NAT Routers With UPnP - Security Risk, or Benefit?
NAT routers, in general, only open ports when necessary. When an application, running on a client computer on your LAN, wants to communicate with a server outside the LAN, it sends a packet out. The NAT router does 4 things, in sequence:
- Opens a port which points back to the client computer that sent the packet.
- Sends the packet to the distant computer, rewriting its source to the router's own public IP address and the port that was just opened.
- Waits for a return packet from the distant computer.
- Forwards the return packet from the distant computer to the client computer that started the whole thing.
Now, NAT is stateful. This is a reason why a NAT router is said to provide protection like a firewall (though a NAT router is NOT a firewall). The port that is opened, from the outgoing packet, only responds to the address of the distant server. Thus when a port is opened, only replies from the distant server will be returned to the client computer on the LAN. Packets from any other computer, to that port, simply get dropped by the NAT router.
NAT, in its purest form, only supports client computers. Unless a client computer opens a port with an outgoing packet, no incoming traffic gets passed, by a NAT router, to any LAN computer.
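The four steps above, and the statefulness described after them, can be seen in a small simulation. This is an added illustration written for this article, not code from any router vendor; the `NatRouter` and `Packet` names are invented here and every address and port number is a constructed sample value. An outbound packet opens an external port that points back at the LAN client; a reply on that port is forwarded only if it comes from the exact peer the port was opened for, and anything else is dropped.

```python
"""Toy model of a stateful NAT router (added example, not vendor code).
Outbound packets open a mapping; only the matching remote peer's replies
are passed back through it. Addresses below are constructed samples."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass
class Mapping:
    lan_ip: str        # LAN client that sent the first packet
    lan_port: int
    remote_ip: str     # the distant server this port was opened for
    remote_port: int


@dataclass
class NatRouter:
    wan_ip: str
    next_port: int = 40000
    # external port -> mapping created by an outbound packet
    table: Dict[int, Mapping] = field(default_factory=dict)
    log: List[str] = field(default_factory=list)

    def outbound(self, pkt: Packet) -> Packet:
        """Steps 1 and 2: open a port that points back at the LAN client and
        rewrite the packet so the distant server answers the router."""
        flow = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        for ext_port, m in self.table.items():
            if (m.lan_ip, m.lan_port, m.remote_ip, m.remote_port) == flow:
                break  # same flow as before: reuse its mapping
        else:
            ext_port = self.next_port
            self.next_port += 1
            self.table[ext_port] = Mapping(*flow)
        return Packet(self.wan_ip, ext_port, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Steps 3 and 4: forward to the LAN only if the packet arrives on an
        open port AND comes from the peer that port was opened for."""
        m = self.table.get(pkt.dst_port)
        if m is None:
            self.log.append(f"drop: no open port {pkt.dst_port}")
            return None
        if (pkt.src_ip, pkt.src_port) != (m.remote_ip, m.remote_port):
            self.log.append(
                f"drop: {pkt.src_ip}:{pkt.src_port} is not the peer for port {pkt.dst_port}")
            return None
        return Packet(pkt.src_ip, pkt.src_port, m.lan_ip, m.lan_port)


def demo() -> dict:
    """Walk one client request through the router and probe the open port."""
    nat = NatRouter(wan_ip="203.0.113.1")
    client = Packet("192.168.1.10", 50000, "198.51.100.20", 80)
    out = nat.outbound(client)                     # opens port 40000
    reply = nat.inbound(Packet("198.51.100.20", 80, nat.wan_ip, out.src_port))
    stranger = nat.inbound(Packet("198.51.100.99", 80, nat.wan_ip, out.src_port))
    unsolicited = nat.inbound(Packet("198.51.100.99", 12345, nat.wan_ip, 22))
    return {"out": out, "reply": reply, "stranger": stranger,
            "unsolicited": unsolicited, "log": nat.log}


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The `log` list is the part a defender cares about: both the reply from a different host on the open port and the unsolicited packet to a port nobody opened end up there as drops, while the genuine reply is rewritten back to the LAN client.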
So how do you use a server (a computer that waits for unsolicited incoming packets) behind a NAT router? Before UPnP, you would use either Port Forwarding, or Port Triggering.
- With Port Forwarding, you define fixed ports, to be forwarded to a fixed IP address. Those ports are opened when they are defined, and stay opened forever. The ports must be defined, and opened, before they are needed.
- With Port Triggering, you define fixed ports, to be forwarded, when specific other ports are opened, by any application on any computer. Those ports are opened when triggered, and stay open forever. The ports must be defined before the triggered port is needed.
- With UPnP, the UPnP capable application tells the router, precisely when needed, what ports are to be opened, and forwarded to what (potentially dynamic) IP address. And properly written UPnP applications will also tell the router when to close those ports.
Many well-meaning security experts see UPnP as a security risk. If you have uncontrolled applications running on your computer, they can control your router, have it open ports at will, and create security risks.
If your computer has uncontrolled applications running on it, you've already lost that battle. You need to learn about detecting and removing malware (get rid of any existing untrustworthy software), and then you need to learn about protecting your computers properly (keep any future untrustworthy software off your computer).
UPnP is just as reliable, and as safe, as any applications running on your computer. If you control your computers properly, and ONLY trusted applications run on them, UPnP is perfectly safe. If you don't control your computers properly, applications hijacking UPnP to open holes in your router will be the least of your worries.
UPnP is actually more secure when your computers can be trusted. UPnP, as I state above, will dynamically instruct the router to close specific ports when they are not needed. Port forwarding, and port triggering, leave ports open forever.
The other advantage of UPnP is that it allows you to have servers on your LAN, using dynamic IP addressing. Port forwarding requires a server to have a fixed IP address. Port triggering, depending upon the NAT router, may or may not require a server to have a fixed IP address.
- With port forwarding, or port triggering, you can have only a single computer on the LAN running a given server application. A predefined port can be forwarded to only one server.
- With UPnP forwarding, multiple computers can run the same UPnP compliant application, such as an IM program. The server application can negotiate with the router, as necessary, and have the port forwarded.
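The three mechanisms compared in the list above, and the two UPnP advantages (ports closed when no longer needed, several LAN hosts running the same application), can be modelled side by side. This is an added example for this article, not the code of any router and not the real UPnP IGD protocol; `MappingTable`, `upnp_add`, `upnp_delete` and `permanently_open` are names invented here, the "next free external port" behaviour and the rule that a host may only delete its own mapping are this toy model's policy, and all addresses are constructed samples. The audit helper at the end lists the mappings that nothing will ever close, which is what a review of a router's configuration should be looking for.

```python
"""Toy model of a router's inbound port-mapping table (added example, not
vendor or UPnP IGD code). Compares static forwarding, port triggering and
UPnP-style on-demand mappings. Addresses are constructed samples."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Mapping:
    external_port: int
    lan_ip: str
    lan_port: int
    origin: str   # "forward", "trigger" or "upnp"


class MappingTable:
    def __init__(self) -> None:
        # (protocol, external port) -> mapping
        self.mappings: Dict[Tuple[str, int], Mapping] = {}
        # trigger port -> (protocol, external port, LAN port) to open
        self.triggers: Dict[int, Tuple[str, int, int]] = {}

    def forward(self, proto: str, ext_port: int, lan_ip: str, lan_port: int) -> None:
        """Static port forwarding: defined ahead of time, fixed LAN address,
        never expires, and one LAN host per external port."""
        key = (proto, ext_port)
        if key in self.mappings:
            raise ValueError(f"{proto}/{ext_port} already forwarded to {self.mappings[key].lan_ip}")
        self.mappings[key] = Mapping(ext_port, lan_ip, lan_port, "forward")

    def define_trigger(self, trigger_port: int, proto: str, ext_port: int, lan_port: int) -> None:
        """Port triggering rule: defined in advance, opened later by traffic."""
        self.triggers[trigger_port] = (proto, ext_port, lan_port)

    def outbound_seen(self, lan_ip: str, dst_port: int) -> None:
        """An outbound connection to a trigger port opens the mapping toward
        whichever LAN host made it; the mapping then stays open."""
        rule = self.triggers.get(dst_port)
        if rule:
            proto, ext_port, lan_port = rule
            self.mappings[(proto, ext_port)] = Mapping(ext_port, lan_ip, lan_port, "trigger")

    def upnp_add(self, proto: str, ext_port: int, lan_ip: str, lan_port: int) -> int:
        """UPnP-style request from an application, made when the port is
        needed. Model policy (assumption): if the external port is busy, the
        next free one is used, so a second LAN host running the same
        application still gets a mapping. Returns the port actually opened."""
        while (proto, ext_port) in self.mappings:
            ext_port += 1
        self.mappings[(proto, ext_port)] = Mapping(ext_port, lan_ip, lan_port, "upnp")
        return ext_port

    def upnp_delete(self, proto: str, ext_port: int, lan_ip: str) -> bool:
        """The application closes its own mapping when done. Model policy
        (assumption): only the LAN host the mapping points at may remove it,
        and static/triggered mappings cannot be removed this way."""
        m = self.mappings.get((proto, ext_port))
        if m is None or m.origin != "upnp" or m.lan_ip != lan_ip:
            return False
        del self.mappings[(proto, ext_port)]
        return True

    def permanently_open(self) -> List[Mapping]:
        """Audit helper: mappings that no application will ever close."""
        return [m for m in self.mappings.values() if m.origin != "upnp"]


def demo() -> dict:
    """One web server on a fixed IP, one triggered port, and the same
    UPnP-capable application on two different LAN hosts."""
    t = MappingTable()
    t.forward("tcp", 8080, "192.168.1.20", 80)          # fixed-IP web server
    t.define_trigger(6112, "tcp", 6113, 6113)            # rule defined in advance
    t.outbound_seen("192.168.1.30", 6112)                # host .30 trips the trigger
    a = t.upnp_add("udp", 3478, "192.168.1.40", 3478)    # IM app on host A
    b = t.upnp_add("udp", 3478, "192.168.1.41", 3478)    # same app on host B
    closed = t.upnp_delete("udp", a, "192.168.1.40")     # host A exits cleanly
    return {"a": a, "b": b, "closed": closed,
            "remaining": sorted(t.mappings),
            "permanent": sorted(m.external_port for m in t.permanently_open())}


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

After the run, host A's mapping is gone and host B's is still in place on the next port, while the forwarded and triggered ports remain open with nothing scheduled to close them; that is the contrast the article draws between UPnP and the two older mechanisms.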
Bottom line? A properly written UPnP capable application is more functional, and no less secure, than an equivalent non-UPnP capable application. On a LAN with a properly designed layered security strategy, it will not create a security risk.