Public Port - Port forwarding 1-65000

TimBisel

So this seems like a very bad idea to me, but I am not the sharpest one when it comes to port forwarding. This was done by a consultant for our company. The camera system needs to be viewable from outside the network and is not Meraki. The current settings are as below.

Uplink: Both

Protocol: TCP

Public Port: 1-65000

Local Port: 80

Allowed remote IPs: any


The cameras are accessed by multiple people who are remote and travel a lot, so specifying IPs is not practical, and they are against using a VPN for this because some of them are not domain users.

My questions are around the Public Port. With it like this, isn't it a rather large security risk, allowing anything going to the public IP on almost any port straight through the firewall? And wouldn't it be directing all the traffic from outside directly to the camera?

1 Accepted Solution
WadeAlsup

Hi @TimBisel

I would agree that this wouldn't be my ideal setup, albeit I'm sure it gets the job done...

Do they need access to each individual camera externally? Or are they only accessing an NVR that all of the cameras are connected to? If it's the latter, you should only have to specify a single IP for the NVR. You would also want to identify what public port needs to be opened and narrow the exposure to that device. It probably could be found in the configuration of the NVR.

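To make the "narrow the exposure" advice concrete, here is a small rule auditor I wrote for this thread (it is not Meraki code and not from any poster). It takes the five fields of the rule quoted in the question, as a constructed dict, counts how many public ports the rule exposes, flags the broad settings, and proposes the minimal one-port rule; the field names are my own assumptions, not Meraki API names.

```python
"""Audit a Meraki-style port forwarding rule for unnecessary exposure.

Added example for this thread, not Meraki's code. The rule at the bottom is a
constructed copy of the consultant's rule from the question; field names are
assumed, not the dashboard's or the API's.
"""


def parse_port_range(spec: str) -> tuple[int, int]:
    """Turn '80' or '1-65000' into an inclusive (low, high) pair."""
    low, _, high = spec.strip().partition("-")
    lo, hi = int(low), int(high or low)
    if not 1 <= lo <= hi <= 65535:
        raise ValueError(f"bad port range: {spec}")
    return lo, hi


def audit_rule(rule: dict) -> list[str]:
    """Return findings for one rule; an empty list means nothing to flag."""
    findings = []
    lo, hi = parse_port_range(rule["public_port"])
    exposed = hi - lo + 1
    if exposed > 1:
        findings.append(f"{exposed} public ports forwarded to local port "
                        f"{rule['local_port']}; narrow to the one the service uses")
    if rule["allowed_remote_ips"].strip().lower() == "any":
        findings.append("allowed remote IPs is 'any'; restrict to known "
                        "sources or put the service behind a VPN")
    if rule["uplink"].strip().lower() == "both":
        findings.append("rule is active on both uplinks; confirm each is needed")
    return findings


def narrowed(rule: dict) -> dict:
    """Minimal variant: public port equals the single local port, all else kept."""
    return {**rule, "public_port": str(rule["local_port"])}


CONSULTANT_RULE = {  # constructed from the values quoted in the question
    "uplink": "Both", "protocol": "TCP", "public_port": "1-65000",
    "local_port": 80, "allowed_remote_ips": "any",
}

if __name__ == "__main__":
    for finding in audit_rule(CONSULTANT_RULE):
        print("FINDING:", finding)
    print("suggested rule:", narrowed(CONSULTANT_RULE))
```

Run it and the first finding is the one the question is about: 65000 public ports collapsing onto local port 80; the other two (any source, both uplinks) are the remaining things to revisit once the port is trimmed.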

4 Replies
Adam

At that point you'd be better off doing a 1:1 NAT and only letting port 80 through. But if they'd need to NAT any of those other ports to something else it'd be a waste. Seems lazy to me. It would be far more secure to only map through the ports it needs.

TimBisel

Thanks guys. I am new at the company and still need to build up trust. I was able to convince him to let me trim it down to the one needed port. It connects back to a server, so I was able to do it with just one port.

Adam

@TimBisel wrote:

Thanks guys. I am new at the company and still need to build up trust. I was able to convince him to let me trim it down to the one needed port. It connects back to a server, so I was able to do it with just one port.

Nice work, you've done your security deed for the day.