Is port forwarding inherently unsafe?
I had an argument with a person a few months ago when I proposed we forward port 12xyz to an internal SSH server.
The target server was tied down in a manner similar to the one recommended by @stribika at https://stribika.github.io/2015/01/04/secure-secure-shell.html. Specifically: no root access, public key authentication only, a non-standard SSH port, and high-quality ciphers, KEX algorithms, and MACs.
I was arguing that the forwarded port was not inherently dangerous in itself, and that the safety was dependent on the service at the target port. I maintained my method was a perfectly safe way to gain remote access. He vehemently argued that it was not, stating that a VPN tunnel is the only safe way to achieve remote access.
Who was right?
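As an added example (not part of the question or of any answer on this page), here is a POSIX shell audit that checks an `sshd_config` for the hardening points the question lists: non-default port, no root login, key-only authentication, and explicitly pinned, non-weak KEX, cipher and MAC lists. Both config files below are constructed samples, and the list of weak-algorithm patterns is this example's own choice rather than anything taken from the linked guide.

```shell
#!/bin/sh
# Added example: audit an sshd_config against the hardening points in the question.
# Both config files are constructed here for the demo; they are not real servers' files.

SAMPLE_CFG=$(mktemp)   # hardened example
WEAK_CFG=$(mktemp)     # deliberately weak example for contrast
trap 'rm -f "$SAMPLE_CFG" "$WEAK_CFG"' EXIT

cat > "$SAMPLE_CFG" <<'EOF'
# constructed sample: hardened sshd_config (hypothetical values)
Port 12345
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr,aes128-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com
EOF

cat > "$WEAK_CFG" <<'EOF'
# constructed sample: weak sshd_config (hypothetical values)
Port 22
PermitRootLogin yes
PasswordAuthentication yes
Ciphers aes128-cbc,aes256-ctr
MACs hmac-md5,hmac-sha2-256
EOF

# cfg_get FILE KEYWORD -> value of the first matching "Keyword value" line.
# sshd honours the first occurrence; lines after a Match block are conditional, so we stop there.
# Only the whitespace-separated form is handled, not "Keyword=value".
cfg_get() {
    awk -v key="$2" '
        /^[[:space:]]*(#|$)/ { next }                    # skip comments and blank lines
        tolower($1) == "match" { exit }                  # conditional section: stop
        tolower($1) == tolower(key) { $1 = ""; sub(/^[[:space:]]+/, ""); print; exit }
    ' "$1"
}

# audit_sshd FILE -> prints one line per check; return value = number of failed checks.
# Absent keywords count as failures: the audit wants every hardening setting stated explicitly.
audit_sshd() {
    f="$1"; fails=0

    port=$(cfg_get "$f" Port); [ -n "$port" ] || port=22
    if [ "$port" = 22 ]; then echo "FAIL Port: default 22"; fails=$((fails+1))
    else echo "ok   Port: $port"; fi

    # "Keyword wanted-value" pairs
    for spec in "PermitRootLogin no" "PasswordAuthentication no" \
                "ChallengeResponseAuthentication no" "PubkeyAuthentication yes"; do
        set -- $spec
        val=$(cfg_get "$f" "$1")
        if [ "$val" = "$2" ]; then echo "ok   $1: $val"
        else echo "FAIL $1: ${val:-(not set)} (want $2)"; fails=$((fails+1)); fi
    done

    # Algorithm lists must be pinned and must not contain known-weak entries.
    # Weak patterns are this example's own selection (CBC modes, RC4, 3DES, MD5/SHA-1 MACs, SHA-1 DH groups).
    for kw in KexAlgorithms Ciphers MACs; do
        val=$(cfg_get "$f" "$kw")
        if [ -z "$val" ]; then echo "FAIL $kw: not pinned (server default applies)"; fails=$((fails+1))
        elif echo "$val" | grep -Eiq 'cbc|arcfour|3des|hmac-md5|hmac-sha1|group1-sha1|group14-sha1|ripemd|umac-64'; then
            echo "FAIL $kw: contains a weak entry: $val"; fails=$((fails+1))
        else echo "ok   $kw: $val"; fi
    done
    return $fails
}

echo "== hardened sample =="; audit_sshd "$SAMPLE_CFG" || echo "$? failing check(s)"
echo "== weak sample ==";     audit_sshd "$WEAK_CFG"   || echo "$? failing check(s)"
```

This reads the file, not the running daemon; on a real host, feed it the output of `sshd -T` (which prints the effective configuration, one keyword per line) rather than the raw file, so that defaults and include files are accounted for.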
Forwarding ports is NOT inherently dangerous in itself, and YES, the safety is dependent on the service at the target port. But safety also depends on how good your router's firewall is and how well it is protected, both internally and externally.
For remote access, SSH and VPN work as well as each other. Neither is more secure than the other when similar levels of encryption are used. But since SSH works at the application level, supports only TCP, and provides remote access to a single computer only, I would prefer VPN tunnelling, which in fact works at the transport layer, supports both UDP and TCP, and allows secure access to multiple resources.
A VPN tunnel is NOT the only safe way to achieve remote access, but it is definitely the preferred way due to the above reasons. Not to mention that SSH is really difficult to implement properly in the case of multiple resources, can cause DNS leaks, and has to be configured separately for each application.
Thanks, Joseph. In our situation, application-level tunnelling is preferable to transport-layer tunnelling, which is why I wanted to use SSH in the first place. :-) Also thanks for your comments re DNS leaks. I'm reading about that now, but I see it's possible to have DNS leaks even via a VPN connection.
Yes, DNS leaks are possible even with VPN tunnelling. Try DNSCrypt, which is a protocol for securing communication between the client and the DNS server.
Of course, if you don't care that your ISP or whoever sees that you're accessing `my-corperate-office-5.internal.mycompany.com` then it doesn't matter, since of course `my-corperate-office-5.internal.mycompany.com` is already in the public registry pointing to an IP address, it's just whether it matters that someone knows you happen to be using it at that moment. For most cases, probably not a big deal.