Port Forwarding

Bellzemos

Hello!

I have a few questions about the Port Forwarding and routers in general. I have changed the actual port numbers on the picture below to maintain privacy and security (but this was probably unnecessary, right?).

As you can see on the picture below, the internal and external UDP and TCP ports have the same number in my router settings for Skype. But in Skype, under the Connections, I have a different port number (6677). Should I change and enter the number that I've found under the UPnP settings of my router to make Skype work better?

fotky.png


I am pretty new to networks but it seems to me that even though the UPnP is enabled in my router Skype didn't get set up properly - as the port numbers differ. Or am I wrong?

Also, why is the number after the IP address :5698 and the port's numbers are 56985 (with the additional number 5)? What's the deal here, which port is opened then, 5698 or 56985?

Would my internet connection be (much) more secure if I would disable the UPnP completely and open the ports for Skype manually (if yes - how & do I have to do it for each computer on the network respectively)?

In general, is it true that one should always open only the ports above 6000 (for Skype and such)?

A little off topic: how can I check which Channel is best for my WiFi broadcast? Is there a (free) utility that would find the best possible channel for my wireless network? Or should I leave it on the Auto setting?

Thank you for your help in advance!
 

Personally I would leave UPNP enabled in your router, I would also check the box in Skype that says "Enable uPnP". I would then reboot your router to clear the UPNP settings and then start Skype again.

The reason it would say 192.168.1.100:5698 and not 56985 is most likely due to a Character Limit. I have no idea about whether you should only enable ports above 6000 for Skype, I would say it shouldn't matter too much so long as they don't overlap with other things.

As for your WiFi, never leave it on Auto as this tends to only use about three different bands not them all. The best way to check is to use this WiFi Analyzer on your phone: https://play.google.com/store/apps/details?id=com.farproc.wifi.analyzer&hl=en_US

When you open the app it may already be on the "Channel Graph" which looks like the screenshot with all the peaks (the first after the video), if not then tap View at the top and set it to it. This view lets you see what bands all the other routers around you are using, and what one your router is using. For your router pick the band that is furthest away from all the others, e.g. if there are routers using bands 1, 3, 4 and 5, but none of them are using the higher bands then stick your router up there.
 

Thank you, Sergeant Steve. But would it be safe/secure to let Skype take control of opening ports via uPnP?

As for the WiFi, I don't have a phone, I have a computer so I guess that the app you linked won't work on it.
 

First of all, uPnP gives more trouble than solutions, it must always be disabled for security reasons, as its implementations are insecure. Take a look here to find why:
network - is UPnP / NAT-PMP really necessary today? - Information Security Stack Exchange
ports - What are the security implications of enabling UPnP in my home router? - Information Security Stack Exchange
Universal Plug and Play - Wikipedia, the free encyclopedia

It should always be disabled in both the router and Windows itself (it's enabled by default, allowing security vulnerabilities to be exploited). If a program really needs port forwarding, just set it up yourself and stay on the safe side.

About Skype in particular, it's really unnecessary to forward ports just for it. While Skype has some built-in peer-to-peer capabilities, for faster file transfers and maybe faster calls, it can also fall back to the traditional client-server model. It explicitly says so when peer-to-peer can't be activated, saying that transfers are slow and are being redirected, but still works.
It's more useful to use that for local network rather than internet, generally, where forwarding is not needed at all.

But if you really want to do it, the port you must open is 6677, as per your image. In the Skype parameters you can choose which port to use for incoming connections, that's the one that needs to be opened, as it's the one that Skype will be listening for peer-to-peer connections.

About the "above 6000" thing, I never heard anything like that, but it might make some sense. Generally, opening commonly used ports will make you an easy target for random hacking attempts, as those are probed first (80 for web, 21 for FTP and such). A hacker doing just random probing on random IPs will first try those and try a few common passwords generally, and if changed to something else will often deter such trivial attempts. Not that it's a serious protection, if they really want you attacking the new port is trivial, but at least the most basic attacks die at the router. My personal rule is to change the external port to some random number just to avoid that.
 

Thank you for the extensive post, it's really informative and well written, I really appreciate it.

But, is it true that the programs which feature UPnP will open a certain port (or ports) when they need them (when that certain program is used) and then close the ports via UPnP after they are closed (when I quit the program)? So, would it be safer to use the UPnP then or to manually open the needed ports and have them opened at all times?

If I would disable UPnP, how can I do that in Windows 7? And my router has UPnP enabled by default too.

I have read that Skype works way better with an open port, like the audio and video is much clearer. I want to test that and will report back here if it's true or bogus.

I don't know much about port forwarding and you seem to have a great knowledge, I'd like to learn more. :)
 

PS: I've read a bit more about port forwarding and only now realised that when you open a certain port you only open it for a certain computer on the network. Right? We have 3 computers at home connected (one by cable and two wireless) to the router and if I want to open a port for Skype only on my computer I have to set a static IP for my computer. Could this bring me any trouble (security & convenience-wise)? And how do I do that? Thank you!
 

Anyone, please? :)
 

I agree with Alejandro. Your router should be configured to block everything coming from the Internet, for security reasons. If you have UPnP enabled it means programs can request the router to open up ports. Same security issue with port forwards. They open up a security hole in the otherwise closed router. That's my opinion.

A port forward means you forward incoming traffic on a specific port to a specific device/IP on your LAN. So yes, you'll need to set a static IP for that machine.

But I would follow Alejandro's advice. If popular software like Skype would require users to open up ports in their routers then most average users wouldn't be able to use it. In other words: you shouldn't need to.
 

UPnP is insecure not because it leaves things open, but because it has no security protections taken into consideration. Anything can open a port as long as it's enabled, including viruses that might enter your computer, giving access to anyone from the outside (there are a few cases where a Flash exploit was used to open ports on target computers, right from the browser).

Never heard about it opening and then closing ports, but that shouldn't really matter. Even with a forwarded port if the target program is not running, nothing will be listening on that port on the target computer, so connections will be still dropped. The only problem happens with an open port and having a program running, listening on that port on that computer. So even if you do forward it, closing Skype will suffice to be as safe again.

On Windows, this link helps disabling it totally (it says for XP, but it really applies to all other versions too):
Completely disable Universal Plug and Play (UPnP)
For your router, it's done through the web interface, the exact location will vary depending on your model.

Neither do I know about Skype being better through an open port, not even testing it, but it sounds reasonable. A direct connection between both computers will logically be faster than passing through the Skype servers back and forth. Seems like a good thing to test.

Port forwarding always opens one particular external port and redirects it to an internal port on one particular computer (identified by its IP). It's basically like saying "when someone talks from outside, that computer will answer". If you run Skype on 3 computers, you'll obviously need to open 3 different ports on the router, one for each computer, and change the listening port on Skype accordingly.

Security-wise, port forwarding is always a compromise. Opening means that internal services become available to external computers, in this case the Skype peer-to-peer feature that possibly increases speed of file transfer and improves call/video quality by using a direct connection. But that also means that it moves the responsibility of security from the router to that particular program, for that port. Should any attack happen, without forwarding they would die in the router (or must break it at least, which is possibly a substantial effort).
With a port forwarded, Skype itself must be able to withstand such an attack (or any program with an open port). Is it designed to handle and drop malicious packets? Is it good enough to distinguish a legitimate usage from an attack and reject it? What would happen if it does effectively get breached, what data would be exposed? I have no idea about those, but something tells me that normal consumer programs aren't especially careful about network security. Permissions on the computer then become important if something goes wrong, for example.

Strictly speaking, for Skype in particular, it's not really needed. When peer-to-peer fails, it falls back to normal client-server model (most of its calls over internet are handled in this way, actually), even at the cost of sacrificing speed. It can be an interesting experiment, but keep in mind that it isn't without some risks. I would investigate more about Skype security and how it actually handles network traffic security. And keeping it updated then becomes important if bugs are discovered and fixed.
 

This was really interesting to read, I learned something. Thank you!

So, if I'm getting this right, if I open (forward) a certain port for Skype - the security risk exists only when Skype is running. If a certain port (or ports) are open (forwarded) and there is no program used which listens to them (Skype, uTorrent etc.) there's no security risk at all (concerning the opened port)?

And, if the program in question (Skype) can handle the attack of malware through that port nothing bad can happen? What kind of attack exactly can happen through an open port? It's not the same as running an infected/malicious executable in Windows or is it?

I mean, what can be done with an attack through the opened port on Skype? What can it achieve (if you can give me an example)?

Again, thank you very much!
 

I have just tried this: I disabled the UPnP in the router settings but uTorrent still works normally. It says it uses NAT-PMP but even if I disable the NAT-PMP and UPnP in the uTorrent settings it still works. Is NAT-PMP dangerous? I don't see the option to disable it in the router settings.
 

As far as I know, having no program listening on a port nullifies the effect of that port being open, so there should be no extra risk with it (possible OS bugs apart). Closing Skype here will in fact remove any problem the port might cause, if something goes bad.

Properly made programs will simply reject any bad inputs and shouldn't be affected by being exposed on internet. At most, you might see some minor network traffic and maybe CPU usage, but nothing beyond that if Skype is really well done concerning security. Of course "nothing bad can happen" is too broad a topic and ultimately 100% immunity can never be warranted, but we can be reasonably close to that.

What can be done with an open port?
Let's put it this way, entire books can be written about answering that question alone :p
But let's try to summarize. In short, open ports means that anything on the outside can communicate with Skype directly. At the very least, they can for example issue connections to see if they can make Skype accept the connection (which means your computer might waste a few CPU cycles and network bandwidth, often negligible, but when those come en masse can cause problems). If an attacker can communicate, often they'll look for either some weak password or something they can peek (for Skype in particular, I doubt that's the case, as peer-to-peer is only used for file transfers and calls, which are also encrypted). Or as a last resort, they'll look for some vulnerability that they can exploit remotely, which means basically they "convince" Skype to do something it wasn't meant to do (this is known as "remote code execution").

Low user privileges and being somewhat vigilant about strange activity may greatly help in mitigating those risks. And while I just mention them, it doesn't mean that they WILL occur, I'm just naming the theoretical possibilities.
 

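The replies above say that a forward sends one external port to one internal IP and port, and that it only matters while a program on that PC is listening there. As an added example that is not part of the thread, this Python sketch cross-checks a router's forwarding table against `netstat -ano` output from the target PC. The forwarding table, PIDs and netstat text are constructed sample data; only 192.168.1.100 and port 6677 come from the thread.

```python
# Constructed sample of `netstat -ano` output from the forwarded-to PC.
NETSTAT_SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       820
  TCP    0.0.0.0:6677           0.0.0.0:0              LISTENING       3144
  TCP    127.0.0.1:5354         0.0.0.0:0              LISTENING       1904
  TCP    192.168.1.100:49211    203.0.113.7:443        ESTABLISHED     3144
  UDP    0.0.0.0:6677           *:*                                    3144
"""

# Hypothetical router table: (proto, external port, internal IP, internal port).
FORWARDS = [
    ("TCP", 6677, "192.168.1.100", 6677),
    ("UDP", 6677, "192.168.1.100", 6677),
    ("TCP", 6678, "192.168.1.100", 5354),  # target socket is loopback-only
    ("TCP", 6679, "192.168.1.100", 8080),  # nothing listening
    ("TCP", 6680, "192.168.1.101", 6677),  # a different PC on the LAN
]

def listeners(netstat_text):
    """Return {(proto, port): [(bind_addr, pid), ...]} for sockets accepting traffic."""
    found = {}
    for line in netstat_text.splitlines():
        f = line.split()
        if len(f) < 4 or f[0] not in ("TCP", "UDP"):
            continue  # header or blank line
        # TCP must be LISTENING; Windows netstat prints no state for bound UDP sockets.
        if f[0] == "TCP" and f[3] != "LISTENING":
            continue
        addr, _, port = f[1].rpartition(":")
        found.setdefault((f[0], int(port)), []).append((addr, int(f[-1])))
    return found

def audit(forwards, netstat_text, host_ip):
    """Classify each forward aimed at host_ip as EXPOSED or DORMANT."""
    table = listeners(netstat_text)
    report = []
    for proto, ext_port, ip, port in forwards:
        if ip != host_ip:
            continue  # needs netstat output taken on that other machine
        # A loopback-only socket never sees packets the router sends to the LAN address.
        reachable = [pid for addr, pid in table.get((proto, port), [])
                     if addr in ("0.0.0.0", host_ip)]
        status = "EXPOSED" if reachable else "DORMANT"
        report.append((proto, ext_port, status, sorted(set(reachable))))
    return report

if __name__ == "__main__":
    for row in audit(FORWARDS, NETSTAT_SAMPLE, "192.168.1.100"):
        print(row)
```

A DORMANT forward is still worth removing from the router, since it becomes exposed the moment any program binds that port.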
Thank you for all the knowledge you have shared. :)
 
