Port forwarding is a networking technique that allows incoming traffic on a specific port number to be redirected to a particular device or application on a local network. Open ports on the network expose an IP video system to the internet. This makes it a potential target for malicious cyberattacks. In the physical security industry, the elimination of port forwarding is seen as a basic and manageable precaution to shore up cybersecurity. We asked this week's Expert Panel Roundtable: What are the risks of port forwarding, and how can manufacturers and/or integrators mitigate those risks?
Port forwarding poses security risks by exposing internal networks to external threats. It creates an entry point, allowing attackers to bypass firewalls and access devices or services directly. This increases the likelihood of unauthorised access, data breaches, and exploitation of vulnerabilities within systems. If a forwarded port connects to an insecure device, attackers can exploit weak credentials, unpatched software, or known vulnerabilities to gain control. Hackers may also use port scanning techniques to identify open ports and launch attacks, potentially compromising critical infrastructure. To mitigate these risks, manufacturers and integrators should prioritise security by implementing strong access controls, such as multi-factor authentication (MFA), to restrict unauthorised entry. They should also ensure devices receive regular updates with the latest security patches to address vulnerabilities. Network segmentation can isolate critical systems from public-facing services, and integrators should consider using VPNs and secure tunneling protocols instead of exposing ports directly to the internet.
Even though zero trust is seen as best practice by many, no IT security professional is going to open up a path into their internal network from the internet. Security is about having multiple layers of protection, so stopping unwanted data packets at the firewall is a must. At Gallagher, we have taken the approach of creating a secure connection from the on-premise security system to our cloud. The on-premise server calls out to our cloud, which is the easiest connection for a firewall to protect. Our cloud then acts as a gateway, where the customer can choose to allow other services to securely authenticate and connect, with packets forwarded back and forth between the service and the on-premise server securely. We will extend the services that the site can consume through our cloud gateway, providing peace of mind that the chance of unwanted data packets coming from the internet into a corporate network is well managed.
Port forwarding is a common technique used in the security industry to allow external devices or clients to communicate with internal equipment on private networks, including equipment such as IP cameras, NVRs, intrusion and access control systems, HVAC, fire, and the list is growing! However, opening ports to the internet provides an inherent attack vector for would-be hackers. If not properly configured, port forwarding can expose customers to significant risk, not only to the exposed application but to their entire networks. VPNs are an alternative, but may add significant administration overhead to IT teams, and can be frustrating and cumbersome for users. Cloud-enabled security software and devices are a great alternative. Cloud applications allow for inbound connections to on-premise security equipment without any need for port forwarding. Communications are commonly encrypted to protect sensitive data in transit. Cloud offerings can reduce IT administration workload while also significantly reducing exposure to network attacks.
Port forwarding is the computer networking practice of making a computer or software on that computer inside of a private network accessible outside of that network. It is relatively easy to do and allows convenient access to the machine from anywhere else in the world. This convenience, however, means that anyone aware of this computer being accessible from anywhere could try to connect. Some ways to mitigate this are to limit the port-forwarding to specific IP addresses, to have strong passwords for the computer or the software, and if possible, to add an SSL certificate to encrypt the traffic.
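The last two mitigations above (pin each forward to specific source addresses, and only forward to encrypted services) can be turned into a small audit of a router's port-forwarding table. The following is an added example, not code from any panelist or vendor; the rule format and the sample rules are constructed for illustration and the cleartext-port list is an assumption you would adapt to your own estate.

```python
"""Audit port-forwarding rules against two mitigations: source pinning and encrypted services."""
import ipaddress
from dataclasses import dataclass, field

# Ports whose usual service sends credentials or video in cleartext.
# Constructed list for this example; extend it to match your deployment.
CLEARTEXT_PORTS = {21: "ftp", 23: "telnet", 80: "http", 554: "rtsp"}


@dataclass
class ForwardRule:
    """One port-forward entry as a router or firewall would store it (hypothetical format)."""
    name: str
    external_port: int
    internal_ip: str
    internal_port: int
    # Source networks allowed to reach the forward; an empty list means "anyone".
    allowed_sources: list = field(default_factory=list)


def audit_rule(rule):
    """Return the list of findings for one rule; an empty list means both checks passed."""
    findings = []
    sources = [ipaddress.ip_network(s, strict=False) for s in rule.allowed_sources]
    # Check 1: the forward must be limited to specific client addresses.
    # No allow-list, or a /0 entry, means the whole internet can reach the device.
    if not sources or any(net.prefixlen == 0 for net in sources):
        findings.append("open to any source address")
    # Check 2: the forwarded service should be one that encrypts its traffic.
    service = CLEARTEXT_PORTS.get(rule.internal_port)
    if service:
        findings.append(f"forwards to cleartext service {service}/{rule.internal_port}")
    return findings


def audit(rules):
    """Map each rule name to its findings."""
    return {rule.name: audit_rule(rule) for rule in rules}


# Constructed sample rules; the addresses are documentation ranges, not a real site.
SAMPLE_RULES = [
    ForwardRule("camera-web", 8080, "192.168.1.20", 80),
    ForwardRule("nvr-https", 443, "192.168.1.10", 443, ["203.0.113.0/24"]),
    ForwardRule("nvr-rtsp", 554, "192.168.1.10", 554, ["0.0.0.0/0"]),
]

if __name__ == "__main__":
    for name, findings in audit(SAMPLE_RULES).items():
        print(f"{name}: {'OK' if not findings else '; '.join(findings)}")
```

Only the HTTPS forward pinned to a single /24 passes; the other two are flagged on both checks.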