UPnP, ports, firewalls, it can still be quite difficult to make something available from within your network so that it can also be reached at external locations. It is often difficult to configure your router to send the correct traffic to the correct device in your network. We will get started with UPnP and port forwarding.
Do you want to be able to reach a device from your home network, for example your NAS, even when you are not at home? By default, your home network is secured in such a way that this is not just possible, because otherwise malicious parties could also reach your network devices. So you have to adjust settings yourself. It is essential that you know what you are doing, so that you do not unwittingly weaken the security of your network. Also read: Is your NAS getting full? You can do this.
01 Internet layers
If you want to send something over the internet from point A to point B, this data is sent through a number of 'layers'. Each layer always offers some extra functionality for sending data.
At the very bottom you have the physical layer, where data in the form of signals is sent over the cable or wirelessly via WiFi. A layer above that you have a layer that sends the data over the cable or WiFi in the form of ones and zeros and that also checks for errors, and resends data if necessary. One more layer up you have the ability to send data between two network devices, something that is done via a MAC address. Each layer is a bit more abstract, at the bottom you work with physical ones and zeros, above that with packets between devices and addresses. So you have a number of layers, where each layer always uses the functions and abstractions of the layer below.
Now suppose we want to send the text "Hello, world!" to our server at home. The network layer packages the text and finds a router that can take the packet and forward it on its way to our server. The packet goes one layer deeper until it is converted into physical signals and passes through the cable. Ultimately, it arrives at our server, which reads the data. Now suppose that the server also responds with a packet that says 'Hello, PC!'. This package also goes through all layers, on its way to our computer. However, there is a problem. The package has arrived on our computer, but how does the operating system know for which program the package is intended? There are gates for that. A port is nothing more than a mailbox for a program; where Windows, Linux or macOS can deliver the data so that the program for which the data is intended can receive it.
02 Port forwarding
If you don't have a firewall, access to all your ports is open. That's not so bad, because as long as no program opens a port, nothing can happen. In addition, Windows has its own built-in firewall. If a program deploys a port and the firewall allows it, any PC anywhere can call your IP address using that port and send data to it.
At least in theory that is the case… in practice you have a router to which several PCs, laptops and tablets are connected. Suppose you want to send data to your PC somewhere outside your own network, then there is a problem. Your router does something called NAT, or Network Address Translation. This is necessary, because your internet provider only gives you one IP address per internet connection and with that one IP address you can connect exactly one device to the internet. The router solves that problem by being the only one directly connected to your provider and thus adopting that IP address, and then handing out IP addresses to your own devices.
So suppose you want to send a message to your PC at home from the coffee bar, then it makes no sense to use your local IP address, assigned by the router, because that IP address only has meaning inside your network. Outside it doesn't refer to anything. Instead, you can use your external IP address, in combination with your port. The problem is that your router has to know where the data has to go. With only the external IP address and port, the router still doesn't know for which PC, tablet or smartphone the packet is intended. That is why there is port forwarding: with this you indicate in the router that if data is on this port soon, that data must be forwarded to a specific device.
You may wonder how the internet still works on your network at all. When you visit a website, data is also sent back and forth and that data does arrive on your PC, without having set up port forwarding. That works, because your router itself already applies port forwarding for connections you set up from within, so that all packets arrive correctly where they need to be. Port forwarding itself is not a security risk, by the way. That risk comes from the application listening on that port. Suppose you forward port X to a PC that you never update, that's a big risk because of known vulnerabilities. So it's important to always keep a device up to date when forwarding a port to it.
UPnP stands for Universal Plug and Play. It allows devices on the network to "see" each other. Each device can announce itself on the network, making it easy for devices to communicate and collaborate with each other. One of the functions of UPnP is to allow a device to forward ports, so you don't have to do it manually.
Suppose your Xbox would like to receive traffic on port 32400, then the device can automatically request that from the router, which will then create the relevant rule and thus forward all traffic on that port to your Xbox by means of the IP or MAC- address. However, UPnP poses a security risk. The problem is that UPnP does not use any form of authentication. Malware can open ports that easily. The problem is that UPnP can be exploited remotely. Many UPnP implementations of router manufacturers are insecure. In 2013, a company spent six months scanning the internet to see which devices were responding to UPnP. No fewer than 6,900 devices responded, 80 percent of which were a home device such as a printer, webcam or IP camera. We therefore recommend disabling UPnP in your router. The most important conclusions from the study can be found in the box 'UPnP safe?'
The main conclusions of the UPnP safety study conducted by Rapid7.
- 2.2 percent of all public IPv4 addresses responded to UPnP traffic over the Internet, or 81 million unique IP addresses.
- 20 percent of those IP addresses not only responded to the internet traffic, but also, reachable remotely, offered an API to configure the UPnP device with!
- 23 million devices use a vulnerable version of libupnp, a widely used software library that implements the UPnP protocol. Vulnerabilities in that version can be exploited remotely, requiring only one UDP packet.