Port scanning and you

NoStateofMind

Diamond Member
Oct 14, 2005
I was setting up my router for port forwarding and noticed in the section "DMZ" and the ports. My router states that using the DMZ would open all ports and is not recommended for security reasons. It says to select an individual port to forward to prevent such things happening. Is this really a concern? Should I be worried?

Would a computer port scanning my router be able to infect my machine with a virus? I'm not too smart when it comes to networking so I would be thankful for any guidance.
 

spidey07

No Lifer
Aug 4, 2000
Port scanning is very real. It's what is called "background noise" on the internet. Personally I would never put a machine in "the dmz" where all ports are forwarded to a certain machine.

I preface this with a "I'm not a security nazi, I just know what is possible."

Putting a machine in the "DMZ" on a SOHO router just means it blindly forwards requests coming into the router to your computer. This means if you have any vulnerable applications listening on that port they will get exploited. This means every single application on that box (including the OS) had better not have any active exploits.

To answer your question - yes, depending on your operating system and applications listening on those ports.
 

JackMDS

Elite Member
Super Moderator
Oct 25, 1999
To use the DMZ is a bad idea.

To use port forwarding according to the needs of certain applications is a necessity, and there is nothing that you can do about it.

Millions of people use Routers and have to forward ports, and sleep well.

Besides being on a Router, each Network computer should have software firewall, Antivirus and Anti-Spyware applications, and the rest is up to God or whatever other higher power that you believe in.

http://www.ezlan.net/routers1.html
 

Nothinman

Elite Member
Sep 14, 2001
Use DMZ only when you are testing new configurations, applications etc.

That's the worst time to use a "DMZ" on a SOHO router; you should only even consider putting a machine in one after you're 100% sure that it's set up properly and secure.
 

VirtualLarry

No Lifer
Aug 25, 2001
DMZ is dangerous, normally. However, I use two nested routers, so I have double-NAT going on, so on the outer router I enable "Static NAT" (for some reason, DMZ didn't work, I still don't know the difference between the two), to the LAN IP of the inner-most router, and then on the innermost router, I port-forward needed ports to services running on my LAN.

 

Red Squirrel

No Lifer
May 24, 2003
Originally posted by: Nothinman
Use DMZ only when you are testing new configurations, applications etc.

That's the worst time to use a "DMZ" on a SOHO router; you should only even consider putting a machine in one after you're 100% sure that it's set up properly and secure.

If you want to test in a non-secure, separate environment, that's fine; you just have to know what is happening.

Basically it's like plugging that machine right into the modem. I've never had a use for it myself, but I could see it come in handy; just don't put an actual production machine on there!

But if you have a test box you are ready to reformat at any time, then you could put it on the DMZ, e.g. to test security on a setup or something.

One thing I'm unsure of is if the machine on the DMZ has access to the rest of the network. I've never actually done this before. If it does have access to the rest of the network then yeah, DO NOT use that feature. You are better off getting a switch or hub, plugging it into your modem, plugging your router into one port and the PC you want wide open into the other port.

Also, port scanning is basically a program that tries to connect to each port one by one, then displays which ports are open. Some are more advanced than that, but that's basically what they do. I had fun with those when I was a kid... back in the Win98 days, good ol' port 139 scans. It's scary how many people do not know anything about basic security.
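The one-port-at-a-time behaviour described above leaves a recognisable trace in a router or host firewall log: one source touching many distinct ports in a few seconds. The following is an added example, not code from this thread, that flags such sources; the log format and sample lines are constructed.

```python
# Added example: flag sources that probe many distinct ports in a short
# sliding window, the footprint of a sequential port scan. Log format is
# a constructed "<timestamp> DROP <src_ip> -> <dst_port>" line.
from collections import defaultdict
from datetime import datetime

# Constructed sample log: one host sweeping ten ports in four seconds,
# one host touching two ports five minutes apart (normal background noise).
SAMPLE_LOG = """\
2024-01-01T10:00:01 DROP 203.0.113.5 -> 21
2024-01-01T10:00:01 DROP 203.0.113.5 -> 22
2024-01-01T10:00:02 DROP 203.0.113.5 -> 23
2024-01-01T10:00:02 DROP 203.0.113.5 -> 25
2024-01-01T10:00:03 DROP 203.0.113.5 -> 80
2024-01-01T10:00:03 DROP 203.0.113.5 -> 139
2024-01-01T10:00:04 DROP 203.0.113.5 -> 443
2024-01-01T10:00:04 DROP 203.0.113.5 -> 445
2024-01-01T10:00:05 DROP 203.0.113.5 -> 3389
2024-01-01T10:00:05 DROP 203.0.113.5 -> 8080
2024-01-01T10:00:07 DROP 198.51.100.9 -> 139
2024-01-01T10:05:00 DROP 198.51.100.9 -> 445
"""

def parse_line(line):
    ts, _, src, _, port = line.split()
    return datetime.fromisoformat(ts), src, int(port)

def detect_scanners(log_text, window_seconds=60, min_ports=8):
    """Return {src_ip: sorted distinct ports} for every source that touched
    at least min_ports distinct ports inside some window_seconds window."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, src, port = parse_line(line)
            events[src].append((ts, port))
    hits = {}
    for src, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it fits window_seconds.
            while (evs[end][0] - evs[start][0]).total_seconds() > window_seconds:
                start += 1
            ports = {p for _, p in evs[start:end + 1]}
            if len(ports) >= min_ports and len(ports) > len(hits.get(src, [])):
                hits[src] = sorted(ports)
    return hits

if __name__ == "__main__":
    for src, ports in detect_scanners(SAMPLE_LOG).items():
        print(f"probable scan from {src}: {len(ports)} ports {ports}")
```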
 

Crusty

Lifer
Sep 30, 2001
Originally posted by: RedSquirrel
Originally posted by: Nothinman
Use DMZ only when you are testing new configurations, applications etc.

That's the worst time to use a "DMZ" on a SOHO router; you should only even consider putting a machine in one after you're 100% sure that it's set up properly and secure.

If you want to test in a non-secure, separate environment, that's fine; you just have to know what is happening.

Basically it's like plugging that machine right into the modem. I've never had a use for it myself, but I could see it come in handy; just don't put an actual production machine on there!

But if you have a test box you are ready to reformat at any time, then you could put it on the DMZ, e.g. to test security on a setup or something.

One thing I'm unsure of is if the machine on the DMZ has access to the rest of the network. I've never actually done this before. If it does have access to the rest of the network then yeah, DO NOT use that feature. You are better off getting a switch or hub, plugging it into your modem, plugging your router into one port and the PC you want wide open into the other port.

Also, port scanning is basically a program that tries to connect to each port one by one, then displays which ports are open. Some are more advanced than that, but that's basically what they do. I had fun with those when I was a kid... back in the Win98 days, good ol' port 139 scans. It's scary how many people do not know anything about basic security.

On SOHO routers that's exactly what happens: the firewall is wide open to the computer in the DMZ, and then that computer is wide open to the rest of the network. You might as well not be running a firewall at all.

In a traditional firewall your DMZ would just be a segregated network that had a firewall between internal <-> DMZ and DMZ <-> outside. You place machines that need to accept connections from the outside in your DMZ, and firewall the ports that aren't being used by that particular service.
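As an added illustration, not code from the thread, here is a small Python model of the two policies contrasted above: the SOHO "DMZ host", where every inbound port is forwarded to one LAN host that still sits on the flat LAN, versus a traditional DMZ segment filtered on both sides. Zone names, the published service ports and the rule tables are constructed assumptions.

```python
# Added example: evaluate sample flows against the two "DMZ" meanings.
# Zones, ports and rules are constructed for illustration only.
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:
    src_zone: str   # "outside", "dmz" or "internal"
    dst_zone: str
    dst_port: int

# Traditional DMZ: a separate segment with a firewall on both sides.
# Only the published service ports may enter it from outside, and nothing
# initiated from the DMZ may reach the internal LAN.
DMZ_SERVICE_PORTS = {80, 443}   # assumed published services

def traditional_dmz_allows(flow: Flow) -> bool:
    if flow.src_zone == "outside" and flow.dst_zone == "dmz":
        return flow.dst_port in DMZ_SERVICE_PORTS
    if flow.src_zone == "internal" and flow.dst_zone == "dmz":
        return True                      # LAN may manage DMZ hosts
    if flow.src_zone == "dmz" and flow.dst_zone == "internal":
        return False                     # a compromised DMZ host stays contained
    if flow.src_zone == "outside" and flow.dst_zone == "internal":
        return False
    return flow.src_zone == flow.dst_zone  # traffic inside one zone

# SOHO "DMZ host": the router forwards every inbound port to one LAN host,
# and that host shares the LAN segment with everything else.
def soho_dmz_host_allows(flow: Flow) -> bool:
    if flow.src_zone == "outside" and flow.dst_zone == "dmz":
        return True                      # all ports forwarded, no filtering
    if flow.src_zone == "outside" and flow.dst_zone == "internal":
        return False                     # only the DMZ host is exposed
    return True                          # dmz <-> internal is one flat LAN

def compare(flow: Flow) -> dict:
    """Verdict of each design for the same flow."""
    return {"traditional": traditional_dmz_allows(flow),
            "soho": soho_dmz_host_allows(flow)}

if __name__ == "__main__":
    for f in (Flow("outside", "dmz", 443), Flow("outside", "dmz", 3389),
              Flow("dmz", "internal", 445)):
        print(f, compare(f))
```

The third sample flow is the case Red Squirrel asked about: a host in a SOHO "DMZ" reaching the rest of the LAN, which a traditional DMZ blocks.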