Subscriber Discussion

What Are The Risks Of Port Forwarding?

Undisclosed Integrator #1
Apr 02, 2018

I know that opening ports creates risks, but what exactly are they?

I know the dangers due to the risks of the cyber attacks like the ones that occurred on default devices.

But my question is aside from the risk to the device that is port forwarded, what else can be exploited and how?

I install almost 100% embedded NVRs on residential and small commercial, and always change the default ports. What concerns should I have?

David Delepine
Apr 02, 2018
Brivo • IPVMU Certified

A port scan of the network can reveal that it is open on the non-default ports. This could then be exploited to gain access to the device that the ports are forwarded to, in this case an NVR which has any number of cameras attached to it. If root access (i.e. a backdoor) can be gained, then the NVR is essentially a mini computer and is inside the network already, allowing all sorts of malicious activity, like hacking into other devices on the network or mining for Bitcoin/Monero... just use your imagination.

Now if root-level access is not achievable, then the hacker can still do many fun things like, oh I don't know, stream your camera feeds to sites like Shodan and others, turn your camera feeds black and call them all hacked 1, 2, 3, 4, etc., watch your recorded footage, and so on.

I am sure someone will come along and correct me on nomenclature or specifics of technique, but full disclosure: I am not a hacker, nor am I a "cybersecurity expert". This is just meant to be a generic explainer of the risks involved with unsafe IT practices and by no means an exhaustive list. As always, DYOR.

Josh Hendricks
Apr 02, 2018
Milestone Systems

Using port forwarding is somewhat analogous to installing a pet door in your home. You're punching a hole in your door (firewall) for a very specific purpose, but there are a lot more cats/dogs/various-other-species out there than just your own, and they're all interested in seeing what's behind the door.

Maybe the door opens into a mud room with nothing of interest and no access to the rest of your home. Ideally that's what happens when someone tries to access a service you've set up port forwarding for. The web server and authentication mechanisms are rock solid, and nobody can get through them without authorization.

Unfortunately even enormously popular web servers like Apache and Microsoft's IIS have flaws which can be exploited to reveal information you're not entitled to see, or to gain "root" access to a server, NVR, or any other networked device. And with root access, you "own" the device, giving you the power to do whatever you want to that device or to use it as a gateway to the rest of the network where you may be able to gain access to even more systems.

Using alternate ports is widely considered "security by obscurity". The product isn't any more secure simply because it's hiding behind a different port number. But it does help to reduce the number of automated attacks against that service. Eventually though, it'll be discovered.

By exposing NVRs (or literally any other networked device or service) to the internet using either port forwarding or a direct connection, the risk of that device being compromised is dramatically increased. And even if there are no known exploits for the device today, there are services which catalog various devices/services which are publicly available, and if an exploit for that device is discovered in the future, it's almost trivial to get a list of all known internet addresses where devices of that type and/or version can be found, which means it'll likely be exploited before you hear anything about it.

A lot of customers might be thinking "So what? Someone in some unknown corner of the world gets access to my driveway camera?" But there's a bigger risk than someone spying on your front porch or deleting/disabling video. That device now becomes a point of entry into the rest of the network. So an attacker can potentially exploit other computers on the network, gaining access to personal data. And of course they can join any compromised devices on the network to a botnet, where you may unknowingly be used in a DDoS attack or other campaigns typically arranged via the dark web.

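The point made in the two posts above, that a non-default port is found by a port scan and the service then identifies itself, as an added example that is not part of the original thread. The "NVR" is a constructed stand-in: a throwaway listener on 127.0.0.1 that answers like an embedded web UI. Its Server header and the fingerprint table are invented for this demo and are not taken from any real product.

```python
"""Added example, not code from the IPVM thread: a connect scan with banner
grabbing, showing why moving a service off its default port hides nothing."""
import re
import socket
import threading

# Constructed banner in the style of an embedded recorder's web interface.
FAKE_NVR_BANNER = (
    b"HTTP/1.1 401 Unauthorized\r\n"
    b"Server: EmbeddedNVR-WebUI/2.0 (constructed example)\r\n"
    b'WWW-Authenticate: Basic realm="NVR"\r\n'
    b"Content-Length: 0\r\n\r\n"
)

# Hypothetical fingerprint table: first regex that matches the banner wins.
FINGERPRINTS = [
    (re.compile(rb"^Server:\s*EmbeddedNVR", re.I | re.M), "embedded NVR web UI"),
    (re.compile(rb"^SSH-2\.0-"), "SSH daemon"),
    (re.compile(rb"^HTTP/1\.[01] "), "generic HTTP server"),
]


def start_fake_nvr(port=0):
    """Listen on 127.0.0.1; port 0 lets the OS pick an unused high port, which
    is exactly the "non-default port" an installer would choose. Returns the
    listening socket (close it to stop) and the port number."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", port))
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:          # listener closed: stop serving
                return
            with conn:
                try:
                    conn.recv(1024)  # swallow the request, answer with the banner
                    conn.sendall(FAKE_NVR_BANNER)
                except OSError:
                    pass

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]


def probe(host, port, timeout=0.5):
    """None if the port is closed, b"" if open but silent, else the banner."""
    try:
        s = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return None
    with s:
        try:
            s.sendall(b"GET / HTTP/1.0\r\nHost: " + host.encode() + b"\r\n\r\n")
            return s.recv(512)
        except OSError:              # includes socket.timeout
            return b""


def identify(banner):
    for pattern, label in FINGERPRINTS:
        if pattern.search(banner):
            return label
    return "unknown service"


def scan(host, ports):
    """Connect scan over `ports`; returns {port: (banner, label)} for open ones."""
    found = {}
    for port in ports:
        if not 1 <= port <= 65535:
            continue
        banner = probe(host, port)
        if banner is not None:
            found[port] = (banner, identify(banner))
    return found


def demo(width=3):
    """Stand up the fake NVR, scan the ports around it, tear it down."""
    srv, port = start_fake_nvr()
    try:
        return port, scan("127.0.0.1", range(port - width, port + width + 1))
    finally:
        srv.close()


if __name__ == "__main__":
    port, hits = demo()
    for p, (banner, label) in sorted(hits.items()):
        first_line = banner.splitlines()[0].decode(errors="replace") if banner else "(silent)"
        print(f"{p:5d}  {label:22s} {first_line}")
```

A real scanner sweeps all 65535 ports rather than a handful around a known one, and internet-wide services do this continuously, which is why the obscure port only reduces noise from the laziest automated scans. The banner, not the port number, is what an attacker matches against a list of known vulnerable firmware.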
Undisclosed #2
Apr 02, 2018

Ok,

How many ports need to be opened on Milestone for a remote connection?

Josh Hendricks
Apr 02, 2018
Milestone Systems

Zero if you're using VPN!

Otherwise, a few. It depends on the product and what you're trying to access; mobile / web server only, or full Smart Client access including access to maps/alarms.

Undisclosed #2
Apr 02, 2018

"Zero if you're using VPN!"

The same answer applies to other companies, even HIK :)

Josh Hendricks
Apr 03, 2018
Milestone Systems

That's 100% correct. 

Undisclosed #2
Apr 03, 2018

Thank you!

Looking forward to meeting at ISC :)

Undisclosed End User #3
Apr 06, 2018

OpenVPN on pfSense, OPNsense or Ubiquiti Edge routers (though I must admit, I have yet to successfully configure an OpenVPN server on Edge routers) yields no cost for certificates or users.

Undisclosed Integrator #6
Apr 06, 2018

"Using port forwarding is somewhat analogous to installing a pet door in your home. You're punching a hole in your door (firewall) for a very specific purpose, but there are a lot more cats/dogs/various-other-species out there than just your own, and they're all interested in seeing what's behind the door."

Definitely related:

Josh Hendricks
Apr 06, 2018
Milestone Systems

Thanks for that! This visual will forever be with me when I think about port forwarding

Brian Rhodes
Apr 06, 2018
IPVMU Certified

visual analogy score = 9/10

Undisclosed Integrator #1
Apr 06, 2018

great pic, but what exactly would represent the kid with the gun on a residential or small business router?

Josh Hendricks
Apr 06, 2018
Milestone Systems

Intrusion Prevention System (IPS)?

Undisclosed Integrator #6
Apr 07, 2018

It was to illustrate that someone is always trying to get in...

The firearm to the head is just a bonus.

Jon Dillabaugh
Apr 05, 2018
Pro Focus LLC

Just to add to the discussion here: what Joshua has said was correct and substantial, but what you should also know is that no matter which way you connect your systems to the internet, there will ALWAYS be some risk. How much risk is up to you and your client(s).

There are varying degrees of risk involved:

1) The worst case scenario is your entire DVR is open to the internet with no firewall, using a public IP. You can rest assured this almost never happens in the real world, or at least it shouldn't ever happen.

2) The next worst scenario has the DVR behind a firewall physically, but in a DMZ outside of the internal network, which in effect is the same as above, naked to the internet.

3) Moving up the security levels one step would be keeping the DVR behind the firewall, but opening all of the default ports set by the manufacturer for the given DVR. For all intents and purposes, this is not much more secure than the above, except you may get lucky and not unintentionally allow unknown ports to be used (SSH, TFTP, etc.).

4) The next level up in security would be to do as you have said here: change the default port numbers, but still leave them open. This will make it a little more of a challenge for an attacker to find your device and a little more difficult to determine its manufacturer, but it really isn't any more secure in reality. If an attacker really wants to know what is on your network, they will use a port scan to find open firewall ports and knock on the devices to see who's there. Device info is easy to find most of the time.

5) The next level up would be to use a secure VPN connection, as Joshua has said above, to connect to your network. The VPN still has an open port, but the hope is that the device hosting the VPN server is more secure than your DVR. This can prove to be a false hope if your VPN server is also insecure or has vulnerabilities. You have to ensure that the VPN server is indeed secure.

6) Above level 5, you will no longer have open firewall ports for outsiders to attack through. Some manufacturers offer some sort of P2P or cloud-based service to access your devices without needing to open firewall ports. You are relying on these manufacturers to keep these connections secure for you. While I have yet to hear of any vulnerabilities with any of these P2P/cloud offerings, it is surely likely that at some point in the future one will happen. Give an attacker enough time and he will find a way in.

7) Going above the security of your manufacturer will require 3rd-party, more IT-centric services. At this level, you will use a remote desktop service, such as LogMeIn, TeamViewer, Splashtop (my personal favorite), etc., to log into a PC inside of the firewall where you can now view your cameras via the PC, be it through a thick client, a web browser, etc. This method is only as secure as the service you choose. Some services have had vulnerabilities in the past, but they are generally fixed very fast, as these services are relied upon by a vast number of professional users.

8) In this step you are taking the DVR off the internet facing network entirely. This does not mean you cannot have outside access, but you will need a bridge device to get to the DVR. In this scenario, you have a PC with two network cards; one in a network connected to the internet, and a second in a closed network where only your DVR exists. This essentially air gaps your DVR. The only way to access the DVR is the one PC that has a connection in this closed network. You can apply level 7 remote access to this PC so outside access is still available, but no direct access to the DVR is possible now.

9) This is the last step, which is simply unplugging the network cable from the DVR, essentially making the system 100% detached from any network. This is a drastic step and should only be considered in the most extreme cases. While this ensures that the device is impossible to access from the outside, it doesn't prevent someone from sitting down at the DVR and doing damage. This is where physical security is also an essential part of your plan to secure these devices.

Josh Hendricks
Apr 05, 2018
Milestone Systems

This is great additional detail Jon. There is basically no world in which a network connected device is perfectly secure. My personal minimum level of security is "level 5" based on your outline. There's still risk that the VPN software could be faulty, or that your VPN password is keylogged. But there are ways to mitigate it - use widely-used and trusted VPN software and multifactor authentication. In the end, you just need to understand the risks and make an educated decision on how much security you're willing to sacrifice for convenience.

bashis mcw
Apr 05, 2018

Good stuff Jon.

Undisclosed Distributor #4
Apr 06, 2018

Good stuff, but one small note about #2. In most cases a DMZ is still functionally behind a firewall with all ports closed off by default. The major difference is that this network may be at the same physical location as your work/home network, but is logically on a different IP subnet with limited or no access to your work/home subnet. If you open ports to a device on a DMZ, you suffer the same security hazards as you would in opening ports to a device on your regular network, but in this case if the device is compromised it does not have the ability to get to devices on the work/home network.

I would rate this as a more secure method of operation than #3, opening ports to a device on your home/work network.

Jon Dillabaugh
Apr 06, 2018
Pro Focus LLC

All of the DMZs I have ever seen effectively open all non-forwarded ports to the DMZ host. 

Josh Hendricks
Apr 06, 2018
Milestone Systems

I've seen this on consumer routers and I'm not sure DMZ is even the right word for what that feature does, but that's usually what they call it.

A true DMZ setup would offer a significantly higher level of protection compared to standard port forwarding in a "flat" network, but I've never seen anyone implement a "real" DMZ in a home environment. I'd never, ever use this feature in a typical consumer router. It's a sure-fire way to get hacked IMO.
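
The distinction drawn in the last three posts (a consumer router's "DMZ host" versus a real DMZ on its own subnet), as an added example that is not part of the original thread. It is a small first-match packet-policy model, the same semantics iptables or pf use; the addresses (RFC 1918 and documentation ranges), the rule sets and the three placements are constructed for the demo and are not any particular router's configuration.

```python
"""Added example, not from the IPVM thread: three placements of the same
recorder, evaluated under constructed first-match rule sets.

  flat_forward : recorder on the LAN, one port forwarded (levels 3/4 above)
  dmz_host     : consumer-router "DMZ host": every unsolicited inbound port
                 is sent to one LAN address (what Jon describes)
  true_dmz     : recorder on its own subnet with no rule back to the LAN
                 (what the distributor describes)
"""
from ipaddress import ip_address, ip_network

LAN, DMZ, ANY = "192.168.1.0/24", "192.168.50.0/24", "0.0.0.0/0"
PC, ATTACKER = "192.168.1.20", "203.0.113.5"   # LAN workstation, internet host


class Rule:
    def __init__(self, src, dst, dport, action):
        self.src, self.dst = ip_network(src), ip_network(dst)
        self.dport, self.action = dport, action       # dport None = any port

    def matches(self, src, dst, dport):
        return (ip_address(src) in self.src and ip_address(dst) in self.dst
                and self.dport in (None, dport))


def decide(rules, src, dst, dport, default="drop"):
    """First matching rule wins; anything unmatched gets the default policy."""
    for rule in rules:
        if rule.matches(src, dst, dport):
            return rule.action
    return default


POLICIES = {
    # Recorder at .10 on the flat LAN; only its web port is forwarded.
    "flat_forward": ("192.168.1.10", [
        Rule(ANY, "192.168.1.10", 8000, "allow"),
        Rule(LAN, LAN, None, "allow"),   # intra-LAN traffic never crosses a filter
    ]),
    # Same placement, but the router's "DMZ host" feature forwards everything.
    "dmz_host": ("192.168.1.10", [
        Rule(ANY, "192.168.1.10", None, "allow"),
        Rule(LAN, LAN, None, "allow"),
    ]),
    # Recorder on its own subnet; the LAN may reach it, it may not reach the LAN.
    "true_dmz": ("192.168.50.10", [
        Rule(ANY, "192.168.50.10", 8000, "allow"),
        Rule(LAN, DMZ, None, "allow"),
        Rule(DMZ, LAN, None, "drop"),
    ]),
}


def exposure(name):
    """What an internet attacker can reach, and what a compromised recorder can."""
    nvr, rules = POLICIES[name]
    return {
        "web_from_internet":    decide(rules, ATTACKER, nvr, 8000),
        "telnet_from_internet": decide(rules, ATTACKER, nvr, 23),
        "pivot_to_lan_smb":     decide(rules, nvr, PC, 445),   # recorder already owned
    }


def compare():
    return {name: exposure(name) for name in POLICIES}


if __name__ == "__main__":
    for name, result in compare().items():
        print(f"{name:13s} {result}")
```

Only the true DMZ blocks the pivot, and even there the forwarded web port is still reachable from anywhere: a bug in that web UI is still a compromise of the recorder, it just stops at the recorder. The consumer "DMZ host" is the worst of the three, since it exposes every listening service (telnet included) and leaves the host on the same subnet as everything else.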

Undisclosed End User #5
Apr 06, 2018

Jon,

Good stuff. Do you consider the 2nd NIC option to also be a HUGE vulnerability, not really "air gapping" but security by obscurity? If I gain access to root on the PC then guess what I now have access to :-) I have had countless suppliers state you cannot "bridge" the NICs, but I disagree and have done it myself.

For resi I am sure this works fine; in my world, where Regulation is KING and rules the land, every potential exploit is considered a threat, period! You cannot even connect to a remote device unless you are part of the ACL, and only Power Users get thick clients; everyone else uses a "jump box" to route into the remote devices, layers upon layers of security.

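Jon's level 8 (the dual-NIC PC in front of a recorder on a closed network) together with the objection just raised (root on that PC lets an attacker bridge the NICs), as an added example that is not part of the original thread. On Linux the kernel will only carry packets from the LAN-side NIC to the recorder-side NIC if forwarding is on, the NICs are enslaved to a bridge, or the recorder-side NIC has a route out, so those three are what to audit. The check reads the /proc and /sys files the kernel actually exposes; the interface names eth0/eth1, the tree roots as parameters, and the constructed fake tree used for the offline run are assumptions of this example.

```python
"""Added example, not from the IPVM thread: audit a two-NIC "bridge PC" for
the three kernel settings that would turn it back into a router."""
import os
import tempfile


def _read(path, default):
    """Stripped file contents, or `default` if the file is absent (a missing
    knob is treated as "off"; revisit that assumption on non-Linux hosts)."""
    try:
        with open(path) as f:
            return f.read().strip()
    except OSError:
        return default


def default_route_ifaces(proc_root):
    """Interfaces carrying a 0.0.0.0/0 route, from /proc/net/route (the
    Destination column is little-endian hex, so 00000000 is the default)."""
    ifaces = set()
    for line in _read(os.path.join(proc_root, "net", "route"), "").splitlines()[1:]:
        fields = line.split()
        if len(fields) >= 2 and fields[1] == "00000000":
            ifaces.add(fields[0])
    return ifaces


def audit_dual_homed_host(lan_if, dvr_if, proc_root="/proc", sys_root="/sys"):
    """Return a list of findings; an empty list means the PC still isolates."""
    findings = []
    knobs = {
        "ipv4 forwarding enabled": ("sys", "net", "ipv4", "ip_forward"),
        "ipv6 forwarding enabled": ("sys", "net", "ipv6", "conf", "all", "forwarding"),
    }
    for msg, parts in knobs.items():
        if _read(os.path.join(proc_root, *parts), "0") != "0":
            findings.append(msg)
    for iface in (lan_if, dvr_if):
        base = os.path.join(sys_root, "class", "net", iface)
        if os.path.isdir(os.path.join(base, "brport")):   # present when enslaved
            findings.append(f"{iface} is enslaved to a bridge")
        if os.path.isdir(os.path.join(base, "bridge")):   # present on a bridge device
            findings.append(f"{iface} is itself a bridge device")
    if dvr_if in default_route_ifaces(proc_root):
        findings.append(f"{dvr_if} has a default route; the closed network is not closed")
    return findings


def build_fake_tree(root, ip_forward, bridged, routes, ifaces=("eth0", "eth1")):
    """Constructed /proc and /sys layout for offline runs (not a real host).
    `routes` is a list of (iface, little-endian hex destination)."""
    proc, sysfs = os.path.join(root, "proc"), os.path.join(root, "sys")
    os.makedirs(os.path.join(proc, "sys", "net", "ipv4"))
    os.makedirs(os.path.join(proc, "sys", "net", "ipv6", "conf", "all"))
    os.makedirs(os.path.join(proc, "net"))
    with open(os.path.join(proc, "sys", "net", "ipv4", "ip_forward"), "w") as f:
        f.write(ip_forward + "\n")
    with open(os.path.join(proc, "sys", "net", "ipv6", "conf", "all", "forwarding"), "w") as f:
        f.write("0\n")
    with open(os.path.join(proc, "net", "route"), "w") as f:
        f.write("Iface\tDestination\tGateway\tFlags\tRefCnt\tUse\tMetric\tMask\tMTU\tWindow\tIRTT\n")
        for iface, dest in routes:
            f.write(f"{iface}\t{dest}\t00000000\t0001\t0\t0\t0\t00000000\t0\t0\t0\n")
    for iface in ifaces:
        os.makedirs(os.path.join(sysfs, "class", "net", iface))
        if iface in bridged:
            os.makedirs(os.path.join(sysfs, "class", "net", iface, "brport"))
    return proc, sysfs


def demo():
    """Audit a deliberately broken tree and a correct one; returns both results."""
    base = tempfile.mkdtemp(prefix="dualhomed-")
    bad = build_fake_tree(os.path.join(base, "bad"), "1", {"eth0", "eth1"},
                          [("eth0", "00000000"), ("eth1", "00000000")])
    good = build_fake_tree(os.path.join(base, "good"), "0", set(),
                           [("eth0", "00000000"), ("eth1", "0032A8C0")])  # 192.168.50.0
    return (audit_dual_homed_host("eth0", "eth1", *bad),
            audit_dual_homed_host("eth0", "eth1", *good))


if __name__ == "__main__":
    bad, good = demo()
    print("broken host:", bad or "no findings")
    print("correct host:", good or "no findings")
    print("this host:", audit_dual_homed_host("eth0", "eth1") or "no findings")
```

The audit is a detective control only: an attacker who already has root can flip every one of these and then delete the evidence, which is the substance of the objection above. What it does tell an installer is whether the PC is isolating on the day they hand it over, and it is cheap to schedule and alert on afterwards. Bonding, VLAN sub-interfaces and a second default route added at a lower metric are further ways to re-join the two networks that this version does not look for.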
Jon Dillabaugh
Apr 06, 2018
Pro Focus LLC

And how does this attacker get admin access remotely on the server to bridge the NICs?

Undisclosed End User #5
Apr 06, 2018

Sorry I am UE here, not trying to hide behind my screen but my contract prohibits me from posting using my name/employer for security reasons :-)

I will go out on a limb and say that since the recorder is not behind a firewall or on a VPN, the PC is likely just as insecure as the recorder. In fact, the PC could be easier to exploit, for example by phishing for privileged user accounts (admin) that folks tend to use as their default daily user account.

Jon Dillabaugh
Apr 06, 2018
Pro Focus LLC

I never said the PC would not be behind a firewall. In fact, I assume that all inbound firewall ports are blocked as well. The only way we generally connect remotely is via Splashtop with 2FA. 

Undisclosed End User #5
Apr 06, 2018

Ok, you got me :-) I just assumed that if you had a firewall then we would not be having this dialog and the recorder would be behind the firewall.
