This article explains – in simple terms – what it means to open an inbound port in your router and why it should be avoided if at all possible.
Your router can let traffic in as well as out.
Did you know that your router – the device that connects your business's computer network to the internet – can also be used in the reverse direction? Routers have a firewall built into them that – by default – is configured so that anybody outside the network is prevented from getting into it.
From a security standpoint this makes complete sense and is in fact one of the key parts of an information security policy. In this situation imagine that the router is putting up a brick wall: any unsolicited traffic that tries to reach the network from the outside world is simply blocked.
There are, however, ways to let unsolicited traffic into your network – we call this opening up a port.
Open ports are like open doors.
Opening a port on your firewall is like poking a hole in your security. It does not in itself mean you will have any security problems, but it does increase the attack surface. You are more likely to suffer a denial of service attack or to have some other vulnerability in your network exposed and exploited – so the fewer ports you have open, the better.
Opening a port for a VPN is both common and secure.
The most common reason to ‘poke a hole’ in your firewall is so that members of staff can access server resources by means of a Virtual Private Network (VPN). Older VPN types such as PPTP are insecure, but more modern VPN types are safe to use. VPNs are considered a ‘secure tunnel’ between systems that you trust (such as employees' laptops) and the rest of your business network. Users that connect via VPN can do so safely and easily and can work over the VPN just as if they were in the office. In an ideal world the only port we open in a firewall ought to be the one for the VPN.
Opening Ports for Network Video Recorders (NVRs)
If VPN is the most common reason to open a hole in your firewall, the second most common request is for access to a Network Video Recorder (NVR), often used in CCTV installations. It's a simple thing to do, but the decision to open ports for this purpose should not be taken lightly, for these reasons:
- If you have a more traditional ‘on-premises’ camera system, it can be accessed via the VPN, so strictly speaking no additional holes in the firewall are necessary. Having to negotiate a VPN connection before accessing the NVR is undoubtedly more secure, if a little less convenient.
- Some better-developed NVRs, such as the UNVRs offered by Ubiquiti, do not need any ports to be opened and also do not require a VPN connection. In this case the app on your mobile phone or tablet simply negotiates a secure connection to your UNVR via the Ubiquiti website, which ‘handshakes’ the connection. If your CCTV system supports a feature like this then no ports need to be opened.
Security Considerations for Network Video Recorders (NVRs) when Ports are Opened
If your NVR is accessible only via the VPN then we can ensure only authorised VPN users have access to it. If, however, we do open up ports in your firewall so your staff can access the CCTV system, then in the interests of security you must consider these questions:
- Who is responsible for managing and maintaining the NVR to ensure it is up to date and patched with the latest firmware and security fixes?
- Who is responsible for managing and maintaining the cameras to ensure they are up to date and patched with the latest firmware and security fixes?
- Who is responsible for managing and maintaining the network equipment associated with the installation such as switches and bridges to ensure they are up to date and patched with the latest firmware and security fixes?
- Who is responsible for providing access to the system to those staff members that need it?
- Who is responsible for revoking access to the system when job roles change or staff leave the business?
- Have you set a policy such that users are only allowed to use the system by means of business-issued devices, e.g. mobiles and tablets?
- Are the open ports fully documented in your security policy and are they reviewed at least annually?
- Would you like us to cover these responsibilities as part of our scheduled support tasks and starters or leavers processes, or are you happy that your processes are sufficient?
As part of our Policy and Procedure Framework it is our position that opening ports in the firewall should only happen when there is a documented business case for doing so. A documented business case means that the reason for opening a port must be discussed and recorded. The requirement should be reviewed regularly, and when the ports no longer need to be open they should be closed as soon as possible. Even in these scenarios ports should be locked down as far as possible, typically by restricting the source IP addresses that are allowed to connect, although this is not always feasible.
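As an added example (not part of the original article or any vendor's tooling), the script below audits a constructed register of inbound firewall rules against the three requirements just described: a documented business case, a review within the last year, and a source-address restriction unless a reason it is not feasible (such as roaming VPN users) has been recorded. The rule register, its field names and the sample values are all assumptions made for the example.

```python
"""Audit inbound firewall rules against an open-port policy.

Hypothetical rule register (constructed sample data, not from any real router):
each rule records the port, protocol, permitted source CIDR, the documented
business case (empty if none), the date it was last reviewed and, where the
rule cannot be locked to a source address, the recorded reason why.
"""
from dataclasses import dataclass
from datetime import date, timedelta
import ipaddress


@dataclass
class InboundRule:
    name: str
    port: int
    proto: str
    source: str                 # CIDR; "0.0.0.0/0" means open to the whole internet
    business_case: str          # empty string = undocumented
    last_reviewed: date
    lockdown_waiver: str = ""   # documented reason a source restriction is not feasible


def audit_rule(rule: InboundRule, today: date, max_age_days: int = 365) -> list[str]:
    """Return the policy findings for one rule (an empty list means compliant)."""
    findings = []
    if not rule.business_case.strip():
        findings.append("no documented business case")
    if today - rule.last_reviewed > timedelta(days=max_age_days):
        findings.append("not reviewed within the last year")
    net = ipaddress.ip_network(rule.source, strict=False)
    # A /0 prefix is "any source": only acceptable with a recorded waiver
    if net.prefixlen == 0 and not rule.lockdown_waiver.strip():
        findings.append("open to any source address")
    return findings


def audit(rules: list[InboundRule], today: date) -> dict[str, list[str]]:
    """Map each non-compliant rule name to its findings; compliant rules are omitted."""
    results = {r.name: audit_rule(r, today) for r in rules}
    return {name: f for name, f in results.items() if f}


# Constructed sample register (203.0.113.0/24 is a documentation range)
SAMPLE_RULES = [
    InboundRule("vpn", 1194, "udp", "0.0.0.0/0", "Staff remote access via VPN",
                date(2024, 1, 10), lockdown_waiver="Staff connect from changing home/mobile IPs"),
    InboundRule("nvr-web", 8443, "tcp", "0.0.0.0/0", "", date(2022, 3, 1)),
    InboundRule("nvr-installer", 8443, "tcp", "203.0.113.10/32",
                "CCTV maintainer remote support", date(2024, 1, 10)),
]

if __name__ == "__main__":
    for name, problems in audit(SAMPLE_RULES, date(2024, 6, 1)).items():
        print(f"{name}: {', '.join(problems)}")
```

Running it on the sample register reports only the `nvr-web` rule, which fails all three checks; the VPN rule passes because its lack of a source restriction is recorded and justified.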