Best Practice: Remote Access Connectivity - balancing functionality with security

By Peter Aylett, Archimedia Middle East. Remote system access is a hot topic these days. From viewing CCTV cameras whilst on holiday, to allowing us to remotely monitor and fix problems, remote system access is now a feature on many systems that we install. It is, however, critical that we balance functional needs with security to ensure that our customers' privacy and data integrity are not compromised. An industry colleague recently had all of the data on his NAS drive encrypted by Ransomware - a type of malware which restricts access to the computer system that it infects, and demands a ransom paid to the creator(s) of the malware in order for the restriction to be removed. This is because an Internet port was left open overnight during some testing. Whilst seriously inconvenient for the integration company, at least this did not happen to one of its customers. [caption id="attachment_7070" align="aligncenter" width="400"] Don't leave your customers open to hackers.[/caption] If you don't know what 'Internet port was left open' means, you seriously need to go on a basic TCP/IP course, but for the majority of you who, I trust, do know what it means, the above catastrophe was caused by implementing PAT (Port Address Translation) on a router. PAT is one of a number of methods for implementing remote access, and in the above example, it failed because of a security loophole with a Synology NAS drive that allowed a hacker to install the ransomware thanks to 'back door' access. This should serve as a warning to all of you that increasingly-sophisticated hackers are finding new and profitable ways of compromising devices to which PAT gives them near unrestricted access. Rather than use PAT, consider the alternatives. Virtual Private Network (VPN) Not so long ago, VPNs were difficult and expensive to implement. Now VPNs are supported by the vast majority of phones and tablets, and enabled by home routers that have built-in VPN endpoint capability. [caption id="attachment_7071" align="aligncenter" width="400"] VPNs are now very easy to set up on mobile devices.[/caption] The advantages of using a VPN rather than PAT are as follows: 1. A connection using PAT is completely unencrypted, whereas a VPN encrypts the data travelling through the Internet, making it much more difficult to snoop on. 2. When connecting to a device using PAT, authentication to that device happens inside the LAN. Once a device has been hacked, it is possible that the hacker has unrestricted access to the entire network. Authentication on a VPN happens on the WAN side of a router. 3. Router security is usually far more robust than the average Chinese-made IP camera that is accessible over PAT. In all cases, ensure that firmware is always current on any device that is accessible via the Internet. Once implemented, connection over a VPN gives a user access to all of the resources and devices on a LAN. It is like having a virtual patch lead connected between your remote device, and the Ethernet switch in the home being that is being accessed. Cloud-based Services We are now installing a Raspberry Pi (a credit-card sized computer that plugs into your TV and a keyboard) running FingBox as standard, on all of our customers' systems. This allows us to remotely monitor all of the IP devices on the network. [caption id="attachment_7072" align="aligncenter" width="300"] The Raspberry Pi low-cost computer costs less than GBP25 and is made by the Raspberry Pi Foundation, a registered educational charity based in the UK.[/caption] The reason that this, and all other cloud-based services are so secure is that FingBox makes only an outgoing connection from the home to a cloud-based server. We then do not connect to the home, but connect to the cloud-based server without ever accessing the home network directly. Customers love this as we can never have direct access to any device on their network - we are simply able to remotely monitor the status of them all and proactively initiate service calls if we see a problem. This kind of functionality can be taken to an extremely high level with services such as ihiji that we use for our bigger and more complex systems. [caption id="attachment_7073" align="aligncenter" width="600"] Cloud-based remote monitoring gives you visibility of your customers' systems and allows you to be far more proactive with service and maintenance.[/caption] Similarly, there are many cloud-based CCTV services that have images streamed to them from a home. When access is needed to those images, a connection is not made to the home (with all the inherent security risks and complexity) but is made to a cloud-based server. Control system manufacturers are beginning to offer cloud-based control options to remotely control and monitor home devices. This is usually built into the system functionality and typically requires little programming or configuration on your part. [caption id="attachment_7074" align="aligncenter" width="300"] Cloud-based control is now very easy to implement.[/caption] Conclusion The performance of that home cinema will pale into insignificance if your customer's digital world is compromised and they lose data or have private information stolen. It is now our job, as curators of our customers' digital lifestyles, to ensure that their privacy and data integrity are looked after, so we must take the time to learn about and understand potential security issues. Whenever security is considered, there are usually compromises that have to made regarding functionality. Whilst PAT is simple to configure and simple to use, it has had its day as a remote access method due to the many security issues. The use of VPNs, or even better, cloud-based services allows us to offer remote access functionality without any of the inherent security risks. Peter Aylett is a world-renowned speaker and lecturer in residential technology, and the Technical Director at Archimedia, a multinational high-end residential integrator in The Middle East. He is also currently Chair of CEDIA’s International Technology Council Applied Content Action Team, and a regular contributor to HiddenWires. You are welcome to comment on this article. See below.

Article Categories