Enabling remote management on router from a security perspective

boomerang

Lifer
Jun 19, 2000
18,883
641
126
With a secure password, what's the consensus?

I have two homes and spend winters 1500 miles away from my primary residence. Right now, I have an IP camera at the primary residence that shows as being disconnected. This, after a power blip. Up until two weeks ago it was online and working fine.

It would be great to be able to log into my router and see if the camera has been assigned a different IP although the chances are slim that this would be the problem. It would have only occurred if the camera settings somehow got reset to out of the box settings through power cycling. But... I'd like to know.

Last year I really wanted to be able to log into the router for a reason I do not exactly recall. I was running a WHS box at the time and I was unable to log in or something along those lines IIRC. I replaced it with a Synology which is fully accessible so there is nothing wrong with the Internet connection or the router up there just as an FYI.

What do you guys think? Bad, bad, bad or what?
 

JackMDS

Elite Member
Super Moderator
Oct 25, 1999
29,552
429
126
There are risks involved.

On the other hand you can assign a real Static IP to all Network Devices that involve Remote access and put the Router on a UPS.



:cool:
 

avos

Member
Jan 21, 2013
74
0
0
Honestly, it depends on your router. With the seemingly endless accounts of consumer routers with backdoors, exploits, hardcoded passwords, and undocumented config pages it is hard to recommend allowing remote access. I'd feel more secure setting up a VPN if possible instead.
 

boomerang

Lifer
Jun 19, 2000
18,883
641
126
There are risks involved.

On the other hand you can assign a real Static IP to all Network Devices that involve Remote access and put the Router on a UPS.



:cool:
That could potentially help, but in this case if the camera settings got reset back to default the DDNS would have gotten turned off, which would be the true problem that makes it show as disconnected.

It's virtually impossible to determine what's going on remotely. I would need to access the router to see if the camera is listed as an attached device, but I would more importantly need a browser built into the Synology DSM to access the camera and change settings. My research in that regard has been less than fruitful. Regardless, I believe I had set a static IP in the camera config; I should really change it and have the router assign an IP. That would have one piece of the puzzle under control.

We'll be back in Michigan late next week and at that time I will know more. I feel that the camera either got zapped by a power blip or the settings got reset by that power blip. (I finally put my SS receiver on a UPS because with our typical power off, on, off, on, off, on type of power failures, the receiver saw that as a sign to reset everything to default settings.)
 

boomerang

Lifer
Jun 19, 2000
18,883
641
126
Honestly, it depends on your router. With the seemingly endless accounts of consumer routers with backdoors, exploits, hardcoded passwords, and undocumented config pages it is hard to recommend allowing remote access. I'd feel more secure setting up a VPN if possible instead.
Yeah, I really need to research that more. Computing was my passion for many, many years but I eventually reached a point where I just didn't desire to learn much more.
 

matricks

Member
Nov 19, 2014
194
0
0
As mentioned, many routers have backdoors for firmware recovery mechanisms, and occasionally debug backdoors that are included in final firmware. When these are discovered, they usually require that remote management is enabled to be exploitable by remote attackers.

In addition, router firmware, like most other operating systems, consists of several libraries, utilities and so on. All of these can have vulnerabilities, and keeping sub-components up to date is very low priority on these devices from the vendor perspective. Last year or early this year, several relatively modern routers were discovered to have a known vulnerability in the firmware web server, which was fixed 9 or so years ago by the web server developer. The vendors never bothered to include that fix in their firmware kit, in all that time.

I would recommend connecting by some form of VPN. OpenVPN is a common one, and if your router supports third party firmware (OpenWrt, DD-WRT et al.), it usually isn't that hard to get it going (depends on how complex the network is). A solution that requires less configuration, but is somewhat more cumbersome in day to day use, is SSH port forwarding. You just have to enable SSH in your firmware (supported in some vendor routers, even), maybe check a box for allowing port forwarding, and it works. Say you're at the first location and your camera is at the other. The camera has internal address 192.168.2.100 in the remote network; you do this on your local computer:
Code:
putty -L 9999:192.168.2.100:80 user@$remote_public_address

The command is for the Windows client PuTTY; it works with most SSH clients but the syntax might differ. Point is, now you surf to http://localhost:9999 on your local computer, and there's your web interface for your camera. Encrypted access, even.

OpenVPN, SSH or any other access method of course requires that the service is accepting outside connections. However, these components are designed for that purpose, and carry some more trustworthiness in my book than the average router firmware. You can also leave your router as it is, and set up e.g. a Raspberry Pi in the network to serve as your SSH gateway.
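To make the -L line above concrete, here is an added example (not from matricks' post or from any project) of what local port forwarding does: a loopback-only forwarder in Python plus a constructed stand-in for the camera's web UI, so it runs offline. It leaves out the SSH encryption and authentication the real tunnel gives you; the names parse_forward_spec, serve_forward, _FakeCamera and demo are mine, and the point it shows is that only 127.0.0.1 listens, so the camera UI is reachable from your own machine and from nowhere else.

```python
import contextlib
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.request import urlopen


def parse_forward_spec(spec):
    """Parse an ssh-style -L spec '[bind_addr:]port:host:hostport'."""
    parts = spec.split(":")
    if len(parts) == 3:
        parts.insert(0, "127.0.0.1")  # like ssh: bind to loopback only, so the LAN sees nothing
    bind_addr, port, host, hostport = parts  # ValueError if the spec is malformed
    return bind_addr, int(port), host, int(hostport)


def _pump(src, dst):
    """Relay bytes one way until src closes, then half-close dst so the peer sees EOF."""
    try:
        for chunk in iter(lambda: src.recv(4096), b""):
            dst.sendall(chunk)
    finally:
        with contextlib.suppress(OSError):  # peer may already be gone
            dst.shutdown(socket.SHUT_WR)


def serve_forward(spec):  # listen on the bind side, relay each connection to host:hostport
    bind_addr, port, host, hostport = parse_forward_spec(spec)
    srv = socket.create_server((bind_addr, port))

    def accept_loop():
        while True:
            client, _ = srv.accept()
            upstream = socket.create_connection((host, hostport))
            threading.Thread(target=_pump, args=(client, upstream), daemon=True).start()
            threading.Thread(target=_pump, args=(upstream, client), daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv.getsockname()[1]  # port actually bound (spec port 0 = any free port)


class _FakeCamera(BaseHTTPRequestHandler):  # constructed stand-in for the camera's web UI
    def do_GET(self):
        self.send_response(200)
        self.send_header("Content-Length", "9")
        self.end_headers()
        self.wfile.write(b"Camera OK")


def demo():
    """Loopback-only version of the thread's '-L 9999:192.168.2.100:80' forward."""
    cam = HTTPServer(("127.0.0.1", 0), _FakeCamera)
    threading.Thread(target=cam.serve_forever, daemon=True).start()
    local_port = serve_forward("127.0.0.1:0:127.0.0.1:%d" % cam.server_port)
    with urlopen("http://127.0.0.1:%d/" % local_port, timeout=5) as resp:
        return resp.read()
```

demo() does what a browser pointed at http://localhost:9999 does in the real setup: it talks to the forwarded port on loopback and gets the camera page back through the relay.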
 

boomerang

Lifer
Jun 19, 2000
18,883
641
126
As mentioned, many routers have backdoors for firmware recovery mechanisms, and occasionally debug backdoors that are included in final firmware. When these are discovered, they usually require that remote management is enabled to be exploitable by remote attackers.

In addition, router firmware, like most other operating systems, consists of several libraries, utilities and so on. All of these can have vulnerabilities, and keeping sub-components up to date is very low priority on these devices from the vendor perspective. Last year or early this year, several relatively modern routers were discovered to have a known vulnerability in the firmware web server, which was fixed 9 or so years ago by the web server developer. The vendors never bothered to include that fix in their firmware kit, in all that time.

I would recommend connecting by some form of VPN. OpenVPN is a common one, and if your router supports third party firmware (OpenWrt, DD-WRT et al.), it usually isn't that hard to get it going (depends on how complex the network is). A solution that requires less configuration, but is somewhat more cumbersome in day to day use, is SSH port forwarding. You just have to enable SSH in your firmware (supported in some vendor routers, even), maybe check a box for allowing port forwarding, and it works. Say you're at the first location and your camera is at the other. The camera has internal address 192.168.2.100 in the remote network; you do this on your local computer:
Code:
putty -L 9999:192.168.2.100:80 user@$remote_public_address

The command is for the Windows client PuTTY; it works with most SSH clients but the syntax might differ. Point is, now you surf to http://localhost:9999 on your local computer, and there's your web interface for your camera. Encrypted access, even.

OpenVPN, SSH or any other access method of course requires that the service is accepting outside connections. However, these components are designed for that purpose, and carry some more trustworthiness in my book than the average router firmware. You can also leave your router as it is, and set up e.g. a Raspberry Pi in the network to serve as your SSH gateway.
Thank you very, very much for your reply. You have explained some things for me that will be very helpful to get me started.

I have put DD-WRT on routers at home in the past. And the routers at both my residences now are identical models with the same SSID (everything just plain connects with no futzing whichever location we're at :thumbsup:) and both were purchased in part because they can run DD-WRT.