Is UPnP really that bad a security risk?

Status: Not open for further replies.

sfryman (Dabbler, joined Dec 11, 2016, 13 messages)
My router has a "security assessment" function from Trend Micro. I clicked on it last night, and most things turn up "OK". The exception is for UPnP being enabled (see attached screenshot). I did some online reading and found several opinions stating UPnP is a security risk.


So I disabled UPnP, and predictably some services made a fuss. No big deal, except that Plex is no longer accessible outside of my home network. Manual port forwarding should be an alternative, but I could not get it to work. The instructions from Plex are very straightforward, and I have done this before with an older router & Linux server, so I'm not sure what's wrong.


After about an hour of failing to get Plex working fully again I noticed that port forwarding was also considered a security risk by the Trend Micro security assessment.

So, I cannot have a perfectly clean security risk assessment AND external access to Plex. Fine. We will take some risk but how much worse is UPnP over manual port forwarding?

Also is there something special about Plex implementation on FreeNAS that I need to address to get port forwarding to work?

I understand that Plex is running in a jail, so I gave the jail a static IP (same one DHCP gave out already, just made it static) & then I set up internal port 32400 forwarding to this IP. I also checked off manual port forwarding in the Plex settings page and used the same external port number as the router. Plex still does not work outside my network. I tried multiple external port numbers and restarted both the FreeNAS machine and the router several times with no change.
 

Attachments: Asus router security assessment.jpg

fracai (Guru, joined Aug 22, 2012, 1,212 messages)
That assessment seems a little simplistic. And as you've assessed, you can't have a perfectly clean score AND get anything done. That's why it's risk; it's a tradeoff. My guess is that the assessment is meant for people with no network experience.

UPnP is "worse" in that any application on your network can open a port, rather than you opening one manually. That's worse in that something malicious could get on your network and start opening ports that other machines could then connect to. Without UPnP, something could still get on your network and open a connection to a control server somewhere. That is indeed marginally less damaging, but your network is compromised either way.

Without seeing the configuration pages for Plex and your router I can't say why it still wouldn't have connectivity. It sounds like you have things configured the way they are supposed to be. I have noticed that sometimes Plex will report in the settings menu that it's not connectable when it really is, but when I'm looking at the actual port settings page, it always accurately reports the status as connectable.
 
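An added example (not from fracai or anyone else in the thread) of the auditing side of the point above: a Python script that asks the router's UPnP IGD, through the standard WANIPConnection GetGenericPortMappingEntry call, which port mappings currently exist and flags any whose internal host is not on your own allowlist. It assumes you take the WANIPConnection control URL from your router's UPnP device description; the two sample replies are constructed, not captured from a real router.

```python
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET

SERVICE = "urn:schemas-upnp-org:service:WANIPConnection:1"
SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
FIELDS = ("NewExternalPort", "NewProtocol", "NewInternalClient", "NewPortMappingDescription")
def soap_request(index):
    # SOAP body asking the IGD for entry `index` of its port-mapping table.
    return (f'<?xml version="1.0"?><s:Envelope xmlns:s="{SOAP_NS}" s:encodingStyle='
            f'"http://schemas.xmlsoap.org/soap/encoding/"><s:Body><u:GetGenericPortMappingEntry '
            f'xmlns:u="{SERVICE}"><NewPortMappingIndex>{index}</NewPortMappingIndex>'
            '</u:GetGenericPortMappingEntry></s:Body></s:Envelope>')

def parse_mapping(xml_text):
    # One mapping as a dict, or None on a SOAP fault (UPnP error 713 = end of the table).
    root = ET.fromstring(xml_text)
    if root.find(f".//{{{SOAP_NS}}}Fault") is not None:
        return None
    return {f: (root.findtext(f".//{f}") or "") for f in FIELDS}

def post_soap(control_url, index):
    # One call to the router's WANIPConnection control URL (assumed: taken from its device description).
    req = urllib.request.Request(control_url, data=soap_request(index).encode(), headers={
        "Content-Type": 'text/xml; charset="utf-8"',
        "SOAPAction": f'"{SERVICE}#GetGenericPortMappingEntry"'})
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.read().decode()  # faults arrive as HTTP 500 with a SOAP body

def audit_mappings(control_url, allowed_hosts, fetch=post_soap, limit=256):
    # Walk the whole table; return (all mappings, those opened for hosts you did not expect).
    mappings = []
    for i in range(limit):
        if (entry := parse_mapping(fetch(control_url, i))) is None:
            break
        mappings.append(entry)
    return mappings, [m for m in mappings if m["NewInternalClient"] not in allowed_hosts]
# Constructed sample replies (not captured from a real router) so the audit can run offline.
SAMPLE_OK = (f'<s:Envelope xmlns:s="{SOAP_NS}"><s:Body><u:GetGenericPortMappingEntryResponse '
             f'xmlns:u="{SERVICE}"><NewExternalPort>32400</NewExternalPort><NewProtocol>TCP'
             '</NewProtocol><NewInternalClient>192.168.1.50</NewInternalClient>'
             '<NewPortMappingDescription>Plex Media Server</NewPortMappingDescription>'
             '</u:GetGenericPortMappingEntryResponse></s:Body></s:Envelope>')
SAMPLE_FAULT = (f'<s:Envelope xmlns:s="{SOAP_NS}"><s:Body><s:Fault><detail><UPnPError>'
                '<errorCode>713</errorCode></UPnPError></detail></s:Fault></s:Body></s:Envelope>')
def fake_fetch(_url, index):  # stand-in for post_soap: one entry, then the end-of-table fault
    return SAMPLE_OK if index == 0 else SAMPLE_FAULT
```

Against a live router, call `audit_mappings(control_url, {"192.168.1.50"})` with your Plex jail's static IP on the allowlist; any mapping returned in the second list was opened for a host you did not intend.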

melloa (Wizard, joined May 22, 2016, 1,749 messages)

m0nkey_ (MVP, joined Oct 27, 2015, 2,739 messages)
I stopped using UPnP a long time ago. Unless you have a games console (XBOX or PlayStation) it's not required. Just forward the ports as normal.
 

pschatz100 (Guru, joined Mar 30, 2014, 1,184 messages)
I would try turning off the Trend Micro altogether and see if that makes any difference. It looks like you told it to secure your router - which it did.

Did you notice that it reports Port Forwarding as disabled? I like Asus routers, but I don't use the Trend Micro application.
 