
Remote access with Crestron App


 

I am thinking about updating my home system to allow remote access to do things like lock and unlock doors, etc. from an iPhone. I have previously dissuaded customers from doing this as I felt it presented a serious security risk to the control system. I am curious: when people are doing this, are they just doing a NAT to allow access to port 41794 from the internet-facing router, or are you doing a VPN connection? I like not having to start a VPN connection, but my security brain is very concerned with doing this without a VPN.


Look forward to everyone's input and thank you in advance.


Bryan


 


That's why the app has a password field.


On Nov 14, 2013, at 4:16 PM, <bdgarcia@...> wrote:

I am thinking about updating my home system to allow remote access to do things like lock and unlock doors, etc. from an iPhone. I have previously dissuaded customers from doing this as I felt it presented a serious security risk to the control system. I am curious: when people are doing this, are they just doing a NAT to allow access to port 41794 from the internet-facing router, or are you doing a VPN connection? I like not having to start a VPN connection, but my security brain is very concerned with doing this without a VPN.


Look forward to everyone's input and thank you in advance.


Bryan


Randall Gay
 


Lock but not unlock. In this day of hackers, you will be the first defendant in the lawsuit after the break-in. Experience talking here: in my case, they caught the burglars and they cleared me with their testimony on how they broke in. Still a very expensive lesson.


On Nov 15, 2013, at 7:29 AM, Neil Dorin <neildorin@...> wrote:

That's why the app has a password field.




 

Neil,


I was not so concerned by the user losing their phone or something; I was concerned about some hacker doing a brute force attack to either penetrate the control system and/or perform a denial of service. In my corporate IT life we would protect things like this with a certificate, so if no certificate was presented there was no path to the upper levels of the stack where havoc could be wreaked.

Bryan



 

I'm not sure what a user losing their phone has to do with what I was talking about. The Crestron Mobile and Crestron Apps have a password field that can be set up from within the app that has to match the password in the hardware definition before a connection will be accepted by the processor from a mobile device. A complex enough password should prevent all but the most determined attackers from being able to interact with the program on any level.

Otherwise, go with the VPN.


On Thu, Nov 14, 2013 at 5:13 PM, <bdgarcia@...> wrote:
Neil,

I was not so concerned by the user losing their phone or something; I was concerned about some hacker doing a brute force attack to either penetrate the control system and/or perform a denial of service. In my corporate IT life we would protect things like this with a certificate, so if no certificate was presented there was no path to the upper levels of the stack where havoc could be wreaked.

Bryan






 

Neil,


From what I can tell, the password is for protecting access to the web server (for downloading the project to the iDevice) and not access to port 41794, or am I misunderstanding? I am basing this on being able to set the web server password in VTPro and then using that password for the configuration of the project in the Crestron App.


Bryan




---In crestron@..., <touchscreenzh@...> wrote:

Lock but not unlock. In this day of hackers, you will be the first defendant in the lawsuit after the break-in. Experience talking here: in my case, they caught the burglars and they cleared me with their testimony on how they broke in. Still a very expensive lesson.





 


Even in local project mode, where there's no web server involved, without a valid password in the Crestron App configuration, the processor will not allow any mobile device to connect on the CIP port.


On Nov 16, 2013, at 2:04 PM, <bdgarcia@...> wrote:

Neil,

From what I can tell, the password is for protecting access to the web server (for downloading the project to the iDevice) and not access to port 41794, or am I misunderstanding? I am basing this on being able to set the web server password in VTPro and then using that password for the configuration of the project in the Crestron App.


Bryan






 

If you're not using VPN you could just throw in a simple or complex "login" password in the SIMPL code itself upon launch of the app that enables control of the locks or any other "sensitive" subsystem - have the password system time out if you lose connectivity - this way you're only having to enter the password at initial remote connect. It's no different than having local system enable/disable controls on a touchpanel for access. If someone is determined to bash your network ad infinitum - at that point either they really don't like you or they're going to get in no matter what - anytime you decide to hang something out there and make it WAN accessible you now have to determine your own threshold of "acceptable risk". The only way to make sure 100% you won't get hacked is to not put your system on a LAN in the first place. Everything else is a matter of weighing "possible vs. probable".
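
A model of the program-level login gate described in the post above, written in Python as an added example (it is not SIMPL code and not from any poster in this thread). The command names, passcode and thresholds are constructed assumptions, and the failed-attempt lockout is an addition the post does not mention, included to blunt password guessing.

```python
import hashlib
import hmac

# Hypothetical command names for the "sensitive" subsystems; constructed for this model.
SENSITIVE = {"door_lock", "door_unlock", "alarm_disarm"}

class SensitiveGate:
    """Second, program-level login in front of sensitive commands."""

    def __init__(self, passcode, max_failures=5, lockout_s=300):
        self._digest = hashlib.sha256(passcode.encode()).digest()
        self.max_failures, self.lockout_s = max_failures, lockout_s
        self.failures = 0
        self.locked_until = 0.0
        self.unlocked = False

    def login(self, attempt, now):
        """Return 'ok', 'denied' or 'locked_out' for one passcode attempt."""
        if now < self.locked_until:
            return "locked_out"            # attempts during lockout are not even checked
        candidate = hashlib.sha256(attempt.encode()).digest()
        if hmac.compare_digest(candidate, self._digest):   # constant-time compare
            self.failures = 0
            self.unlocked = True
            return "ok"
        self.failures += 1
        if self.failures >= self.max_failures:
            self.locked_until = now + self.lockout_s
            self.failures = 0
        return "denied"

    def connection_lost(self):
        """Lost connectivity ends the session, so the next connect must log in again."""
        self.unlocked = False

    def request(self, command):
        """Non-sensitive commands pass; sensitive ones need a live login."""
        if command in SENSITIVE and not self.unlocked:
            return "blocked"
        return "forwarded"
```

The lockout only covers the sensitive gate, so repeated bad guesses can delay remote lock control but leave the rest of the interface usable.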


 

One idea I am contemplating is to have an MC3 located in a DMZ and have it communicate with the main processor over an EISC which only exposes to the MC3 the functionality I want to enable for internet access. Essentially the MC3 becomes a bastion host in the DMZ. That way only it can be readily attacked and the attacker can only attack the main processor if they have taken over the MC3 as an attack launch point (much harder to do).


Thoughts?
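
A Python model of the bastion idea above, added here as an example and not taken from the thread or from Crestron. It assumes the main processor acts only on the joins it has chosen to expose on the EISC link; the join numbers, names and rate limit are constructed. It shows that the exposure is set by the main processor's side of the link, whatever the DMZ processor sends.

```python
from collections import deque

# Constructed join map; the digital join numbers and names are hypothetical.
EXPOSED_JOINS = {1: "front_door_lock", 2: "garage_close"}   # exposed on the EISC
# Deliberately not exposed: 10 = front_door_unlock, 11 = alarm_disarm.

class MainProcessor:
    """Model of the trusted side: acts only on joins it chose to expose."""

    def __init__(self, exposed, max_events=3, window_s=10):
        self.exposed = dict(exposed)
        self.max_events, self.window_s = max_events, window_s
        self.recent = deque()              # timestamps of accepted events
        self.actions, self.dropped = [], []

    def on_eisc_join(self, join, now):
        while self.recent and now - self.recent[0] >= self.window_s:
            self.recent.popleft()          # forget events outside the window
        if join not in self.exposed:
            self.dropped.append((join, "not exposed"))
            return False
        if len(self.recent) >= self.max_events:
            self.dropped.append((join, "rate limit"))
            return False
        self.recent.append(now)
        self.actions.append(self.exposed[join])
        return True

class Bastion:
    """Model of the DMZ processor: maps app buttons to EISC joins."""

    def __init__(self, main, buttons):
        self.main, self.buttons = main, dict(buttons)

    def on_app_press(self, button, now):
        join = self.buttons.get(button)
        return join is not None and self.main.on_eisc_join(join, now)

def simulate():
    main = MainProcessor(EXPOSED_JOINS)
    bastion = Bastion(main, {"lock_front": 1, "close_garage": 2})
    normal = bastion.on_app_press("lock_front", now=0)
    unknown = bastion.on_app_press("unlock_front", now=1)
    # Bastion taken over: requests arrive on the EISC link without the button map.
    direct_unlock = main.on_eisc_join(10, now=2)
    flood = [main.on_eisc_join(1, now=3 + i * 0.1) for i in range(5)]
    return normal, unknown, direct_unlock, flood, main.actions, main.dropped
```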