted on 2008-10-04
Medium Priority
Last Modified: 2012-05-05
About a month ago, I set up port-forwarding on my DSL and internal Ethernet routers to allow for incoming UVNC traffic and RD traffic.  I modified RD to utilize a non-standard port (not 3389), but UVNC is still operating with the standard VNC port numbers.  All port-forwarding is directed at my server.  I'm currently running Windows Server 2003 on an oldish Dell Optiplex box.  (It's a little slow, but otherwise it works fine.)  I'm a little concerned about security with the new setup.  I could get my hands on a second Optiplex from a client for nothing, and I have the MS Action Pack, so there's no problem dropping a copy of WS03 on the second Optiplex and making it an application server in the DMZ.  I'm wondering, however, if it's possible to reasonably tighten up the router security without going with a DMZ.  I'm looking for recommendations for logging incoming traffic, enhancing the firewall settings, or perhaps modifying the port forwarding.  One extra comment: I'm going to drop DD-WRT firmware on my Linksys WRT54G to give myself some extra options.
Question by:jdana

Assisted Solution

valheru_m earned 664 total points
ID: 22641216
It's all a matter of how much time and $$ you want to drop on it.  In my opinion, for a home environment you've already gone the extra mile by changing the port forwarding to non-standard ports.  That combined with a good strong password will deter 99% of hacking problems.  If you want to change the port forwarding on VNC, you can do so at the router level instead of trying to modify the server.  For instance, you can tell the router to forward port 5010 on the outside to port 5000 on the inside.  This way the VNC server can stay in the stock configuration, but from the outside world you would have to hit port 5010, etc.

Other than that, make sure your VNC server is up to date so you don't have any outstanding security holes.

Tightening up "router security" isn't really possible with stock Linksys or DD-WRT, nor would it really be a feasible proposition anyway unless, for instance, you know exactly which IP address you would be using to VNC into your home equipment with and it never changes.  If you're Linux-savvy you could install OpenWRT on your router instead of DD-WRT and then use shorewall or some other highly configurable firewall to set up actual firewall rules that say "Only forward port 3389 traffic FROM ip address xx.xx.xx.xx".  If this is something that would work for you, be warned that OpenWRT is not for the faint of heart.  It's all command line and config files with no stock GUI.

Anyway, hope some of that helps.
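As an added illustration of the two ideas in the answer above (translating a non-standard external port to the stock internal port, and only forwarding from one known source address), plus the logging the question asked about, here is an iptables script in the style of an OpenWRT firewall.user file. It is not from the thread or from either project; the interface names, the server address and the trusted address are constructed placeholders, and by default it only prints the rules (set IPT=iptables to apply them).

```shell
#!/bin/sh
# Added example: iptables rules for an OpenWRT/DD-WRT style router that
# (1) forwards a non-standard WAN port to the stock VNC/RD port on the server,
# (2) accepts that forward only from one trusted source address, and
# (3) logs everything else that knocks on the forwarded and well-known ports.
WAN_IF="${WAN_IF:-vlan1}"          # external interface (assumed name)
LAN_IF="${LAN_IF:-br0}"            # internal bridge (assumed name)
SERVER="${SERVER:-192.168.1.10}"   # constructed LAN address of the server
TRUSTED="${TRUSTED:-203.0.113.7}"  # constructed admin address (TEST-NET-3 range)
EXT_VNC=5010;  INT_VNC=5900        # outside port -> stock VNC display :0 port
EXT_RDP=33890; INT_RDP=3389        # outside port -> stock RD port
# Dry run by default: print the rules instead of loading them.
IPT="${IPT:-echo iptables}"

# forward_restricted EXT INT: DNAT WAN port EXT to SERVER:INT, allow the
# forwarded flow only from TRUSTED, rate-limited log then drop for everyone else.
# FORWARD sees the packet after DNAT, so it matches on the internal port.
forward_restricted() {
    ext="$1"; int="$2"
    $IPT -t nat -A PREROUTING -i "$WAN_IF" -p tcp --dport "$ext" \
         -j DNAT --to-destination "$SERVER:$int"
    $IPT -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -p tcp -s "$TRUSTED" \
         -d "$SERVER" --dport "$int" -m state --state NEW -j ACCEPT
    $IPT -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -p tcp -d "$SERVER" --dport "$int" \
         -m limit --limit 10/min -j LOG --log-prefix "FWD-DENY-$ext: "
    $IPT -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -p tcp -d "$SERVER" --dport "$int" -j DROP
}

# log_scans: the well-known ports are no longer forwarded, so any attempt on
# them now lands in INPUT on the router itself; log it so probes are visible.
log_scans() {
    for p in 3389 5900; do
        $IPT -A INPUT -i "$WAN_IF" -p tcp --dport "$p" -m state --state NEW \
             -m limit --limit 5/min -j LOG --log-prefix "PROBE-$p: "
    done
}

apply_all() {
    forward_restricted "$EXT_VNC" "$INT_VNC"
    forward_restricted "$EXT_RDP" "$INT_RDP"
    log_scans
}

apply_all
```

The LOG prefixes show up in the router's syslog (or a remote syslog target), which gives the per-port record of incoming attempts the question asked for.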
LVL 12

Accepted Solution

Pugglewuggle earned 1336 total points
ID: 22642593
I agree with pretty much everything valheru said regarding port forwarding and that type of thing.
If you're doing this as a business I recommend you spend about $350 USD and get a Cisco ASA 5505 security appliance/firewall to protect your setup. It's a very good little device that has literally thousands and thousands of configuration and security options. You just cannot get "secure", at least to my standard (or most businesses' for that matter) with home grade equipment like Linksys routers.
And with the ASA you're not stuck with only command line (although it is an option) - you have the VERY nice ASDM (Adaptive Security Device Manager) that can configure just about EVERYTHING EVER and generates graphs and reports on traffic and attacks.
It really comes down to $$ as said. If you have the $$ OR if it is for a business environment (even a small to medium one) I recommend that you spend the money and make sure you are 100% (well, as close as you can get to it anyways) secure.
Cheers! Let me know if you have any questions!

Author Comment

ID: 22644730
Thanks guys,

Great responses.  I have a couple followup questions:

>> valheru_m: The VNC port modification seems like a great idea.  I'll look into modifying my UVNC SC tool to utilize a non-standard port.  (I'd be surprised if I can't configure it to do such a thing.)  I have a Ukrainian buddy who described the exact same thing you did: "forward port 5010 on the outside to port 5000 on the inside."  Is there a name for that type of port forwarding?  He had a Russian phrase for it, but that didn't do me a lot of good. I also appreciate the candid feedback on OpenWRT.  For someone like me, who's really just learning the nuances of routers, I don't think the command-line interface is a good idea.

>> Pugglewuggle: I think the Cisco ASA 5505 is probably appropriate for my needs.  Does Cisco make a router that offers close to the same functionality as the ASA 5505 that's not as expensive?
LVL 12

Assisted Solution

Pugglewuggle earned 1336 total points
ID: 22652207
I'll step in and answer for valheru since he hasn't replied yet...
It will work to forward those ports, just make sure you have the VNC viewer setup to work off those ports instead of the default ones. That "type" of port forwarding is referred to as port forwarding just like every other type of port forwarding (there is no special name for any other type).
As for OpenWRT and DD-WRT... those are good for adding features but they just don't always work as intended and can cause serious problems if you don't know what you're doing.
$350 is about the cheapest functional device you can buy from Cisco. For the price though, the ASA is the best. You can look for used devices, but they don't always work like they're supposed to if you know what I mean...
Cheers! Let me know if you have any questions!
