Security with Roon ARC / Roon 2.0

Finally got my set up to work. Since the port is now open on both the ISP router for the wired mesh network and on the access point for the wired roon core, how are we ensuring proper security with that port open?

Thoughts appreciated.

2 Likes

Not an official Roon response but insight as to some of how it works from @ipeverywhere .

Thanks! Not putting me at ease at all.

2 Likes

What kinda extra security would you suggest? Beyond authentication, an application firewall in your gateway is beyond Roons scope.

1 Like

We should put in place a volunteer red team.

4 Likes

UpNP plus open port is elevating a security risk level significantly. To properly configure a firewall with this kind of security vulnerability is a pain in a neck and unlikely to be very effective.

For starters I would like to know if this information is encrypted, encryption methods, as well as Roon’s security risk assessment. This exposes your home network. So to your point Mike, it is a your problem type of problem. I’m not warm and fuzzy. I tested this out, I have few questions, suggestions and some feedback that I will post. But as far as I’m concerned, I’m probably done and will be closing the port and upnp.

6 Likes

Connecting your home network to an internet connected gateway exposes your home network. But don’t let me dampen your outrage. It’s all about the level of exposure vs. utility you’re ok with.

@mikeb you’re correct. It’s all about the level of exposure and the risks you’re willing to take.

I really love the idea and the interface is decent for v1.0 with good potential for future enhancements. But…

1 Like

Anyone who is worried about this should not be setting up port forwarding at this point. But we have to trust Roon with this or why bother taking part in the test. It would be good for Roon to put out something explaining the security and hopefully authenticated encryption used which would help with concerns.

UPNP is the first thing I turn off when setting up a new router as it has been implemented so badly in many places. It is not something I ever expect to enable so the manual option is good.

7 Likes

Won’t most modern homes have ports open?
I know I have multiple open for NAS, Security System, IP cameras, I just manually set them with random number ports.

But at the end of the day the only thing on my NAS is media.

3 Likes

Like a Swiss cheese. An open port is only relevant is something is listening.

I have just disabled UPnP (after I had enabled it for ARC to see my core) and the port forwarding rule it created still holds so perhaps this is advice worth considering i.e. to disable UPnP once the port forwarding rule has been added?

.sjb

I’ve got a UK BT Homehub and if you disable UPnP it removes the rules.

2 Likes

John it’s generally good advice as anything inside the network can create a request for an inbound port.
It’s been the cause of many a hacking problem.
Hopefully it just let’s the already created rule be there, which Just allows Roon to Run

1 Like

Why didn’t you just remove that rule and manually create one, using a different port number.

2 Likes

Well primarily because these types of things are more akin to voodoo for me than science or engineering or whatever they are.

Is there any advantage to doing as you suggest (mainly the change in port?)

.sjb

2 Likes

Changing the port is just adding security through obscurity.
On most linux system you can see usual port address space allocations:
less /etc/services
tcpmux 1/tcp # TCP port service multiplexer
echo 7/tcp
echo 7/udp
discard 9/tcp sink null
discard 9/udp sink null
systat 11/tcp users
daytime 13/tcp
daytime 13/udp
netstat 15/tcp
qotd 17/tcp quote

. . .

Port 55000 currently has no RFC associated with it

One could conceivably put in a Content Based Access Control based on what traffic is flowing through it. That would require users to understand what I just said, which isn’t likely and Roon telling us what the packet looks like for inspection.
Again I put that in the not likely category.
MHO

Some uTorrent versions use 55000 and yes security by obscurity. See

4 Likes

As it turns out I don’t seem to have an option to change or delete the port forwarding rule generated by UPnP.

.sjb

1 Like

Nice site. l learned something, thank you.