Playing a game over the Internet may require more than just a data connection between you and the other players. You may want to talk with your friends, or chat, while playing. In many multiplayer games, a number of TCP and UDP connections could exist between the players while the game is active. Leaving a large number of ports open to the Internet can represent a security risk.
Port triggering allows the router to temporarily forward data through inbound TCP or UDP ports to a specific device. You can use port triggering to forward data to a computer only when a designated port range is used to make an outbound request. For example, a video game might use ports 27,000 to 27,100 for connecting with other players. These are the trigger ports. A chat client might use port 56 for connecting the same players so that they can communicate with each other while playing the game. In this instance, if there is gaming traffic on an outbound port within the triggered port range, inbound chat traffic on port 56 is forwarded to the computer that is being used to play the video game and chat with friends. When the game is over and the triggered ports are no longer in use, inbound traffic on port 56 is no longer forwarded to this computer.
Figure 16-16 shows a port range triggering rules table on a Cisco CVR100W Wireless-N VPN router.
Figure 16-16 Port Triggering on a Cisco CVR100W Wireless-N VPN Router
Video—Firewall Settings on a Wireless Router (16.3.6)
Refer to the online course to view this video.
Video—Firewall Settings on a Windows PC (16.3.7)
Refer to the online course to view this video.
Lab—Configure Windows Firewall Settings (16.3.8)
In this lab, you will complete the following objectives:
- Access Windows Firewall settings to add a new firewall rule.
- Create a firewall rule to permit ping requests.
- Remove the new firewall rule to return the settings to their previous state.
Summary (16.4)
The following is a summary of each topic in the chapter:
- Wireless Security Measures—With wireless connectivity, threat actors can tune in to signals from your wireless network, much like tuning in to a radio station. After they have access to your network, they can use your Internet services for free, as well as access computers on your network. These vulnerabilities require configuration of special security features and implementation methods to help protect your WLAN from attacks:
  - Change default values for the SSID and administrator password.
  - Disable broadcast SSID.
  - Configure MAC address filtering.
  - Configure encryption using WPA2 or higher.
  - Configure authentication.
  - Configure traffic filtering.
With the SSID broadcast activated, any wireless client can detect the network and connect to it, if no other security features are in place. The SSID broadcast feature can be turned off, which means that the presence of the network is no longer made public. Any computer trying to connect to the network must already know the SSID.
Default information should be changed to something more secure and unique. Changing the default settings on a wireless router does not protect your network by itself. Even with SSID broadcast turned off and default values changed, attackers use devices that intercept wireless signals to learn the name of a wireless network. It takes a combination of several methods to protect your WLAN.
MAC address filtering uses the MAC address to determine either the devices that are allowed on the wireless network (which is the most common method) or the devices that are not allowed on the network based on the preconfigured MAC address database.
- Implement Wireless Security—Applying a username and password is the most common form of authentication. In a wireless environment, authentication, if enabled, must occur before the client is allowed to connect to the WLAN. The setup utility on many routers disables open authentication and automatically sets up more secure user authentication on the WLAN. If both authentication and MAC address filtering are enabled, authentication occurs first. When authentication is successful, the AP then checks the MAC address against the MAC address table. When verified, the AP adds the host MAC address to its host table. The client is then said to be associated with the AP and can connect to the network.
WPA2 uses encryption keys from 64 bits up to 256 bits. However, WPA2, unlike WEP, generates new, dynamic keys each time a client establishes a connection with the AP. WPA2 is considered more secure than WEP because it is significantly more difficult to crack. The version of WPA2 designed for home networks is designated as WPA2-PSK. The PSK indicates that this encryption method is based on a preshared key—in this case, your configured passphrase. WPA3 is an upgrade to WPA and includes both versions for home (personal) and enterprise.
- Configure a Firewall—A firewall is usually installed between two or more networks and controls the traffic between them as well as helps to prevent unauthorized access. Firewall products use various techniques for determining which devices are permitted or denied access to a network. Typically, a hardware firewall passes two different types of traffic into your network: responses to traffic that originates from inside your network and traffic destined for a port that you have intentionally permitted. Many home network devices, such as wireless routers, include multifunction firewall software. This firewall typically provides NAT, IP, application, and website filtering capabilities; it also supports DMZ capabilities.
Port forwarding is a rule-based method of directing traffic between devices on separate networks. When incoming traffic from the Internet reaches your router, the firewall in the router determines whether the traffic should be forwarded to a certain device based on the port number carried in the traffic. The rules that you configure in the firewall settings determine which traffic is permitted onto the LAN.
Port triggering allows the router to temporarily forward data through inbound TCP or UDP ports to a specific device. You can use port triggering to forward data to a computer only when a designated port range is used to make an outbound request.
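The three inbound paths described for the home-router firewall (replies to sessions opened from inside, static port forwarding, and port triggering with the game-and-chat scenario from earlier in the chapter), modelled as an added Python example that is not part of the course or of any router's firmware. The addresses, the trigger rule and the NAT simplification stated in the docstring are assumptions made for the illustration.

```python
"""Inbound filtering of a home-router firewall as the chapter describes it: a packet from
the Internet reaches a LAN host only as a reply to a session that host opened, via a
port-forwarding rule, or via a port trigger armed by that host's outbound traffic.
Assumptions: NAT keeps the LAN source port; a trigger matches the outbound destination port."""
from dataclasses import dataclass, field

@dataclass
class HomeFirewall:
    forwards: dict = field(default_factory=dict)   # (proto, wan_port) -> lan_ip
    triggers: list = field(default_factory=list)   # (trigger_lo, trigger_hi, inbound_port)
    sessions: dict = field(default_factory=dict)   # (proto, lan_port, remote_ip, remote_port) -> lan_ip
    triggered: dict = field(default_factory=dict)  # inbound_port -> lan_ip while a trigger is armed

    def outbound(self, proto, lan_ip, lan_port, remote_ip, remote_port):
        """A LAN host opens a connection: remember it and arm any matching trigger."""
        self.sessions[(proto, lan_port, remote_ip, remote_port)] = lan_ip
        self._rearm()

    def session_closed(self, proto, lan_port, remote_ip, remote_port):
        """The connection ends: forget it and close triggers no host is using."""
        self.sessions.pop((proto, lan_port, remote_ip, remote_port), None)
        self._rearm()

    def _rearm(self):
        # Rebuild trigger state: a trigger stays open only for a host that still
        # has an outbound session inside the trigger range.
        self.triggered = {}
        for lo, hi, inbound_port in self.triggers:
            for (_, _, _, remote_port), lan_ip in self.sessions.items():
                if lo <= remote_port <= hi:
                    self.triggered[inbound_port] = lan_ip

    def inbound(self, proto, src_ip, src_port, dst_port):
        """Return the LAN host that receives this packet, or None to drop it."""
        lan_ip = self.sessions.get((proto, dst_port, src_ip, src_port))
        if lan_ip is not None:
            return lan_ip                              # reply to an outbound session
        if (proto, dst_port) in self.forwards:
            return self.forwards[(proto, dst_port)]    # static port forwarding
        return self.triggered.get(dst_port)            # armed trigger, else dropped

def game_and_chat_demo():
    """The chapter's scenario with constructed addresses: game ports 27000-27100 trigger chat port 56."""
    fw = HomeFirewall(triggers=[(27000, 27100, 56)])
    before = fw.inbound("tcp", "203.0.113.5", 4000, 56)                 # no game yet: dropped
    fw.outbound("udp", "192.168.1.10", 51000, "203.0.113.5", 27015)     # game traffic arms trigger
    during = fw.inbound("tcp", "203.0.113.5", 4000, 56)                 # chat reaches the gamer
    fw.session_closed("udp", 51000, "203.0.113.5", 27015)               # game over
    after = fw.inbound("tcp", "203.0.113.5", 4000, 56)                  # trigger closed: dropped
    return before, during, after
```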