I have two scenarios for implementing IoT devices and I want to know which one has most security? Because I am a programmer and I have bit knowledge on network issues
Main Goal is to implement IoT devices and have modification and configuration from outside of local network. Assume we have IoT device in smart house and I want to change its configuration from outside of house by changing some parameters.
NOW:
First Scenario:
On the below picture indicates with red color on the left.
Writing our own web services and make it accessible by setting up "static ip" and and using "Port Forwarding" + SSH in order to have high secure connection.
In this story, user write static ip on address bar from outside of smart house and connect to web services and can have modification
now my question is if this way can harmful for our firewall and network?
If this way open firewall port permanantly?
If all users can send request so do we have attackers that can attack other devices or not?
We can have our authentication to have more safty.
Second Scenario:
On the below picture indicates with blue color on the right.
In this scenario we are using APIs from IoT company instead of writing our own services and user send request to IoT Company and on the our smart house we have gateway from IoT company which send request for instance per 1 second to check if ther is any on IoT company server or not and if there is any so make a modification.
Because in this scenario Iot Company might to use DHCP IP instead of static ip , is it possible to have some hurt to fire wall?
Because I am not sure but I think firewall will be opened whenever ther is any request so is it possible that this way is more secure?
If possible, I would suggest not opening any port on the IoT device. This does create a lot of worries as the question suggests.
Instead, would it make sense in your case to have the IoT device poll a web service for instructions? You could use web sockets or long-polling if it's important for the devices to be highly responsive to incoming requests.
Mahsa's description is not detailed enough, so i decided to add some more information... otherwise it would be a "what tastes better: a pear or an apple?" discussion.
More precise scenarios
The first scenario (S1) uses port forwarding. This port can be used by everybody in the internet. Security is based on the software and implementation of that webservice. Which has to be maintained good and updated regulary.
The Second scenario (S2) does a polling from a internet-server, maintained by the manufacturer (Philips). The local IoT-gateway initiates a TCP/HTTP-rest-request to the philips-hue server in the internet. The firewall/NAT does not need to be changed at all. "Open Port whenever we need" is not 100% correct, it's a NAT-firewall which accepts only packets from request destination of Philips-server (SPI)
Please read about how networks, firewall and NAT works in most environments before making assumptions:
Network: OSI Layers 3,4,7 (and at the moment we talk about IPv4 ;-)
Firewall/SPI: Stateful Package Inspection
NAT: Port-restricted cone or symmetric
Questions of safety
What is "safety" in your case? You have to define what you want to protect. In this case it's the local network,so that no intrusion is possible. The detailed questions "what is more safe?" are:
A1) port-forwarding or A2) port-restricted/symmetric NAT and SPI?
B1) pattern user ⇒ firewall ⇒ own webservice ⇒ gateway or B2) pattern user ⇒ Philips-server ⇐ firewall ⇐ gateway
C1) security is based on higher layer 5-7 or C2) based on lower layers 3+4
Side aspects
The picture should tell that the "own web service" can NOT directly talk to the IoT-device. It has to talk over the gateway/bridge with the IoT-device.
This means you have to setup a local webserver parallel to the IoT-gateway.
D) Costs, effort and the maintennance of such local webservice... is it really needed to have a secure scenario?
Please send your answers A-D
and some arguments would be nice. Perhaps you find also some other security issues E,F,G,H... let us know. Thanks Frank
Related
This has taken me about a year to understand and get to, but I am the limit of my capability so reaching out to a StackOverflow guru please...
I would like to, if possible, secure my network model. The model is as shown in the diagram. To explain:-
All the aspects I have control of, is within the green shaded area. I cannot change anything outside this.
I run a simple application web server which is the VPN IPsec/L2tpd client. Static IP.
My router is ISP provided. It receives a DHCP Dynamic IP from the ISP.
My Digital Ocean Virtual Private Server has a static IP. It runs an NGINX reverse proxy that channels traffic through the VPN tunnel. It also runs the IPsec/L2tpd server.
A IPsec/L2TPD VPN tunnel is established and working.
A working VPN tunnel.
A cellphone that runs an app that communicates with my application server app. My cellphone receives a dynamic IP from my Network Operator.
I have three IP camera feeds served by my application server. Not a great speed but watchable in real-time.
I cannot change my ISP, or bandwidth/download/upload speed.
I cannot install VPN clients on the cellphone and I may want to access my app server through another cellphone provided by work so cannot install apps on it but does have unfettered web access through a browser.
Everything is now working, can't believe I've done it !
Anyway, my question is:-
Is there any way to secure the network so that only traffic from my mobile reaches - or rather is accepted - by my application server.
