Method 6: Virtual Server - Port Redirection

4 Shields

Virtual Server is a router feature that exposes a service on the local network to the internet through the WiFi router. With port redirection, a service that normally listens on a so-called well-known port can be exposed to the internet on a different port.

Network port scanning tools and techniques can identify which ports are open and which protocol (TCP or UDP) they use.

If you really need to expose a network service like a web server, FTP server, or other such service to the internet, using port redirection is one technique to slow down hackers by offering up the service on ports other than what they would expect to find. When used in conjunction with scheduling and inbound filtering, exposing internal services to the internet can be very well protected.

A good example of port redirection is FTP. An FTP server normally offers its service on port 21. By using port redirection, the service can be offered on, say, port 9001, on the internet. While this won’t stop hackers, it will slow them down, as they expect an FTP service to be on port 21, not 9001. While they can find it eventually by scanning all ports, they run the risk of being discovered by firewall logging, for example. To avoid getting caught, they typically scan for well-known service ports only, like 21 for FTP, 80/443 for web servers, and others.

By combining port forwarding with a schedule that limits the hours during which the service is reachable, hacking attempts can be further mitigated. If the service, even at port 9001, is unavailable for most of the day, then the hackers would have to be lucky enough to be scanning port 9001 within the scheduled window of availability.

By adding inbound filtering to port forwarding, security improves further. Inbound filtering specifies who, based on IP address, can access the service. Again, we have seen that hackers can spoof any IP address or even take control of a legitimate machine that uses that IP address, so this is not absolute; it just further complicates their lives.

With port redirection, inbound filtering, and time scheduling combined, the hackers would have to be very lucky to identify when a given service is even available. It would also take a higher level of sophistication to identify the services and then compromise them. Hence, port redirection, when combined with other strategies such as scheduling and inbound filtering, is a pretty good security strategy if a service needs to be offered on the internet.
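The following is an added example, not code from the original article or from any router vendor: a small Python model of how the three controls described above fit together on an inbound connection. It uses the article's FTP case (port 21 exposed on 9001), with the internal host, the allowed source network, the schedule and the sample connection attempts all constructed for illustration. It also shows the other side of the "firewall logging" remark: a source that probes many ports with nothing behind them stands out in the log.

```python
"""Added example: a toy model of a router's Virtual Server pipeline combining
port redirection, a time schedule, and an inbound source filter.
All addresses, times and connection attempts below are constructed sample data."""
from dataclasses import dataclass
from datetime import time
from ipaddress import ip_address, ip_network

# Virtual-server table: external (WAN) port -> (internal host, internal port).
# Hypothetical internal FTP server, exposed on 9001 instead of 21 as in the article.
REDIRECTS = {9001: ("192.168.1.50", 21)}

# Inbound filter: only these source networks may reach the redirected service.
ALLOWED_SOURCES = [ip_network("203.0.113.0/24")]  # constructed (TEST-NET-3)

# Schedule: the service is reachable only inside this daily window (hypothetical).
SCHEDULE = (time(9, 0), time(17, 0))


@dataclass
class Attempt:
    src: str        # source IP address seen on the WAN side
    dst_port: int   # external port the client connected to
    at: time        # time of day of the attempt


def in_window(t, window=SCHEDULE):
    start, end = window
    return start <= t < end


def source_allowed(src, allowed=ALLOWED_SOURCES):
    addr = ip_address(src)
    return any(addr in net for net in allowed)


def evaluate(attempt, redirects=REDIRECTS, allowed=ALLOWED_SOURCES, window=SCHEDULE):
    """Decide what the router does with one inbound attempt.

    Returns ("forward", host, port) when all three controls pass,
    otherwise ("drop", reason) naming the first control that failed."""
    target = redirects.get(attempt.dst_port)
    if target is None:
        return ("drop", "no virtual server on this port")
    if not in_window(attempt.at, window):
        return ("drop", "outside schedule")
    if not source_allowed(attempt.src, allowed):
        return ("drop", "source not in inbound filter")
    host, port = target
    return ("forward", host, port)


def scan_suspects(attempts, redirects=REDIRECTS, threshold=5):
    """Sources that touched at least `threshold` distinct ports with no
    virtual server behind them: the pattern a firewall log would reveal
    when someone sweeps the well-known ports looking for the service."""
    probes = {}
    for a in attempts:
        if a.dst_port not in redirects:
            probes.setdefault(a.src, set()).add(a.dst_port)
    return sorted(src for src, ports in probes.items() if len(ports) >= threshold)


# Constructed sample traffic: one legitimate client, one unknown source that
# first tries the redirected port, then the port it expected FTP on, then others.
SAMPLE_ATTEMPTS = [
    Attempt("203.0.113.7", 9001, time(10, 30)),   # allowed source, inside window
    Attempt("203.0.113.7", 9001, time(22, 0)),    # allowed source, off-hours
    Attempt("198.51.100.9", 9001, time(10, 30)),  # unknown source, inside window
    Attempt("198.51.100.9", 21, time(10, 31)),    # expects FTP on 21: nothing there
] + [Attempt("198.51.100.9", p, time(10, 32)) for p in (22, 23, 80, 443, 8080)]


if __name__ == "__main__":
    for a in SAMPLE_ATTEMPTS:
        print(f"{a.src}:{a.dst_port} at {a.at} -> {evaluate(a)}")
    print("possible port scan from:", scan_suspects(SAMPLE_ATTEMPTS))
```

Running the block forwards only the first attempt; the others are dropped by the schedule, the inbound filter, or the absence of any virtual server on the probed port, and the unknown source is reported as a scan suspect after sweeping six unmapped ports. The order of checks mirrors the article: redirection decides whether anything listens at all, the schedule decides when, and the inbound filter decides who.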