Posted to sci.electronics.repair
Jeff Liebermann
Maybe OT - Home Network issue

On Sat, 07 Jan 2012 18:19:15 +0000, Adrian C
wrote:

>On 07/01/2012 16:58, bobvalli wrote:
>
>> If I open IE on a computer connected to the home network and type in
>> 192.168.1.105:3100 I'm able to access and view the connected cameras
>>
>> However if I'm on a computer that is outside of my home network and I
>> type in 76.127.144.xxx or 76.127.144.xxx:3100 the page can't be found.
>
>Don't do it that way, you'll soon have hackers swimming around your
>network trying one known exploit after another.


Ummm... Please explain to me how opening 3 ports to a specific device
(web camera) can open the entire network to hackers. Unless there is
a security problem in the web camera (it does happen), I don't see how
this can be done.

Incidentally, I'm amazed at how many cheap routers hang with this
rather old tester:
http://www.pcflank.com/exploits.htm

>Your connections will
>also drop if the external ISP engages to block or traffic manage these
>ports - some do.


Most block port 25 (SMTP) to discourage spam relays and users running
their own mail servers. There are also a few that block or throttle
BitTorrent and other forms of file sharing. However, that's done by
sniffing the traffic, not by any specific port number. A few block
port 80 (HTTP) for no rational reason. Except for the various
satellite providers, none that I know about block any other incoming
ports.

If you're worried about outside hackers, they're far more likely to
pound on port 8080 (remote admin) on the assumption that most users
don't bother to change the default password on their router.

>If you have a machine permanently running on your network, or you can
>make one start remotely, install a VPN endpoint service on it. There are
>many to choose from - I use OpenVPN on a linux box.


Yep. That's secure. It can also be done on the WRT54G using
alternative firmware (i.e. DD-WRT). The problem is that the WRT54G
lacks sufficient CPU power to run more than one VPN tunnel at a time.
Seems a bit too complicated a solution to secure just a web camera.

Incidentally, both my office and home networks are on static addresses
(also known as the perfect target), and probably have 15 assorted
ports forwarded to various devices on the LANs. I also run a VPN
between the two networks. It's been roughly like this since about
1995. No problems with hackers, except when I left IPP wide open, and
someone printed a ream of paper on my laser printer. My firewall logs
show plenty of automated scans, probes and attacks, but no successes.
(Hint: I erratically run my own vulnerability tests.)

>Then when you are out and about, start the matching VPN client (some
>come already built into your OS, or even office router - but sadly not
>OpenVPN) and then your packets will route properly into your home network.


Ever measure performance through a VPN tunnel? I don't have the
numbers handy, but as I vaguely recall, there was quite a large
performance hit on thruput in both directions.

>It's secure, encrypted communications and in my case with bridging
>allows my external device to take on a similar IP address to home.


Yep. Small warning about selecting the IP address block for the home
network. You're probably using the default IP address block supplied
with the WRT54G, which is 192.168.1.xxx. If your remote VPN client
just happens to be using the same IP block, there's a very real chance
that the IP addresses delivered from the VPN server IP address pool
will result in a duplicated IP address. It probably won't be the
client that is duplicated, but it may duplicate a printer, NAS box, or
in this case, a web cam. If you're going to play VPN, set your home
network to something other than 192.168.[0-2].xxx. Zero is common on
Netgear, 1 is Linksys, 2 is Belkin. I use 192.168.111.xxx and set up
my customers for other creative numbers.

>You can then run IP connections to anything and not worry about port
>forwarding this, and setting complicated rules for that.


True. You don't need port forwarding with a VPN. However, I think a
VPN is a far more complicated solution than simple port forwarding.

--
Jeff Liebermann
150 Felker St #D
http://www.LearnByDestroying.com
Santa Cruz CA 95060 http://802.11junk.com
Skype: JeffLiebermann AE6KS 831-336-2558
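The subnet collision Jeff warns about above (home LAN, VPN pool and the roaming client's local LAN all sitting on 192.168.1.x) can be checked before a tunnel is ever brought up. This is an added example, not code from the post or from OpenVPN; the home block, pool and device addresses are constructed sample values.

```python
"""Sanity-check a VPN address plan for the overlap described in the post.

Added example; all address blocks below are constructed samples.
"""
import ipaddress

# Default LAN blocks the post attributes to common consumer routers.
ROUTER_DEFAULTS = {
    "192.168.0.0/24": "Netgear",
    "192.168.1.0/24": "Linksys",
    "192.168.2.0/24": "Belkin",
}


def plan_conflicts(home_lan, vpn_pool, remote_lan):
    """Return a list of problems with an address plan (empty list = fine).

    home_lan:   block behind the home router (where the cam, NAS etc. live)
    vpn_pool:   block the VPN server hands out to connecting clients
    remote_lan: block the roaming client sits on (hotel, office, ...)
    """
    home = ipaddress.ip_network(home_lan, strict=False)
    pool = ipaddress.ip_network(vpn_pool, strict=False)
    remote = ipaddress.ip_network(remote_lan, strict=False)
    problems = []
    if home.overlaps(remote):
        problems.append(f"home LAN {home} overlaps client's local LAN {remote}: "
                        "routes to home devices collide with local hosts")
    if pool.overlaps(remote):
        problems.append(f"VPN pool {pool} overlaps client's local LAN {remote}: "
                        "an assigned pool address may duplicate a local host")
    for block, vendor in ROUTER_DEFAULTS.items():
        if home == ipaddress.ip_network(block):
            problems.append(f"home LAN {home} is the {vendor} default; "
                            "pick an uncommon block such as 192.168.111.0/24")
    return problems


def pool_collisions(vpn_pool, fixed_hosts):
    """Names of fixed-address devices whose address falls inside the VPN pool.

    In a bridged setup the pool is carved out of the home LAN, so a printer,
    NAS or camera with a static address inside the pool can be duplicated
    the moment the server hands that address to a client.
    """
    pool = ipaddress.ip_network(vpn_pool, strict=False)
    return sorted(name for name, addr in fixed_hosts.items()
                  if ipaddress.ip_address(addr) in pool)
```

Run `plan_conflicts` against the client's actual local block (from `ipconfig` or `ip addr`) before travelling, and `pool_collisions` whenever a static address is added to the home LAN.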