Has your router set up secret port forwards without your knowledge?

February 18th, 2014

I admit the title may be a little bit sensational.  Please forgive me and read this anyway.  For the tl;dr, scroll down to the link to the STUN Test Utility.

It's a common misconception that placing a network device behind a router provides impenetrable security.  This might be true, but if you have a full cone NAT router, your VoIP equipment (and possibly other internet-connected devices) is likely to be open to anyone, as if you had forwarded ports or used DMZ.  Instead, you should use a restricted cone NAT router.  Keep reading to find out what these terms mean and how to test your router.



A recent example of why full cone NAT can produce undesired effects was discussed at great length in the OBiTALK Forums.  The default configuration of OBi ATAs (which we recommend changing) accepts calls for any username.  Those users behind a full cone NAT router received a great deal of annoying calls from SIP scanners at all hours.  Those users with a restricted cone NAT router did not.

Before we continue, it may be worth noting that "full cone NAT" and "restricted cone NAT" are not actual standards.  We use these terms based on their generally accepted definitions.

When a VoIP device behind a router needs to receive calls, a common technique is to configure the device to register with your service provider.  This opens a "NAT hole" in the router to allow incoming traffic.  If you have a restricted cone NAT router, your router will only allow incoming calls from the service provider the device registered with.  In most cases, that's a good thing.  But if you have a full cone NAT router, your router will allow incoming SIP calls from anyone, as if you had set up port forwarding.  That's probably not what you intend.

You can use the following STUN Test Utility to test your router, written by the venerable DogFace05.  To use the utility, simply open a command prompt and type the following command.  Instead of stun.ekiga.net, you may use any other public STUN server.
stun stun.ekiga.net
If the tool doesn't say that you have some type of restricted cone NAT, don't despair.  Pick one of the following options:

1) Enable restricted cone NAT, if your router allows you to.  This may be called something different such as "Strict UDP Session Control".
2) Install third-party firmware on your router, such as Tomato firmware.
3) Be sure all devices behind your router are configured securely, because the router's firewall may not protect them.
4) If you're particularly security-conscious, replace your router.
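To make the "NAT hole" behaviour above concrete, here is an added simulation (not the STUN Test Utility and not code from this post): a toy router model that behaves as either a full cone or a restricted cone NAT, the ATA-registers-then-scanner-probes scenario described above, and the part of the RFC 3489 STUN classification (Tests I and II) that distinguishes the two.  All IP addresses are constructed documentation-range values; symmetric and port-restricted NAT are not modelled.

```python
# Added simulation of full cone vs restricted cone NAT; all addresses constructed.
from dataclasses import dataclass, field


@dataclass
class NatRouter:
    """One UDP mapping per internal (ip, port); restricted=True gives restricted cone behaviour."""
    restricted: bool
    mappings: dict = field(default_factory=dict)  # external port -> (internal, {peer ips seen})
    next_port: int = 40000

    def outbound(self, internal, dst_ip):
        """Internal host sends a UDP packet to dst_ip; returns the external port used."""
        for ext_port, (who, allowed) in self.mappings.items():
            if who == internal:
                allowed.add(dst_ip)          # remember the peer for restricted-cone filtering
                return ext_port
        ext_port, self.next_port = self.next_port, self.next_port + 1
        self.mappings[ext_port] = (internal, {dst_ip})   # this is the "NAT hole"
        return ext_port

    def inbound(self, src_ip, ext_port):
        """Packet from src_ip hits ext_port; returns the internal (ip, port) reached, or None if dropped."""
        entry = self.mappings.get(ext_port)
        if entry is None:
            return None                      # no mapping: dropped
        internal, allowed = entry
        if self.restricted and src_ip not in allowed:
            return None                      # restricted cone: sender never contacted, dropped
        return internal                      # full cone: anyone who finds the port gets through


ATA = ("192.168.1.20", 5060)                 # constructed: OBi-style ATA behind the router
PROVIDER_IP = "203.0.113.10"                 # constructed: SIP service provider
SCANNER_IP = "198.51.100.77"                 # constructed: unsolicited SIP scanner


def scanner_reaches_ata(router):
    """Scenario from the post: ATA registers with its provider, then a scanner probes the port."""
    ext_port = router.outbound(ATA, PROVIDER_IP)           # REGISTER opens the NAT hole
    assert router.inbound(PROVIDER_IP, ext_port) == ATA    # provider's calls always get in
    return router.inbound(SCANNER_IP, ext_port) == ATA     # True only for full cone


def stun_nat_type(router, stun_ip="192.0.2.1", stun_alt_ip="192.0.2.2"):
    """RFC 3489 Tests I and II: a reply from the server's alternate IP only passes a full cone NAT."""
    client = ("192.168.1.50", 12345)
    ext_port = router.outbound(client, stun_ip)                   # Test I: Binding Request
    came_back = router.inbound(stun_alt_ip, ext_port) == client   # Test II: CHANGE-REQUEST (IP)
    return "full cone" if came_back else "restricted cone"
```

Running `stun_nat_type` on each router mirrors what the real utility reports, and `scanner_reaches_ata` shows why the full cone result matters for an ATA that accepts calls for any username.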

Also, next time you purchase a router, perhaps you'd like to vote with your wallet and purchase one on which you can install a Linux-based third-party firmware.
 
