Over the past 2 years I’ve seen a great change in customers’ attitudes toward network security. One of my biggest worries (right behind physical and electronic security) is computer and network security, in both commercial environments and residential settings.
Our commercial customers (who have always had the right idea, if not the time and budget) have lately been paying more attention to hard-to-get-to things like patching every server and updating security software. Upper management has seen cyber espionage on the increase and does not want to be called ‘victims’ (this usually leads to firings, heads rolling, etc.), and so has mandated that more attention be paid to all things related to security, computers and networks.
Our residential customers, while not too tech savvy a few years back, I applaud loudly! It seemed that residential customers as a whole were very fast to embrace the wireless home network idea, but did not understand the ramifications of an unsecured wireless network. I used to pass my idle time by sniffing wireless networks wherever I happened to be. Two years ago more than 50% were unsecured and open to possible mayhem. These days, when engaging in the same sort of time killing, I can happily say that it is rare to find an unsecured network! I think that computer and router manufacturers have made security setup simpler (and turned it ON by default in many cases).
People like me are always bringing up computer and network security. It’s almost uncanny: I can bring up this subject in almost any conversation in almost any context. Maybe security is better these days just because customers are tired of hearing me complain that the network is not properly secured, and would you like me to secure it for you? Maybe securing a network has become akin to knowing how to operate a TiVo; it’s just something you learn to do as a normal part of life (the jury is still out on this idea).
All that is fine, but I’d like to talk about something that (for the most part) residential customers have not caught onto: the danger of opening, forwarding and triggering ports in their firewalls. In most commercial settings, the IT department would frown upon you if you asked them to open a port to connect something like a DVR for remote viewing, whereas residential customers have no qualms about opening as many ports as needed to add convenience for things like remotely programming a cable TV DVR, looking into a CCTV DVR, or remotely controlling something like an alarm system (PLEASE NOTE, THIS DOES NOT APPLY TO HONEYWELL TOTAL CONNECT PRODUCTS). Most companies with an IT department have a VPN in place that allows their road warriors to securely connect to the home base network and all the good stuff on it, i.e. DVRs.
There are 65,536 ports available for network communications (ports 0 - 65,535; port number 0 is never used, but it could be). Ports come in two flavors, TCP and UDP. Ports are like doorways that programs and services use to enter and leave a computer, that is, to communicate with other computers over a network. Some programs use specific ports, and some can be assigned arbitrary ports. Herein lies the danger, because some ports are more secure than others. For instance, port 443 is used for HTTPS (secure Internet communications) and is handled by the host computer as such.
Why so many ports? I don’t know, but 65,536 is a number any computer enthusiast would recognize. Ports are 16-bit values, meaning that there are 65,536 possible combinations (remember hexadecimals? 1234567890ABCDEF). Ports 0 through 1023 are called ‘well known’, as many of them have official uses (like port 443) and others in this range have, over the years, become the default ports for many applications. Check out this handy chart at Wikipedia: http://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers . Ports 1024 through 49,151 are registered, or claimed, by various hardware and software vendors. Ports 49,152 - 65,535 are known as dynamic ports and can be freely used. These are the ports that are typically opened, forwarded and triggered to make our lives more convenient and less secure (it can be done securely if you know what you are doing).
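To make the port ranges above concrete, here is a small audit script I’ve added as an example (it is not code from the original post or from any router vendor). It reads a constructed, made-up port-forwarding table in the format a home router might export, classifies each external port into the well-known / registered / dynamic ranges described above, and flags forwards that land on plaintext or legacy services. The rule names, IP addresses and the `PLAINTEXT_SERVICES` policy are all assumptions for the demo. Note that the check keys on the *internal* port: remapping a DVR’s web UI from external 8000 to internal 80 does not make it any less HTTP.

```python
import re

# Constructed sample of a home router's port-forwarding table (not from any real
# device). Columns: rule name, protocol, external port, internal IP, internal port.
SAMPLE_FORWARDS = """
# name          proto  ext_port  int_ip         int_port
cctv-dvr        tcp    8000      192.168.1.50   80
dvr-rtsp        tcp    554       192.168.1.50   554
ipcam-telnet    tcp    23        192.168.1.51   23
nas-https       tcp    443       192.168.1.20   443
game-server     udp    27015     192.168.1.77   27015
"""

# Assumed policy for this example: services that should never be reachable from
# the Internet, keyed by the INTERNAL (destination) port the forward lands on.
PLAINTEXT_SERVICES = {
    21: "FTP (credentials sent in the clear)",
    23: "Telnet (credentials sent in the clear)",
    80: "HTTP (no encryption; DVR/camera web UIs often ship with weak logins)",
    554: "RTSP (unencrypted video stream, often unauthenticated)",
}


def port_range(port):
    """Classify a port number by the IANA ranges described in the post."""
    if not 0 <= port <= 65535:
        raise ValueError(f"port {port} is outside the 16-bit range 0-65535")
    if port <= 1023:
        return "well-known"
    if port <= 49151:
        return "registered"
    return "dynamic"


def parse_forwards(text):
    """Parse the whitespace-separated table; skip blank lines and # comments."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, proto, ext, ip, internal = re.split(r"\s+", line)
        rules.append({
            "name": name,
            "proto": proto.lower(),
            "ext_port": int(ext),
            "int_ip": ip,
            "int_port": int(internal),
        })
    return rules


def audit_forwards(text):
    """Return one finding per forwarding rule with a severity and a reason."""
    findings = []
    for rule in parse_forwards(text):
        ext_range = port_range(rule["ext_port"])  # also validates the 16-bit range
        if rule["int_port"] in PLAINTEXT_SERVICES:
            severity, reason = "high", PLAINTEXT_SERVICES[rule["int_port"]]
        elif rule["int_port"] == 443:
            severity, reason = "medium", "encrypted, but the service is still exposed to scanners"
        else:
            severity, reason = "medium", "unknown service exposed; confirm it really needs Internet access"
        findings.append({**rule, "ext_range": ext_range, "severity": severity, "reason": reason})
    return findings


if __name__ == "__main__":
    for f in audit_forwards(SAMPLE_FORWARDS):
        print(f"[{f['severity']:6}] {f['name']:14} {f['proto']}/{f['ext_port']} "
              f"({f['ext_range']}) -> {f['int_ip']}:{f['int_port']}  {f['reason']}")
```

Run it as a script to see the table printed with one line per rule; the three forwards that land on Telnet, HTTP and RTSP come out as high severity regardless of which external port was chosen for them.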
Please consider this fact of life: every time you open a port, you are opening a hole in your network’s defenses. There are hackers running programs called scanners 24x7, “pinging” the Internet across various ranges of IP addresses looking for computers with open ports. Once they see an open port, they ‘probe’ it to see what device or service is there. If you have connected something that uses a password, and that password is weak, the hacker will try to use this weakness as a vector to gain deeper network access, trying to get ‘root’ privileges. At this point the hacker owns you. This is one of many possible security snafus that can happen when ports are opened.
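The scanning described above leaves a very recognizable footprint in a firewall log: one outside address touching many different ports in a few seconds. As an added example (not from the original post), here is a small detector that parses constructed, netfilter-style log lines and flags any source that hits a threshold of distinct destination ports inside a sliding time window, also reporting which of those probes were ACCEPTed by a forwarding rule. The log format, the `FW-DROP`/`FW-ACCEPT` prefixes, the addresses and the thresholds are all assumptions for the demo.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed firewall log lines in a netfilter/iptables LOG style (not real
# traffic): 203.0.113.45 walks six ports in three seconds and one probe lands on a
# forwarded DVR port; 198.51.100.7 is a single legitimate HTTPS connection.
SAMPLE_LOG = """\
2024-05-01T02:14:01 kernel: FW-DROP IN=eth0 OUT= SRC=203.0.113.45 DST=192.0.2.10 PROTO=TCP SPT=44112 DPT=23 SYN
2024-05-01T02:14:01 kernel: FW-DROP IN=eth0 OUT= SRC=203.0.113.45 DST=192.0.2.10 PROTO=TCP SPT=44113 DPT=22 SYN
2024-05-01T02:14:02 kernel: FW-DROP IN=eth0 OUT= SRC=203.0.113.45 DST=192.0.2.10 PROTO=TCP SPT=44114 DPT=80 SYN
2024-05-01T02:14:02 kernel: FW-DROP IN=eth0 OUT= SRC=203.0.113.45 DST=192.0.2.10 PROTO=TCP SPT=44115 DPT=554 SYN
2024-05-01T02:14:03 kernel: FW-ACCEPT IN=eth0 OUT= SRC=203.0.113.45 DST=192.0.2.10 PROTO=TCP SPT=44116 DPT=8000 SYN
2024-05-01T02:14:03 kernel: FW-DROP IN=eth0 OUT= SRC=203.0.113.45 DST=192.0.2.10 PROTO=TCP SPT=44117 DPT=8080 SYN
2024-05-01T02:20:40 kernel: FW-ACCEPT IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=51822 DPT=443 SYN
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) kernel: FW-(?P<action>ACCEPT|DROP) .*?SRC=(?P<src>\S+) "
    r".*?PROTO=(?P<proto>\S+) .*?DPT=(?P<dpt>\d+)"
)


def parse_log(text):
    """Turn matching log lines into event dicts; lines that don't match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "action": m["action"],
            "src": m["src"],
            "proto": m["proto"],
            "dpt": int(m["dpt"]),
        })
    return events


def detect_scanners(events, min_ports=5, window=timedelta(seconds=60)):
    """Flag sources that touch at least `min_ports` distinct destination ports within
    any `window`-long span. Returns {src: {"ports": [...], "accepted": [...]}} where
    "accepted" lists the probed ports that a forwarding rule actually let through."""
    by_src = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_src[e["src"]].append(e)

    flagged = {}
    for src, evs in by_src.items():
        best = None
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until the span fits inside `window`.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            ports = {e["dpt"] for e in evs[start:end + 1]}
            if len(ports) >= min_ports and (best is None or len(ports) > len(best)):
                best = ports
        if best is not None:
            accepted = sorted(
                p for p in best
                if any(e["action"] == "ACCEPT" and e["dpt"] == p for e in evs)
            )
            flagged[src] = {"ports": sorted(best), "accepted": accepted}
    return flagged


if __name__ == "__main__":
    for src, info in detect_scanners(parse_log(SAMPLE_LOG)).items():
        print(f"{src}: probed {info['ports']}, got through on {info['accepted']}")
```

The `accepted` list is the part worth acting on: a scanner that is dropped on every port is background noise, but a scanner that got a SYN through to a forwarded DVR port has found exactly the hole the post is warning about.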
How secure is your computer? There is a well known and trusted automatic port scanner located at www.grc.com. Click on ‘Shields Up’ and follow the directions. I use this service all the time. It will tell you what is open, how to secure open ports, and whether your computer is responding to “pings”. There is also a ton of information concerning various ports, their vulnerabilities, and possible solutions for closing them. Ideally, your computer should be invisible to hackers pinging your network.
Of course, life without open ports would be tough: you could not run programs or communicate with and through other networks to other machines. The right course of action is to understand what the contractor means when he/she says ‘I’ll open a port on your router and forward it to the DVR’s IP address (or whatever device)’. It can be difficult to understand all of the implications of opening that port and how to protect it. The chances are good that the technician doing the work does not truly understand it either.
When using Honeywell IP products, like Total Connect remote services, there is no need to open ANY additional ports in your firewall. Why? Because the Honeywell equipment polls (checks into) the Honeywell AlarmNet Center every 20 seconds. When you want to connect to your equipment, you are actually connecting to a secure server at AlarmNet. When AlarmNet gets your request to connect to your equipment, it waits for your equipment to check in, and connects the two of you through a secure server located and maintained at AlarmNet. The DoD, DoE and the military like this idea and use AlarmNet by Honeywell because it is secure.
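The reason this design needs no forwarded port is that the device only ever makes outbound connections: the single listener in the whole arrangement is the hosted relay, and both the device and the user connect out to it. The following is an added toy model of that rendezvous pattern, written for this page; it is not Honeywell’s or AlarmNet’s code and it assumes nothing about their actual protocol. All three parties run locally on 127.0.0.1, the relay picks a free port, the device identifies itself with a `DEVICE` line and waits for a command, and the user sends a `USER` line followed by one command. The command set (`ARM STAY`) and the line-based framing are invented for the demo; there is no encryption here, which a real service would add.

```python
import socket
import threading

HOST = "127.0.0.1"  # everything runs locally; the relay stands in for a hosted service


def start_relay():
    """Rendezvous relay: an assumed, simplified stand-in for a hosted server like the
    one the post describes. It is the ONLY listener in this demo. It accepts one
    outbound connection from the device and one from the user, then passes a single
    request/response pair between them. Returns (port, thread)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((HOST, 0))  # port 0 = let the OS pick a free port
    srv.listen(2)
    port = srv.getsockname()[1]

    def serve():
        peers = {}
        for _ in range(2):
            conn, _addr = srv.accept()
            rfile = conn.makefile("rb")
            role = rfile.readline().strip().decode()  # first line names the peer's role
            peers[role] = (conn, rfile)
        dev_sock, dev_file = peers["DEVICE"]
        usr_sock, usr_file = peers["USER"]
        request = usr_file.readline()   # user's command arrives on the user's link
        dev_sock.sendall(request)       # relayed down the device's OUTBOUND link
        response = dev_file.readline()  # device answers on that same link
        usr_sock.sendall(response)
        for s in (dev_sock, usr_sock, srv):
            s.close()

    t = threading.Thread(target=serve, daemon=True)
    t.start()
    return port, t


def device_session(relay_port, handler):
    """Device side: a purely outbound connection, like the periodic check-in in the
    post. It never calls listen(), so there is no port on it to forward."""
    s = socket.create_connection((HOST, relay_port))
    f = s.makefile("rb")
    s.sendall(b"DEVICE\n")
    cmd = f.readline()
    s.sendall(handler(cmd))
    s.close()


def user_request(relay_port, command):
    """User side: also outbound-only, and only to the relay, never to the device."""
    s = socket.create_connection((HOST, relay_port))
    f = s.makefile("rb")
    s.sendall(b"USER\n" + command)
    reply = f.readline()
    s.close()
    return reply


def panel_handler(cmd):
    """Toy alarm-panel command set, invented for the demo."""
    return b"OK: armed stay\n" if cmd.strip() == b"ARM STAY" else b"ERR: unknown command\n"


def run_demo():
    """Start relay and device, send one command as the user, return the device's reply."""
    port, relay = start_relay()
    dev = threading.Thread(target=device_session, args=(port, panel_handler), daemon=True)
    dev.start()
    reply = user_request(port, b"ARM STAY\n")
    dev.join(5)
    relay.join(5)
    return reply


if __name__ == "__main__":
    print(run_demo().decode().strip())
```

The thing to notice is where `listen()` appears: only in `start_relay()`. The device and user sockets are created with `create_connection()`, which is why the firewall in front of the device needs no inbound rule at all; it only has to allow the device’s outgoing check-in, which home routers allow by default.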
There is a small monthly fee to use the AlarmNet service. Why? Because they hire people who know what real network security is to run the place. You get what you pay for. Pay nothing, and you could get about that much security.
What’s the sense of installing a DVR and cameras for security if you need to compromise the firewall to use it? There is a better way; email me and I’ll tell you all about it: mlomega@safe-t-tech.com