© 2025 Groups.io

Preference for Mini PC for "jump" box


 

These kinds of devices are usually called "remote access points" and have been available for quite some time now.

What distinguishes your solution from solutions like e.g. this one?

(It's not meant to be "know-all", I'm really curious)

Regards, Thorsten


 

Thorsten, giving a quick look, it might probably be quite the same thing tbh.
I didn't know that "remote access points" were out in the market; I didn't know that solution existed.
Besides that, here in Latam not only are Aruba products not massive (and probably not easy to buy either, no local stock, etc.), but they are also way more expensive than the MT boxes.
For me it is not the same to have 10 or 20 $30 MT boxes around as to have the same number of Arubas.

One thing I can differentiate is that I can use my boxes as routers where no network is present and give them internet with a cellphone.

And finally, my MT boxes are customizable to whatever I need.

Just one more note: I'm developing an upgrade that would allow any computer to act as this box also, so any tech with any notebook, without having my box, could connect to the VPN and be the gateway for me. This way I can gain direct access either by plugging in the box (permanently or momentarily), or by running something (not sure yet if an app, a script, or what) on the computer of the person who is onsite, without having to run any of our programmers' software on it and do TeamViewer or alike.

But yes, they look more or less the same, and I didn't know they existed.

Cheers!


 

The product you linked to is a Wireless Access Point that establishes a VPN back to a central wireless controller, intended for branch offices or telecommuters connecting to an enterprise network. Not relevant to AV remote access that I can tell.

On Mon, Feb 3, 2020 at 2:45 PM Thorsten Köhler <thorsten.koehler@...> wrote: (Thorsten's message, reproduced in full above)


Mike Slattery
 


Hi Martin,

I would like to get information about your product. I will also be attending ISE.

What we do is use an IoT mini PC with a USB HDMI capture device, and we have control software that allows us to operate the matrix. One of the outputs of the matrix is connected to the capture device.

Here is a video showing the software.

We have found that a lot of businesses and universities are now blocking programs like TeamViewer and AnyDesk from running on their campus. It is best to work out VPN access with them on their network. Putting any tunneling device on their network without them knowing of it would be a very bad idea. Also, placing open Windows PCs does not go over very well either. We use Windows IoT with an open User account that is very restrictive and does not allow any unauthorized programs to run. The User account can only run the control and video window software. A password-protected Admin account is set up to run any program.

We have also done this with Crestron by using the same mini PC running a capture device with a program called ShareView to display selected sources and size the video on the screen. All of the Crestron equipment and all other room equipment are on the second NIC of the PC, still allowing for one network drop. We then can run XPanel on the PC to operate the room.

Mike

From: [email protected] [mailto:[email protected]] On Behalf Of Martin Szmulewicz via Groups.Io
Sent: Monday, 3 February, 2020 12:56 PM
To: [email protected]
Subject: Re: [crestron] Preference for Mini PC for "jump" box


@Mike Slattery
For video streaming, do you mean a couple of webcams so the programmer can see what's going on at the place? Or what video do you stream?

To the rest: actually I've developed that solution and I'm commercializing it, at least here around, to a couple of clients and other companies. Yet it is a word-of-mouth solution for which I haven't done any website, brochure, etc.

Basically it is a device that has a WAN port, which you connect to the same network that your device is connected to.
If that network has internet, then we're done. If not, you can give internet to the box with your own cellphone, creating an access point with a predefined SSID and password.
(It also has LAN ports in case there is no router or DHCP server, to create a network on the go.)
As it creates an outbound connection (VPN client), nothing has to be set on the network. The only exception is where a strong firewall is in place that won't allow outbound VPN connections (L2TP/IPsec).
I have a VPN server that handles all the connections and the tunneling.
Then you just connect ("dial"?) your computer to this VPN server with certain credentials. Those credentials are the ones that identify which client you get connected to.
Afterwards, you can just ping/connect/telnet/Toolbox/HTTP/etc. to whichever device IP you want on your clients' networks, as if your computer were wired there.
The only thing I haven't tried yet is network discovery or so; I'm not sure about that. But if you know its IP or you can specify the IP range to query, then it's done.
I can just open a web page at 192.168.0.240 or connect Toolbox to 192.168.10.50, or whatever service on whatever IP.


Cheers ;)



 

Martin, I would also like more info on your product, whether it's ready to deploy or still in development. It makes sense that your described solution is not "off the shelf", as I wasn't aware of boxes that did what you are describing.

Yes, businesses are blocking some of the remote access software nowadays. Randomly seeing TeamViewer blocked the most. Some places are also blocking file sharing sites like Dropbox and Box, making sending revisions to techs a bit more difficult as well if they are operating off the client network. I have techs that I work with where we've had to try several different pieces of software to get a connection going: first TeamViewer; if that's blocked, then RemotePC; if that is blocked, then Bomgar or AnyDesk, or UltraViewer or... I had to start researching different options from TeamViewer a couple of years ago when I started running into more sites that had it blocked. Now I have several options to use, and usually the lesser known ones aren't blocked (yet).


--
Jason Mussetter

Control Systems Designer

Mussetter Programming Services
www.mpsav.com


 

Hi,
last time I checked, there were also devices with a LAN port available (wired RAP). But the Arubas were only an example.
Sometimes they are called "VPN boxes" or "VPN gateways": basically a box you connect to the remote LAN, and then it calls home to the preconfigured VPN server.
But it's true, most of them are not cheap and are hard to configure, especially on the server side.

The problem I see with all these solutions (including Martin's): the corporate networks I know would block unknown devices from calling home, or at best move them automatically to a guest LAN (e.g. for BYOD) where you need to register first and with very limited internal connectivity.
So you need to deal with the IT dept. anyway.

On 03.02.2020 21:37:56 Jeremy Weatherford <jweather@...> wrote: (Jeremy's message and the Thorsten message it quotes are reproduced in full above)


 

Mike and Jason, I'll send you out an email.

And to all, yes, I'm aware of the downsides of my and others' solutions. This is an outbound connection, which is probably not liked or even allowed in businesses.
I've developed this more for residential clients, or some corporate clients where my gear is off-network (we have our own stand-alone network disconnected from everything else, including internet).
I also agree that for corporate you/we have to sit down with the IT dept. and figure out the best way to deal with it.
I have a customer where the only option is to go physically there. Then another where our gear is on a VLAN similar to the guest network, which has internet but is isolated from corporate data.
Etc.

Anyway, I'd be happy to learn better ways and also how to face corp clients.

Cheers!!


pearce.bruce
 


Hi Martin,

Can you please include me in the information about your system. I do residential systems so I don't have the same headache with the IT department.

Regards

Bruce

On 4 Feb 2020, at 18:26, Martin Szmulewicz via Groups.Io <crestron.uruguay@...> wrote: (Martin's message, reproduced in full above)


 

Bruce, I've just sent you an email too.

I forgot to answer whether it was already deployed or in development.
It is running right now; I have quite a few boxes already out there, which I also monitor and get email notifications if something is down (which I forgot to mention).
The VPN works, the remote connection, and the wifi client to gain internet from anybody's mobile too.
What I plan to add soon is some sort of software to run on a laptop to do this same thing without having to have a real physical device there. It has happened a few times (not so often though) that the tech in place didn't have the box with him, or even running this software on my client's computer so I could give support without having to run any Crestron or whichever brand's software on his computer, but just to have it act as a gateway to my personal computer. (I'm not sure if I have explained this successfully, sorry for that. If not clear just say so and I'll try to rewrite.)

Anyway, here are my two cents for the whole discussion on the PC for "jump" box. I have developed my own boxes :)

Cheers everybody!


 

Can you please send me an information email as well?
I'm coming from corporate IT, but am now moving to residential clients. So your box could definitely be helpful with "more relaxed" IT environments :-)

Regards, Thorsten

On 04.02.2020 20:03:50 Martin Szmulewicz via Groups.Io <crestron.uruguay@...> wrote: (Martin's message, reproduced in full above)


 

Sent.


 

Martin, I would like the info as well please.
Dan


 

Sent and thanks for the interest guys.

If anybody wants to get in touch, my email is martin@...

Thanks again.


 

Question to those who say this type of connection would be blocked by the IT Dept on a corporate network. HOW? How would the network prevent this device from calling/tunneling home?

Since VPN is encrypted, it would look like any other encrypted traffic to the network. The network doesn't block HTTPS connections or other encrypted connections usually, so how would it know it's a VPN connection and not something else? If the answer is a specific port #, can't you just configure the VPN to use a different port that isn't blocked?

I know some corps block TeamViewer and Dropbox/Box and things, but I always assumed these were blocked by both standard port usage and endpoint/host connection, i.e. they all call home to a limited number of IP addresses owned by TeamViewer or Dropbox, and those can be blocked if you have a list of them. But if you're doing your own VPN, they wouldn't have a list of what VPN server address you are using to block; it would be some random IP to them. Unless this relies on a very well known VPN server service that they have on a block list (I doubt it).

Just like my ISP can't tell if I VPN outside of their network or not, I don't think a corporate network can tell easily either. I'm not a VPN expert though, am I missing something?
--
Jason Mussetter

Control Systems Designer

Mussetter Programming Services
www.mpsav.com


 


It depends on how uptight ITSec is and the threat posture. Among other things I've seen with some regularity and in various combinations:

  • Computers have to be authenticated using 802.1X. Without being a proper 802.1X client you either have no access, “walled garden” access to specific resources (e.g. download the antispam and systems management software), or access to internal resources only.
  • Outbound traffic is permitted on ports 80 (HTTP) and 443 (HTTPS) only
    • In addition to this, arbitrarily short max TTLs drop connections after “long enough to download a webpage or average graphic” but before “you can transfer any substantial amount of data”
  • All outbound traffic is routed through a man-in-the-middle proxy/compliance agent.
    • Depending on the aggressiveness of the MITM configuration you may see certificate errors (because the traffic is being decrypted and encrypted along the way – and usually in such a configuration a root cert with the proper signatures is pushed as part of GPO and/or software images so machines properly on the network don’t see the MITM cert as invalid)
    • Even if you aren’t snooping encrypted traffic you can pick up a lot from non-encrypted header info – or lack thereof
    • This seems to be particularly common in large healthcare
  • Traffic patterns relative to assets and assigned users can be monitored. If a box appears on the network that has no known owner user, isn’t monitored by the device management/deployment solution the client is using, and is generating unusual outbound traffic (non-HTTP/HTTPS), it will raise eyebrows
    • Likewise, traffic flow alone can raise flags – is a device that’s not classified as a server/not on a server VLAN/etc. pushing a large amount of data out towards the Internet, especially relative to the data that is being pulled in from the Internet?
  • HTTPS SSL VPN traffic, broadly speaking, looks different over time than “standard” HTTPS traffic. If you/the network monitoring solution is just looking at a few packets it might not be distinguishable, but over day(s) or longer it stands out to humans and automation.


--

Lincoln King-Cliby, CTS, DMC-E-4K/T/D
Commercial Market Director
Sr. Systems Architect | Crestron Certified Master Programmer (Platinum)
ControlWorks Consulting, LLC |
D: (+1)440.771.4807 | O: (+1)440.449.1100 | F: (+1)440.449.1106
Crestron Services Provider | Biamp Authorized Independent Programmers | Extron Qualified Independent Programmer


From: [email protected] <[email protected]> On Behalf Of Jason Mussetter
Sent: Tuesday, February 4, 2020 10:02 PM
To: [email protected]
Subject: Re: [crestron] Preference for Mini PC for "jump" box

(Jason's message, reproduced in full above)

 

Not much to add here.
With the right appliance, you can do DPI (deep packet inspection), which checks not only the header of a packet but also its content.

Another buzzword to look for is NAC (network access control): endpoints will be scanned as soon as they connect to the network. If they are not compliant (e.g. required software like a virus scanner or agents is not installed), the machine is moved to a specific (quarantine) network segment.

One of the simpler methods is just to check machines' MAC addresses and block them if they are not known.


On 05.02.2020 05:12:50 Lincoln King-Cliby <lincoln@...> wrote: (Lincoln's message and the Jason message it quotes are reproduced in full above)
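As an added example (not code from anyone in this thread), here is a Python triage script that applies the heuristics Lincoln lists (egress only on 80/443, out-vs-in volume for non-server devices, long-lived TLS sessions) and Thorsten's unknown-MAC check to constructed flow records; the inventory, thresholds and record format are assumed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass

# Assumed asset inventory (what a device-management/NAC system would know): MAC -> attributes.
INVENTORY = {
    "aa:bb:cc:00:00:01": {"owner": "jdoe", "managed": True, "server": False},
    "aa:bb:cc:00:00:02": {"owner": "it-ops", "managed": True, "server": True},
}
ALLOWED_EGRESS_PORTS = {80, 443}      # "outbound permitted on 80/443 only"
EGRESS_RATIO_THRESHOLD = 5.0          # bytes out / bytes in for a non-server device
LONG_SESSION_SECONDS = 4 * 3600       # one TLS flow held open for hours...
LONG_SESSION_MIN_BYTES = 50_000_000   # ...while moving real volume, not just keep-alives


@dataclass
class Flow:
    mac: str
    dst_ip: str
    dst_port: int
    bytes_out: int
    bytes_in: int
    duration_s: int


def parse_flow_line(line: str) -> Flow:
    """Parse one constructed record: 'mac dst_ip dst_port bytes_out bytes_in duration_s'."""
    mac, dst_ip, dst_port, out_b, in_b, dur = line.split()
    return Flow(mac, dst_ip, int(dst_port), int(out_b), int(in_b), int(dur))


def assess(flows: list[Flow]) -> dict[str, list[str]]:
    """Return {mac: sorted findings} for each device that trips at least one heuristic."""
    findings: dict[str, set[str]] = defaultdict(set)
    by_mac: dict[str, list[Flow]] = defaultdict(list)
    for fl in flows:
        by_mac[fl.mac].append(fl)

    for mac, fls in by_mac.items():
        asset = INVENTORY.get(mac)
        if asset is None:                        # no known owner, not in device management
            findings[mac].add("unknown-mac")
        elif not asset["managed"]:
            findings[mac].add("unmanaged-device")

        if any(fl.dst_port not in ALLOWED_EGRESS_PORTS for fl in fls):
            findings[mac].add("non-web-egress")  # e.g. L2TP/IPsec on UDP 500/4500/1701

        total_out = sum(fl.bytes_out for fl in fls)
        total_in = sum(fl.bytes_in for fl in fls)
        is_server = bool(asset and asset["server"])
        if not is_server and total_in > 0 and total_out / total_in > EGRESS_RATIO_THRESHOLD:
            findings[mac].add("egress-heavy")    # pushing far more out than it pulls in

        if any(fl.dst_port == 443
               and fl.duration_s >= LONG_SESSION_SECONDS
               and fl.bytes_out + fl.bytes_in >= LONG_SESSION_MIN_BYTES
               for fl in fls):
            findings[mac].add("persistent-tls-tunnel")  # web sessions are short; tunnels are not

    return {mac: sorted(hits) for mac, hits in findings.items()}


# Constructed sample flows: a managed workstation, a managed server, and an unknown box.
SAMPLE_FLOWS = """\
aa:bb:cc:00:00:01 198.51.100.20 443 200000 5000000 30
aa:bb:cc:00:00:02 198.51.100.30 443 900000000 10000000 600
aa:bb:cc:00:00:99 203.0.113.10 4500 3000000 600000 7200
aa:bb:cc:00:00:99 203.0.113.10 443 80000000 12000000 21600
"""


def run_sample() -> dict[str, list[str]]:
    return assess([parse_flow_line(ln) for ln in SAMPLE_FLOWS.strip().splitlines()])


if __name__ == "__main__":
    for mac, hits in run_sample().items():
        print(mac, ", ".join(hits))
```

Only the unknown box trips the checks; the managed server's large upload is exempt because the inventory classifies it as a server, which is exactly the "relative to assets" qualifier in Lincoln's list.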


 

I second Lincoln.

I haven't seen as many cases as he has, but I've come across web portals for authenticating your device, and also taking the port down if the device connected to that LAN port is not a known MAC address, or setting it to a public/internet-only VLAN.


 

Hey Jason. Thanks for the reply!

I was curious about y'all's experience with IT departments refusing a request to have a personal tunnel into their LAN. I have worked with several corporate CIOs that would blow a fuse if they found a private tunnel into their network (especially if it was not disclosed). That being said, I'm sure there is a method to satisfy both parties' security concerns, but at what cost to our design of the system/network?


 


While I haven't done a lot of corporate jobs (we mainly do residential), all of them were willing to give me my own public IP, and I put in my own router with an OpenVPN server. So I had no access to their private VLANs. If something on their network needed access to Crestron, like an iPad, they would create a firewall rule to allow the iPad to access my private network without having to go out on the WAN and back in again. Maybe I have just been lucky to have IT departments willing to work with me.

Steve

    
On 2/5/20 10:16 AM, davedunaway1 via Groups.Io wrote: (Dave's message, reproduced in full above)


 


Not only the CIO (or CISO), but if there's a breach while your tunnel is in place there's a potential liability that could come back on you. I don't know a single CISO who would be on board with having a non-corporately managed tunnel touching their network; the data exfiltration risks alone are astounding.

In the cases where we have remote access, I've never had an issue getting VPN access once the stakeholders understand the scope and need and can communicate it to IT/Security. In some cases it's a perpetual VPN (can connect at any time) and in some it's an on-demand VPN (accounts get enabled/disabled only when needed), but in all cases it's under the explicit control (and, more important, monitoring) of IT.

--

Lincoln King-Cliby, CTS, DMC-E-4K/T/D
Commercial Market Director
Sr. Systems Architect | Crestron Certified Master Programmer (Platinum)
ControlWorks Consulting, LLC |
D: (+1)440.771.4807 | O: (+1)440.449.1100 | F: (+1)440.449.1106
Crestron Services Provider | Biamp Authorized Independent Programmers | Extron Qualified Independent Programmer


From: [email protected] <[email protected]> On Behalf Of davedunaway1@...
Sent: Wednesday, February 5, 2020 11:16 AM
To: [email protected]
Subject: Re: [crestron] Preference for Mini PC for "jump" box

(Dave's message, reproduced in full above)