A few weeks back after the disastrous distributed denial of service attack on the DNS servers was found to have been caused by insecure Internet of Things devices, Bart suggested that we turn off automatic port forwarding. This is a technology that is built into routers that allows devices (and software) inside your network to punch holes through your firewall in order to talk to the Internet. The advantage of this technology is that you don’t have to understand or even know what port forwarding is in order to get your devices and software to work. Unfortunately, we’ve learned that our IoT devices are often spectacularly insecure. For example, there are devices with hard-coded Secure Shell (SSH) usernames and passwords that were largely responsible for the denial of service attack.
This automated port forwarding I’m describing on most routers is called UPnP, and on Apple routers they use a similar protocol called NAT-PMP. Bart recommended that we turn this service off, and only open ports manually when we know why they need to be opened. I have both a Netgear router and an Apple router, so I thought it might be helpful if I posted tutorials on how to turn off UPnP via the web interface on the Netgear router, and NAT-PMP from the Airport Utility. Thanks to Allister Jenks for helping put together the instructions for turning off NAT-PMP from an iOS device for the Airport. And of course we made the tutorials with my favorite app, Clarify.
Here’s links to the three tutorials:
UPNP and PMP do not puch holes though a firewall, they add entries to a table on the router which enables the forwarding of packets to a specific private IP in your LAN. NAT is not a firewall, NAT doesn’t provide real security.