NAT Routers With UPnP - Security Risk, or Benefit?

NAT routers, in general, only open ports when necessary. When an application, running on a client computer on your LAN, wants to communicate with a server outside the LAN, it sends a packet out. The NAT router does 4 things, in sequence:

  1. Opens a port on its own public (WAN) address, and records that this port belongs to the client computer (address and port) that sent the packet, and to the distant computer it was sent to.
  2. Rewrites the packet's source address to the router's public IP address and the port that was just opened, and sends the packet on to the distant computer.
  3. Waits for a return packet from the distant computer, addressed to that port.
  4. Rewrites the destination back to the client computer that started the whole thing, and forwards the return packet to it.

Now, NAT is stateful. This is why a NAT router is said to provide protection like a firewall (though a NAT router is NOT a firewall). On a typical consumer router, the port that is opened by the outgoing packet only accepts replies from the address (and usually the port) of the distant server that the client contacted. Thus when a port is opened, only replies from the distant server will be returned to the client computer on the LAN; packets from any other computer, to that port, simply get dropped by the NAT router. Not every router behaves this way: a router with "full cone" NAT behaviour passes packets from any source to an opened port, so the amount of protection you get depends on the router.

NAT, in its purest form, only supports client computers. Unless a client computer opens a port with an outgoing packet, no incoming traffic gets passed, by a NAT router, to any LAN computer.

So how do you use a server (a computer that waits for unsolicited incoming packets) behind a NAT router? Before UPnP, you would use either Port Forwarding, or Port Triggering.

  • With Port Forwarding, you define fixed ports, to be forwarded to a fixed IP address. Those ports are opened when they are defined, and stay open until you remove the rule. The ports must be defined, and opened, before they are needed.
  • With Port Triggering, you define fixed inbound ports, to be forwarded to whichever LAN computer opens specific other (trigger) ports, by any application on that computer. Those ports are opened when triggered, and on most routers stay open until an inactivity timeout expires, rather than closing when the application is done. The ports must be defined before the trigger is needed.
  • With UPnP, the UPnP capable application tells the router (through the AddPortMapping action of the UPnP Internet Gateway Device protocol), precisely when needed, what ports are to be opened, and forwarded to what (potentially dynamic) IP address. And properly written UPnP applications will also tell the router (DeletePortMapping) when to close those ports. The router accepts these requests from any computer on the LAN, with no password or other authentication.
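
To make the behaviour described above concrete, here is a small Python model of a router's mapping table. It is an added example, not code from the original post; every address in it is constructed (documentation ranges on the WAN side), it assumes the address-restricted reply filtering that most consumer routers apply, and it leaves out the inactivity timeouts real routers put on dynamic and triggered mappings.

```python
"""Toy model of a NAT router's mapping table (added example, not the post's code).

It walks the post's four outbound steps, the stateful reply filtering that makes
the router behave a little like a firewall, and the three ways of letting
unsolicited inbound traffic reach a LAN server: a static port forward, a port
trigger, and a UPnP-style mapping that the application deletes when it is done.
All addresses are constructed (RFC 5737 documentation ranges on the WAN side).
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

Endpoint = Tuple[str, int]           # (ip, port)
PUBLIC_IP = "203.0.113.7"            # the router's WAN address (constructed)


@dataclass
class Mapping:
    internal: Endpoint                 # LAN endpoint the external port points back to
    remote: Optional[Endpoint] = None  # if set, only this peer may use the port
    kind: str = "dynamic"              # dynamic | forward | trigger | upnp


@dataclass
class NatRouter:
    table: Dict[int, Mapping] = field(default_factory=dict)  # external port -> mapping
    triggers: Dict[int, int] = field(default_factory=dict)   # trigger port -> port to open
    next_port: int = 40000

    def outbound(self, src: Endpoint, dst: Endpoint) -> Endpoint:
        """Steps 1-2: allocate an external port bound to the sender and to the
        peer it contacted, and return the rewritten (public ip, port) source."""
        for port, m in self.table.items():
            if m.kind == "dynamic" and m.internal == src and m.remote == dst:
                return (PUBLIC_IP, port)                  # existing state, reuse it
        port, self.next_port = self.next_port, self.next_port + 1
        self.table[port] = Mapping(internal=src, remote=dst)
        if dst[1] in self.triggers:                       # a port triggering rule fired
            inbound = self.triggers[dst[1]]
            # Opened for the host that triggered it. Real routers also close it
            # after an inactivity timeout, which this model omits.
            self.table[inbound] = Mapping(internal=(src[0], inbound), kind="trigger")
        return (PUBLIC_IP, port)

    def inbound(self, src: Endpoint, ext_port: int) -> Optional[Endpoint]:
        """Steps 3-4: forward a WAN packet only if a mapping exists and, for
        dynamic state, only from the peer that was contacted. Anything else is
        dropped (returns None). This is address/port-restricted NAT behaviour."""
        m = self.table.get(ext_port)
        if m is None or (m.remote is not None and m.remote != src):
            return None
        return m.internal

    def add_forward(self, ext_port: int, internal: Endpoint) -> None:
        """Static forward: open as soon as it is configured, open until removed."""
        self.table[ext_port] = Mapping(internal=internal, kind="forward")

    def add_trigger(self, trigger_port: int, inbound_port: int) -> None:
        self.triggers[trigger_port] = inbound_port

    def upnp_add(self, ext_port: int, internal: Endpoint) -> bool:
        """Mapping requested by an application; refuses to clobber another host's."""
        if ext_port in self.table and self.table[ext_port].internal[0] != internal[0]:
            return False                                  # like IGD's ConflictInMappingEntry
        self.table[ext_port] = Mapping(internal=internal, kind="upnp")
        return True

    def upnp_delete(self, ext_port: int) -> bool:
        """A properly written application removes its mapping when it exits."""
        return self.table.pop(ext_port, None) is not None


def demo() -> dict:
    """Exercise each path; the results are what the post's prose claims."""
    nat = NatRouter()
    client, server = ("192.168.1.10", 51234), ("198.51.100.5", 443)
    _, ext = nat.outbound(client, server)
    results = {
        "reply_from_server": nat.inbound(server, ext),                   # delivered
        "packet_from_stranger": nat.inbound(("192.0.2.99", 443), ext),   # dropped
    }
    nat.add_forward(8080, ("192.168.1.20", 80))
    results["forwarded"] = nat.inbound(("192.0.2.99", 12345), 8080)
    nat.add_trigger(6667, 113)                            # IRC out opens identd in
    nat.outbound(("192.168.1.30", 50000), ("198.51.100.9", 6667))
    results["triggered"] = nat.inbound(("192.0.2.50", 2000), 113)
    nat.upnp_add(5000, ("192.168.1.40", 5000))
    results["upnp_open"] = nat.inbound(("192.0.2.60", 3000), 5000)
    results["upnp_conflict"] = nat.upnp_add(5000, ("192.168.1.41", 5000))
    nat.upnp_delete(5000)
    results["upnp_closed"] = nat.inbound(("192.0.2.60", 3000), 5000)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:22} {value}")
```

The two lines worth staring at are the `stranger` and `upnp_closed` results: the first is the stateful filtering that gives NAT its firewall-like reputation, the second is the one thing neither a static forward nor a trigger gives you, a port that is gone the moment the application no longer needs it.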

Many well meaning security experts see UPnP as a security risk. If you have uncontrolled applications running on your computer, they can control your router, have it open ports at will, and create security risks.

If your computer has uncontrolled applications running on it, you've already lost that battle. You need to learn about detecting and removing malware (get rid of any existing untrustable software), and then you need to learn about protecting your computers properly (keep any future untrustable software off your computer).

UPnP is just as reliable, and as safe, as the applications running on your computer: the router cannot tell a trusted application's request from a malicious one, so the trust has to be enforced on the computer itself. If you control your computers properly, and ONLY trusted applications run on them, UPnP is perfectly safe. If you don't control your computers properly, applications hijacking UPnP to open holes in your router will be the least of your worries.

UPnP is actually more secure when your computers can be trusted. UPnP, as I state above, will dynamically instruct the router to close specific ports when they are not needed (and a mapping requested with a finite lease duration expires on its own, even if the application never gets around to deleting it). Port forwarding leaves ports open forever, and port triggering leaves them open until the router times them out.
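
What a UPnP capable application actually puts on the wire, as an added example that is not code from the original post: the SSDP discovery message, the SOAP AddPortMapping and DeletePortMapping requests to the gateway's WANIPConnection service, and a small audit of such a request that flags the two things a router will accept without complaint but a careful administrator would not want. The gateway address, the control path (`/ctl/IPConn`), the description URL and the SSDP reply are all constructed for the example; a real client reads the control path out of the description XML that the LOCATION header points at.

```python
"""UPnP IGD port-mapping messages, built and checked offline.

Added example, not code from the original post. Gateway address, control path,
SSDP reply and all LAN addresses are constructed for the example.
"""
import ipaddress
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

SSDP_HOST = "239.255.255.250:1900"
IGD_ST = "urn:schemas-upnp-org:device:InternetGatewayDevice:1"
WANIP = "urn:schemas-upnp-org:service:WANIPConnection:1"
SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
LAN_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def ssdp_msearch(st: str = IGD_ST, mx: int = 2) -> bytes:
    """Multicast discovery; carries no credential, any device on the LAN may answer."""
    return ("M-SEARCH * HTTP/1.1\r\n"
            f"HOST: {SSDP_HOST}\r\n"
            'MAN: "ssdp:discover"\r\n'
            f"MX: {mx}\r\n"
            f"ST: {st}\r\n\r\n").encode()


def parse_ssdp_reply(data: bytes) -> dict:
    """Reply headers with lowercase keys; LOCATION is the device description URL."""
    head = data.decode(errors="replace").split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:
        key, sep, value = line.partition(":")
        if sep:
            headers[key.strip().lower()] = value.strip()
    return headers


def soap_request(gateway: str, control_path: str, action: str, args) -> bytes:
    """HTTP POST carrying one WANIPConnection action. Note what is absent: any
    authentication. The router acts on whatever a LAN host sends it."""
    inner = "".join(f"<{k}>{escape(str(v))}</{k}>" for k, v in args)
    body = (f'<?xml version="1.0"?><s:Envelope xmlns:s="{SOAP_NS}" '
            f's:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body>'
            f'<u:{action} xmlns:u="{WANIP}">{inner}</u:{action}></s:Body></s:Envelope>')
    head = (f"POST {control_path} HTTP/1.1\r\nHOST: {gateway}\r\n"
            'CONTENT-TYPE: text/xml; charset="utf-8"\r\n'
            f'SOAPACTION: "{WANIP}#{action}"\r\n'
            f"CONTENT-LENGTH: {len(body.encode())}\r\n\r\n")
    return head.encode() + body.encode()


def add_port_mapping(gateway, control_path, ext_port, proto, internal_ip,
                     internal_port, description, lease_seconds) -> bytes:
    """AddPortMapping, with the checks a careful application applies to itself."""
    if proto not in ("TCP", "UDP"):
        raise ValueError("protocol must be TCP or UDP")
    if not 0 < ext_port < 65536 or not 0 < internal_port < 65536:
        raise ValueError("port out of range")
    if not any(ipaddress.ip_address(internal_ip) in net for net in LAN_NETS):
        raise ValueError("internal client must be an RFC 1918 LAN address")
    return soap_request(gateway, control_path, "AddPortMapping", [
        ("NewRemoteHost", ""),                # empty = accept from any remote host
        ("NewExternalPort", ext_port),
        ("NewProtocol", proto),
        ("NewInternalPort", internal_port),
        ("NewInternalClient", internal_ip),   # routers do not check this is the sender
        ("NewEnabled", 1),
        ("NewPortMappingDescription", description),
        ("NewLeaseDuration", lease_seconds),  # 0 = until deleted; prefer a finite lease
    ])


def delete_port_mapping(gateway, control_path, ext_port, proto) -> bytes:
    """What a properly written application sends when it no longer needs the port."""
    return soap_request(gateway, control_path, "DeletePortMapping", [
        ("NewRemoteHost", ""), ("NewExternalPort", ext_port), ("NewProtocol", proto)])


def parse_soap_request(request: bytes):
    """Recover (action, arguments) from a request, as the router or a LAN monitor would."""
    body = request.split(b"\r\n\r\n", 1)[1]
    action = next(iter(ET.fromstring(body).find(f"{{{SOAP_NS}}}Body")))
    return action.tag.split("}", 1)[1], {c.tag: (c.text or "") for c in action}


def audit_request(request: bytes, sender_ip: str) -> list:
    """Flag the two things the 'properly written' caveat in the post hinges on."""
    action, args = parse_soap_request(request)
    findings = []
    if action == "AddPortMapping":
        if args.get("NewInternalClient") != sender_ip:
            findings.append("maps a port to a host other than the requester")
        if args.get("NewLeaseDuration", "0") == "0":
            findings.append("permanent lease: stays open until something deletes it")
    return findings


# Constructed SSDP reply, shaped like a gateway's answer to M-SEARCH.
SAMPLE_SSDP_REPLY = (b"HTTP/1.1 200 OK\r\nCACHE-CONTROL: max-age=120\r\nST: " + IGD_ST.encode()
                     + b"\r\nLOCATION: http://192.168.1.1:5000/rootDesc.xml\r\n\r\n")

if __name__ == "__main__":
    print(parse_ssdp_reply(SAMPLE_SSDP_REPLY)["location"])
    req = add_port_mapping("192.168.1.1:5000", "/ctl/IPConn", 6881, "TCP",
                           "192.168.1.10", 6881, "example app", 3600)
    print(audit_request(req, "192.168.1.10"))             # a clean request: []
```

The audit is the check a practitioner wants: a request whose `NewInternalClient` is not the machine that sent it is one LAN host opening a hole to another, and a lease of 0 throws away the "closes the port when done" advantage that is the whole argument for UPnP over a static forward.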

The other advantage of UPnP is that it allows you to have servers on your LAN, using dynamic IP addressing. Port forwarding requires a server to have a fixed IP address. Port triggering, depending upon the NAT router, may or may not require a server to have a fixed IP address.

  • With port forwarding, or port triggering, you can have only a single computer on the LAN running a given server application. A pre-defined port can be forwarded to only one server.
  • With UPnP forwarding, multiple computers can run the same UPnP compliant application, such as an IM program. Each copy of the application can negotiate with the router, as necessary, and have a port forwarded to itself; if the external port it asks for is already mapped to another computer, the router refuses the request, and a well written application asks for a different one.

Bottom line? A properly written UPnP capable application is more functional, and no less secure, than an equivalent non-UPnP capable application. On a LAN with a properly designed layered security strategy, it will not create a security risk.


Indicator Veritatis said...

I love his "bottom line" summary: " A properly written UPnP capable application is more functional, and no less secure, than an equivalent non-UPnP capable application. On a LAN with a properly designed layered security strategy, it will not create a security risk."

This correctly identifies the crucial issue, that the application be properly written.

However, most security issues result from the application not being correctly written, e.g. buffer overruns. So it raises the central, yet unanswered question: how can we be sure that the UPnP application/router code we are considering using really is "properly written"?

pooh said...

But beware that code running in Flash on a webpage can also change router settings this way, so potentially visiting a malicious website could open specific ports to the outer world.

Chuck said...

That's a subject of some debate.

My personal opinion is that if you have the ability to use your computer carefully, using UPnP to dynamically open and close ports is better than opening ports permanently.

If you do not have the ability to use your computer carefully, then you should not use UPnP, and you should not open any ports that might allow malicious traffic through your router.

The latter alternative is a very small step from "put your computer back into the box, and take it back to the store", IMHO.

If you have a house, is it better to not have a door because bad guys might get into the house, and then use the door to let more bad guys in? Or should you have a door, but use it properly and lock it whenever necessary?

Indicator Veritatis said...

Chuck, you have not answered my question at all. You have said nothing at all about how we can be sure that the UPnP code is properly written.

Chuck said...

LOL, Indie,

You got me there.

Unless you are a programmer, and you can reverse engineer all of the code that scares you, you really can't.

How can you be sure that any code is "properly written"?

My thought on that would be to use code that millions of other people use. Any product with any popularity is probably being carefully scrutinized by one watchdog agency or organisation. As long as you are not the CIA, or some major bank or other terrorist target, most likely you are as safe as anybody else using the same router, or software.

In reality, you can't be 100% sure that code in any electronic device is "properly written". Do you have a microwave oven in your home? Do you leave it connected to the mains, on a 7 x 24 basis? If the microcode in the circuitry on your microwave oven is not "properly written", the oven might turn on when you are not watching.

But you still (probably) have a microwave oven - and you have a computer, and a router.

If you have a computer - and you have a router - you have to place some trust in the people who wrote the code that runs on your computer, and in your router.

Whether it's code that runs the mouse pointer, that opens and closes ports on the router, or that lets you chat (audio / text / video) with your friends, you have to trust that code.

Life is full of risks.