Security of Opening All UDP Ports on Home Firewall?

emg Veteran
edited August 2017 in General

Recently I have encountered several software programs and external devices that require you to open all UDP ports on the home firewall for them to work. A notable example is Signal, a secure messaging app from Open Whisper Systems.

https://support.whispersystems.org/hc/en-us/articles/213697218-Which-TCP-UDP-ports-need-to-be-available-

The Open Whisper Systems people who wrote Signal have serious security cred, yet I balk at the idea of opening all UDP ports on my home firewall, just to use Signal. My niece wants to open all UDP ports for the video cameras at her home, too.

-> What are the security risks of opening all UDP ports on a home firewall? Why do Open Whisper Systems and others feel secure with the idea of opening all UDP ports?

Comments

  • xmob Member

    It's not very clear in that support article, but it's likely that they mean all OUTBOUND UDP ports should be allowed, not inbound.

    Allowing all inbound UDP ports to a single device/service would be silly, you'd have no ports available for any other services (if you need to run any at all, that is).

  • doghouch Member
    edited August 2017

    For the sake of security, you shouldn't enable it. IP cameras aren't terribly secure; opening every port is a free ticket for someone to watch through the camera should a vulnerability arise.

  • nice Member

    Just don't do it.

    iptables -P INPUT DROP     # default policy: drop unsolicited inbound traffic
    iptables -P OUTPUT ACCEPT  # default policy: allow outbound traffic

  • rm_ IPv6 Advocate, Veteran

    emg said: I balk at the idea of opening all UDP ports on my home firewall

    Why? What private services do you run in your LAN on UDP?

  • milk_and_cakes

    From my past experience and a summary of what you wrote in this post, my suggestion is not to open those UDP ports.
    You can simply Google it and inform yourself about the overall security of IP cameras. I can tell you right away, they are not great.

    I would also suggest doing further research on which app to use.
    I will also look that up in the meantime and if I find something more port-friendly xD I will let you know via PM.

  • jackb Member, Host Rep

    @milk_and_cakes said:
    From my past experience and a summary of what you wrote in this post, my suggestion is not to open those UDP ports.
    You can simply Google it and inform yourself about the overall security of IP cameras. I can tell you right away, they are not great.

    I would also suggest doing further research on which app to use.
    I will also look that up in the meantime and if I find something more port-friendly xD I will let you know via PM.

    You can also disable upnp on your router and those IP cameras are suddenly a non-issue.

  • emg Veteran

    Following up with more clarification and details:

    • I assume that the instructions want me to open all outbound UDP ports on the firewall. That means that outbound UDP packets with any destination port (1-65535) would be allowed to pass through the firewall.

    • I assume that the instructions DO NOT mean to open up all inbound UDP ports. That doesn't make much sense. The firewall also provides NAT services, and there are multiple devices behind the NAT. What if two devices want to use Signal? What if I have other servers offering services on various UDP ports? This is not a reasonable way to interpret the "open all UDP ports" instructions.

    • I can configure the firewall so that only certain devices (e.g., the ones that run Signal) can access all outbound UDP destination ports. Unfortunately, one of them is my primary computer, and I don't like the idea of allowing it unrestricted outbound UDP access. I can impose a software-based application-level firewall on the device that allows only the Signal application to have full UDP destination port access, but I still don't like the general idea, plus the effort it imposes on me to secure my network to my satisfaction.

    • My non-technical, non-concerned niece has the video cameras that require "open all UDP ports", not me. She is oblivious to any security thoughts or issues.

    What is the threat of opening all UDP destination ports on my firewall? That's a good question, and I would not mind suggestions from others. Here are my thoughts:

    • Attackers could exfiltrate data on any random UDP port. Why they would need this is unknown, because they can exfiltrate data to TCP port 80, for example.

    • Attackers could use arbitrary UDP destination ports for command and control servers and other botnet activities.

    • ???
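
An added example, not code from the thread or from Open Whisper Systems: a small Python model of the stateful firewall the follow-up post describes, where only listed LAN hosts may send UDP to any destination port and inbound UDP is accepted solely as the reply to a tracked outbound flow. The nftables lines in the class docstring are illustrative of the same policy and are not tested here; the addresses, ports and the 30 s idle timeout are constructed for the demo.

```python
# Added example (not from the thread): a model of a stateful home firewall,
# showing what "allow all outbound UDP ports" opens and what it does not.
# Host addresses, ports and the timeout value are constructed for the demo.

class FakeClock:
    """Injectable clock so conntrack expiry can be exercised without sleeping."""
    def __init__(self):
        self.t = 0.0
    def __call__(self):
        return self.t
    def advance(self, seconds):
        self.t += seconds


class StatefulUdpFirewall:
    """Policy modelled here, roughly what an nftables forward chain would say
    (illustrative only, not run by this script):
        policy drop
        ct state established,related accept
        ip saddr <allowed host> meta l4proto udp accept   # any destination port
    Inbound UDP is accepted only as the reply to a tracked outbound flow.
    """
    UDP_TIMEOUT = 30.0  # idle timeout for a UDP flow; assumed, matches a common conntrack default

    def __init__(self, allowed_udp_sources, clock):
        self.allowed = set(allowed_udp_sources)
        self.clock = clock
        # (lan_ip, lan_port, wan_ip, wan_port) -> time the flow was last seen
        self.conntrack = {}

    def _expire(self):
        now = self.clock()
        self.conntrack = {k: seen for k, seen in self.conntrack.items()
                          if now - seen < self.UDP_TIMEOUT}

    def outbound(self, lan_ip, lan_port, wan_ip, wan_port):
        """LAN -> WAN UDP datagram. Returns 'accept' or 'drop'."""
        self._expire()
        if lan_ip not in self.allowed:
            return "drop"
        # Any destination port is fine for an allowed host; record the flow so
        # the reply can come back.
        self.conntrack[(lan_ip, lan_port, wan_ip, wan_port)] = self.clock()
        return "accept"

    def inbound(self, wan_ip, wan_port, lan_ip, lan_port):
        """WAN -> LAN UDP datagram. Accepted only if it matches a live outbound flow."""
        self._expire()
        key = (lan_ip, lan_port, wan_ip, wan_port)
        if key in self.conntrack:
            self.conntrack[key] = self.clock()  # refresh the entry, as conntrack does
            return "accept"
        return "drop"


def demo():
    """Walk through the cases discussed in the thread; returns a dict of decisions."""
    clock = FakeClock()
    fw = StatefulUdpFirewall(allowed_udp_sources={"192.168.1.20"}, clock=clock)
    signal_host, camera, server = "192.168.1.20", "192.168.1.30", "203.0.113.5"
    results = {}
    # 1. Allowed host talks to an arbitrary high UDP port: accepted, flow recorded.
    results["signal_out"] = fw.outbound(signal_host, 40000, server, 55123)
    # 2. The reply to that exact 4-tuple: accepted via conntrack, not via an open port.
    results["signal_reply"] = fw.inbound(server, 55123, signal_host, 40000)
    # 3. Unsolicited inbound to the same LAN port from a different peer: dropped.
    results["unsolicited_in"] = fw.inbound("198.51.100.9", 55123, signal_host, 40000)
    # 4. A host not on the allow list (a camera, say) gets no outbound UDP at all.
    results["camera_out"] = fw.outbound(camera, 5000, server, 5000)
    # 5. After the idle timeout the flow is gone, so a late "reply" is dropped too.
    clock.advance(31)
    results["stale_reply"] = fw.inbound(server, 55123, signal_host, 40000)
    return results


if __name__ == "__main__":
    for case, decision in demo().items():
        print(f"{case:15s} {decision}")
```

The model makes the thread's two points concrete: with a stateful firewall, "all outbound UDP ports" does not expose any inbound port, because inbound datagrams are matched against tracked flows rather than against a port list; and the residual risk is the one the follow-up names, namely that a compromised allowed host can use any UDP destination port for exfiltration or command and control, which is why the allow list is per host rather than network-wide.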