I accept IPsec/L2tpd is not great, but it is fast and I use this because I have tried OpenVPN, SoftEther and key based OpenSwan. These are waaaay to slow. The camera feeds are unwatchable and update one frame about every 5 seconds.
So with the limitations above, what can I do, what is possible? Please may I respectfully ask that you refrain from suggestions and concerns requiring a change to that which I cannot control, i accept all critique but that is not what I need here. I am asking for advice on how to secure , that which I can influence. Thank you
I cannot install VPN clients on the cellphone and I may want to access
my app server through another cellphone provided by work so cannot
install apps on it but does have unfettered web access through a
browser.
Due to the limitation that at the end, even a phone where you are not allowed to change anything but use the web, i suggest to configure proxy authentication on the nginx reverse proxy. I don't have experience with setting this up with nginx in particular but that's what should do the trick according to the network architecture and description you provided.
An example configuration on how to configure nginx for basic / client certificate auth can be found at: https://www.cloudsavvyit.com/1355/how-to-setup-basic-http-authentication-on-nginx/
I have a security question about games and network.
Today most games (like Call of Duty) uses a 'on client side host' server system. So for some time, one client becomes the host of the game. I'm looking for some resources on how to do this properly (in a technical and safe way) because I'm working on a project like that.
But for now the only solution I found is to share the IP address of my host clients to other guest clients. And I'm not proud of this. So I am looking for a method or technology like IP masking or another stuff like that would protect my customers from other malicious customers that could retrieve IP of my customers and maybe hack them?
EDIT:
But what I'm asking is if there is any solution like services like on the fly subdomains redirections with parameters for connecting to specific clients or anything like that? I mean
subdomain.mygame.com/clientname
If you want true peer-to-peer connections in your game there is no way around sharing the IP address. After all if they are to talk with one another then they need to know how to reach the others.
Alternatively you can route all their traffic through your server and each client connects to it independently. That way they do not have to know any information about each other except your in-game user id.
In BitTorrent, client connects to the tracker specified in .torrent file. Tracker is a kind of centralized server and it is the starting point. So BitTorrent is not pure p2p.
If we want to develop pure p2p system, we should design routing overlay network. All nodes will have routing table like routers do. But even in routing overlay network, each node should know at least one existing node(GUID, IP address) initially. So how can we determine this? Should we keep 'one existing node to connect initially' forever like fixed centralized server? If so, I think this is not fully decentralized method.
The solution you describe (defining a central peer wit well-know ip address) is not the only one.
The other solution is to post an html page (or json file) in a well-know URL on the net, and make sure this item contains an updated list of peers this peer can initialy connect. This list can be updated if a peer goes down. Eventually, you can use multiple URLs.
Pure P2P system is a theoretical concept which cannot be implemented fully in reality.
You could use an anycast. So the first other client will answer and may send such an initial "client list". Where your client can connect to them to get more lists.
Classically I would implement a multicast to a adress and wait for an answer of other clients.
Firstly, a true peer to peer network is not necessarily decentralized. Secondly, decentralization does not necessarily mean that the network doesn't make use of secondary services which may themselves be centralized.
The main question in both of these issues is wheather the primary resources of the network solution are distributed through correlated peers.
For example, peer-to-peer video conferencing may use a central contacts service but still be pure peer-to-peer as long as the peers resolve such issues before entering a true peer-to-peer scope. This would also be decentralized.
What it comes down to is what your trying to solve by using peer-to-peer. A video conference is a video conference - it starts with a video being recorded on one peer and ends with the video being viewed on another. As long as each byte of this data is transferred directly between the peers (even if there's hundreds of peers in the conference, and regardless of how these peers found each other) it is a true peer-to-peer video conference.
Note that the video peers will still be in your typical ring, and that the contacts lists may still use the node key for location information rather than an IP. This will still be a network overlay as it will still be built over IP, replacing it's addressing scheme on the peer level to facilitate true peer-to-peer networking.
What it realy comes down to is the concepts of a network connection. IP just pushes packets to unspecified routers until it gets to a specific address. 'connections' between each endpoint only exist within the higher software levels (including when dealing with TCP/IP). A connection is just the data used within software to understand who is who and how each point can handle data etc. Peer-to-peer network overlays effectively distributes this data, eliminating the need for each peer to create massive amounts of connections to communicate on a massive scope. Decentralization is not required for this (as long as peer to peer communication is not centralized), and a secondary service within the system wont necessarily limit a network's scope or otherwise centralize actual peer-to-peer networking.
So to answer your question, it doesn't matter where it initially connects in order to be considered peer-to-peer, and different peer-to-peer services will handle this based on their service design.
Ok so I am thinking about writing a p2p protocol for a number of different services for an AI project, and I thought I'd come here to see if i could get some ideas on how to get the initial connection.
