Solved

Security Precautions on a Router with VNC and RD Port Forwarding

Posted on 2008-10-04
629 Views
Last Modified: 2012-05-05
About a month ago, I set up port-forwarding on my DSL and internal Ethernet routers to allow for incoming UVNC traffic and RD traffic.  I modified RD to utilize a non-standard port (not 3389), but UVNC is still operating with the standard VNC port numbers.  All port-forwarding is directed at my server.  I'm currently running Windows Server 2003 on an oldish Dell Optiplex box.  (It's a little slow, but otherwise it works fine.)  I'm a little concerned about security with the new setup.  I could get my hands on a second Optiplex from a client for nothing, and I have the MS Action Pack, so there's no problem dropping a copy of WS03 on the second Optiplex and making it an application server in the DMZ.  I'm wondering, however, if it's possible to reasonably tighten up the router security without going with a DMZ.  I'm looking for recommendations for logging incoming traffic, enhancing the firewall settings, or perhaps modifying the port forwarding.  One extra comment: I'm going to drop DD-WRT firmware on my Linksys WRT54G to give myself some extra options.
Question by:jdana
4 Comments
 
LVL 5

Assisted Solution

by:valheru_m
valheru_m earned 166 total points
ID: 22641216
It's all a matter of how much time and $$ you want to drop on it.  In my opinion, for a home environment you've already gone the extra mile by changing the port forwarding to non-standard ports.  That combined with a good strong password will deter 99% of hacking problems.  If you want to change the port forwarding on VNC, you can do so at the router level instead of trying to modify the server.  For instance, you can tell the router to forward port 5010 on the outside to port 5000 on the inside.  This way the VNC server can stay in the stock configuration, but from the outside world you would have to hit port 5010, etc.

Other than that, make sure your VNC server is up to date so you don't have any outstanding security holes.

Tightening up "router security" isn't really possible with stock Linksys or DD-WRT, nor would it really be a feasible proposition anyway unless, for instance, you know exactly which IP address you would be using to VNC into your home equipment with and it never changes.  If you're Linux-savvy you could install OpenWRT on your router instead of DD-WRT and then use Shorewall or some other highly configurable firewall to set up actual firewall rules that say "Only forward port 3389 traffic FROM ip address xx.xx.xx.xx".  If this is something that would work for you, be warned that OpenWRT is not for the faint of heart.  It's all command line and config files with no stock GUI.

Anyway, hope some of that helps.
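To make the two suggestions above concrete (translating a non-standard external port to the server's stock port at the router, and only forwarding from one fixed source address, with logging), here is an added example of the iptables rules a DD-WRT or OpenWRT style firewall script would carry. It is not code from the thread or from either firmware project; the WAN interface `vlan1`, the server address 192.168.1.10, the stock VNC port 5900 and the admin source IP 203.0.113.5 are all assumed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): per-service port forward for an
# iptables-based router firewall script. Assumed values: WAN interface vlan1,
# internal server 192.168.1.10, VNC on its stock port 5900, and one fixed
# admin source IP 203.0.113.5 (placeholder). Default is a dry run that prints
# the rules; run with IPT=iptables to apply them on the router.
WAN_IF="${WAN_IF:-vlan1}"
SERVER="${SERVER:-192.168.1.10}"
ADMIN_IP="${ADMIN_IP:-203.0.113.5}"
IPT="${IPT:-echo iptables}"

# forward_service EXT_PORT INT_PORT NAME
# Rewrites the non-standard external port to the server's stock port, accepts
# the forward only from ADMIN_IP, logs each new session, and logs-then-drops
# every other source that probes the external port.
forward_service() {
    ext="$1"; int="$2"; name="$3"; chain="fwd_$name"

    # 1. DNAT before routing, but only for the trusted source address
    $IPT -t nat -A PREROUTING -i "$WAN_IF" -p tcp -s "$ADMIN_IP" --dport "$ext" \
        -j DNAT --to-destination "$SERVER:$int"

    # 2. A dedicated chain keeps LOG ahead of ACCEPT regardless of where the
    #    firmware's own rules sit; the jump is inserted at the top of FORWARD
    $IPT -N "$chain"
    $IPT -A "$chain" -m state --state NEW -m limit --limit 6/min \
        -j LOG --log-prefix "$name-allow: "
    $IPT -A "$chain" -j ACCEPT
    $IPT -I FORWARD -i "$WAN_IF" -p tcp -s "$ADMIN_IP" -d "$SERVER" \
        --dport "$int" -j "$chain"

    # 3. Untrusted sources are never DNATed, so their packets reach INPUT on the
    #    router itself: log (rate limited) and drop. Inserted in reverse so that
    #    the LOG rule ends up above the DROP rule.
    $IPT -I INPUT -i "$WAN_IF" -p tcp --dport "$ext" -j DROP
    $IPT -I INPUT -i "$WAN_IF" -p tcp --dport "$ext" -m limit --limit 6/min \
        -j LOG --log-prefix "$name-probe: "
}

# VNC reachable from outside on 5010 while the server keeps listening on 5900
forward_service 5010 5900 vnc
```

Log lines tagged `vnc-probe:` in the router's syslog show who is knocking on the external port, and `vnc-allow:` lines give a record of each session the trusted address opened.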
LVL 12

Accepted Solution

by:Pugglewuggle
Pugglewuggle earned 334 total points
ID: 22642593
I agree with pretty much everything valheru said regarding port forwarding and that type of thing.
If you're doing this as a business I recommend you spend about $350 USD and get a Cisco ASA 5505 security appliance/firewall to protect your setup. It's a very good little device that has literally thousands and thousands of configuration and security options. You just cannot get "secure", at least to my standard (or most businesses' for that matter) with home grade equipment like Linksys routers.
And with the ASA you're not stuck with only command line (although it is an option) - you have the VERY nice ASDM (Adaptive Security Device Manager) that can configure just about EVERYTHING EVER and generates graphs and reports on traffic and attacks.
It really comes down to $$ as said. If you have the $$ OR if it is for a business environment (even a small to medium one) I recommend that you spend the money and make sure you are 100% (well, as close as you can get to it anyways) secure.
Cheers! Let me know if you have any questions!
Author Comment

by:jdana
ID: 22644730
Thanks guys,

Great responses.  I have a couple followup questions:

>> valheru_m: The VNC port modification seems like a great idea.  I'll look into modifying my UVNC SC tool to utilize a non-standard port.  (I'd be surprised if I can't configure it to do such a thing.)  I have a Ukrainian buddy who described the exact same thing you did: "forward port 5010 on the outside to port 5000 on the inside."  Is there a name for that type of port forwarding?  He had a Russian phrase for it, but that didn't do me a lot of good. I also appreciate the candid feedback on OpenWRT.  For someone like me, who's really just learning the nuances of routers, I don't think the command-line interface is a good idea.

>> Pugglewuggle: I think the Cisco ASA 5505 is probably appropriate for my needs.  Does Cisco make a router that offers close to the same functionality as the ASA 5505 that's not as expensive?
LVL 12

Assisted Solution

by:Pugglewuggle
Pugglewuggle earned 334 total points
ID: 22652207
I'll step in and answer for valheru since he hasn't replied yet...
It will work to forward those ports, just make sure you have the VNC viewer setup to work off those ports instead of the default ones. That "type" of port forwarding is referred to as port forwarding just like every other type of port forwarding (there is no special name for any other type).
As for OpenWRT and DD-WRT... those are good for adding features but they just don't always work as intended and can cause serious problems if you don't know what you're doing.
$350 is about the cheapest functional device you can buy from Cisco. For the price though, the ASA is the best. You can look for used devices, but they don't always work like they're supposed to, if you know what I mean...
Cheers! Let me know if you have any questions!