Just How Secure Is Port 8081

dominicdq

12-10-2009 19:15:11

Hello all - Noob question here (and I don't know or can see if this has been discussed before) Just how secure is Port 8081?

I've configured my firewall to accept Port 8081 traffic and named the rule accordingly. But my thing is just how secure is the port? IBM's BlackIce security network uses this port as well ... So it must be safe? Or does anyone have any suggestions in beefing it up?

Thanks in advance for any feedback in this regard!

MockY

13-10-2009 00:27:15

To my knowledge, no port is safer than the other (please correct me if I'm wrong). A port is a port, no matter what number it is. The question is rather, how safe is the service/application accepting traffic on that port, and how is it handled by the firewall (i.e. what type of protocol)? However, non-commonly-known ports are obviously "safer" than others since they are...well...not commonly known and are generally not included in port sniffers and similar tools. 8081 is however a commonly known port (though not usually used for public use).

A list of commonly known ports is found HERE

Yukiko

13-10-2009 14:04:36

Anytime you open a port to the Internet you are taking a risk. There is no "safe" port really. Using an obscure or "not-well-known" port might be safer but there is the chance of setting up a sense of false security with that train of thought. Also, as MockY points out, the security of a port depends on the programs and services that are monitoring and accepting packets from that port. Many port insecurities found are due to flaws in the software servicing those ports. Things such as buffer overrun errors are very common sources of remote code exploits that could allow remote access and control of your system. These types of problems are not easily discovered and may not materialize for years. I won't bore you with the nitty gritty details (yeah I know...too late) of how this is accomplished and all that. You can find out a ton about Internet and operating system security issues by listening to or reading the transcripts of the Security Now! Netcast produced by Leo LaPorte and Steve Gibson found at http://www.twit.tv/sn

I say all that because I don't want to give you a false sense of security when I say, ya probably are fairly safe with port 8081 unless Vibe Streamer or any other service you have listening on port 8081 has a security flaw.

If you are truly concerned and want to really tighten up your local network and yet still have ports open to the Internet you can use the three router approach recommended by Steve Gibson. It involves attaching the first of the three routers to your WAN (Internet Modem). Let's call that one the "Front Line Router". Then you attach a second router to one of the wired ports of the Front Line Router. We'll call that the LAN or Local Area Network Router. That one will be the "safe" zone where your home network computers are attached. The last router we attach to another wired port of the Front Line Router. That one we'll call the "Open Router". The Open Router is where you will attach the system running Vibe and any other computers you are going to have open to the Internet. There are setup issues you'd have to do such as forwarding the necessary ports on the Front Line Router to the Open Router so that those same ports are accessible by the machines attached to the Open Router.

I think for most of us though that is more than we are willing to do and that is understandable.

Security, whether Online or physical, isn't hassle free.

Anyway, sorry if I have given you more info than you asked for.
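
Added example, not part of the original thread: since the risk sits with whatever service is listening on the forwarded port, this Python script decodes Linux `/proc/net/tcp` entries and compares the listening sockets with the ports the firewall forwards. The sample table, the second forwarded port 8082 and the function names are constructed for illustration; it assumes IPv4 and a little-endian host.

```python
import socket
import struct

# Constructed sample in the /proc/net/tcp layout (not captured from a real host).
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:1F91 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 20001
   1: 0100007F:0CEA 00000000:0000 0A 00000000:00000000 00:00000000 00000000   112        0 20002
   2: 0A01A8C0:1F91 0501A8C0:C3A2 01 00000000:00000000 00:00000000 00000000  1000        0 20003
"""

TCP_LISTEN = "0A"  # kernel state code for a listening socket


def decode_endpoint(field):
    """Turn 'HEXADDR:HEXPORT' into (dotted_ip, port); the address is little-endian."""
    addr_hex, port_hex = field.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(addr_hex, 16)))
    return ip, int(port_hex, 16)


def listeners(proc_text):
    """Return [(ip, port, uid)] for every socket in LISTEN state (IPv4 table only)."""
    found = []
    for line in proc_text.splitlines()[1:]:  # skip the header row
        cols = line.split()
        if len(cols) < 8 or cols[3] != TCP_LISTEN:
            continue  # established connections and short lines are not listeners
        ip, port = decode_endpoint(cols[1])
        found.append((ip, port, int(cols[7])))
    return found


def exposure_report(proc_text, forwarded_ports):
    """Classify each listener against the ports the firewall forwards."""
    report = {"exposed": [], "local_only": [], "unforwarded": []}
    answered = set()
    for ip, port, uid in listeners(proc_text):
        if ip.startswith("127."):
            report["local_only"].append((ip, port, uid))   # loopback only
        elif port in forwarded_ports:
            report["exposed"].append((ip, port, uid))      # reachable from outside
            answered.add(port)
        else:
            report["unforwarded"].append((ip, port, uid))  # open on the LAN only
    # Forwarded ports with no listener are stale firewall rules worth removing.
    report["dead_forwards"] = sorted(set(forwarded_ports) - answered)
    return report


if __name__ == "__main__":
    print(exposure_report(SAMPLE_PROC_NET_TCP, {8081, 8082}))
```

On a real Linux host, pass the contents of `/proc/net/tcp` instead of the sample; the uid column tells you which account owns the exposed service.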

MockY

13-10-2009 19:35:52

Most home user routers (residential gateways, or WAPs to be exact) have today at least some type of DMZ capabilities where the server can reside. No need for 3 separate routers (which in itself physically subnets the whole network and becomes a bitch to administer).
If you want to divide your networks in an easy but yet very safe way, you should take a look at SmoothWall. All of my networks (both private and business) are protected with SmoothWall (been using it for many years) where the public side, LAN side and Wireless side is completely separate. It is a treat to administer and works beautifully. It might be overkill, but something you should look into if your top priority is security and ease of administration (as well as a computer that collects dust). It's free to download, use, and distribute. You can grab it HERE

Furthermore, you might want to run VibeStreamer on a *nix OS (Debian or Ubuntu are both excellent choices) if you want to tighten security on an OS level.

dominicdq

13-10-2009 21:58:50

No security guru here however I somewhat get the point and where the proverbial strength of the chain is at its weakest link and may consider migrating VS to BSD. Thanks again! 8)

Yukiko

14-10-2009 13:50:22

No matter what OS you use it is also very important to keep it up-to-date as well. Vulnerabilities can crop up in the "most secure" operating systems. So always watch for update alerts.

If you run Windows you should enable automatic update to, at the very least, download the updates for you to review prior to installing them. That avoids having to reboot at an inconvenient time.

thiru06

15-10-2009 18:50:56

> Most home user routers (residential gateways, or WAPs to be exact) have today at least some type of DMZ capabilities where the server can reside. No need for 3 separate routers (which in itself physically subnets the whole network and becomes a bitch to administer).
> If you want to divide your networks in an easy but yet very safe way, you should take a look at SmoothWall. All of my networks (both private and business) are protected with SmoothWall (been using it for many years) where the public side, LAN side and Wireless side is completely separate. It is a treat to administer and works beautifully. It might be overkill, but something you should look into if your top priority is security and ease of administration (as well as a computer that collects dust). It's free to download, use, and distribute. You can grab it HERE
>
> Furthermore, you might want to run VibeStreamer on a *nix OS (Debian or Ubuntu are both excellent choices) if you want to tighten security on an OS level.

Nice, I use smoothie too. What box are you running? I'm running mine on an IBM ThinkCentre (slim), currently using RED & GREEN. So many options to tweak security and flexibility, especially proxy and filters.

MockY

15-10-2009 19:21:37

All of my smoothies are custom built boxes made up of hardware I have lying around. I build computers for a living so I have accumulated quite a collection over the years.
Anywho, the 2 boxes I administer the most frequently are:

Roland
Express Version - 3.0-polar-i386
CPU Model - Pentium III (Coppermine)
CPU Speed - 602 Mhz
Memory - 370 Mb
Disk - 38.2 Gb
Network Config - GREEN + PURPLE + ORANGE + RED

Fort-SK
Express Version - 3.0-polar-i386
CPU Model - Pentium III (Coppermine)
CPU Speed - 1003 Mhz
Memory - 504 Mb
Disk - 28.0 Gb
Network Config - GREEN + PURPLE + RED

Yukiko

16-10-2009 14:18:58

It is easier and cheaper, if you have the spare hardware lying around, to build a custom router using a product like Smoothie. I took a brief look at Smoothie and, from what I could tell, it sounds like a good solution for folks who have unused "beige boxes" just gathering dust. Plus it is easier to administer than the three router situation I mentioned. Also, I must mention that the three router set-up is intended for those situations where one might need to have a less secure WiFi encryption (WEP) enabled for devices that do not support WPA. The one thing I would say is, if you don't have the extra beige box at hand, buying two routers (assuming you already have one router) is cheaper than buying even the cheapest bare bones box.

However, since a Smoothie powered box is essentially functioning as your router, I am curious how you secure your systems on the LAN from the computer(s) that might have ports open to the Internet. The three router set-up totally isolates the LAN from the "servers" that would be potential targets. Is this same ability built into Smoothie somehow? I mean if it is routing all traffic through the same internal network isn't there the possibility of infection from compromised server computers to the rest of the LAN?

I too am not an expert on computer/network security and this whole discussion is most likely a moot point because most of us, for one reason or another, have open ports forwarded to our desktops.

MockY

16-10-2009 19:03:51

I highly recommend (just a recommendation) that you look into the documentation about what a "Smoothie" is capable of. It will surprise you what this piece of OS can do, besides the fact that you will get to learn some valuable things about networking.

With that said, let me brief you on how it works in simple terms, or at least I'll try (I'm usually horrible at it).

A Smoothwall powered computer does not just act like a router, it IS a router. I gather as much as you are just familiar with residential gateways (regular routers you buy at Best Buy), and those devices are very limited in terms of capabilities. However, due to this fact, they are cheap and work for most regular needs and are a perfect solution for most people.

The setup that you are describing is subnetting, as in you divide your network into 3 different ones with 3 different uses. However, having more than one router in your network is an absolute nightmare in terms of administration. A much better solution is ONE box that can do exactly that. Say hello to SmoothWall.

Notice that in my previous post, I listed the current Network Config for each machine. The colors represent every network (or simply Zone or subnet) that is currently configured for that network. Each color represents a single network card. In other words, each network card installed in the box acts as a gate for each zone.
GREEN is your LAN where you have your computers and sensitive data you don't wish to share with anyone. ORANGE is the zone you put your servers. PURPLE is where you put your Wireless access points. RED is incoming network from your ISP.
None of these zones can see each other by default (and it's recommended that you leave it that way). You can in other words have absolutely no encryption on your wireless and still be sure that no one gets into your LAN. Same goes for ORANGE. Even if someone hacked your server and could pass your security, the hacker has no way of getting to your LAN, since it's on a different subnet and the router itself won't allow any traffic from that zone into the LAN.

So with one box, you have accomplished what you wanted (created 3 different networks) but you can manage all traffic from one single box.
You can also extend its capabilities by enabling DHCP, SSH, VPN, PROXY, Content Filtering...and much more.

If you still have issues visualizing what I just said, here is a picture. In the following setup, the "Smoothie" has 4 network cards, one for RED, one for ORANGE...and so on.
http://www.linux-tip.net/images/stories/Smoothwall/smoothwall.png

Even though this is an absolutely awesome setup and is a blast to administer, a "smoothie" has one minor flaw. It is dependent on your hardware. In other words, if you are using a regular hard drive, you can be a victim of it failing. However, all you need to do is install a new hard drive and apply your settings backup and it's all good again.
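
Added example, not part of the original thread and not Smoothwall's own code: a small Python model of the default-deny zone policy described in the post above. It also shows how a single exception from ORANGE into GREEN puts the LAN two hops from the Internet, which is the pivot risk raised earlier in the thread. The subnets, host addresses, rule lists and the assumption that every internal zone may open connections out to RED are made up for illustration.

```python
import ipaddress
from collections import deque

# Hypothetical subnets for the internal zones; any other address counts as RED.
ZONES = {
    "GREEN": ipaddress.ip_network("192.168.1.0/24"),   # LAN
    "ORANGE": ipaddress.ip_network("192.168.2.0/24"),  # servers
    "PURPLE": ipaddress.ip_network("192.168.3.0/24"),  # wireless
}

# Constructed exception lists: (source zone, destination IP, TCP port).
STRICT = [("RED", "192.168.2.10", 8081)]           # port forward to the streaming server
LEAKY = STRICT + [("ORANGE", "192.168.1.20", 445)]  # pinhole from the server zone into the LAN


def zone_of(ip):
    """Map an address to its zone name, defaulting to RED (the ISP side)."""
    addr = ipaddress.ip_address(ip)
    return next((z for z, net in ZONES.items() if addr in net), "RED")


def allowed(src_ip, dst_ip, port, rules):
    """May src open a new connection to dst:port? Cross-zone traffic is default-deny."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if src == dst or dst == "RED":
        return True  # same zone never crosses the router; outbound is assumed open
    return (src, dst_ip, port) in rules


def zones_exposed_to(start, rules):
    """Zones reachable from `start` by chaining exceptions, mapped to hop count."""
    hops = {start: 0}
    queue = deque([start])
    while queue:
        src = queue.popleft()
        for rule_src, rule_dst, _port in rules:
            dst = zone_of(rule_dst)
            if rule_src == src and dst not in hops:
                hops[dst] = hops[src] + 1
                queue.append(dst)
    del hops[start]
    return hops


if __name__ == "__main__":
    print("strict:", zones_exposed_to("RED", STRICT))
    print("leaky: ", zones_exposed_to("RED", LEAKY))
```

Running the same audit over an exported rule list flags any zone that appears at hop 2 or deeper from RED as reachable through a compromised server.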

Yukiko

17-10-2009 09:31:56

Right. I must have missed the use of multiple NICs. I know by using multiple network interface cards you accomplish the isolation of each subnet.

I am aware that boxes running Smoothie-like software really are routers. The cheap "residential" routers are almost always running a scaled down Linux with stripped down router functionality. The only difference (besides the aforementioned ones) is that they are firmware based.

arjaycob

15-02-2010 15:44:41

I think in some cases yes it is safe but try to notice just we are going to use an Apache Axis tool called TCPMonitor that is included with the toolkit.

anne

17-02-2010 15:38:00

And there is also ipcop.

http://www.ipcop.org/index-pn.php?module=pnWikka&tag=IPCopScreenshots

It also takes knowledge to configure, but is also very safe. It even supports RAID on your harddisk, so put two 40 GB disks in an old Pentium with a USB port to backup config file to and you are also good to go.

I have a fritzbox, and with that it translates the ADSL signals to a network signal, no way any program can replace that because it is ISP dependent.

Still a neat proggie...