ver2go

Why Port forward over VPN?


I'm curious as to why port forwarding seems like the default solution here. From looking through a few of the posts, a number of folks use DD-WRT. DD-WRT with VPN makes it fairly easy.

With VPN you will have better security. Your DVR is not subjected to attacks over the internet. Plus you'll be able to access all your DVRs (or any device) on your network without having to port forward for each device.


We use what is easiest. I've played with VPNs and it seems harder than it is worth... fewer moving parts.

Installers take the path of least resistance.


VPNs are a good solution with encrypted end-to-end transport but can be difficult to set up and troubleshoot. Some users may not have routers with VPN pass-through; additionally VPNs, especially IPsec, add additional bandwidth overhead. For me the biggest advantage with port forwarding is that my DVR is instantly available from virtually any PC or mobile phone without having to go through the trouble of installing and setting up a VPN client for every device I may want to use to access my DVR.

On security-critical installations and anything which is running in an enterprise environment VPN is the way to go, but as always it's a trade-off between greater security and convenience.

 

Steve


Well, you can open a port on the router to port forward to a computer running an SSH server. There are many ways to set up this application on a server behind the router's firewall with minimal resources needed. This way there would be an encrypted tunnel through the internet before you accessed any application, giving better security. I agree that scanners would try to pick at the open port, giving your internet a headache. There are many SSH servers to choose from depending on the operating system you want to use. Read up on secure shell port forwarding with your favorite search engine.

[Security Hombre]


If you're running behind a half-way decent firewall (either PC-based or appliance), you can simply pick a high random port number (30,000 or so) to forward to your DVR's web port (usually 80). That way, if some knucklehead is scanning your IP address, your firewall should drop his connection after a couple of port hits (and he's likely to be scanning the lower 1024 ports for common services anyway).

 

Unless your antagonist has an infinite number of IP addresses to use, he'll probably move on to easier targets rather than continue to knock on your ports and get blacklisted by your firewall.

 

If you want to get tricky, you can implement port-knocking:

 

http://www.portknocking.org/
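The port-knocking idea linked above, worked through as an added example; this is not code from the post or from portknocking.org. It is a Python model of the decision a knock daemon makes: a source must hit three closed ports in a fixed order within a short window before the forwarded DVR port is opened to that source for a limited time. The knock ports, the window lengths, the forwarded port and the addresses are all assumptions chosen for the example. The constructed traffic at the bottom includes the cases a practitioner would want to see: a sequential scanner that happens to hit the first knock port gets reset by its very next probe, a slow knocker exceeds the window, and the legitimate client loses access once its window lapses.

```python
"""Added example: a minimal port-knocking gate in front of a forwarded DVR port.

Everything here is constructed for illustration: the knock sequence, the
window lengths, the protected port and the source addresses are assumptions,
not values from the thread. A real daemon would watch firewall logs or a raw
socket and insert/remove firewall rules; this class only models the decision.
"""

KNOCK_SEQUENCE = (7000, 8000, 9000)  # hypothetical: three closed ports, in order
KNOCK_WINDOW = 10                     # seconds allowed to complete the sequence
OPEN_SECONDS = 30                     # how long the gate stays open for the knocker
DVR_PORT = 30412                      # hypothetical high port forwarded to the DVR's port 80


class PortKnockGate:
    """Tracks each source's progress through the knock sequence and opens
    DVR_PORT to that source only after the full sequence arrives in order."""

    def __init__(self, sequence=KNOCK_SEQUENCE, window=KNOCK_WINDOW,
                 open_seconds=OPEN_SECONDS, protected_port=DVR_PORT):
        self.sequence = tuple(sequence)
        self.window = window
        self.open_seconds = open_seconds
        self.protected_port = protected_port
        self.progress = {}      # src -> (next index into sequence, time of first knock)
        self.opened_until = {}  # src -> epoch second when its access expires

    def observe(self, ts, src, dport):
        """Return the verdict for one inbound SYN: ALLOW, OPEN, KNOCK or DROP."""
        if dport == self.protected_port:
            # Only a source that recently completed the sequence may reach the DVR.
            return "ALLOW" if self.opened_until.get(src, 0) > ts else "DROP"

        idx, started = self.progress.get(src, (0, ts))
        if idx and ts - started > self.window:
            idx, started = 0, ts  # too slow: the partial sequence is forgotten

        if dport == self.sequence[idx]:
            if idx == 0:
                started = ts
            idx += 1
            if idx == len(self.sequence):
                self.progress.pop(src, None)
                self.opened_until[src] = ts + self.open_seconds
                return "OPEN"
            self.progress[src] = (idx, started)
            return "KNOCK"

        # Any other port, including a knock port out of order or a sequential
        # scanner walking 7000, 7001, 7002..., resets that source's progress.
        self.progress.pop(src, None)
        return "DROP"


# Constructed traffic: (epoch second, source address, destination port).
SAMPLE_EVENTS = [
    (0,   "198.51.100.5", 7000),      # legitimate client knocks...
    (1,   "198.51.100.5", 8000),
    (2,   "198.51.100.5", 9000),      # ...and completes the sequence
    (3,   "198.51.100.5", DVR_PORT),  # reaches the DVR
    (4,   "203.0.113.7",  DVR_PORT),  # scanner hits the forwarded port cold
    (5,   "203.0.113.7",  7000),      # scanner happens to hit the first knock port
    (6,   "203.0.113.7",  7001),      # sequential scan: progress reset
    (7,   "203.0.113.7",  8000),      # out of order now, still closed
    (40,  "198.51.100.5", DVR_PORT),  # legitimate client's 30 s window has lapsed
    (100, "192.0.2.9",    7000),      # right ports...
    (105, "192.0.2.9",    8000),
    (115, "192.0.2.9",    9000),      # ...but 15 s end to end exceeds the 10 s window
]


def verdicts(events=SAMPLE_EVENTS, gate=None):
    """Run (ts, src, dport) events through one gate and return the verdicts in order."""
    gate = gate or PortKnockGate()
    return [gate.observe(ts, src, dport) for ts, src, dport in events]


if __name__ == "__main__":
    for (ts, src, dport), verdict in zip(SAMPLE_EVENTS, verdicts()):
        print(f"t={ts:>3} {src:<14} -> {dport:<6} {verdict}")
```

Two caveats worth keeping in mind with this scheme: the knock sequence is a shared secret sent in the clear, so anyone who can observe the knocker's traffic can replay it, and the gate only decides who may reach the forwarded port; whatever weakness the DVR's own web interface has is still exposed to every source that gets through.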


Excellent post Sawbones. As an IT consultant and Network Engineer, I often wonder why more people don't change the default listening port. Very simple and effective. Unless it's a financial or medical institute, most "bad guys" aren't going to spend the time going above 1024.

> Excellent post Sawbones. As an IT consultant and Network Engineer, I often wonder why more people don't change the default listening port. Very simple and effective. Unless it's a financial or medical institute, most "bad guys" aren't going to spend the time going above 1024.

That's exactly right... particularly if your firewall blacklists their IP after 3-4 port probes, and keeps them on the banlist for 2-3 days.

At that rate, it would take them a year or so just to get through the first 1024 ports... and if you pick a high random port, they're simply going to move on to lower-hanging fruit.
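The banlist arithmetic in the exchange above, as an added example that is not from the thread or from any poster: a Python model of a firewall that drops a source after four SYNs to closed ports and keeps it banned for three days. The forwarded port, the thresholds, the addresses and the log format are assumptions made for the example. Running a sequential 1..1024 sweep through the model shows what the bans cost a scanner working from a single address and waiting out each ban; the constructed log shows the two limits a practitioner should keep in mind: the ban is per source address, so a scanner with many addresses, or one that already knows the port, is not slowed, and the forwarded service still sees every connection that arrives on the open port.

```python
"""Added example: ban-after-N-probes firewall behaviour, simulated offline.

Constructed for illustration only: the thresholds, the forwarded port, the
addresses and the log lines below are assumptions, not values from the thread.
In practice this policy is what fail2ban or an iptables 'recent' match gives
you; this class only models the decision so the numbers can be checked.
"""
import re
from collections import defaultdict

BAN_AFTER = 4                  # SYNs to closed ports before a source is banned
BAN_SECONDS = 3 * 24 * 3600    # a banned source stays on the list for 3 days
DVR_PORT = 30412               # hypothetical high port forwarded to the DVR's port 80

# Constructed log format: "<epoch> <src> <dport>", one inbound SYN per line.
LINE_RE = re.compile(r"^(?P<ts>\d+)\s+(?P<src>[\d.]+)\s+(?P<dport>\d+)$")

SAMPLE_LOG = f"""
# epoch   src            dport
1000      203.0.113.7    21
1001      203.0.113.7    22
1002      203.0.113.7    23
1003      203.0.113.7    25
1004      203.0.113.7    {DVR_PORT}
1005      198.51.100.5   {DVR_PORT}
{1003 + BAN_SECONDS}    203.0.113.7    {DVR_PORT}
"""


def parse_events(text):
    """Turn the constructed log into (ts, src, dport) tuples; comments and blanks are skipped."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable line: {line!r}")
        events.append((int(m["ts"]), m["src"], int(m["dport"])))
    return events


class ProbeBanFirewall:
    """Accept SYNs to the forwarded port, drop the rest, and ban a source for
    ban_seconds once it has hit ban_after closed ports. Bans apply to the whole
    source address, so a banned scanner is refused even on the open port."""

    def __init__(self, open_port=DVR_PORT, ban_after=BAN_AFTER, ban_seconds=BAN_SECONDS):
        self.open_port = open_port
        self.ban_after = ban_after
        self.ban_seconds = ban_seconds
        self.misses = defaultdict(int)  # src -> probes on closed ports since last unban
        self.banned_until = {}          # src -> epoch second when the ban lifts

    def decide(self, ts, src, dport):
        """Return ACCEPT, DROP or BANNED for one inbound SYN."""
        expiry = self.banned_until.get(src)
        if expiry is not None:
            if ts < expiry:
                return "BANNED"
            del self.banned_until[src]   # ban lapsed: start counting afresh
            self.misses[src] = 0
        if dport == self.open_port:
            return "ACCEPT"
        self.misses[src] += 1
        if self.misses[src] >= self.ban_after:
            self.banned_until[src] = ts + self.ban_seconds
            return "BANNED"
        return "DROP"


def verdicts(text=SAMPLE_LOG):
    """Verdicts for the constructed log, in order."""
    fw = ProbeBanFirewall()
    return [fw.decide(ts, src, dport) for ts, src, dport in parse_events(text)]


def sequential_sweep_seconds(n_ports, src="203.0.113.9", **policy):
    """Simulate one source probing ports 1..n_ports in order, one probe per second,
    waiting out every ban it earns; return the elapsed seconds for the whole sweep."""
    fw = ProbeBanFirewall(**policy)
    ts = 0
    for port in range(1, n_ports + 1):
        verdict = fw.decide(ts, src, port)
        ts += 1
        if verdict == "BANNED" and port < n_ports:
            ts = fw.banned_until[src]   # earliest second the next probe is not refused
    return ts


if __name__ == "__main__":
    for (ts, src, dport), verdict in zip(parse_events(SAMPLE_LOG), verdicts()):
        print(f"{ts:>7} {src:<14} -> {dport:<6} {verdict}")
    days = sequential_sweep_seconds(1024) / 86400
    print(f"single-source sweep of ports 1-1024 with this policy: {days:.0f} days")
```

The sweep figure only holds for a scanner that uses one address and honours the ban by waiting; a scanner with k addresses divides the time by roughly k, and a scanner that already knows the forwarded port (from a leaked link, a phone app's configuration, or an earlier sweep) is never banned at all, which is why the port number is obscurity rather than authentication.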

> Not really, a few minutes. You can change the MAC and IP with ease!
>
> Errrr, so I'm told....

 

Well, that depends on your ISP... with mine (Shaw Cable), if I change the MAC address of my router or a directly-attached computer, I then have to cycle the power on my cable modem for it to pick up the new MAC and allow it access. That can take two or three minutes in itself - not a big deal for a one-time thing, but if you're having to do it every few minutes of war-dialing, it could really slow you down.

 

Our local telco's DSL service is even tougher - a new MAC address on the system has to be registered with their back-end. You plug in a new router or computer to your DSL modem, it gets a 10.* address on their internal network; you then log in to the customer-service page that's accessible from there and register the MAC under your account. Most are limited to something like 5 MACs as well, so after a little while you have to start deleting the old ones if you want to add new ones.

 

Changing the MAC is a handy idea for getting around IP bans on gaming servers and stuff, but I suspect with most broadband providers, not all that efficient for brute-force hacking. It would have to be someone you REALLY REALLY want to hack...

> I'm curious as to why port forwarding seems like the default solution here. From looking through a few of the posts, a number of folks use DD-WRT. DD-WRT with VPN makes it fairly easy.
>
> With VPN you will have better security. Your DVR is not subjected to attacks over the internet. Plus you'll be able to access all your DVRs (or any device) on your network without having to port forward for each device.

 

Well, it depends where you want to access your cams from...

We have some DVRs where customers connect to view their hardware being worked on. For that, we are not going to set them up on a VPN connection.

Also, they are given a specific user/pass that only displays the camera they need to be looking at.

Now, if you are setting up a DVR and you want to give access to yourself or a boss at home... then sure, set up a VPN, it works just fine. I have a few VPN tunnels set up to other offices and that is how I view those specific DVRs remotely.

> VPNs are a good solution with encrypted end-to-end transport but can be difficult to set up and troubleshoot. Some users may not have routers with VPN pass-through; additionally VPNs, especially IPsec, add additional bandwidth overhead. For me the biggest advantage with port forwarding is that my DVR is instantly available from virtually any PC or mobile phone without having to go through the trouble of installing and setting up a VPN client for every device I may want to use to access my DVR.
>
> On security-critical installations and anything which is running in an enterprise environment VPN is the way to go, but as always it's a trade-off between greater security and convenience.
>
> Steve

 

I disagree, I found setting up VPNs quite easy to be honest; you can find a free tutorial at itidiots . com

It's only setting up the encryption that's a bugger to get set up, but once you've learnt it the first time it's easy.

 

Regards

Shaun
