Light-O-Rama Forums

Network Security


LORisAwesome


I am interested in running pixels using e1.31, using either the new Pixcon or the Sandevices controller.

 

Since this requires connecting my Ethernet network outside the house, I am concerned that someone could gain access to my network.

 

Just curious if anyone else worries about this, and what can be done to stop it from happening?

 

Jerry


Ooh!  Someone besides me that thinks about such stuff...

 

The first part of this is based on using a PC for show control.

One of the common recommendations (for other reasons) is to put the E1.31 onto a dedicated network. That way even if someone unplugs your controller and plugs their laptop in, they don't get too much. They could get to your E1.31 controller card's configuration (I don't know about others, but the SanDevices cards have no security). If you have no password on the show computer (or someone hacks the one you have), someone could map the C:\ drive using the C$ drive mapping. From that they could at least see what's on the show computer, and potentially access other stuff (depending on how security-aware you are, and how good they are). If all they are trying to do is get to the internet, they would be out of luck if your E1.31 network has no internet connection.

 

If you are running your E1.31 on your regular home network, you ARE giving someone full access to your LAN inside your firewall - not good!

 

If you are running smart enough routers or switches, you can do MAC lockdowns that prevent the wrong MAC from doing anything, although that can be faked by someone who knows what they are doing. Most consumer routers and switches are not that smart, however.

 

If you are running your E1.31 from a director, or something like a Falcon player, you are most likely running on a stand-alone LAN. About the only things someone could get to are your E1.31 controllers, so you should be pretty safe.

 

In my case, I have my E1.31 network out in the yard year round, but it is its own network with no internet access, no DHCP server, and MAC port lockdowns. The only access is in locked cabinets. For Christmas, I add two additional E1.31 controllers. One is in my attic, and the other is about 15 feet in the air, so I'm not too worried about it.


Ok, let's be serious for a moment. In order for this to even be an issue, this "Christmas Hacker" would have to know:

A- that you have controllers in the yard that are network connected.
B- which controllers are on an e1.31 network. Plug into a DMX cat5, they get nothing. Plug into an LOR cat5, they get a nasty surprise.
C- that you have shared resources on the network.
D- that there is something shared worth gaining access to.

Then, on top of this, picture this person physically on your property, unplugging controllers, setting up his laptop, and "hacking." Completely unnoticed by you or your neighbors. Someone so brazen is far more likely to throw a brick through your window and steal your TV and jewelry.

Honestly, the only way any of this would even be fathomable is if you're the type of person who posts those ridiculous "behind the scenes" videos on your webpage where you walk around and explicitly point out, "look at this controller here; if someone plugged into it they'd have access to my whole network and all my bank accounts. Isn't it so advanced?"


SteveL

 

I understand the chances of this are slim, I just don't like the exposure. I am more concerned about someone doing something illegal using my internet connection than having information stolen. They could attach a wireless access point and then sit in a car within range and get me into all kinds of trouble.

 

Jim

 

My show computer is set up to access a mapped drive on a NAS to get the sequences when the show is running.  This allows me to tweak sequences while the show is running without disturbing the show.  So I would prefer not to disconnect the show computer from the network if possible.

 

There is nothing of consequence on the show computer.  It is off and will remain off until I start testing during setup.

 

I had the idea of adding another NIC to the show computer for the e1.31 network to isolate the house network from outside. Not sure if this is possible or not, or if it would help.


I mean seriously.... I guarantee you it is far more likely that they physically break into your home and attach an access point if that's their goal. Or just go to McDonald's and use the free WiFi.


Jim

 

My NAS that I mentioned in my previous post is also a UPnP (video & music) server, and I stream video from it to smart TVs, DVD players, etc. through the network. I would prefer to keep the e1.31 traffic off the network because I am not sure how much bandwidth it uses, and I know that streaming video needs a lot of bandwidth. I also stream video from Amazon.


I use a second router to run my show, all my DMX stuff; it's disconnected from my home router when the show is running.

That way, my show doesn't affect my home router and vice versa; ran it that way last year, no problems.


SteveL,

Granted it is fairly unlikely, but it's stuff like this that gives network security professionals heartburn. Please don't dismiss the concern from those of us who do care. Frankly it's not something I had given much thought to until LORisAwesome posed the question. Although, as I said, mine are pretty hard to get to. That, and switches that are smart enough to do MAC lockdown. Having the E1.31 on a separate network is a large step. At least it's going to keep someone from plugging into your network on your side of your firewall (normally provided by your router).


wmilkie wrote: "I use a second router to run my show, all my DMX stuff; it's disconnected from my home router when the show is running. That way, my show doesn't affect my home router and vice versa; ran it that way last year, no problems."

This is exactly what I do. That way there is no load on my home network.


WMilkie and Plasmadrive.

 

I could get a second router.  This is also something that I have thought about.

 

If I understand this correctly the show computer and my internal network would be connected to the LAN side of the router, and the pixel controller(s) would be on the WAN side?

 

I could turn off DHCP; what other configurations should be made to the router to disallow WAN traffic from getting to the rest of the network, but still allow the pixel controllers to work?

 

I use the private IP addressing scheme of 192.168.xxx on my network, so the pixel controllers on the WAN side of the new router would have to be 192.168.yyy, right?

 

What services on the show computer should be stopped? Two that come to mind are telnet and remote desktop connection.

 

 

Jerry


Jerry, not quite right on the second router. I will upload a graphic when I get to a computer. You will only be using the LAN side of a router - or use a switch. More in a couple hours.


OK, this graphic should help. Of course the IP addresses are just examples. In most cases for a home LAN, the "Home network router" will function as a DHCP server and most computers will operate in DHCP, so the computers get an IP address assigned by the router. Your "Home network router" may also function as a WiFi access point.

 

On the E1.31 LAN, the E1.31 controller cards will have a static address, since it's rather important that the IP address stay the same. The "E1.31 network router" really only needs to function as a switch, so of course a dumb switch will work just fine (and is in fact preferred, since you don't need to dumb it down). If you are using a router, you want to disable its ability to function as a DHCP server, and if it has WiFi, turn the WiFi off. There will be nothing connected to the WAN connection on the E1.31 router (if you're using a router). If you are using a router (rather than a dumb switch), the router will have a static IP address that you can use to access the configuration pages, but once you set it up, you really won't have any reason to access it again.

 

If you are using a smart (or managed) network switch in place of a router on the E1.31 network, one of the things you can do is MAC lockdown. Each Ethernet device has a specific hardware address called a Media Access Control (MAC) address. The MAC is assigned by the manufacturer when the device is built and in theory can't be changed. For example, the MAC of the network interface on the computer I'm typing this from is 00:1A:A0:A7:A5:D5 (sometimes written with hyphens instead of colons). Many smart switches have the ability to specify what MAC (or MACs) can operate on a particular port. That way if some other device is plugged into the switch port, the switch will take some action - it might just send or log an error message, up to disabling the port so the "wrong" device can't use the port. Most consumer switches are not smart enough to do MAC lockdown.

 

[Image: Dual_LAN.png]

 

This is a simplified version of how I am running my network at home. The show computer has two LAN ports, with one on each network. All the show files are stored on a file server on my home network, but all the E1.31 traffic is kept off the home network. I am using smart switches (I have 4 switches at home), and as I mentioned in an earlier post, I had not given the security part any thought until this thread brought it up. I will likely add the MAC lockdown since I can.

 

Note that any of these security precautions can be broken, but just like the lock on your front door, you can make it harder to get in with added security measures.

 

Make sense?

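The reason the separate-network advice in this thread matters at the protocol level (Jim's point that a laptop plugged into a controller's cable can talk to the controller, and the MAC lockdown discussion just above) is that E1.31 is plain UDP with no sender authentication: a receiver acts on whatever arrives on port 5568. The Python below is an added example, not code from the forum or from any LOR, SanDevices or PixCon software. It builds and parses E1.31 data packets to the published ANSI E1.31-2016 layout and runs a passive monitor over a constructed stream of them, flagging a source that is not on the show's allow-list, one that outranks the show PC by priority, and a cloned identity, which shows up on the wire as out-of-sequence packets. The CIDs, source names and the laptop scenario are made up.

```python
"""E1.31 (streaming ACN) data packets carry no authentication: any host on the
segment can emit a packet that a controller will obey. Added example, not code
from the forum or from any controller vendor; CIDs and source names are made up."""
import struct

ACN_PACKET_ID = b"ASC-E1.17\x00\x00\x00"   # 12-byte identifier in the root layer
VECTOR_ROOT_E131_DATA = 0x00000004
VECTOR_E131_DATA_PACKET = 0x00000002
VECTOR_DMP_SET_PROPERTY = 0x02


def build_e131_packet(cid, source_name, universe, sequence, slots, priority=100, options=0):
    """ANSI E1.31-2016 layout: 38-byte root, 77-byte framing, 10-byte DMP header, start code, slots."""
    if len(cid) != 16 or not 1 <= len(slots) <= 512 or not 0 <= priority <= 200:
        raise ValueError("CID is 16 bytes, slots 1..512, priority 0..200")
    name = source_name.encode("utf-8")[:63].ljust(64, b"\x00")
    dmp_len = 10 + 1 + len(slots)
    dmp = struct.pack("!HBBHHH", 0x7000 | dmp_len, VECTOR_DMP_SET_PROPERTY, 0xA1,
                      0x0000, 0x0001, 1 + len(slots)) + b"\x00" + slots
    framing_len = 77 + dmp_len
    framing = struct.pack("!HI64sBHBBH", 0x7000 | framing_len, VECTOR_E131_DATA_PACKET,
                          name, priority, 0, sequence & 0xFF, options, universe) + dmp
    root = struct.pack("!HH12sHI16s", 0x0010, 0x0000, ACN_PACKET_ID,
                       0x7000 | (22 + framing_len), VECTOR_ROOT_E131_DATA, cid)   # length from the flags field on
    return root + framing


def parse_e131_packet(data):
    """Validate all three layers and return the fields a receiver acts on; none of them proves who sent it."""
    if len(data) < 126:
        raise ValueError("packet too short")
    preamble, postamble, pid, root_fl, root_vec, cid = struct.unpack_from("!HH12sHI16s", data, 0)
    if (preamble, postamble, pid, root_vec) != (0x0010, 0x0000, ACN_PACKET_ID, VECTOR_ROOT_E131_DATA):
        raise ValueError("not an E1.31 data packet")
    if root_fl >> 12 != 0x7 or (root_fl & 0x0FFF) != len(data) - 16:
        raise ValueError("root layer length mismatch")
    fr_fl, fr_vec, name, priority, _sync, sequence, options, universe = struct.unpack_from("!HI64sBHBBH", data, 38)
    if fr_vec != VECTOR_E131_DATA_PACKET or (fr_fl & 0x0FFF) != len(data) - 38:
        raise ValueError("framing layer mismatch")
    dmp_fl, dmp_vec, addr_type, first, inc, count = struct.unpack_from("!HBBHHH", data, 115)
    if dmp_vec != VECTOR_DMP_SET_PROPERTY or addr_type != 0xA1 or first != 0 or inc != 1 or count < 1:
        raise ValueError("unexpected DMP header")
    values = data[125:125 + count]
    if len(values) != count or (dmp_fl & 0x0FFF) != len(data) - 115:
        raise ValueError("DMP length mismatch")
    return {"cid": cid, "source_name": name.split(b"\x00", 1)[0].decode("utf-8", "replace"),
            "priority": priority, "sequence": sequence, "universe": universe,
            "stream_terminated": bool(options & 0x40), "start_code": values[0], "slots": values[1:]}


class SourceMonitor:
    """Passive watcher for one E1.31 segment: alerts on a CID outside the allow-list, on a competing
    source whose priority outranks a known one, and on a known CID going out of sequence."""

    def __init__(self, allowed_cids):
        self.allowed = set(allowed_cids)
        self.sources = {}      # universe -> {cid: {"priority", "sequence", "name"}}

    def observe(self, pkt):
        alerts = []
        universe, cid = pkt["universe"], pkt["cid"]
        label = f"universe {universe}: {pkt['source_name']!r} cid={cid.hex()[:8]}"
        if cid not in self.allowed:
            alerts.append(f"{label}: source not in allow-list")
        seen = self.sources.setdefault(universe, {})
        for other_cid, other in seen.items():
            if other_cid != cid and pkt["priority"] > other["priority"]:
                alerts.append(f"{label}: priority {pkt['priority']} outranks {other['name']!r} at {other['priority']}")
        prev = seen.get(cid)
        if prev is not None:
            delta = ((pkt["sequence"] - prev["sequence"] + 128) & 0xFF) - 128   # signed 8-bit, per the spec
            if -20 < delta <= 0:     # the spec's out-of-sequence window; a receiver discards these
                alerts.append(f"{label}: out-of-sequence packet (delta {delta}); possible duplicate sender")
                return alerts
        seen[cid] = {"priority": pkt["priority"], "sequence": pkt["sequence"], "name": pkt["source_name"]}
        return alerts


def demo():
    """Constructed: the show PC streams universe 1, a laptop joins at priority 150, then a packet
    re-using the show PC's CID arrives with a stale sequence number (a second sender cloning it)."""
    show_pc = bytes.fromhex("3f2b9c1e5a7d4e8f9b01c2d3e4f5a6b7")   # made-up CID
    laptop = bytes.fromhex("0f3ad3c17f3e4c7b9a8a1d2e3f4a5b6c")    # made-up CID
    monitor = SourceMonitor(allowed_cids=[show_pc])
    frame = bytes([255, 0, 0] * 170)                                # 510 slots, every pixel red
    alerts = []
    for seq in (0, 1, 2):
        alerts += monitor.observe(parse_e131_packet(build_e131_packet(show_pc, "Show PC", 1, seq, frame)))
    alerts += monitor.observe(parse_e131_packet(build_e131_packet(laptop, "laptop", 1, 0, bytes(512), priority=150)))
    alerts += monitor.observe(parse_e131_packet(build_e131_packet(show_pc, "Show PC", 1, 1, frame)))
    return alerts
```

Fed from a socket bound to UDP 5568 on the E1.31 NIC (universe N is multicast to 239.255.0.N when N is below 256, or unicast straight to the controller), the monitor is the software counterpart of a switch's MAC lockdown: it cannot stop a rogue sender, because nothing in the protocol lets the controller tell the laptop from the show PC, but it tells you one is there, which is exactly what a dumb switch will not.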

I have what is probably a dumb question related to this topic. If you have a laptop as the show computer and the wireless off, so no internet connection, do you need to worry about "network security"? If running an e682 via E1.31, the only access someone would have if plugging in the cat5 cable would be to the laptop itself, right? In which case the laptop should be a pretty stripped-down PC with no personal info on it. Correct?

 

Thanks,

Al


Jim

 

Thanks, so you are using two NICs in the show computer....

 

That would make it harder to get from the e1.31 network into the house network.

 

With this setup, I would think you would not want to allow remote desktop connection; I'm pretty sure I can turn that off.

 

Any idea of anything else that needs to be shut off to block access through the show computer to the network?


Yes.  There is one on the motherboard and I added a second NIC for the E1.31 network (about $10 from Amazon). 

 

The show computer does not route between the two networks.

 

Correct. Windows Firewall blocks almost everything on the E1.31 network. I use a remote application for access to the show computer (but only from the home network), since the show computer does not normally have a mouse, keyboard, or monitor.

 

Make sure the computer has good password protection. My show computer logs on with a user account when it boots up (every day), but that is a restricted account. Also, the first thing that happens after the auto logon is to lock the computer, so even if someone thought that they could gain access by re-booting, the PC locks immediately. The administrator account has a strong password.

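The addressing rules from the diagram post (static addresses on the E1.31 side, no DHCP there, nothing on the WAN port, a second subnet) together with the "does not route between the two networks" point above can be checked from the show PC's own `ipconfig /all` output before the show goes live. The script below is an added example, not from the forum or from LOR; the adapter names, addresses, MACs and controller list in it are constructed, and it uses only the Python standard library. Paste real `ipconfig /all` text in place of the sample to run it against your own machine.

```python
"""Checks the addressing side of the dual-NIC layout against the text of
`ipconfig /all` from the show PC. Added example, not from the forum; the
adapter names, addresses and controller list below are constructed."""
import ipaddress
import re

# Constructed output in the shape `ipconfig /all` prints (not from a real machine).
SAMPLE_IPCONFIG = """\
Ethernet adapter Home LAN:

   Description . . . . . . . . . . . : Onboard Ethernet
   Physical Address. . . . . . . . . : 02-00-00-00-00-01
   DHCP Enabled. . . . . . . . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 192.168.1.50(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.1.1

Ethernet adapter E1.31 LAN:

   Description . . . . . . . . . . . : Add-in PCIe Ethernet
   Physical Address. . . . . . . . . : 02-00-00-00-00-02
   DHCP Enabled. . . . . . . . . . . : No
   IPv4 Address. . . . . . . . . . . : 192.168.10.2(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . :
"""


def parse_ipconfig(text):
    """Return {adapter name: {field: value}} from `ipconfig /all` text."""
    adapters, current = {}, None
    for line in text.splitlines():
        header = re.match(r"^(\S.*) adapter (.+):$", line)
        if header:
            current = adapters.setdefault(header.group(2), {})
            continue
        field = re.match(r"^\s+([A-Za-z0-9][A-Za-z0-9 ]*?)[ .]*: ?(.*)$", line)
        if field and current is not None:
            current[field.group(1).strip()] = field.group(2).strip().replace("(Preferred)", "")
    return adapters


def audit_isolation(adapters, home_adapter, show_adapter, controllers):
    """Findings against the layout in the post: static E1.31 NIC, no gateway on it,
    disjoint subnets, and every controller addressed inside the E1.31 subnet."""
    home, show = adapters[home_adapter], adapters[show_adapter]
    home_net = ipaddress.ip_interface(f"{home['IPv4 Address']}/{home['Subnet Mask']}").network
    show_net = ipaddress.ip_interface(f"{show['IPv4 Address']}/{show['Subnet Mask']}").network
    findings = []
    if show.get("DHCP Enabled") != "No":
        findings.append(f"{show_adapter}: not static; there should be no DHCP server on the E1.31 LAN")
    if show.get("Default Gateway"):
        findings.append(f"{show_adapter}: has default gateway {show['Default Gateway']}; the E1.31 LAN should lead nowhere")
    if home_net.overlaps(show_net):
        findings.append(f"subnets overlap: {home_net} and {show_net}")
    for ctrl in controllers:
        addr = ipaddress.ip_address(ctrl)
        if addr not in show_net:
            findings.append(f"controller {ctrl} is outside the E1.31 subnet {show_net}")
        if addr in home_net:
            findings.append(f"controller {ctrl} would be reachable from the home LAN {home_net}")
    return findings


def demo():
    """Two controllers addressed correctly, one mistakenly put on the home subnet."""
    adapters = parse_ipconfig(SAMPLE_IPCONFIG)
    return audit_isolation(adapters, "Home LAN", "E1.31 LAN",
                           ["192.168.10.10", "192.168.10.11", "192.168.1.77"])
```

This checks addressing only. Whether Windows will forward packets between the two adapters is a separate setting (IP forwarding on the interface) and is not visible in `ipconfig`, so verify it on its own; a controller that answers to a ping from a home-LAN machine is the practical test that something is still bridging the two.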

My setup is slightly different. I only use one NIC.

I don't normally have anything connected to my home network unless I need to temporarily download something. Then I just plug the home router into the show router.

I don't have anything to the left of Jim's show computer, but the rest is the same; also I turned the wireless off on the router.


There is only one sure way to keep your house network safe from the outside. Get rid of your wireless access point. And your show computer has to have NO house network access. If that means you have to deploy a sneakernet to get files to your show computer, so be it. Better to be secure and have to manually take files to the show computer via thumb drive than chance someone hacking into your home network.

 

Hackers can't access your home network if you don't give them an access point, be it hardwired or via radio signals. Take those away and then the only alternative is to enter your house and make a hard-wire connection. No ifs or buts about it.