I have come across several ways to establish the initial connection:
1) You have a static ip address on the internet that distributes information on other peers. This isn't good, because:
a) it's a single point of failure, the service could go offline, preventing any new connections from creating an initial connection to peers,
b) the IP address could change. This could be mitigated by using a domain name which is maintained to point to the current ip address of the location of a service which provides data on peers, however this can be subverted in theory by hackers by spoofing or arp poisoning, dns attacks etc.
2) You could force the user to provide an initial ip address or hostname for another peer, and it's up to the user to find the hostname / ip address / port number. This is good, but if someone posts disinformation or they cannot find a peer on google or some other search site then obviously it's fallable.
3) You could leave it to the peer to publish their own existence in a central location - for example a group of IRC channels or a group of websites. Again, unless it's going through a central trusted domain, it's hard to determine the authenticity of the peer.
4) You could use some kind of nmap style discovery algorithm that searches through subnets for appropriate protocols. The problem with this approach is it's slow and it's likely to attract attention from things like firewalls etc.
5) This is a variation of 3) you could allow the peers to advertise their own information on a website, then instead of having to look for the information in a suitable location (a specific website, or group of websites), you can let google's search algorithm find it, and do the discovery for you, however you could imagine that this may take a few days for google to cache the website data with information on the peers. Also again, it would be upto you to provide some way to verify the authenticity of the advertised data.
6) If you are interested in an exclusive p2p network that locks out certain people (for example, you might want to have a file sharing network and you don't want law enforcement to be able to access it, or MPIAA), then you could use 2) and then have a referral system where you require that the initial connection provide the referrer's ip address, and then the service could connect to the referrers ip address and ask the referrer if they did indeed refer the referee.
That's all I can think of currently, but if anyone comes up with any other ways to do this, i would be very interested.
Tough question. It has to do mainly with security, but also computers. Probably not been done yet.
I was wondering, is it possible to host for example a web application, yet be able to hide *where* the actual server is, and, or who is the originator, making it very very hard ( practically impossible ) for some one to track the origin of the server, and who is behind it?
I was thinking that this might be possible through a third party server, preferably with an owner unrelated to the proxy sites. But the question then also becomes an issue of reliability *of* the third party.
Does the TOR network have support for registering for recieving incoming requests rather than outgoing ones? How secure would that be? Might it be possible that the TOR network has been infiltrated by for example a big goverment ( read USA ) ( dont get angry, please enlighten me as I do not know much of how the TOR network is hosted ).
How can one possibly create such a secure third party server, that preferably does not even know who the final recipient of the request is? Third party companies might be subjected *to* pressure from goverments, either directly from powerful *nations* such as USA, or by the USA applying pressure on the goverments of the country where the server is, applying pressure on the company behind it, and force you to enable a backdoor. ( Just my wild fantasy, think worst case scenario is my motto :) ).
I just came with the idea, that being that this is probably *impossible*, the best way would be to have a bunch of distributed servers, across several nations, make it as hard as possible to go through each and one of them to find the next bouncing server. This would have to be in a linked list, with one public server being registered on a DNS. If compromised, the public server needs to be replaced with another one.
request from user0 -> server1 -> server2 -> server3 -> final processing server -> response to user0 or through the incoming server chain.
When sending a response to someone, could it be done using UDP rather than TCP and hide who the sender was ( also in a web application ) ? So that a middle man listening on user0 computer incoming responses ( and outgoing requests ) do not figure *out who the final* processing server is, if we decide to respond directly to user0 from the final processing server?
The IP of server1 will be public and known to anyone, server1 will send the message to server2 and it is possibly to figure out by listening directly behind server1 traffic node, but perhaps it could hide its own origin if not being listened to directly, so that if big goverments have filters on big traffic nodes or routers, they wouldn't be able to track who it came from, and therefore what the message to server2 is intended for. It would blend in with all other requests.
Anyhow, if you have followed my thoughts this far I think you should know by now what I am thinking about.
Could this be possibly through a P2P network, with a central server behind it, and have the P2P network deliver it to the final server respond in some pattern? The idea is to have one processing server, and then have "minor", "cheaper" servers that acts as proxys?
Why I keep saying central server, is that I am thinking web. But any thoughts on the matter is interesting.
For those that wonders, why... I am looking into creating as secure as possible, and that could withstand goverment pressure ( read BlackBerry, Skype and others ).
This is also a theoretical question.
PS.
I would also be interested in knowing how one have a distributed SECURE database ( for keeping usernames, friendlists and passwords for example ) but this time, it is not neccessery for it to be on the web. A P2P software with a distributed secure database.
Thanks!
