Universal Plug and Play

With ‘Play’ in the title, it has to be a good thing, right?

For multiple reasons (mainly to preserve IPv4 address space) most devices aren’t given their own public (or internet-ready) IP address, but are given a private address instead. The router uses its public address, permitting home devices to talk through to the internet using that address. The router keeps track of which device is talking to whom by giving each device a different port (think of ports like extensions in a business’s phone system).

Routers will automatically allow devices inside the network to talk to the internet and receive replies, but block traffic that starts from the internet. For example, if you used a smartphone at work to log into your home printer’s web interface, the router would prevent the attempt. In order for an outside device to open a line of communication, the router has to have port forwarding enabled, where a specific port number forwards traffic to the private IP address of the device.

Here is where Universal Plug and Play (UPnP) comes in. If enabled on a router, any device that uses UPnP can tell the router to give it an open port to receive communications from the internet. This is a problem, because it creates a hole in your network’s defenses that users are often unaware of. Also, many malicious attacks take advantage of the router’s willingness to create holes in its firewall functions. The recommendation is to disable UPnP. If a device really needs to be reached from the internet, manually configure port forwarding, and use some kind of authentication, if available.