Since the advent of low-cost, high-speed Internet access, cheap remote access to resources has become standard fare in small offices. Unfortunately, problems inevitably occur when you try to access remote resources with basic off-the-shelf hardware and software. The typical small office network has high-speed access but only one public IP address shared among multiple PCs through Network Address Translation (NAT). On a standard port, a basic NAT router with one public IP address can forward traffic to only one system at a time.
The typical workaround is to forward several different ports to different PCs, but this workaround introduces new problems. People often randomly select low port numbers for custom use, then discover a conflict with another service that uses that port. Furthermore, intruders trying to break into systems typically scan low-numbered ports so using low port numbers increases the risk of successful break-ins.
The most-secure solution is to use a VPN. However, if using a VPN isn't an option in the short term, here are a couple of tactics you can use until you set up a VPN:
1. Use Internet Assigned Numbers Authority's (IANA's) private port numbers whenever you must use nonstandard ports for remote access to a system. The IANA port list is available at http://www.iana.org/assignments/port-numbers. IANA has allocated ports 49152 through 65535 for private custom use in this kind of situation. If you use high-numbered private ports, you won't accidentally use a well-known or standard vendor service port. Using high-numbered private ports also reduces the risk of someone noting the open port during a random port scan; intruders are much less likely to try scanning an entire 65,000+ port range to find open ports because such a scan can draw attention to them.
You configure private ports at the firewall. For example, you can configure the firewall to forward incoming connections to port 50000 to pc1 port 3389 on the internal LAN, port 50001 to pc2 port 3389, and so on.
2. Dynamically check local port usage on all PCs on the LAN. To perform this check, open a command-shell window on each PC, type the command
netstat -an | find "LISTENING"
and press Enter. This command generates a list of all listening ports, whether they're currently connected or not.
A VPN is always the most secure and flexible tool for networking over the Internet and should be the eventual target of any remote networking environment. However, until that time comes, you can help secure your remote access system by using the private ports and dynamically checking local port usage.