Yes, you're reinventing Tor. You should research Tor more fully before going further. In particular, see Hidden Service Protocol. Tor is not perfect, but you should understand it before you try to reinvent it.
If you want to find an ant's nest, follow the ants. If you want to find the original server, follow the ip packets. If you meet a proxy server not willing to provide their path, call the server administrator and have your men in black put a gun on his head. If he does not comply, eliminate the administrator and the server. Carry on following the ants in their new path. Repeat the operation until server is reached or server can't communicate anymore.
So no, you can't protect the origin and keep your server up and running when your men in black can reach any physical entity.
Let's say I want to make an application where stored data is encrypted so only my application is able to read it.
But I want the application to be accessed only if the user is on a particular network.
For instance the application is an Android app that deals with medical records in a hospital.
How to be sure that the device is connected to the network of the hospital ? The idea is that outside this network, the app won't work.
The question is not particularly related to wireless networks, wireless devices or Android, this is general to programming and network identification.
Could a certificate do that ? I'm new to this.
Does a network "identifier" could be faked ? For instance I'm pretty sure that a WiFi SSID is easy to fake.
Cheers.
More details:
Let's assume that the point of the local data is not for an "offline mode", but to avoid network latency. In that case, the data needs to remain accessible only if connected to a particular network, in case the device is stolen.
But if there is no way to be sure of the network's identity... What about a server that would answer to the question "Heya am I on the right network ?" and if no response comes out I know that I'm not on the right one ? (Or that the server just does not respond...) But, again, if the app is hacked, that can be faked too.
Interesting problem.
Generally speaking the purpose of storing data locally is so that it can be accessed while "offline".
However, I think there may be some underlying misconceptions here. Presumably the only reason you'd want to do this is to try and prevent a stolen device from giving up it's secrets. Fact of the matter is, you can't. If the device is no longer under your physical control then it's just a matter of time before it can be hacked.
If we are talking about sensitive data, it shouldn't be stored on the devices. Instead the device should retrieve the data it needs from your server when it needs it and delete it locally when no longer necessary.
The fact that you want the device to only work when connected to your local network implies that you can accomplish this goal.
As a side note, this is why things such as "remote wipe" exist. It's also why every time the device connects to your network it needs to test it's authentication and authorization. Point is if someone reports the device lost or stolen then you need to be able to ban it from your network AND, if the device supports this, remotely disable it.
Bearing in mind that it is entirely possible to pull a device from the network and therefore disable a remote wipe from executing.
With that out of the way, there is absolutely no way you can ensure the device is on a given network. All of that can be faked. It's kind of trivial to setup a router of a given name and change it's MAC to masquerade as whatever, and assign it certain IP addresses. For all intents and purposes it could be made to look exactly like an access point you have... And that's just with normal run of the mill wireless routers you can buy at your local computer store.
You could write your program so that the key to decrypt the data is stored on a server on the hospital network. If your program never stores the key, it makes it harder (although not impossible) for someone to access the device's data outside of the network.
As Chris pointed out a remote wipe would definitely be desirable. You could put in logic so that if the device ever attempts to read the data while not connected to the network, it wipes the data (this might lead to unintended wipes). Blacklisting is good too, so that if the device tries to reconnect to the network, you can essentially brick it. One thing that would be really bad is if you have a network outage, and all your devices accidentally get wiped.
Any network can duplicate another's SSID, so that's not reliable. You could start using a combination of SSID and a MAC address of a known router, but MAC addresses can be duplicated (although not on the same network) so that doesn't work either.
Frankly, unless the wireless network in question is using certificates to identify devices you're going to have no reliable way do it it, and even then this supposes you have a way in your application to get the certificate used the wifi network returns during network authentication.
Perhaps you could use IPSec tunnels. Many routers and firewalls support IPSec. What I'm thinking is something like this:
-----------------------------------
/ IPSec tunnel \
+---------+ \
A | IPSec | B Untrusted \
trusted network -------| capable |------- Networks ----------- Your application
| router | Internet, etc.
+---------+
The gateway router/firewall that provides access for the trusted network has an IPSec tunnel configured between itself and your application. On both the router and your application server, the tunnel looks like another network interface. A route on the router directs traffic for your application to the tunnel interface. A filter can be used on the router to ensure traffic is forwarded to the tunnel only if it arrives on interface A (i.e. the trusted network). Traffic arriving on interface B destined to your application can just be dropped by a filter on the router since it's obviously going the wrong way.
If your application binds its listening socket to just the tunnel interface, you'll know you're only accepting connections received over the tunnel.
You can use whatever combination of encryption and authentication mechanisms you want to to ensure the traffic is secure. Most IPSec implementations support just about anything you could want.