
eKeypad ISY over the Internet


vbPhil


Posted

Michel,

 

Sorry, no one (I think, at least not me) is saying you need a DDNS account.  My point is that the portal is doing the DDNS work for you as it keeps track of any changes to the public IP of ISY.  

 

The issue is the mechanism of how all this works, as we can only speculate for certain having not written the code. 

 

Not sure what the conversation on Elk is about.

 

Lou

...and now we are back to the external IP address discussions I brought up in another thread. Interesting how this circle completes itself. :)

Posted

The dynamic dns runs between the proxy server and your ISY public IP.  The proxy server tracks your public IP but only shares that with itself.  The difference from standard ddns is that it gives out your public IP to anyone with the url so they can go directly to it.  With a proxy, the URL goes to the proxy and the proxy tunnels it.

 

The proxy server in concert with ISY has maintained the open port on the router by continuing to pass data back and forth, even when you are not using it.  Your router only knows that it is talking to the proxy and your router only holds the port open to ISY for packets delivered from the proxy.  This info is held in the NAT table on your router.

 

The advantage I see to this is that it could be more secure since your port is only open to traffic from the proxy's IP rather than anyone with your public IP.  However, the proxy server is open to all IPs and could be hacked and if successful then the hacker has a tunnel to your ISY.  My guess is that the proxy server is pretty well protected.  My other guess is that not too many people really want to control your ISY.  But there are certainly nut jobs out there who just hack for the sake of hacking.

This may apply if the ISY portal is used but my router and ISY do not restrict any traffic, from any source, and receive and process anybody's data that talks nice using my ISY's (LAN) or router's (WAN) appropriate IP addresses, ports, and user/password combinations.

 

 

I can see that the cloud based ISY Portal could act as a DDNS service with ISY doing the DDNS client end, keeping the Portal updated.

 

 

I am also hearing ISY just acts similar to your browser which causes responses to be allowed back to it, through all the routers and switches, in a much safer method, not using any DDNS. "Tunnel underground to Orlando".

 

Either way I understand that no third party DDNS gadgetry is required for the ISY Portal.

Posted

This may apply if the ISY portal is used but my router and ISY do not restrict any traffic, from any source, and receive and process anybody's data that talks nice using my ISY's (LAN) or router's (WAN) appropriate IP addresses, ports, and user/password combinations.

 

 

 

Yes, well I think that may be the point.  When you open a port you direct all external sources soliciting that port to the LAN IP you listed in your port forward settings.  So anyone could start a brute force attack on your ISY.  Or, should a security flaw be found, a quicker route in.  I want to say Foscam had an issue like that a few years back.  

 

When you use the portal, I assume it is using the router's dynamic NAT to hold the port open only for traffic originating from the ISY portal IP, in concert with the ISY plug in that originates that link from behind your firewall.  Of course if someone were to hack the ISY portal server, it is possible they might get access to all ISY's on the service.  Though they would still need to hack the password as I suspect the portal does not need or contain your password.

 

The article I linked above does a very nice job with describing the process.  Outbound traffic opens the port for replies from the outbound destination (obviously or you would never get any reply to anything you did on the internet), but I didn't know the details, particularly as to length of time.  It would appear that the default time for a TCP NAT route is quite long which makes this process very doable and to me makes it the likely mechanism.  Even a ping once a day would probably work.  With my curiosity piqued, I poked around my new router and found the tables showing which WAN IP/ports are linked to which LAN IP/ports and how long they are open for.  The table tells you all the locations anyone on your network has visited.
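The NAT behaviour described in the last two posts (a port forward delivers any source on the Internet to the LAN host; an outbound connection only lets replies from the host it was opened to back in, until the mapping idles out; periodic traffic keeps it alive) can be made concrete with a small simulation. The following is an added example, not code from the thread, from the ISY or from the portal: the addresses and the idle timeout are constructed values, and the keepalive behaviour is the thread's reading of how the portal holds the path open, not a documented description of the service.

```python
"""Toy model of a home router's NAT (connection-tracking) table plus static port forwards."""
from dataclasses import dataclass

# Idle timeouts are assumed, illustrative values, not a specific router's defaults.
IDLE_TIMEOUT = {"tcp": 24 * 3600, "udp": 30}


@dataclass
class NatEntry:
    lan_addr: tuple      # (lan_ip, lan_port) that opened the flow
    wan_port: int        # port the router used on its public IP for this flow
    remote_addr: tuple   # (remote_ip, remote_port) the flow was opened to
    proto: str
    expires_at: float    # the mapping is dropped once idle past this time


class HomeRouter:
    def __init__(self, wan_ip: str):
        self.wan_ip = wan_ip
        self.flows: dict[tuple, NatEntry] = {}   # (proto, lan_addr, remote_addr) -> entry
        self.forwards: dict[tuple, tuple] = {}   # (proto, wan_port) -> lan_addr
        self._next_port = 40000

    def add_port_forward(self, proto: str, wan_port: int, lan_addr: tuple) -> None:
        """Static port forward: no source restriction and no expiry."""
        self.forwards[(proto, wan_port)] = lan_addr

    def _expire(self, now: float) -> None:
        for key in [k for k, e in self.flows.items() if now >= e.expires_at]:
            del self.flows[key]

    def outbound(self, proto: str, lan_addr: tuple, remote_addr: tuple, now: float) -> int:
        """A LAN host sends a packet out; create or refresh the mapping for that flow."""
        self._expire(now)
        key = (proto, lan_addr, remote_addr)
        entry = self.flows.get(key)
        if entry is None:
            entry = NatEntry(lan_addr, self._next_port, remote_addr, proto, 0.0)
            self._next_port += 1
            self.flows[key] = entry
        entry.expires_at = now + IDLE_TIMEOUT[proto]
        return entry.wan_port

    def inbound(self, proto: str, src_addr: tuple, wan_port: int, now: float):
        """A packet arrives on the WAN side; return the LAN destination, or None if dropped."""
        self._expire(now)
        fwd = self.forwards.get((proto, wan_port))
        if fwd is not None:
            return fwd                   # forwarded port: every source is delivered
        for entry in self.flows.values():
            if entry.proto == proto and entry.wan_port == wan_port:
                if entry.remote_addr == src_addr:
                    entry.expires_at = now + IDLE_TIMEOUT[proto]   # reply traffic keeps the flow alive
                    return entry.lan_addr
                return None              # right port, wrong peer: the NAT drops it
        return None                      # no mapping at all


def demo() -> dict:
    """Walk through the three situations discussed in the thread; all addresses are constructed."""
    router = HomeRouter("203.0.113.10")
    isy = ("192.168.1.50", 443)          # ISY on the LAN
    laptop = ("192.168.1.20", 50000)
    portal = ("198.51.100.7", 443)       # stands in for the proxy/portal host
    website = ("198.51.100.80", 443)
    stranger = ("192.0.2.99", 51515)     # any other Internet host
    t0 = 0.0

    # 1) Port forward 8443 -> ISY: any source on the Internet reaches the ISY.
    router.add_port_forward("tcp", 8443, isy)
    forwarded_stranger = router.inbound("tcp", stranger, 8443, t0)

    # 2) ISY opens the connection to the portal: only the portal's replies come back through.
    port = router.outbound("tcp", isy, portal, t0)
    proxied_portal = router.inbound("tcp", portal, port, t0 + 60)
    proxied_stranger = router.inbound("tcp", stranger, port, t0 + 60)

    # 3) Idle flows age out; periodic traffic (the assumed keepalive) preserves the mapping.
    web_port = router.outbound("tcp", laptop, website, t0)
    router.outbound("tcp", isy, portal, t0 + 3600)                       # keepalive from ISY
    web_after_timeout = router.inbound("tcp", website, web_port, t0 + IDLE_TIMEOUT["tcp"] + 1)
    portal_after_timeout = router.inbound("tcp", portal, port, t0 + IDLE_TIMEOUT["tcp"] + 1)

    return {
        "forwarded_stranger": forwarded_stranger,
        "proxied_portal": proxied_portal,
        "proxied_stranger": proxied_stranger,
        "web_after_timeout": web_after_timeout,
        "portal_after_timeout": portal_after_timeout,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running it shows the stranger reaching the ISY only through the forwarded port, being dropped on the portal flow's port, and the portal flow surviving the idle timeout while the laptop's idle flow does not. Real routers differ in how strictly they match the remote address and port on inbound packets, so the "wrong peer" drop is the conservative case.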

Posted

Which raises a good question. Where is the portal located and how secure is it? Is it a computer in Michel's bathroom or an AWS/Azure/etc server? Has anyone checked the security of the portal? We all seem to assume that port forwarding is the weak link but maybe it's not and actually the portal is.

 

Edit: While the portal working as a DDNS service is the underlying service, all the real functions people want are all for usability. People wouldn't need to use services like mobilinc connect and could use apps like mobilinc with the portal url for external secure https access, ekeypad, secured maker channel, external IP address, etc based on the numerous threads scattered throughout this forum.

Posted

Which raises a good question. Where is the portal located and how secure is it? Is it a computer in Michel's bathroom or an AWS/Azure/etc server? Has anyone checked the security of the portal? We all seem to assume that port forwarding is the weak link but maybe it's not and actually the portal is.

 

The portal seems to be hosted by Amazon Technologies Inc. ping.eu

 

NetRange: 52.0.0.0 - 52.31.255.255
CIDR: 52.0.0.0/11
NetName: AT-88-Z
NetHandle: NET-52-0-0-0-1
Parent: NET52 (NET-52-0-0-0-0)
NetType: Direct Allocation
OriginAS:
Organization: Amazon Technologies Inc. (AT-88-Z)
RegDate: 1991-12-19
Updated: 2015-03-20
Ref: http://whois.arin.net/rest/net/NET-52-0-0-0-1

OrgName: Amazon Technologies Inc.
OrgId: AT-88-Z
Address: 410 Terry Ave N.
City: Seattle
StateProv: WA
PostalCode: 98109
Country: US
RegDate: 2011-12-08
Updated: 2014-10-20
Comment: All abuse reports MUST include:
Comment: * src IP
Comment: * dest IP (your IP)
Comment: * dest port
Comment: * Accurate date/timestamp and timezone of activity
Comment: * Intensity/frequency (short log extracts)
Comment: * Your contact details (phone and email)
Comment: Without these we will be unable to identify the correct owner of the IP address at that point in time.
Ref: http://whois.arin.net/rest/org/AT-88-Z

 

 

 

Jon...
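To make the pasted ARIN record usable rather than just readable, here is an added Python script (not from the post, from ping.eu or from ARIN) that re-splits the run-together network record into fields, checks that the CIDR and NetRange fields agree, and tests whether an address falls inside the allocation. The address tested is a constructed one, since the post does not give the portal's resolved IP; the record text embedded below is the one the post quotes.

```python
"""Parse a run-together ARIN network record and check an address against it."""
import ipaddress
import re

# The network record quoted in the post, in the single-line form whois output
# often ends up in when pasted into a forum.
ARIN_RECORD = (
    "NetRange 52.0.0.0 - 52.31.255.255 CIDR 52.0.0.0/11 NetName AT-88-Z "
    "NetHandle NET-52-0-0-0-1 Parent NET52 (NET-52-0-0-0-0) NetType Direct Allocation "
    "OriginAS: "
    "Organization Amazon Technologies Inc. (AT-88-Z) RegDate 1991-12-19 "
    "Updated 2015-03-20 Ref http://whois.arin.net/rest/net/NET-52-0-0-0-1"
)

# Field names of an ARIN network object; the text is re-split on these.
ARIN_NET_FIELDS = ("NetRange", "CIDR", "NetName", "NetHandle", "Parent", "NetType",
                   "OriginAS", "Organization", "RegDate", "Updated", "Ref")
_FIELD_RE = re.compile(r"\b(" + "|".join(ARIN_NET_FIELDS) + r")\b:?\s*")


def parse_arin_flat(text: str) -> dict:
    """Split the flattened record into {field: value}; empty fields (OriginAS) map to ''."""
    parts = _FIELD_RE.split(text)
    # parts[0] is whatever preceded the first field, then key, value, key, value, ...
    return {key: value.strip() for key, value in zip(parts[1::2], parts[2::2])}


def net_range(record: dict) -> tuple:
    """Return (first, last) addresses of the NetRange field."""
    start, end = (s.strip() for s in record["NetRange"].split("-"))
    return ipaddress.ip_address(start), ipaddress.ip_address(end)


def ip_in_netrange(ip: str, record: dict) -> bool:
    """True if ip lies within the record's NetRange (inclusive)."""
    start, end = net_range(record)
    return start <= ipaddress.ip_address(ip) <= end


def cidr_matches_range(record: dict) -> bool:
    """Sanity check: the CIDR and NetRange fields should describe the same block."""
    net = ipaddress.ip_network(record["CIDR"], strict=True)
    start, end = net_range(record)
    return net.network_address == start and net.broadcast_address == end


if __name__ == "__main__":
    rec = parse_arin_flat(ARIN_RECORD)
    # Constructed example address; the post does not give the portal's actual resolved IP.
    example_ip = "52.10.1.1"
    for field, value in rec.items():
        print(f"{field}: {value}")
    print("CIDR agrees with NetRange:", cidr_matches_range(rec))
    print(example_ip, "inside allocation:", ip_in_netrange(example_ip, rec))
```

The same check, pointed at whatever address my.isy.io resolves to on a given day, answers the "who hosts it" question without having to eyeball the whois output.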

Posted

Not sure what the conversation on Elk is about.

 

Lou

 

The thread started because vbphil was looking for best practices so he could manage his Elk remotely using eKeypad.

 

By post #7, he got everything working via the port-forwarding method (except when connecting via cellular).

By post #12, he had successfully switched to using the ISY Portal (except when connecting via cellular).

By post #14, he resolved the cellular issue (which was related to a setting on his phone).  

 

Your post #15 (after everything was solved) brought Dynamic DNS into the conversation as "a viable method" ... for what?  It was good information, but since the OP had resolved his problem and it didn't have anything to do with DDNS, it seemed like a non sequitur, or as cyberk phrased it, "off target".

Posted

I don't really see any difference, in accessibility,  cracking a password on a Portal server vs. cracking the password on my ISY994.

 

However the technique described by cyberk would limit the type of access to my ISY with ISY only permitting the types of operations that could be accessed remotely.

 

I mean with a cracked Portal password an attacker could probably operate the heck out of my HA but not upload a trojan horse into my ISY to get further access to the rest of my LAN equipment unless the ISY end Portal client allows that type of action (e.g. upgrade firmware via the portal?). With a cracked ISY password we definitely could because that type of action is part of ISY's makeup.

Posted

The thread started because vbphil was looking for best practices so he could manage his Elk remotely using eKeypad.

 

By post #7, he got everything working via the port-forwarding method (except when connecting via cellular).

By post #12, he had successfully switched to using the ISY Portal (except when connecting via cellular).

By post #14, he resolved the cellular issue (which was related to a setting on his phone).  

 

Your post #15 (after everything was solved) brought Dynamic DNS into the conversation as "a viable method" ... for what?  It was good information, but since the OP had resolved his problem and it didn't have anything to do with DDNS, it seemed like a non sequitur, or as cyberk phrased it, "off target".

I suggest you read cyberk's comment, again, with particular attention to the subject matter being commented on.

 

The DDNS discussion is in conjunction with the OP's "answer" for his OP request and the interpretation of the thread flow is more "off target", and a distraction of the OP, than the conversations happening, as is my comment, on your comment, on the other comments. :)

Posted

The thread started because vbphil was looking for best practices so he could manage his Elk remotely using eKeypad.

 

By post #7, he got everything working via the port-forwarding method (except when connecting via cellular).

By post #12, he had successfully switched to using the ISY Portal (except when connecting via cellular).

By post #14, he resolved the cellular issue (which was related to a setting on his phone).  

 

Your post #15 (after everything was solved) brought Dynamic DNS into the conversation as "a viable method" ... for what?  It was good information, but since the OP had resolved his problem and it didn't have anything to do with DDNS, it seemed like a non sequitur, or as cyberk phrased it, "off target".

 

I suppose if this were a technical support page and I were paid to answer questions in a chat window that would be about right.  But it is a forum.  Forums are places to discuss ideas.  You are supposed to expand the topic.

You quote me as saying "viable method" relating to dyndns.  Well, I guess it is, but I didn't say that and that wasn't the point.  The point was that the portal was brought up as a way to keep in touch with ISY as opposed to taking care of it on your own hardware.   In the context of a forum, I wanted to compare and contrast the newly discussed method (portal) vs the standard, and to that end, how the portal works.  My point was that the portal was doing the work of tracking your dynamic IP for you.  Reading my post, I can see where there was some confusion that perhaps I meant that the portal was a regular dynamic dns server.  What I was really getting at was the paragraph related to how the portal is managing the ports.

Posted

I don't really see any difference, in accessibility,  cracking a password on a Portal server vs. cracking the password on my ISY994.

 

 

 

The difference is on the pathway to cracking the password.  With an open port on your router, every IP in the world can access that port and go to town trying to crack your ISY password.  With the portal, there are no open ports.  It is a one-to-one link between portal IP/port and end user IP/port.  Of course the portal has open ports.  So now it is a two step process to hack your ISY.  First they have to hack the portal.  Once in the portal, they can use the portal as a proxy to get to your ISY.  Then they have to hack the ISY password.  Presumably the portal, being a paid professional service, has better monitoring than your home router (which you probably never check stats on) and would pick up on a hack before it gets all the way through.

 

While I think the portal is kind of cool, I don't really see that it is all that necessary.  I have a dyndns service since I need access to lots of things besides ISY.  Setting up port forwarding is a skill which I am very comfortable with.  And finally, I don't really think my ISY is much of a target, and even if it were hacked I'm not sure the repercussions would be all that bad.  Perhaps someone could turn it into a proxy on my LAN and get control of the whole thing?  That would be bad.
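The monitoring point in the post (an exposed port gets tried by every IP in the world, and a home router rarely shows you that) is something a defender can check for themselves on whatever their ISY or router logs. The script below is an added example, not from the thread or from Universal Devices: the log line format and the sample lines are constructed, and the regex would need adjusting to a real device's log format. It counts failed logins per source address in a sliding time window and reports the sources that cross a threshold, which is the basic shape of a brute-force alert.

```python
"""Sliding-window count of failed logins per source IP over constructed log lines."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in a generic syslog-like shape; not real ISY or router output.
SAMPLE_LOG = """\
2016-04-02 10:00:01 auth failure src=192.0.2.99 user=admin
2016-04-02 10:00:02 auth failure src=192.0.2.99 user=admin
2016-04-02 10:00:03 auth failure src=192.0.2.99 user=root
2016-04-02 10:00:04 auth failure src=192.0.2.99 user=admin
2016-04-02 10:00:05 auth failure src=192.0.2.99 user=admin
2016-04-02 10:00:06 auth failure src=192.0.2.99 user=admin
2016-04-02 10:00:30 auth failure src=198.51.100.7 user=phil
2016-04-02 10:03:00 auth success src=198.51.100.7 user=phil
2016-04-02 11:00:00 auth failure src=203.0.113.5 user=admin
2016-04-02 11:20:00 auth failure src=203.0.113.5 user=admin
"""

# Assumed line layout: "<date> <time> auth <failure|success> src=<ip> user=<name>"
LINE_RE = re.compile(r"^(\S+ \S+) auth (failure|success) src=(\S+) user=(\S+)$")


def parse(line: str):
    """Return (timestamp, outcome, src_ip, user) or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
    return ts, m.group(2), m.group(3), m.group(4)


def find_bruteforce(log_text: str, threshold: int = 5,
                    window: timedelta = timedelta(minutes=10)) -> dict:
    """Map each source IP that reaches `threshold` failures within `window`
    to the timestamp at which it first crossed the threshold."""
    recent = defaultdict(deque)   # src_ip -> timestamps of recent failures
    alerts = {}
    for line in log_text.splitlines():
        parsed = parse(line)
        if parsed is None:
            continue
        ts, outcome, src, _user = parsed
        if outcome != "failure":
            continue
        q = recent[src]
        q.append(ts)
        while q and ts - q[0] > window:   # drop failures that fell out of the window
            q.popleft()
        if len(q) >= threshold and src not in alerts:
            alerts[src] = ts
    return alerts


if __name__ == "__main__":
    for src, when in find_bruteforce(SAMPLE_LOG).items():
        print(f"{src}: {when:%Y-%m-%d %H:%M:%S} reached 5 failures within 10 minutes")
```

With the sample data only 192.0.2.99 trips the alert; the two failures from 203.0.113.5 are twenty minutes apart and never accumulate inside the window, and the one mistyped password from 198.51.100.7 is followed by a success. Threshold and window are the two knobs to tune against a device's normal traffic.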

Posted

Hi apostolakisl,

 

ISY Portal is NOT at all NAT and/or DDNS based. ISY makes an outbound connection to my.isy.io, the user must approve this connection in the Portals tab (and you cannot approve/revoke permissions while you are on ISY Portal connection; you MUST be local to ISY). Once the connection is approved and the email account is verified, then the Portal acts as a proxy between the user and ISY. The online status in the Portal as well as the Portals tab (Admin Console) simply says that this connection is active.

 

With kind regards,

Michel

Posted

Back on the original topic, is there a way to access the Elk through the ISY portal using eKeypad? It seemed like the thread was moving in that direction, but eKeypad doesn't seem to expose a security-related tab for the ISY. The only way I can get it to talk to my Elk is to go directly to the Elk via port forwarding.

 

My goal here is to avoid the long authentication delay that I always see when I launch eKeypad. It always takes 5-10 seconds to connect and that's annoying when I want to arm or disarm my alarm system.

Posted

Hi apostolakisl,

 

ISY Portal is NOT at all NAT and/or DDNS based. ISY makes an outbound connection to my.isy.io, the user must approve this connection in the Portals tab (and you cannot approve/revoke permissions while you are on ISY Portal connection; you MUST be local to ISY). Once the connection is approved and the email account is verified, then the Portal acts as a proxy between the user and ISY. The online status in the Portal as well as the Portals tab (Admin Console) simply says that this connection is active.

 

With kind regards,

Michel

 

Yes, I know.  My point was that it is doing the work of dyndns.  I was just trying to point out how having a portal compares to using your own port forwarding.

 

Anyone trying to log into ISY remotely has 2 problems to solve.

1) The IP address of their home

2) The port through the router

 

The portal solves both in one entity.  The whole thing I wanted to discuss was the port management.  I thought the IP address thing didn't need but a quick acknowledgement since it is pretty obvious so I only wrote like 5 words to acknowledge it was handled and then wrote a whole bunch on the port management expecting that to be the conversation, not dynamic IP address tracking.

 

The NAT discussion was about the home router.

Posted

Back on the original topic, is there a way to access the Elk through the ISY portal using eKeypad? It seemed like the thread was moving in that direction, but eKeypad doesn't seem to expose a security-related tab for the ISY. The only way I can get it to talk to my Elk is to go directly to the Elk via port forwarding.

 

My goal here is to avoid the long authentication delay that I always see when I launch eKeypad. It always takes 5-10 seconds to connect and that's annoying when I want to arm or disarm my alarm system.

 

If the portal did Elk, it would advertise it.  The portal is a proxy, meaning that it behaves on behalf of your remote client.  A proxy can behave on behalf of a client if it can in certain ways emulate the client, and that would not happen by accident.

 

Of course, with ISY and the Elk module, you can run damn near everything on Elk from ISY.  However, not owning ekeypad, I don't know if it includes the Elk functions.

Posted

Since ekeypad sells an elk module separate from an ISY module, I would say that it is very unlikely that the ISY module would control the Elk.

 

EDIT:  of course you can write programs to display Elk things (like zone status, arm status) as variables on ISY and you can write programs in ISY that control Elk (arm system, relays, etc).  I would expect that ekeypad would display variables and allow you to run programs so the indirect method would probably work.  Though it isn't very elegant.

Posted

I reached out to Jayson from eKeypad and he confirmed that they don't and don't have plans to support the Elk through the ISY portal. He said that it would limit the functionality that they could provide for the Elk in eKeypad. He's also looking at building a module that establishes a VPN or VPN-like connection to improve security vs. simply opening the Elk port to the world.

Posted

Yup that $100 Elk module is worth it huh? Lol Broken now for months.

Wow, it's $100.  Point is moot to me, I have Android.  I would hope that for that price it is good on all of your devices?

 

You could pick up a router with a vpn server on it and run a vpn client on your iphone.  With that you can connect to everything in your network without opening up ports.

Posted

To be clear, eKeypad Pro is $100, but it includes all available modules including Elk. There is one specifically for replicating an Elk keypad (eKeypad Alarm) that costs $29.99 and one with more Elk features for $49, but neither supports non-Elk devices without additional purchases. Still expensive, but you choose the level of functionality that you're willing to pay for.

Posted

 

$100 is the cost of the ISY Elk module which now does not support SSL. This is why the portal has become important to us. There was value in having it but now without SSL I could have had access via my RTI remote for FREE!

Posted

VPN would solve all issues.  It tunnels you through to your router, and then it drops you off in your LAN like you were actually there.  No need to open ports or use any security protocol on top of the VPN for anything in your network.  Unless your LAN is used by people you don't trust.

 

The only downside is that you have to first establish your vpn connection before running the apps on your remote device.  You could set your phone to always use the vpn, but you probably lose speed when surfing the internet since you will be limited to your home ISP upload speed (all downloads get relayed through your home router and then back out to your device).  On the plus side, always using vpn means you don't have to worry about people snooping on you when using wifi hotspots.
