
I would like to assure my boss that port forwarding a Raspberry Pi is safe. I plan to port forward the web port, so I can run an Apache server, and also port forward my own program (a C command-line socket server).

Q1: As I understand it, the only way to hack the raspberry pi (in this case) would be to hack the program that is being port forwarded. Is that true? Could the hacker get to another computer, or hack something else?

Q2: Is Apache unhackable if you port forward it?

Q3: Let's say that the only thing my program does is a ->ping->pong type program. Could there be a way that the program could be used to hack my pi?

Q4. If my pi is hacked, could the hacker then use it to gain access to other computers on the network? What could be done to prevent it?

Thank you very much for any response. If you are only able to answer one of my questions, that is perfectly fine.

pepperjack

1 Answer

An attacker can hack the program running the server and any program/service it relies on (e.g. SSL, the webserver, logins etc.). No system connected to a network and plugged in is unhackable. If they can successfully exploit your Pi, they can then use it to attack your other servers - this will likely be far easier since they already accessed your network and there is likely a degree of trust between your Pi and other machines on your network. You need far more than port forwarding to protect your Pi and the rest of your network. This would include but is not limited to a firewall, intrusion detection, an update/patching plan, backups, hardening of all exposed services and programs etc.

What value would you get from having a ping/pong or echo server running internally open on the web? It would be simpler to use a cloud provider and let them handle the security issues while you focus on your application's core functionality.

I would suggest doing much more homework before attempting this or trying to convince your boss - unless you want to be unemployed. You may want to start with this question, and this recent blog post.

Properly securing the Pi is not impossible, but requires a lot of knowledge, skill and time.

Steve Robillard
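
As an illustration of what "hardening of all exposed services" means for the C ping/pong server from the question, here is an added example (not code from the asker or the answerer) of a request handler that bounds every read, times out idle clients and rejects anything but the exact expected message. The `ping\n`/`pong\n` line protocol, the 16-byte limit, the 5-second timeout and the names `pong_reply` and `serve_one` are assumptions made for the example.

```c
/* Added example: defensive request handling for a ping -> pong service. */
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/time.h>
#include <sys/types.h>

#define MAX_REQ 16   /* assumed hard upper bound on request size */

/* Validate raw network bytes by length; never treat them as a C string.
   Returns the reply length written to out, or -1 to reject. */
int pong_reply(const unsigned char *req, size_t len, char *out, size_t cap)
{
    static const char want[] = "ping\n", reply[] = "pong\n";
    if (len != sizeof want - 1 || memcmp(req, want, len) != 0
        || cap < sizeof reply - 1)
        return -1;                       /* anything unexpected is dropped */
    memcpy(out, reply, sizeof reply - 1);
    return (int)(sizeof reply - 1);
}

/* Serve one request on a connected socket. Returns 0 if answered, -1 if rejected. */
int serve_one(int fd)
{
    unsigned char buf[MAX_REQ];
    char out[MAX_REQ];
    size_t used = 0;
    struct timeval tv = { .tv_sec = 5, .tv_usec = 0 };
    setsockopt(fd, SOL_SOCKET, SO_RCVTIMEO, &tv, sizeof tv); /* drop idle clients */
    while (used < sizeof buf) {          /* never read past the buffer */
        ssize_t n = recv(fd, buf + used, sizeof buf - used, 0);
        if (n <= 0) return -1;           /* timeout, error or early close */
        used += (size_t)n;
        if (buf[used - 1] == '\n') break; /* a complete line has arrived */
    }
    int rlen = pong_reply(buf, used, out, sizeof out);
    if (rlen < 0) return -1;             /* oversized or malformed request */
    return send(fd, out, (size_t)rlen, 0) == rlen ? 0 : -1;
}

int main(void)
{
    int sv[2];                           /* local socket pair stands in for a client */
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0) return 1;
    send(sv[0], "ping\n", 5, 0);         /* constructed valid request */
    printf("valid request -> %d\n", serve_one(sv[1]));
    char junk[100]; memset(junk, 'A', sizeof junk);
    send(sv[0], junk, sizeof junk, 0);   /* constructed oversized request */
    printf("oversized request -> %d\n", serve_one(sv[1]));
    return 0;
}
```

Input handling like this addresses only one class of bug in the custom program; the firewall, patching and network-separation measures listed in the answer are still needed.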