Solved

Security Precautions on a Router with VNC and RD Port Forwarding

Posted on 2008-10-04
Last Modified: 2012-05-05
About a month ago, I setup port-forwarding on my DSL and internal Ethernet routers to allow for incoming UVNC traffic and RD traffic.  I modified RD to utilize a non-standard port (not 3389), but UVNC is still operating with the standard VNC port numbers.  All port-forwarding is directed at my server.  I'm currently running Windows Server 2003 on an oldish Dell Optiplex box.  (It's a little slow, but otherwise it works fine.)  I'm a little concerned about security with the new setup.  I could get my hands on a second Optiplex from a client for nothing, and I have the MS Action Pack, so there's no problem dropping a copy of WS03 on the second Optiplex and making it an application server in the DMZ.  I'm wondering, however, if it's possible to reasonably tighten up the router security without going with a DMZ.  I'm looking for recommendations for logging incoming traffic, enhancing the firewall settings, or perhaps modifying the port forwarding.  One extra comment: I'm going to drop DD-WRT firmware on my Linksys WRT54G to give myself some extra options.
Question by: jdana

4 Comments
Assisted Solution by: valheru_m (LVL 5, earned 166 total points, ID: 22641216)
It's all a matter of how much time and $$ you want to drop on it.  In my opinion, for a home environment you've already gone the extra mile by changing the port forwarding to non-standard ports.  That combined with a good strong password will deter 99% of hacking problems.  If you want to change the port forwarding on VNC, you can do so at the router level instead of trying to modify the server.  For instance, you can tell the router to forward port 5010 on the outside to port 5000 on the inside.  This way the VNC server can stay in the stock configuration, but from the outside world you would have to hit port 5010, etc.

Other than that, make sure your VNC server is up to date so you don't have any outstanding security holes.

Tightening up "router security" isn't really possible with stock Linksys or DD-WRT, nor would it really be a feasible proposition anyway unless, for instance, you know exactly which IP address you would be using to VNC into your home equipment with and it never changes.  If you're Linux savvy you could install OpenWRT on your router instead of DD-WRT and then use shorewall or some other highly configurable firewall to set up actual firewall rules that say "Only forward port 3389 traffic FROM ip address xx.xx.xx.xx".  If this is something that would work for you, be warned that OpenWRT is not for the faint of heart.  It's all command line and config files with no stock GUI.

Anyway, hope some of that helps.
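The two measures described in this answer (translating an outside port to the stock VNC port at the router, and forwarding the RD port only from one known source address), plus the rate-limited logging the question asks about, written as iptables rules for a Linux-based router such as OpenWRT. This is an added example, not code from the thread; the WAN interface name, the server and admin addresses, and the port numbers are constructed placeholders, and the script assumes the router's existing firewall already permits established/related return traffic.

```shell
#!/bin/sh
# Added example: port translation, source-restricted forwarding and logging with iptables.
# All values below are placeholders to be replaced for a real router.
WAN_IF="${WAN_IF:-eth0.2}"               # assumed WAN interface name
SERVER_IP="${SERVER_IP:-192.168.1.10}"   # constructed internal server address
ADMIN_IP="${ADMIN_IP:-203.0.113.7}"      # constructed trusted admin address (RFC 5737 range)
VNC_EXT=5010                             # port exposed on the outside
VNC_INT=5900                             # VNC's standard port, left unchanged on the server
RD_PORT=3389                             # RD port, reachable only from ADMIN_IP
# IPT defaults to printing the commands so the rule set can be reviewed before it is applied;
# run with IPT=iptables as root to apply it for real.
IPT="${IPT:-echo iptables}"

# $1 = outside port, $2 = inside port. DNAT rewrites the destination before routing, so the
# FORWARD rules match the translated (inside) port. New connections are logged, rate-limited.
forward_translated() {
    $IPT -t nat -A PREROUTING -i "$WAN_IF" -p tcp --dport "$1" -j DNAT --to-destination "$SERVER_IP:$2"
    $IPT -A FORWARD -i "$WAN_IF" -p tcp -d "$SERVER_IP" --dport "$2" -m conntrack --ctstate NEW \
        -m limit --limit 5/min -j LOG --log-prefix "VNC-IN: "
    $IPT -A FORWARD -i "$WAN_IF" -p tcp -d "$SERVER_IP" --dport "$2" -j ACCEPT
}

# $1 = port, $2 = allowed source. Only packets from that one address are translated and forwarded.
forward_from_source() {
    $IPT -t nat -A PREROUTING -i "$WAN_IF" -s "$2" -p tcp --dport "$1" -j DNAT --to-destination "$SERVER_IP:$1"
    $IPT -A FORWARD -i "$WAN_IF" -s "$2" -p tcp -d "$SERVER_IP" --dport "$1" -j ACCEPT
}

# Everything else arriving from the WAN for the server is logged (rate-limited) and dropped.
log_and_drop_rest() {
    $IPT -A FORWARD -i "$WAN_IF" -d "$SERVER_IP" -m limit --limit 10/min -j LOG --log-prefix "FWD-DROP: "
    $IPT -A FORWARD -i "$WAN_IF" -d "$SERVER_IP" -j DROP
}

# Order matters: specific accepts first, the catch-all log-and-drop last.
build_rules() {
    forward_translated "$VNC_EXT" "$VNC_INT"
    forward_from_source "$RD_PORT" "$ADMIN_IP"
    log_and_drop_rest
}

build_rules
```

The logged lines carry the `VNC-IN:` and `FWD-DROP:` prefixes, so the router's syslog can be filtered for connection attempts against the forwarded ports.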
 
Accepted Solution by: Pugglewuggle (LVL 12, earned 334 total points, ID: 22642593)
I agree with pretty much everything valheru said regarding port forwarding and that type of thing.
If you're doing this as a business I recommend you spend about $350 USD and get a Cisco ASA 5505 security appliance/firewall to protect your setup. It's a very good little device that has literally thousands and thousands of configuration and security options. You just cannot get "secure", at least to my standard (or most businesses' for that matter) with home grade equipment like Linksys routers.
And with the ASA you're not stuck with only command line (although it is an option) - you have the VERY nice ASDM (Adaptive Security Device Manager) that can configure just about EVERYTHING EVER and generates graphs and reports on traffic and attacks.
It really comes down to $$ as said. If you have the $$ OR if it is for a business environment (even a small to medium one) I recommend that you spend the money and make sure you are 100% (well, as close as you can get to it anyways) secure.
Cheers! Let me know if you have any questions!
 
Author Comment by: jdana (ID: 22644730)
Thanks guys,

Great responses.  I have a couple followup questions:

>> valheru_m: The VNC port modification seems like a great idea.  I'll look into modifying my UVNC SC tool to utilize a non-standard port.  (I'd be surprised if I can't configure it to do such a thing.)  I have a Ukrainian buddy who described the exact same thing you did: "forward port 5010 on the outside to port 5000 on the inside."  Is there a name for that type of port forwarding?  He had a Russian phrase for it, but that didn't do me a lot of good. I also appreciate the candid feedback on OpenWRT.  For someone like me, who's really just learning the nuances of routers, I don't think the command-line interface is a good idea.

>> Pugglewuggle: I think the Cisco ASA 5505 is probably appropriate for my needs.  Does Cisco make a router that offers close to the same functionality as the ASA 5505 that's not as expensive?
 
Assisted Solution by: Pugglewuggle (LVL 12, earned 334 total points, ID: 22652207)
I'll step in and answer for valheru since he hasn't replied yet...
It will work to forward those ports, just make sure you have the VNC viewer setup to work off those ports instead of the default ones. That "type" of port forwarding is referred to as port forwarding just like every other type of port forwarding (there is no special name for any other type).
As for OpenWRT and DD-WRT... those are good for adding features but they just don't always work as intended and can cause serious problems if you don't know what you're doing.
$350 is about the cheapest functional device you can buy from Cisco. For the price though, the ASA is the best. You can look for used devices, but they don't always work like they're supposed to if you know what I mean...
Cheers! Let me know if you have any questions!