NetLinx Security
Spire_Jeff
Posts: 1,917
in AMX Hardware
I'm in the process of setting up an NI-3000 to be accessed from the internet. I am reading through the security portion of the Netlinx manual, but I thought I'd throw this out there as a double check of what I am doing. I have a D-link router and I am setting up port forwarding to do the following:
Public Port / Private Port - IP
800 / 80 - Netlinx Master IP
801 / 443 - Netlinx Master IP (For secured Connections)
811 / 5900 - First G4 Panel IP
812 / 5900 - Second G4 Panel IP
....
I will also set up a general user with limited rights to allow access to the touchpanels. I will add the touchpanel external IPs to the list of touchpanels. And I will change all of the default passwords to something more secure.
Is there anything that I missed? Is there anything that will cause more headaches than it's worth?
Thanks for the input,
Jeff
Comments
Jeff
I want to keep it as tight as possible. The home owner wants to be able to view (and control) his house from out and about. I don't want to open anything more than is required to accomplish this. I was also thinking that I could remove access to the G4 panels from abroad and code a G3 panel with limited control if the G4 access was a security concern. Thanks for the thought though.... It would be nice to do the majority of my coding from the office instead of driving 60 miles to the customer's house all of the time.
Jeff
I don't think I'd expose panels to the Internet. VNC, while it *can* be a secure protocol, is NOT a secure protocol the way that AMX uses it. It doesn't support VNC encryption, so passwords and other data would be clear text.
I want access from everywhere, but I achieve it differently:
I have an SSH server running on my network. Via SSH, I can redirect ports of my choice. Ports that get redirected are encrypted and totally secure. So, at home, I have an SSH server running (they ship for free on Linux, although you might have to buy one for Windows). Then, on my laptop, I have SecureCRT installed (http://www.vandyke.com) - note that PuTTY is a less powerful but totally free version of SSH for Windows.
So, I allow port 22 in from the "outside" of my LAN. That port is wicked secure (SSH configured to require certificates, and only allow logins to specific accounts - without certificate, which is itself encrypted, you can't get in). If I bring up a SecureCRT session to home, then port 5900 redirects to the Modero panel.
End result: Launch SecureCRT, connect to "localhost" with a VNC client, and I'm looking at my Modero panel. Totally encrypted and secure.
I imagine you could also redirect other ports that way (i.e. 1319, etc), although I've never tested that to see if it works. It should work unless the master tries to open a connection back to you or something ...
-- Jeff
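The tunnelling setup described in the post above, written out as an added example (this is not code from the original thread or from AMX): a helper that builds the `ssh -L` command forwarding a local port to the Modero panel's VNC port (5900) and, as the post speculates is possible, to port 1319 for NetLinx Studio, plus a check that an sshd_config actually has the hardening the post relies on (key-only logins, no root, an explicit account allow-list). The gateway name, account name, key path and internal IPs are assumed placeholders, and the two sshd_config samples are constructed for the check.

```shell
#!/bin/sh
# Added example, not part of the original post. Demonstrates SSH local port
# forwarding to an AMX panel/master and a sanity check of sshd hardening.
# Hostnames, account, key path and 192.168.1.x addresses are assumed placeholders.

# Emit the ssh command for one or more local forwards.
# Usage: tunnel_cmd <gateway> <user> <local_port>:<target_host>:<target_port> ...
# Forwards bind to 127.0.0.1 only, so nothing else on the laptop's LAN can use them.
tunnel_cmd() {
    gw=$1; user=$2; shift 2
    cmd="ssh -N -o BatchMode=yes -o ExitOnForwardFailure=yes -i ~/.ssh/amx_tunnel_key"
    for fwd in "$@"; do
        cmd="$cmd -L 127.0.0.1:$fwd"
    done
    printf '%s %s@%s\n' "$cmd" "$user" "$gw"
}

# Verify an sshd_config has the directives that make an Internet-facing port 22
# defensible: no password logins, keys required, no root, named accounts only.
# Prints each missing directive; returns 0 only if all are present and active.
check_sshd_config() {
    cfg=$1; rc=0
    for want in 'PasswordAuthentication no' 'PubkeyAuthentication yes' \
                'PermitRootLogin no' 'AllowUsers '; do
        # match only uncommented directives at line start (keyword is case-insensitive)
        if ! grep -Eiq "^[[:space:]]*$want" "$cfg"; then
            echo "missing: $want"; rc=1
        fi
    done
    return $rc
}

# Constructed sample configs (not from any real host). WEAK_CFG leaves the
# distribution defaults in place; HARD_CFG is what the post's setup amounts to.
WEAK_CFG=$(mktemp); HARD_CFG=$(mktemp)
trap 'rm -f "$WEAK_CFG" "$HARD_CFG"' EXIT
cat > "$WEAK_CFG" <<'EOF'
# stock sshd_config: password logins still allowed, any account may log in
#PasswordAuthentication yes
PermitRootLogin yes
EOF
cat > "$HARD_CFG" <<'EOF'
PubkeyAuthentication yes
PasswordAuthentication no
PermitRootLogin no
AllowUsers amxadmin
AllowTcpForwarding yes
EOF

check_sshd_config "$HARD_CFG" && echo "hardened config: OK"
check_sshd_config "$WEAK_CFG" || echo "weak config: rejected"

# Local 5900 -> first panel's VNC, local 1319 -> master's NetLinx Studio port.
# With this running, the VNC client and Studio both connect to 127.0.0.1.
tunnel_cmd home.example.net amxadmin 5900:192.168.1.50:5900 1319:192.168.1.10:1319
```

The only port the router forwards in this arrangement is 22 to the SSH host; VNC and 1319 never appear on the public side, and `ExitOnForwardFailure` makes the tunnel fail loudly instead of leaving a VNC client talking to nothing.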
Jeff
All that said, you might want to reconsider not leaving port 1319 forwarded in some way. It's saved my bacon many times to be able to update a program remotely. I understand there is zero security on NetLinx Studio...but you need Studio, you need to know what the public port is, and the public IP address. Just don't dump source code on your master without a password.
Well, I got the security cameras covered because I have a Channel Vision W-4000 serving up the security cameras so I can view them on the wireless Moderos. I can just open up a port directly to the W-4000's web server. As for port 1319, maybe I'll show the customer how to add and remove it from his router. This way I don't have to worry about the possibility of hearing how I must have changed something because now NOTHING works! He will have control over when I can and cannot remotely access his system. Now that I mention this, most of our customers would probably be opposed to the port being opened at all times without their control. Is it just this area, or does this happen all over? (I think there may have been a problem with a company or maybe a programmer in the area abusing this feature..... or maybe there was a rumor of such happenings)
Jeff
I currently recommend using PPTP VPN for customer remote access and dealer service. This capability is inexpensive today. There is no reason to begin punching holes by forwarding ports or creating sophisticated security processes that are difficult to manage. Creating a VPN client configuration in WIN 2000/XP takes seconds. IMHO
That's a great suggestion. Thanks
Jeff
Jeff
Wondering what the Dynamic Image settings for the W-4000 are - can't find the File Path info on the Channel Vision web site.
Thanks
Ian
It took me a lot of calling around to find this info, but it turned out that AMX Tech support has a PDF on this.... it is hidden on some double secret probation server tucked in some basement corner somewhere, but they have it. I am going to assume you know how to create a dynamic image and I will just post the info pertaining to the W-4000. (I'd upload the PDF, but it comes in at 233000ish bytes.... just over the limit)
Let me know if you need any other info.
Jeff
Thanks many - looks like what I needed
Ian