security best practice: you can offer your guests free Internet access without letting them
look around your cameras, computers, personal files or, worse, your router!).
DMZ
If your router offers the DMZ functionality (De-Militarized Zone!), it’s good to know that devices
you attach to the DMZ will be exposed to the Internet but usually cannot access the internal
network. In this way, if they get compromised, the malicious attacker should remain confined to
the exposed device, without an easy route to your home systems and data. Consult the router
manual to learn more about the DMZ configuration when available.
Port forwarding
One important role of the router is to control the traffic between the internal and the external
worlds.
Typically, in a basic setup, all the internal devices can reach any destination on the Internet, but
nothing from the Internet can reach an internal device (except for answers to communications
initiated by an internal device, such as requesting a web page). In this way, your router protects
your devices from unauthorized access attempts coming from literally anywhere in the world.
Sometimes, certain internal devices may act as a server and need to be reached from the
Internet in order to provide the information they generate. For example, surveillance cameras
have a built-in video server that you can reach only when you are in the internal home network
(not very useful). If you want to see the video feed from outside and the camera manufacturer
doesn’t provide a cloud service, you need to expose the camera to the public Internet. To do
this, your router provides the port forwarding service. Game consoles may need port
forwarding for multi-player online gaming. Skype, WhatsApp and other similar communication
tools may need port forwarding to allow bi-directional chats with audio and video. BitTorrent
may need port forwarding to communicate with more peer nodes and speed up file transfer.
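The three behaviours described above (replies to connections started inside the network are let back in, explicit port forwards reach one chosen device, and a DMZ host receives everything else while being kept away from the rest of the LAN) can be modelled in a few lines. The following is an added illustration, not Fingbox code or any router's firmware; the LAN range, public address, hosts and rules are constructed, and the NAT is assumed to keep source ports unchanged.

```python
from dataclasses import dataclass, field
from typing import Optional

LAN_PREFIX = "192.168.1."      # constructed home LAN range
WAN_ADDRESS = "203.0.113.10"   # constructed public address (RFC 5737 documentation range)


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class HomeRouter:
    # Manual port-forwarding table: WAN port -> (LAN host, LAN port)
    port_forwards: dict = field(default_factory=dict)
    # Optional DMZ host: receives any unsolicited inbound packet that is not forwarded above
    dmz_host: Optional[str] = None
    # Connection-tracking table: (LAN host, LAN port, remote host, remote port)
    flows: set = field(default_factory=set)

    def handle(self, pkt: Packet):
        """Return (verdict, LAN destination) for one packet seen by the router."""
        src_lan = pkt.src.startswith(LAN_PREFIX)
        dst_lan = pkt.dst.startswith(LAN_PREFIX)

        if src_lan and dst_lan:
            # The DMZ host is kept away from the internal network
            if pkt.src == self.dmz_host:
                return "drop", None
            return "allow", (pkt.dst, pkt.dport)

        if src_lan:
            # Outbound: remember the flow so that the answer can come back in
            self.flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "allow", None

        if pkt.dst != WAN_ADDRESS:
            return "drop", None   # not addressed to this router

        # Inbound answer to a flow that an internal device started (port-preserving NAT assumed)
        for host, lport, remote, rport in self.flows:
            if remote == pkt.src and rport == pkt.sport and lport == pkt.dport:
                return "allow", (host, lport)

        # Explicit port forward, e.g. a camera's video server
        if pkt.dport in self.port_forwards:
            return "allow", self.port_forwards[pkt.dport]

        # Anything else lands on the DMZ host, if there is one, or is dropped
        if self.dmz_host:
            return "allow", (self.dmz_host, pkt.dport)
        return "drop", None


def demo():
    """Walk through the cases from the text and return the verdicts (constructed traffic)."""
    basic = HomeRouter(port_forwards={8080: ("192.168.1.20", 80)})
    out = {}
    out["laptop_requests_page"] = basic.handle(Packet("192.168.1.10", 51000, "198.51.100.5", 443))
    out["web_server_answers"] = basic.handle(Packet("198.51.100.5", 443, WAN_ADDRESS, 51000))
    out["unsolicited_rdp"] = basic.handle(Packet("198.51.100.77", 40000, WAN_ADDRESS, 3389))
    out["forwarded_camera"] = basic.handle(Packet("198.51.100.77", 40001, WAN_ADDRESS, 8080))

    with_dmz = HomeRouter(dmz_host="192.168.1.99")
    out["dmz_receives_rdp"] = with_dmz.handle(Packet("198.51.100.77", 40000, WAN_ADDRESS, 3389))
    out["dmz_cannot_reach_lan"] = with_dmz.handle(Packet("192.168.1.99", 5000, "192.168.1.10", 445))
    return out


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:24s} -> {verdict}")
```

Note how the unsolicited packet to port 3389 is dropped by the basic router but delivered to the DMZ host once one is configured: the DMZ host takes every unsolicited inbound connection, so it must be able to look after itself.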
UPnP and NAT-PMP
Port forwarding can be configured manually or automatically whenever the applications need
it. Manual configuration is typically done via the router configuration web page or mobile app.
For automatic port forwarding, many routers offer services like UPnP and NAT-PMP that
applications can use to open the ports they need.
Unfortunately, UPnP and NAT-PMP do not ask for any authorization to open the ports, and
malicious applications can use them to expose the network to the Internet and gain
unauthorized access or leak information. For example, a piece of malware may ask UPnP to expose
a Windows service or a surveillance camera with a software vulnerability.
This lack of access control makes UPnP and NAT-PMP potential security hazards. Many
security-conscious users prefer to turn off these services in their router configuration.
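Because nothing asks for authorization, the only way to know what UPnP has opened is to read the router's port-mapping table back and review it. The standard UPnP IGD action for that is GetGenericPortMappingEntry, whose SOAP response carries one mapping per call. The block below is an added example, not part of the Fingbox guide or app: it parses such responses and flags mappings that expose services a home user would rarely want on the Internet. The two responses are constructed samples; the watch-list of sensitive ports is an assumption chosen for illustration, and the network query that would fetch real responses from a router is not included.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Services whose exposure to the Internet deserves a second look (assumed watch-list)
SENSITIVE_PORTS = {
    22: "SSH", 23: "Telnet", 445: "SMB", 554: "RTSP camera video",
    3389: "RDP", 5900: "VNC", 8080: "HTTP admin interface",
}


@dataclass
class PortMapping:
    remote_host: str        # empty string means: any Internet address may connect
    external_port: int
    protocol: str
    internal_port: int
    internal_client: str
    enabled: bool
    description: str
    lease_seconds: int      # 0 means the mapping never expires


def parse_mapping(soap_xml: str) -> PortMapping:
    """Parse one GetGenericPortMappingEntryResponse (UPnP IGD WANIPConnection) body."""
    root = ET.fromstring(soap_xml)
    fields = {}
    for el in root.iter():
        tag = el.tag.split("}")[-1]          # drop any namespace prefix
        if tag.startswith("New"):
            fields[tag] = (el.text or "").strip()
    return PortMapping(
        remote_host=fields.get("NewRemoteHost", ""),
        external_port=int(fields["NewExternalPort"]),
        protocol=fields["NewProtocol"],
        internal_port=int(fields["NewInternalPort"]),
        internal_client=fields["NewInternalClient"],
        enabled=fields.get("NewEnabled", "1") == "1",
        description=fields.get("NewPortMappingDescription", ""),
        lease_seconds=int(fields.get("NewLeaseDuration", "0")),
    )


def audit(mappings):
    """Return one finding per enabled mapping, with a severity and the reasons for it."""
    findings = []
    for m in mappings:
        if not m.enabled:
            continue
        reasons = []
        service = SENSITIVE_PORTS.get(m.internal_port) or SENSITIVE_PORTS.get(m.external_port)
        if service:
            reasons.append(f"exposes {service} on {m.internal_client}")
        if m.remote_host == "":
            reasons.append("accepts connections from any Internet address")
        if m.lease_seconds == 0:
            reasons.append("permanent mapping (lease 0)")
        findings.append({
            "client": m.internal_client,
            "external_port": m.external_port,
            "protocol": m.protocol,
            "description": m.description,
            "severity": "high" if service else "info",
            "reasons": reasons,
        })
    return findings


def _response(**kw):
    # Build a constructed SOAP response in the shape a router returns
    body = "".join(f"<{k}>{v}</{k}>" for k, v in kw.items())
    return ('<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body>'
            '<u:GetGenericPortMappingEntryResponse '
            'xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1">'
            f"{body}</u:GetGenericPortMappingEntryResponse></s:Body></s:Envelope>")


SAMPLE_RESPONSES = [   # constructed: one worrying mapping, one routine game-console mapping
    _response(NewRemoteHost="", NewExternalPort=3389, NewProtocol="TCP", NewInternalPort=3389,
              NewInternalClient="192.168.1.50", NewEnabled=1,
              NewPortMappingDescription="remote-desktop", NewLeaseDuration=0),
    _response(NewRemoteHost="", NewExternalPort=3074, NewProtocol="UDP", NewInternalPort=3074,
              NewInternalClient="192.168.1.30", NewEnabled=1,
              NewPortMappingDescription="console", NewLeaseDuration=3600),
]


def run_audit(responses=SAMPLE_RESPONSES):
    return audit(parse_mapping(r) for r in responses)


if __name__ == "__main__":
    for f in run_audit():
        print(f"[{f['severity']}] {f['protocol']} {f['external_port']} -> {f['client']}: "
              + "; ".join(f["reasons"]))
```

Running the audit periodically, or whenever a new mapping appears, is a practical middle ground for users who want to keep UPnP on for their console but still notice when something else opens a port.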
Fingbox User’s Guide - App v6.2.1 Page 44