Crucial security questions

thedrama Member Posts: 291
Hey guyz, somethin' significant came into my mind. These days, I have been playing Guild Wars. Nevertheless, I'm a little bit insecure about whether I need to forward the relevant ports (6112, TCP connection).

I saw that, without forwarding, download speed remains very slow and lags often occur, making the game unplayable. On the other hand, I shouldn't and do not need to port forward unless someone tries to open a connection to my private network. Besides, a security risk is obvious in such a situation.

My questions are

1) What do you think about whether I need to open the relevant ports for this game? Will it pose a security risk even if the game provides higher speeds?

2) The well-known protocols such as FTP, HTTP, Telnet, SMTP on my router (in the port forwarding section) are entered but not "enabled" for an IP address. Does this mean they are not forwarded?
Monster PC specs(Packard Bell VR46) : Intel Celeron Dual-Core 1.2 GHz CPU , 4096 MB DDR3 RAM, Intel Media Graphics (R) 4 Family with IntelGMA 4500 M HD graphics. :lol:

5 year-old laptop PC specs(Toshiba Satellite A210) : AMD Athlon 64 x2 1.9 GHz CPU, ATI Radeon X1200 128 MB Video Memory graphics card, 3072 MB 667 Mhz DDR2 RAM. (1 stick 2 gigabytes and 1 stick 1 gigabytes)


Comments

  • paul78 Member Posts: 3,016
    It's going to be hard to give you an opinion on this one. It sounds like there is a proprietary protocol used by the app. It would require a protocol analysis and a review of the TCP peer software to determine if there are vulnerabilities.
  • SephStorm Member Posts: 1,731
    I would think that the service running on the port would need to have vulnerabilities to be exploited. Just because a port is open and accepting connections doesn't mean the application running on the port is vulnerable. Now, depending on what kind of firewall you are running, an attacker could try to use that port to tunnel data or scan your machine using a source port that he knows is forwarded, but I wouldn't consider it an unacceptable risk.
  • thedrama Member Posts: 291
    Any ideas else?
  • dustinmurphy Member Posts: 170
    1) ANY open port to the inside poses a security risk of some sort. How much of one, however, is hard to tell. As previous posters said... it depends on the vulnerabilities of the program...

    2) If they're not "enabled" then, no... they're not open.
  • Heero Member Posts: 486
    Why the hell would Guild Wars require you to open a port? You are not hosting anything to the outside world. Also, opening a port should not be the difference between laggy and not laggy, it should be the difference between cannot connect and can connect.
  • MAC_Addy Member Posts: 1,740
    Mostly all games that you play online require a port. Just like WoW uses port 3724. It's a port that the game looks for on your local network to reach the game servers.
    2017 Certification Goals:
    CCNP R/S
  • Heero Member Posts: 486
    Yes, all communication using UDP and TCP requires ports, both source and destination. What I am saying is that since all traffic is initiated from the local side (by the client), why would he need to forward any ports?
  • MAC_Addy Member Posts: 1,740
    Since you have listed CCNA and NP on your certs you'll know that when connecting through your router you'll use NAT/PAT. If your router isn't set up with 10.1.1.1:80 it won't allow you to access the internet, correct? So if you don't set up port forwarding correctly it won't work correctly. You'll be sending and receiving data while connected to their servers, since your character moves, the server would like to know if you went from A to B.
  • Heero Member Posts: 486
    I think you may need to study NAT/PAT a bit more.
  • MAC_Addy Member Posts: 1,740
  • Heero Member Posts: 486
    When using NAT, connections initiated from behind the NAT require no port to be forwarded. The device doing NAT tracks each session, allowing it to map return communication to the correct host. This is why you don't have to set up port forwarding for email, web, skype, etc...
  • dustinmurphy Member Posts: 170
    Heero wrote: »
    Yes, all communication using UDP and TCP requires ports, both source and destination. What I am saying is that since all traffic is initiated from the local side (by the client), why would he need to forward any ports?

    True, however they may have some proprietary software that is more like P2P, which may require an opened port to run properly.
  • dustinmurphy Member Posts: 170
    Heero wrote: »
    I think you may need to study NAT/PAT a bit more.

    LOL... agreed.
  • tr1x Member Posts: 213
    Also agreed. To the OP, forwarding your port will do absolutely nothing to help your lag. And it does have the possibility to introduce some security vulnerabilities.. So the answer to your question is no, you shouldn't do it.
  • afcyung Member Posts: 212
    thedrama wrote: »

    1) What do you think about if i need to open the relevant ports for this game? will it pose a security risk even if the game provides higher speeds?

    Just from a purely security standpoint: yes, it will increase the threat landscape for the PC you are forwarding the port to. Your router will forward all TCP traffic that comes in on that port to your PC regardless of the sender (obviously this depends on the sophistication of your hardware). Your computer should only be listening to that port when the game is up and running. What an attacker would try to do is use a flaw in the game to exploit your box and go from there. Having solid firewall rules on both the router and on the local PC should minimize the risk to an acceptable level.
  • thedrama Member Posts: 291
    MAC_Addy wrote: »
    Since you have listed CCNA and NP on your certs you'll know that when connecting through your router you'll use NAT/PAT. If your router isn't set up with 10.1.1.1:80 it won't allow you to access the internet, correct? So if you don't set up port forwarding correctly it won't work correctly. You'll be sending and receiving data while connected to their servers, since your character moves, the server would like to know if you went from A to B.

    I apologise but Heero seems right. If you have studied NAT/PAT, you should have learned that NAT/PAT doesn't allow the incoming traffic by default, which means a basic security to keep the private network behind the NAT/PATting device safe. However, while playing online games the thing you should do is connecting as a game client to the game server outside. By means of this, port forwarding is not needed to be applied on the router cos there is no attempt of access from the game server to the private network.

    BUT

    The thing I'm chasing is why the hell the game downloads fast when I made port forwarding in spite of no necessity? My case is that.
  • Heero Member Posts: 486
    You have been a little confusing about this so far, I figured you have been talking about in game lag. When you say "downloading the game" what are you downloading, and how are you downloading it?
  • tr1x Member Posts: 213
    I want to add.. 'downloading' (or playing, whatever you're doing) won't be faster or slower with port forwarding. It will either work or not work, there's no speed increase. If you did experience a speed increase, it's due to something unrelated.
  • thedrama Member Posts: 291
    Heero wrote: »
    You have been a little confusing about this so far, I figured you have been talking about in game lag. When you say "downloading the game" what are you downloading, and how are you downloading it?

    I have mentioned both lags and the situation especially when you enter a new area, the game client pulls something you know. Don't you download the files of new places, cos it shows bottom left ...KB/second by the way it progresses until it is complete.
  • Heero Member Posts: 486
    Hmm, not what I was thinking. What game specifically then?
  • thedrama Member Posts: 291
    The game is Guild Wars. The amount of lag didn't change literally. However, as far as I observed, by opening the regarding ports for the incoming connection, download speed (pulling the data from the game server) relatively increased.

    Why?
  • veritas_libertas Member Posts: 5,746
    Heero wrote: »
    Yes, all communication using UDP and TCP requires ports, both source and destination. What I am saying is that since all traffic is initiated from the local side (by the client), why would he need to forward any ports?

    My thoughts exactly. This online game sounds like it has been very poorly implemented. I HATE opening ports on my firewall. I know from watching my Astaro box that I get pinged/scanned on a regular basis from our friends in Russia and China.
  • tr1x Member Posts: 213
    thedrama wrote: »
    The game is Guild Wars. The amount of lag didn't change literally. However, as far as I observed, by opening the regarding ports for the incoming connection, download speed (pulling the data from the game server) relatively increased.

    Why?

    When your PC is communicating with the gaming server, your port is already as good as opened. Your PC creates a session with that server and any packets that the server sends get forwarded from your router to your PC, regardless of whether or not the port is open. The only difference is if the server was trying to send you data without you first initiating the session.. which isn't happening. Any speed increase is coincidental and unrelated to port forwarding.
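
Added example, not part of any post in this thread: a toy model of the NAT/PAT behaviour the replies above describe, showing that replies to a client-initiated session need no forward, that a listed-but-disabled entry forwards nothing, and that an enabled forward on 6112 accepts any sender. All addresses, class names and ports other than 6112 are constructed, and matching replies on external port plus remote endpoint is an assumption; real routers vary.

```python
from dataclasses import dataclass, field

@dataclass
class Forward:            # one row of the router's port-forwarding page
    ext_port: int
    host: str
    enabled: bool = True

@dataclass
class NatRouter:
    forwards: list = field(default_factory=list)
    sessions: dict = field(default_factory=dict)  # (ext_port, remote) -> (host, port)
    next_port: int = 40000

    def outbound(self, host, src_port, remote):
        """A LAN host opens a connection; the router records the mapping."""
        ext_port, self.next_port = self.next_port, self.next_port + 1
        self.sessions[(ext_port, remote)] = (host, src_port)
        return ext_port

    def inbound(self, remote, dst_port):
        """Return the LAN (host, port) that gets the packet, or None if dropped."""
        hit = self.sessions.get((dst_port, remote))
        if hit:
            return hit                      # reply to a session the client started
        for f in self.forwards:
            if f.enabled and f.ext_port == dst_port:
                return (f.host, dst_port)   # static forward: any sender is accepted
        return None

def demo():
    pc = "192.168.1.10"                     # constructed addresses throughout
    server = ("203.0.113.5", 6112)
    stranger = ("198.51.100.7", 51515)
    r = NatRouter(forwards=[Forward(21, pc, enabled=False)])  # FTP listed, not enabled
    ext = r.outbound(pc, 50123, server)     # game client connects out to port 6112
    out = {
        "server_reply": r.inbound(server, ext),
        "stranger_no_forward": r.inbound(stranger, 6112),
        "disabled_ftp_entry": r.inbound(stranger, 21),
        "stranger_on_session_port": r.inbound(stranger, ext),
    }
    r.forwards.append(Forward(6112, pc))    # the forward the OP is asking about
    out["stranger_with_forward"] = r.inbound(stranger, 6112)
    return out

if __name__ == "__main__":
    for name, dest in demo().items():
        print(f"{name:26} -> {dest}")
```
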
  • dustinmurphy Member Posts: 170
    thedrama wrote: »
    I apologise but Heero seems right. If you have studied NAT/PAT, you should have learned that NAT/PAT doesn't allow the incoming traffic by default, which means a basic security to keep the private network behind the NAT/PATting device safe. However, while playing online games the thing you should do is connecting as a game client to the game server outside. By means of this, port forwarding is not needed to be applied on the router cos there is no attempt of access from the game server to the private network.

    BUT

    The thing I'm chasing is why the hell the game downloads fast when I made port forwarding in spite of no necessity? My case is that.

    Actually, the way Heero worded it... his understanding of NAT/PAT is wrong. He is saying that you have to open the ports to go out to the internet. Most home routers are configured to NAT to the outside address... allow all traffic outgoing, and none incoming.

    BTW - it's not necessarily NAT that blocks incoming connections... it's firewall rules. ;)
  • dustinmurphy Member Posts: 170
    My thoughts exactly. This online game sounds like it has been very poorly implemented. I HATE opening ports on my firewall. I know from watching my Astaro box that I get pinged/scanned on a regular basis from our friends in Russia and China.

    Eeeeew... did you just say Astaro? Ick! I've used those in the past... (their hardware solution) and it was HORRIBLE. It would lock up just doing SMTP filtering... not even using it as a firewall... I had so many outages from that stupid thing locking up randomly.
  • Turgon Banned Posts: 6,308
    I saw this thread tonight and wondered if it was corporate security. Is this seriously about playing games at home? I should imagine the normal precautions taken by the everyday punter without a CCNA should be enough should it not?

    Don't open your home network up. Find another game.
  • dustinmurphy Member Posts: 170
    Well, the question is more... how can they claim to give better bandwidth by forwarding ports to the PC... and if you do that, is there a security risk...

    All I can think of is that they want you to use their proprietary software (most likely some P2P) and in return you get higher download/upload speeds because it's on a different network. This is my best guess as opening a port will do NOTHING to bandwidth/latency.
  • Novalith478 Member Posts: 151
    Heero wrote: »
    Why the hell would Guild Wars require you to open a port? You are not hosting anything to the outside world. Also, opening a port should not be the difference between laggy and not laggy, it should be the difference between cannot connect and can connect.

    I know for World of Warcraft in order to download patches through their own P2P application, they give you a list of ports to open in order to get the maximum download rate possible. I can imagine it is the same for Guild Wars (for patches, that is). Don't see why not having some ports open should affect your game-play, though. I used to play WoW on my computer all the time with only a few ports open on my router, and it went fine with no lag at all.
  • veritas_libertas Member Posts: 5,746
    Eeeeew... did you just say Astaro? Ick! I've used those in the past... (their hardware solution) and it was HORRIBLE. It would lock up just doing SMTP filtering... not even using it as a firewall... I had so many outages from that stupid thing locking up randomly.

    Did you have enough memory? In my experience the only time it would lock up is if you didn't have the right hardware. I only use it as a firewall/vpn solution. Not perfect but it's free ;)
  • dustinmurphy Member Posts: 170
    Did you have enough memory? In my experience the only time it would lock up is if you didn't have the right hardware. I only use it as a firewall/vpn solution. Not perfect but it's free ;)

    We were using their hardware... either the Security Gateway 220 or 320... like this one: Astaro Internet Security Gateway 220 | UTM Security Appliance | AstaroGuard.com

    I was constantly cycling the power because it locked up for some reason or another (usually once a week or 2 weeks). We put a Pix 515e in its place for firewall... a 2811 and 6509 in its place for a router (actually L3 switch) and a Cisco 3000 VPN Concentrator for VPN. :D Since we already had purchased this... we used it for SMTP filtering... and it would even lock up with that. We originally had 2 of 'em... for HA.