A wireless router for every rack...?
Hi Justin,
The first thing that hit me was security. I've sat on both sides of the network security fence and my experience is that most network managers are extremely sensitive about network access - sometimes with rational justification, and sometimes verging on delusional paranoia ;-) I would guess that if the Crestron system was ever to be connected to another LAN (e.g. a corporate network), then having a 3rd party (you) put a WAP into the mix would send the network manager into convulsions. Even if you understand the nuances of wireless security better than the network guy, you'll probably have an impossible battle on your hands. And, no, I wouldn't trust the C2ENET-2 as a firewall. Perhaps that's not justified, but I don't know enough about it. Good luck with the boss! Ol
--- In Crestron@..., "uscurtin" <jcurtin@...> wrote:
Hi Matt,
I guess I should have qualified my reply with "If your racks get connected up to the general IT infrastructure ...". I was thinking of situations where the client might want XPanels or Roomview or something... anyway... I'm not sure if I follow your point, but keeping traffic separate between AV & "the other" (business/resi) network wasn't what I was getting at. My concern, for Justin's argument, was that some miscreant might gain access to a private network via a poorly configured access point (and whether they're on the same subnet, or 50 hops down the line, isn't really relevant). I like the ENET-2 anecdote :-) You can probably get a dedicated Firewall/NAT appliance cheaper than the ENET-2 too! Cheerio! Ol
--- In Crestron@..., "Matt" <mjrtoo@...> wrote:
I would have reservations about putting in more wireless devices than need be for the required coverage area. For resi, chances are the neighbors have wireless, and clean channels are already tight. I make it a habit to take one with me, as well as several long Ethernet cables, when I go out to service the site. This also helps when you can bypass an integrator's cabling into a MD8x8 that was made up as A on one side and B on the other. For corporate, or even worse DOE & DOD, it probably wouldn't fly. Not to mention the liability if you did put one in, and it was left open, and a company had a network intrusion. Your company could be held liable if the IT department hadn't approved it. Nate
A switch in every rack is a must!!! It's also a lot easier to get a stand-alone switch approved than one with WiFi in it.
--- In Crestron@..., "Matt" <mjrtoo@...> wrote:
Exactly.
I've done work for a handful of dealers who shoved a random wireless router in the system -- usually for a TPMC-8X, just as usually not connected to the corporate network. I'd say 90% of the time (and 100% of those projects at clients who are concerned about PCI Compliance, HIPAA, or FERPA) -while I was there- the dealer's contact with the corporation got a rather curt email from the network security folks. One of them that I remember rather well was something along the lines of "at xxxxxxxx we detected a rogue access point with the ssid yyyyy. It appears to be in <building name> <floor> near conference room <number>. We are attempting to locate and destroy the access point." There have been others with similar wording but only one where I remember the use of the word "destroy". There's a distinct difference in philosophy between "company where IT department is one person" and "company where IT department has their own floor". At the university (IT department had a couple floors) if you were running an unauthorized access point on the campus you'd have two very angry 6'+ 250+ pound Ex-Marines banging on your door within a couple days (same thing, actually, if they detected an unauthorized switch)... Our Network Operations folks were awesome, but they could scare the $!@$ out of someone who broke policy (that occasionally came in handy for us :) ). For good reason: Every wireless access point is a hole in the network that they have no control of the stopper for; every switch that they don't have management control of is potentially dozens of holes in the network. And it's just bad practice to piss off Network Admins. Whoever contracted for the project may be "above" or "sideways" but ultimately the network admin is responsible for keeping the network happy. If the network's not happy and they start raising fuss about the "unauthorized devices" that an "idiot vendor" installed as being the cause, chances of you getting called back may drop.
You should read the Chronicles of BOFH ;) -- Lincoln King-Cliby, CTS Applications Engineer ControlWorks Consulting, LLC V: 440.729.4640 x1107 F: 440.729.0884 I: Crestron Authorized Independent Programmer -----Original Message-----
From: Crestron@... [mailto:Crestron@...] On Behalf Of Chris Erskine Sent: Wednesday, January 21, 2009 10:18 PM To: Crestron@... Subject: RE: [Crestron] Re: A wireless router for every rack...? A lot of it depends on the size of the corporation and what their rules are. A number of places are scanning for foreign routers and will take and remove them from the network. If connections get left undone, they do not care. Also depending on the company, it does not matter who signed off on it. If this is to provide a nice to have for the service tech, why can they not plug in to the network like everyone else. Some shops do not allow wireless period. Chris -----Original Message----- From: Crestron@... [mailto:Crestron@...] On Behalf Of uscurtin Sent: Wednesday, January 21, 2009 5:37 PM To: Crestron@... Subject: [Crestron] Re: A wireless router for every rack...? Chris, I agree with you completely!!! And we do primarily commercial. And I have argued your take in previous discussions to no avail. I didn't however take the liability standpoint that you have here. I will adapt my argument in further discussions. THANKS! One note I will mention that works against what you've said (not that I condone it in any sense), is that in my experience so far, the Network Admin never really gets a say until after someone with a less network savvy background has already signed off on the build plans. The network admin generally isn't aware of my aspect of the project until I communicate to them about the MAC addresses that need access to their network. The argument there is that since the client who signed off on the build is generally above the network admin in stature, the network admin doesn't necessarily get say in the matter (except that there's a conflict with what's been ok'ed by the client and what's (un)acceptable by the network admin), which is unfortunate since I would side with you and the network admin that it is a security hole and shouldn't be allowed.
--- In Crestron@..., Chris Erskine <chris@...> wrote: I had the network support group for a building, I can tell you that it would not be accepted. If you told us beforehand that you were adding the wireless, you would be told not to install it. If you did not notify us, there would be strong chances of legal action since we would assume that you were trying to hack our network. Most of the encryption routines are being cracked, so adding the router as a convenience for your service personnel is not a good reason to add it to each system. As a liability issue, if you were to add the router into the environment and it is used to hack a corporate network, you would be opening yourself up to major liability issues. Behalf Of uscurtin Sent: Wednesday, January 21, 2009 1:06 PM
------------------------------------ Check out the Files area for useful modules, documents, and drivers. A contact list of Crestron dealers and programmers can be found in the Database area. Yahoo! Groups Links
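The "we detected a rogue access point with the ssid yyyyy ... near conference room" email above, and Chris's remark that a number of places scan for foreign routers, describe the same basic check: compare what the radios actually see against the inventory of access points the network team deployed. The following Python is an added example of that triage, not code from any poster or from Crestron; the inventory, the scan rows and every BSSID, SSID and location in it are constructed. It separates four cases a network team cares about: an authorized radio, an authorized radio advertising the wrong SSID, an unknown radio reusing the corporate SSID (which clients may join by name), and a plain unknown radio, with open (unencrypted) unknowns called out separately since those are the "left open" case Nate and Chris worry about.

```python
"""Rogue access point triage: compare a Wi-Fi scan against the network
team's authorized AP inventory and flag anything that should not be there.
Added example; inventory, scan rows and all names/addresses are constructed."""
from collections import Counter
from dataclasses import dataclass

# Constructed inventory of authorized access points keyed by BSSID (radio MAC).
AUTHORIZED_APS = {
    "00:11:22:33:44:01": {"ssid": "CorpWiFi", "location": "Bldg A / Floor 2"},
    "00:11:22:33:44:02": {"ssid": "CorpWiFi", "location": "Bldg A / Floor 3"},
}

# Constructed scan output, one AP per row: BSSID SSID CHANNEL RSSI(dBm) SECURITY
SAMPLE_SCAN = """\
00:11:22:33:44:01 CorpWiFi 6 -48 WPA2
00:11:22:33:44:02 CorpWiFi 11 -71 WPA2
a4:2b:8c:00:00:10 AVRack-Conf204 1 -39 OPEN
a4:2b:8c:00:00:11 CorpWiFi 6 -55 WPA2
"""


@dataclass
class Finding:
    bssid: str
    ssid: str
    channel: int
    rssi: int
    security: str
    verdict: str  # authorized | misconfigured | evil-twin | rogue | rogue-open
    note: str


def parse_scan(text):
    """Parse whitespace-separated scan rows; BSSIDs and security are upper-cased."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # skip blank or malformed rows instead of aborting the sweep
        bssid, ssid, channel, rssi, security = fields
        rows.append((bssid.upper(), ssid, int(channel), int(rssi), security.upper()))
    return rows


def classify(bssid, ssid, channel, rssi, security, inventory=AUTHORIZED_APS):
    """Decide what one observed radio is, relative to the inventory."""
    corporate_ssids = {info["ssid"] for info in inventory.values()}
    if bssid in inventory:
        expected = inventory[bssid]["ssid"]
        if ssid == expected:
            verdict, note = "authorized", inventory[bssid]["location"]
        else:
            verdict, note = "misconfigured", f"authorized radio advertising '{ssid}', expected '{expected}'"
    elif ssid in corporate_ssids:
        # An unknown radio using the corporate SSID: clients may join it by name.
        verdict, note = "evil-twin", f"unknown BSSID impersonating '{ssid}'"
    elif security == "OPEN":
        verdict, note = "rogue-open", "unknown AP with no encryption"
    else:
        verdict, note = "rogue", "unknown AP"
    return Finding(bssid, ssid, channel, rssi, security, verdict, note)


def triage(scan_text, inventory=AUTHORIZED_APS):
    """Findings for a scan, strongest signal first, so the nearest unknown
    radio sits at the top of the list when someone goes looking for it."""
    findings = [classify(*row, inventory=inventory) for row in parse_scan(scan_text)]
    return sorted(findings, key=lambda f: f.rssi, reverse=True)


def summarize(findings):
    """Count findings per verdict."""
    return dict(Counter(f.verdict for f in findings))


if __name__ == "__main__":
    for f in triage(SAMPLE_SCAN):
        print(f"{f.verdict:<14} {f.bssid} ssid={f.ssid!r} ch={f.channel} rssi={f.rssi} {f.note}")
```

In a real deployment the scan rows would come from the wireless controller or a sweep tool rather than a string constant, and the inventory from whatever asset register the network team maintains; the classification logic is the part that stays the same. Sorting by RSSI is the cheap stand-in for the "it appears to be near conference room <number>" step: the sensor that hears the unknown radio loudest is the one closest to it.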
I did not understand! Why do you need to connect one router in every rack? You can connect all the racks to one wireless router (I mean one cable from every processor to one router). For the security thing you can restrict unknown IPs from your network by entering the setup page of your router: simply go to the security section and go to IP filtration... add the permitted IPs if you are using static IPs, else use IP reservation for the processors if dynamic IPs are in the main LAN, and static IPs for your processors. rabih brahim +96566129409 marselle001@...
Jason Dravet
--- On Wed, 1/21/09, uscurtin <jcurtin@...> wrote:
Personally I don't like wireless. Most are not secure (and I am not just talking about WEP/WPA). A friend just purchased a Wireless AP and installed it. The router was a NetGear wpn842 I think. It worked great after I installed it. When I install equipment I always check for updated firmware. It is a good thing too, as the router would lose its settings after a power failure without this update. Two weeks later his house lost power and all of the settings were erased. That router was returned and another purchased from a different vendor. But this illustrates APs have to be maintained, whereas popular belief is set it up and forget about it. For installs I do for business I usually spec Cisco as people know Cisco. But having extra functions just because is not a good thing. Even if the AP is strictly for Crestron and not connected to the home or internet it is a way in. If someone were to hack into the network via an AP that the customer didn't spec or know about, who knows what trouble the hacker could get into. You might be responsible for any damage that occurred. Say the hacker figures out how to open and close the curtains. Depending on the motor he could overheat it (open/close repeatedly, or figure out how to jam up the motor) and cause a fire. Even if in the equipment specs you say you are installing an AP and the customer signs off you might be responsible, as the customer really doesn't know what he is signing for and the AP has no legitimate function. Of course always check with a lawyer. Jason
Is that really true - if you have a legal signoff they can still hold you responsible? Then what's the point of a signoff, in general? (Note that I think having a WAP installed by default is a bad idea as much as the rest of the people here.)
--- In Crestron@..., Jason Dravet <jason.dravet@...> wrote: Even if in the equipment specs you say you are installing a AP and the customer signs off you might be responsible as the customer really doesn't know what he is signing for and the AP has no legitimate function.
You know, I can see some bored CS or EE students screwing with a classroom system just for kicks, that is how we learn ;) But, in the real world who has the time and resources, inclination and product knowledge to do this sort of hacking on a system where there is not the slightest profit in doing so. Why not spend their time trying to hack into Obama's Crackberry if they want some fun? WRT drapes and other motorized devices, your program or your hardware should make such jammage impossible, because it is much more likely that a user (most are dangerous) will damage something. I know, you were just trying to provide an illustrative example. I guess if I was worried about it I would be more concerned about someone initializing the processor and wiping out the program. But, unless you are familiar with control systems it would take quite a bit of fishing to figure out how to do it. My old Linksys with Talisman firmware never forgets who it is, and I can turn down the transmit power so the signal is unavailable at the street. If you think through the application and select the proper component and settings, as with any portion of the system, it will most likely do what you intended without causing trouble. After all, knowing how to do all that is why we get the big bucks. JM$.02 Kol
_____ From: Crestron@... [mailto:Crestron@...] On Behalf Of Jason Dravet Sent: Friday, January 23, 2009 12:34 PM To: Crestron@... Subject: Re: [Crestron] A wireless router for every rack...?
In a country where you can sue because the chainsaw did not have a prominently displayed warning "Do not try to stop the moving chain with your bare hands" anything is possible. And, in California it could be considered likely.
_____ From: Crestron@... [mailto:Crestron@...] On Behalf Of fooguy89 Sent: Friday, January 23, 2009 1:17 PM To: Crestron@... Subject: [Crestron] Re: A wireless router for every rack...?
Matt
I agree, there's a lot of talk about 'poorly configured' and 'rogue routers'. IMHO that shouldn't even be part of the discussion, because if we put them in, they should be properly configured AND not rogue.
Matt
It's sad...very, very sad when you read on a pizza box 'remove plastic from pizza before cooking'.
Jeremy Weatherford
Good luck convincing your local IT Mafia^WDepartment of this.
Jeremy On Fri, Jan 23, 2009 at 3:31 PM, Matt <mjrtoo@...> wrote:
I agree, there's a lot of talk about 'poorly configured' and 'rogue
We generally stick to resi. I tend to set up MAC filtering and some encryption. I think that is acceptable protection. My general description to home owners is that MAC ID filtering is like a gate that checks your driver's license and encryption is like a lock. (I'll give a little WEP = door lock, WPA = bolt lock, etc. description.) Then I'll tell them that, just like a house, if someone with some skill wants in, they are flat out coming in. The last rack I did for an actual company had an 8X in it. I set the router up wide open. I got their IT department involved from the start and left it up to them to lock it down.
Does anyone here think that an IT department will adopt a Jericho mentality with their network, i.e. keep unwanted out of the server and not the network?
From: Crestron@... [mailto:Crestron@...] On Behalf Of jschaud Sent: Saturday, January 24, 2009 12:12 PM To: Crestron@... Subject: [Crestron] Re: A wireless router for every rack...?
Hi John,
I'd expect you'd meet resistance here too. One reason is that it would be orders of magnitude more difficult to "harden" your server to the same level as a commercial security product sitting on the edge of your network - every bit of software on your server could be exploitable, and you'd have to re-test (expensive and inconclusive) every time you upgraded or patched. Another is that human nature is to store data locally, regardless of what the security/data policy dictates. So your server is really only one piece of a much bigger jigsaw - and it's probably all seen as sensitive to prying eyes. Hope that helps, Ol
--- In Crestron@..., "John Gabler" <ComeAlive@...> wrote: mentality with their network. i.e. keep unwanted out of the server and not the network.
Chris Erskine
A lot of this depends on the IT department. Everyone is different and has different concepts on how much of a risk a 'feature' adds. Some would have the ability to put the AP on its own network and not allow access to anything out of the network. Others will state no AP at all. Some would offer to add an unsecured AP to the network for you.
Chris
-----Original Message-----
From: Crestron@... [mailto:Crestron@...] On Behalf Of Oliver Hall Sent: Tuesday, January 27, 2009 2:52 AM To: Crestron@... Subject: [Crestron] Re: A wireless router for every rack...?
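Chris's middle option ("put the AP on its own network and not allow access to anything out of the network") and rabih's earlier suggestion of IP filtering on the router are both address-based segmentation policies, and the difference between them and jschaud's "set the router up wide open" is easy to make concrete. The Python below is an added example, not any poster's configuration and not Crestron's: it models a first-match firewall policy in which the AV rack segment may reach only its control processors on the control port, ends in an explicit deny-all, and then evaluates a few flows under that policy and under an allow-everything one. The subnets, processor addresses, control port and sample flows are all constructed; the port in particular is a placeholder, not the port any real control protocol uses.

```python
"""Segmentation policy check for an AV rack network: the dedicated AV segment
(where a service AP would live) may reach only the control processors it
serves, on the control port, and nothing else. First matching rule wins and
the policy ends in an explicit deny-all. Added example; every subnet, host,
port and flow here is constructed."""
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, Optional


def net(cidr):
    return ipaddress.ip_network(cidr, strict=False)


@dataclass(frozen=True)
class Rule:
    action: str                       # "allow" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dports: Optional[FrozenSet[int]]  # None means any destination port
    comment: str = ""

    def matches(self, src, dst, dport):
        return (src in self.src and dst in self.dst
                and (self.dports is None or dport in self.dports))


AV_SEGMENT = net("10.50.0.0/24")     # constructed: AV rack / service AP segment
CORP_SEGMENT = net("10.10.0.0/16")   # constructed: business network
PROCESSORS = [net("10.50.0.10/32"), net("10.50.0.11/32")]  # constructed control processors
CONTROL_PORTS = frozenset({5000})    # constructed placeholder for the control protocol port
ANY = net("0.0.0.0/0")

# Hardened policy: "own network, no access to anything else".
HARDENED = [Rule("allow", AV_SEGMENT, p, CONTROL_PORTS, "service traffic to a processor")
            for p in PROCESSORS]
HARDENED.append(Rule("deny", AV_SEGMENT, ANY, None, "AV segment may reach nothing else"))

# The weak setting: the router left "wide open".
WIDE_OPEN = [Rule("allow", ANY, ANY, None, "allow everything")]


def evaluate(policy, src, dst, dport):
    """Return (action, comment) for one flow under first-match semantics."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in policy:
        if rule.matches(s, d, dport):
            return rule.action, rule.comment
    return "deny", "implicit default deny"


# Constructed sample flows: (description, src, dst, dport)
SAMPLE_FLOWS = [
    ("tech laptop to processor, control port", "10.50.0.50", "10.50.0.10", 5000),
    ("tech laptop to processor, SSH", "10.50.0.50", "10.50.0.10", 22),
    ("tech laptop to corporate file server", "10.50.0.50", "10.10.3.7", 445),
    ("unknown device on AV segment to corporate host", "10.50.0.200", "10.10.8.21", 80),
]


def audit(policy, flows=SAMPLE_FLOWS):
    """Evaluate every flow and return {description: action}."""
    return {desc: evaluate(policy, s, d, p)[0] for desc, s, d, p in flows}


def escapes_segment(policy, flows=SAMPLE_FLOWS):
    """Flows the policy lets cross from the AV segment into the corporate network."""
    return [desc for desc, s, d, p in flows
            if ipaddress.ip_address(s) in AV_SEGMENT
            and ipaddress.ip_address(d) in CORP_SEGMENT
            and evaluate(policy, s, d, p)[0] == "allow"]


if __name__ == "__main__":
    for name, policy in (("hardened", HARDENED), ("wide open", WIDE_OPEN)):
        print(f"{name}: {audit(policy)} escapes: {escapes_segment(policy)}")
```

The point of `escapes_segment` is the check Ol made earlier in the thread: whether the AV gear is on the same subnet or 50 hops away is not what matters, what matters is whether any flow from the segment behind the access point can reach the private network at all. Under the hardened policy that list is empty even for the unknown device; under the wide-open policy the tech laptop and the unknown device both get through, which is exactly why jschaud hands the lock-down to the IT department rather than leaving it open.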
Jason Dravet
But that is part of the problem. If I configure a wireless AP and lock it down using the best methods available today, who is to say that those methods will still be secure next year? WEP was thought to be secure (only by those who invented it), MD5 hashes were thought to be secure. WPA (not WPA2) was thought to be secure and WPA has taken the first step to being broken. Time has proven that nothing will remain secure long term. So you lock the AP down today, but next month might see a vulnerability in it, and who is going to fix it? The home owner? Doubtful. Are you going to call every client who has a vulnerable AP and tell them you need to come on site to fix something? Are you going to charge the client? Will you walk the home owner through it so they can fix it themselves?
Personally I go for the minimalist solution available. If I don't need it I don't spec it. This approach works for me but of course your mileage may vary. Jason
--- On Fri, 1/23/09, Matt <mjrtoo@...> wrote:
From: Matt <mjrtoo@...>