Dynamic DNS
Thread Starter
Per Ardua ad Astraeus
Joined: Mar 2000
Posts: 18,575
Likes: 4
From: UK
Dynamic DNS
I have been asked (and done) to set up DDNS on my router to allow temporary access to a restricted server for FTP. I have never done this before, and I am uncertain exactly what this means now for my general 'security' via my router? Anybody got it in simple language please? I am using DynDns.com.
Joined: Aug 2002
Posts: 3,663
Likes: 0
From: Earth
BOAC,
First I must confess my practical experience of Dynamic DNS is limited due to more frequent use of static IP and normal DNS. My understanding of it is that there is a DDNS client which keeps the Dynamic DNS service updated with your router/whatever's current IP address.
If that is the case, then the inherent security risks are as follows:
(1) Security vulnerability in the internet-exposed DDNS client service leading to a launch point for attacks.
(2) DNS on its own is only there to resolve a name to an IP. Therefore you need to review your general L3 security stance accordingly (filter rules etc.) No specific things need to be checked for DNS in your scenario.
Administrator
Joined: Mar 2001
Aviation Qualifications: PPL
Posts: 8,121
Likes: 686
From: Twickenham, home of rugby
BOAC,
As I understand it, you are using DDNS because your IP address may change, being dynamically assigned by your ISP.
DDNS allows your router to update the DDNS service if your IP address changes, so that the DNS name resolution always points to the correct IP address.
Regarding general security - well, you are no less secure than if you had a fixed IP address and used a static DNS.
You presumably have port-forwarding enabled for at least HTTP and FTP so you need to ensure that the server(s) accessible in this way are properly hardened.
If your router / firewall has the ability to create a DMZ for this purpose (hosting publicly-accessible servers), that would be ideal - thus separating the inside network from the publicly-accessible server(s).
SD
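As an added example (not part of SD's post or of this thread): a small Python check, meant to be run from a connection outside your own network, that resolves the DDNS name and compares the TCP ports actually reachable there with the ones you meant to forward. The function names and port lists are assumptions for illustration; the demo at the bottom uses a constructed local listener so it runs offline.

```python
import socket

# Ports meant to be forwarded (HTTP and FTP, as in the post above).
INTENDED = [21, 80]
# Assumption: other services a router or server commonly exposes by mistake.
CANDIDATES = [21, 22, 23, 80, 443, 3389, 8080]


def open_ports(address, ports, timeout=1.0):
    """Return the ports in `ports` that accept a TCP connection at `address`."""
    found = []
    for port in ports:
        try:
            with socket.create_connection((address, port), timeout=timeout):
                found.append(port)
        except OSError:
            pass  # refused, filtered or timed out: not reachable
    return found


def audit_exposure(host, intended=INTENDED, candidates=CANDIDATES, timeout=1.0):
    """Compare what is reachable at `host` with what was meant to be forwarded."""
    address = socket.gethostbyname(host)  # what the DDNS name points at right now
    reachable = set(open_ports(address, candidates, timeout))
    wanted = set(intended)
    return {
        "address": address,
        "ok": sorted(reachable & wanted),          # forwarded as planned
        "unexpected": sorted(reachable - wanted),  # exposed but never meant to be
        "missing": sorted(wanted - reachable),     # planned but not reachable
    }


if __name__ == "__main__":
    # Constructed demo: a local listener stands in for an unplanned forwarded port.
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    extra = srv.getsockname()[1]
    report = audit_exposure("127.0.0.1", candidates=INTENDED + [extra])
    srv.close()
    for key, value in report.items():
        print(f"{key}: {value}")
```

Anything listed under `unexpected` is a forwarding rule or router service to close. Run it from outside the LAN, since many routers do not loop connections to their own public address back inside.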
Thread Starter
Per Ardua ad Astraeus
Joined: Mar 2000
Posts: 18,575
Likes: 4
From: UK
Great replies, guys - thanks. I'll wade through 'DMZs', port-forwarding etc which are black arts to me. Sounds, though, as if I should be ok - I'm happy with the concept of dyndns.com and static IPs, and yes - my ISP, as usual, allocates floating. I understand that the server I am to access needs to have a fixed IP for me to allow me in. It was the 'big picture' security angle I was unsure of.

Joined: Jan 2008
Posts: 1,133
Likes: 0
From: Bracknell, Berks, UK
If I knew how to attach a file to this forum I'd attach a dummy's* guide to networking and the internet in PowerPoint I wrote a few years ago to try and train our call takers. It might help, it might not.
(*no offense implied - just a brand name)
Joined: Apr 2009
Posts: 349
Likes: 0
From: UK.

Joined: Jan 2008
Posts: 1,133
Likes: 0
From: Bracknell, Berks, UK
Right, it's not complete, it might contain a few technical inaccuracies for the sake of getting the point across, and it wasn't originally designed for this audience (or to answer 100% of the asked question), but in the interests of teaching others here you go:
RapidShare: 1-CLICK Web hosting - Easy Filehosting
Joined: Aug 2000
Posts: 436
Likes: 0
From: Patterson, NY
BOAC,
The servers you need to access, ftp?, do indeed require a static IP address.
Since you are using DDNS then that is not an issue. Simply access the server via DNS name, as set up in DDNS, and you're good to go. Just make sure you configure the proper security at the FTP server. (I'm familiar with this using Linux and Unix but I'm not so sure about Windows.)




