Open ports? Newbie question


Chippy_boy

Regular Contributor
Hi folks

I must confess, although computer savvy, I am not very clued up on networking.

I want my home network to be as secure as possible, so I think I have all my ports closed and I am not port-forwarding anything.

[attached screenshot: Screenshot 2022-07-05 091856.png]

My question is this: How can e.g. Philips Hue and Tado control my lights and my central heating remotely? How can these services access devices in my network (which they both do quite happily) if my network is locked down? I am really confused how this is possible without open ports and port forwarding to the respective devices. So how does this work?

And is it a (albeit small) possible security risk?

If anyone could explain, I'd be very grateful.

Thanks
 
Beware that Shields Up (like most other similar online tools) only tests for TCP ports, NOT UDP.

Many such devices do NOT need to initiate connections inbound (i.e., rely on port forwarding). They can simply "phone home" to their server(s) for instructions. IOW, when you buy into these devices, you're implicitly buying into a service to manage it. If in fact they need to initiate connections inbound, it's a simple matter to configure a site-to-site tunnel, using something like OpenVPN or SSH. This is exactly how my OOMA (VOIP) phone adapter works. In order for their service to inform me of an incoming call, they create an OpenVPN connection from behind my firewall (the client) to their OpenVPN server, from which they can initiate connections back through my firewall.

It's something employers have to deal w/ all the time. Their admins actively seek out such traffic, just in case employees are punching holes in their firewall and creating security risks.

That's why *anything* behind your own firewall is a potential security risk. You just have to decide who and what you're willing to trust.
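To make the "phone home" point concrete, here is a small Python model of the connection-tracking rule a home router applies on its WAN side. It is an illustration added to this thread, not code from any poster or from Philips, Tado or OOMA, and it assumes a router that does ordinary stateful filtering; the LAN and Internet addresses are constructed from the RFC 5737 documentation ranges, and UDP 1194 is OpenVPN's default port.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str       # "tcp" or "udp"
    direction: str   # "out" = LAN -> Internet, "in" = Internet -> LAN


class StatefulFirewall:
    """Toy model of the connection-tracking rule at a home router's WAN side."""

    def __init__(self, port_forwards=None):
        # 5-tuples of flows that a LAN device started; replies are matched against these.
        self.conntrack = set()
        # Explicit forwards: (proto, wan_port) -> LAN host. Empty means nothing forwarded.
        self.port_forwards = port_forwards or {}

    def process(self, pkt):
        if pkt.direction == "out":
            self.conntrack.add((pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port))
            return "ALLOW"
        reply_key = (pkt.proto, pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        if reply_key in self.conntrack:
            return "ALLOW-REPLY"      # return traffic for a flow the LAN side opened
        if (pkt.proto, pkt.dst_port) in self.port_forwards:
            return "ALLOW-FORWARD"    # the owner deliberately opened this port
        return "DROP"                 # unsolicited inbound: what a port scan reports as closed/stealth


def run_scenario():
    """Replay the cases discussed in the thread and return (label, decision) pairs.
    All addresses are constructed examples (RFC 5737 documentation ranges)."""
    fw = StatefulFirewall()            # no port forwards configured, as in the question
    hub, adapter = "192.168.1.20", "192.168.1.30"
    vendor_cloud, vpn_server, scanner = "203.0.113.10", "198.51.100.42", "198.51.100.7"
    decisions = []

    # 1. Smart-home hub "phones home": LAN -> vendor cloud on 443, and the reply comes back in.
    decisions.append(("hub phones home",
                      fw.process(Packet(hub, 50000, vendor_cloud, 443, "tcp", "out"))))
    decisions.append(("cloud replies",
                      fw.process(Packet(vendor_cloud, 443, hub, 50000, "tcp", "in"))))

    # 2. Unsolicited probe from the Internet to the hub: no matching outbound flow, no forward.
    decisions.append(("scanner probes hub",
                      fw.process(Packet(scanner, 40000, hub, 80, "tcp", "in"))))

    # 3. VoIP adapter opens a VPN tunnel outbound (UDP 1194 is OpenVPN's default).
    #    Everything the VPN server sends back, including an "incoming call" that the
    #    server initiated inside the tunnel, is just return traffic of this one flow
    #    as far as the router is concerned.
    decisions.append(("adapter opens tunnel",
                      fw.process(Packet(adapter, 1194, vpn_server, 1194, "udp", "out"))))
    decisions.append(("server pushes call through tunnel",
                      fw.process(Packet(vpn_server, 1194, adapter, 1194, "udp", "in"))))
    return decisions


if __name__ == "__main__":
    for label, decision in run_scenario():
        print(f"{label:35} {decision}")
```

The point of case 3 is the risk the post describes: once a device inside your LAN has opened a tunnel, the router only sees a permitted outbound flow and its replies, so whatever the far end sends through that tunnel never has to pass an inbound rule. The trust decision has effectively moved from your firewall to the device vendor.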
 
Thanks for this. So presumably my Tado and Philips Hue are constantly (periodically?) polling, checking the respective servers to see if there's any new instructions?
 

Most likely. Polling is very common. But when things need to be initiated from the server to the client (e.g., a phone call is coming in over VOIP), that's when you see the tunneling.

Whether it's constant or periodic polling is just going to depend on the nature of the device. Whatever it needs to get the job done.

That's why you might want to consider gaining some experience w/ tools like tcpdump and Wireshark so you can snoop on what these devices are doing.
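As a starting point for the tcpdump suggestion above, here is an added Python script (not code from any poster) that reads tcpdump -n style output and summarises, per LAN device, which outbound flows it opens, how regularly (to spot polling), how long a UDP flow lives (to spot a tunnel), and whether any inbound SYNs arrived that no LAN device asked for. The capture below is constructed for the example using RFC 5737 addresses, and the script assumes the home LAN is 192.168.1.0/24.

```python
import re
from collections import defaultdict
from statistics import median

LAN_PREFIX = "192.168.1."   # assumption: the home LAN is 192.168.1.0/24

# Matches tcpdump -n lines such as:
# 10:15:01.000000 IP 192.168.1.20.50000 > 203.0.113.10.443: Flags [S], seq 100, win 64240, length 0
LINE = re.compile(
    r"^(\d{2}:\d{2}:\d{2}\.\d+) IP (\d+(?:\.\d+){3})\.(\d+) > (\d+(?:\.\d+){3})\.(\d+): (.*)$"
)

# Constructed sample capture, not a real trace: a hub polling its vendor every 30 s,
# an adapter keeping a UDP tunnel up for 10 minutes, and one stray inbound SYN.
SAMPLE_CAPTURE = """\
10:15:01.000000 IP 192.168.1.20.50000 > 203.0.113.10.443: Flags [S], seq 100, win 64240, length 0
10:15:01.030000 IP 203.0.113.10.443 > 192.168.1.20.50000: Flags [S.], seq 200, ack 101, win 65535, length 0
10:15:01.031000 IP 192.168.1.20.50000 > 203.0.113.10.443: Flags [.], ack 1, win 502, length 0
10:15:31.000000 IP 192.168.1.20.50001 > 203.0.113.10.443: Flags [S], seq 300, win 64240, length 0
10:16:01.000000 IP 192.168.1.20.50002 > 203.0.113.10.443: Flags [S], seq 400, win 64240, length 0
10:16:31.000000 IP 192.168.1.20.50003 > 203.0.113.10.443: Flags [S], seq 500, win 64240, length 0
10:15:05.000000 IP 192.168.1.30.1194 > 198.51.100.42.1194: UDP, length 120
10:15:05.020000 IP 198.51.100.42.1194 > 192.168.1.30.1194: UDP, length 96
10:15:15.000000 IP 192.168.1.30.1194 > 198.51.100.42.1194: UDP, length 64
10:20:05.000000 IP 192.168.1.30.1194 > 198.51.100.42.1194: UDP, length 64
10:25:05.000000 IP 192.168.1.30.1194 > 198.51.100.42.1194: UDP, length 64
10:15:10.000000 IP 198.51.100.7.40000 > 192.168.1.20.80: Flags [S], seq 1, win 1024, length 0
"""


def ts_seconds(ts):
    """'HH:MM:SS.ffffff' -> seconds since midnight (enough to measure gaps within one capture)."""
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


def classify(proto, packets, duration_s, median_gap_s):
    """Rough heuristics: repeated TCP connects at a steady interval look like polling;
    a UDP flow that stays up for a minute or more looks like a tunnel or keepalive session."""
    if proto == "tcp" and packets >= 3 and median_gap_s is not None and median_gap_s >= 5:
        return "periodic polling"
    if proto == "udp" and duration_s >= 60:
        return "long-lived session (tunnel-like)"
    return "one-off / short"


def analyze(capture, lan_prefix=LAN_PREFIX):
    """Return ({device: {(remote, port, proto): stats}}, [unsolicited inbound SYNs])."""
    flows = defaultdict(list)   # (device, remote, port, proto) -> outbound timestamps
    unsolicited = []
    for line in capture.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        ts, sip, sport, dip, dport, rest = m.groups()
        t = ts_seconds(ts)
        proto = "udp" if rest.startswith("UDP") else "tcp"
        new_conn = proto == "tcp" and "Flags [S]" in rest   # SYN only; a SYN-ACK prints as [S.]
        outbound = sip.startswith(lan_prefix) and not dip.startswith(lan_prefix)
        inbound = dip.startswith(lan_prefix) and not sip.startswith(lan_prefix)
        if outbound and (proto == "udp" or new_conn):
            flows[(sip, dip, int(dport), proto)].append(t)
        elif inbound and new_conn:
            # A SYN from the Internet that no LAN flow explains; seeing it on the LAN
            # side means something let it through.
            unsolicited.append((sip, dip, int(dport), ts))
    report = {}
    for (device, remote, port, proto), times in flows.items():
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        stats = {
            "packets": len(times),
            "duration_s": round(times[-1] - times[0], 3),
            "median_gap_s": round(median(gaps), 3) if gaps else None,
        }
        stats["pattern"] = classify(proto, stats["packets"], stats["duration_s"], stats["median_gap_s"])
        report.setdefault(device, {})[(remote, port, proto)] = stats
    return report, unsolicited


if __name__ == "__main__":
    report, unsolicited = analyze(SAMPLE_CAPTURE)
    for device, flows_for_device in report.items():
        for (remote, port, proto), stats in flows_for_device.items():
            print(f"{device} -> {remote}:{port}/{proto}: {stats}")
    for sip, dip, port, ts in unsolicited:
        print(f"unsolicited inbound SYN {sip} -> {dip}:{port} at {ts}")
```

On a real network you would feed it the output of a capture such as `tcpdump -n -i <lan-interface> host <device-ip>` run on the router or on a mirrored port; the heuristics are deliberately simple and are meant as a first pass before opening the same capture in Wireshark.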
 
> This is exactly how my OOMA (VOIP) phone adapter works. In order for their service to inform me of an incoming call, they create an OpenVPN connection from behind my firewall (the client) to their OpenVPN server, from which they can initiate connections back through my firewall.

I thought they turned away from OVPN some time back (like 2010...) - If I recall, they're using SSL/TLS these days that supported the mobile application...
 

I can't speak to what they use today. I have the original OOMA Hub VOIP adapter, purchased back in 2009 for $160. Hasn't cost me a penny since then for service. Still going strong. I only noticed it was using OpenVPN by accident while monitoring other traffic for other purposes.
 