Jump to content

ISY Portal and Elk M1


cyberk

Recommended Posts

Posted

Scott: I am using the elk module, unfortunately the software I'm using doesn't pass over the elk security stuff when connecting via ISY. I'm using ekeypad

 

 

Sent from my iPhone using Tapatalk

Posted

Scott: I am using the elk module, unfortunately the software I'm using doesn't pass over the elk security stuff when connecting via ISY. I'm using ekeypad

 

 

Sent from my iPhone using Tapatalk

Maybe I should ask then what are you trying to achieve and maybe I can be some assistance?

Posted

Scott: I'm looking to get away from having to open incoming ports to my m1xep. I've considered setting up a reverse proxy but 1. Not sure if it will work, 2. Figured I'd try to find another solution first.

 

 

Sent from my iPhone using Tapatalk

Posted

Scott: I'm looking to get away from having to open incoming ports to my m1xep. I've considered setting up a reverse proxy but 1. Not sure if it will work, 2. Figured I'd try to find another solution first.

 

 

Sent from my iPhone using Tapatalk

Understood. Although Im still waiting to see if SSL support ever gets re-implement-ed from the ISY to Elk, so...

 

This may gain traction since people are moving away from Mobilinc Connect for the new portal so maybe this could be a nice side result.

 

You are concerned about security with port forwarding to the Elk?

Posted

Precisely! not to mention that eKeypad has a horrible connection delay when connecting via SSL to the elk.

 

Security is always a concern, I'm not familiar with the Elk connection protocols but something tells me that it's not very secure...especially since ISY can connect to the m1xep and bypass the port username/password, as can ElkRP.

 

I've been using VPN for a while now but that gets pretty annoying. I keep meaning to look into iOS VPN on demand, but that's another story.

 

 

Sent from my iPhone using Tapatalk

Posted

Precisely! not to mention that eKeypad has a horrible connection delay when connecting via SSL to the elk.

 

Security is always a concern, I'm not familiar with the Elk connection protocols but something tells me that it's not very secure...especially since ISY can connect to the m1xep and bypass the port username/password, as can ElkRP.

 

I've been using VPN for a while now but that gets pretty annoying. I keep meaning to look into iOS VPN on demand, but that's another story.

 

 

Sent from my iPhone using Tapatalk

I know there was a post about the SSL a while back. Ill go find the thread and refresh my memory. Then go from there. I am not sure if this is an Elk issue or UDI module update that really needs to happen.

 

I do know I been meaning to look into the Elk notifications available as the module doesnt appear to be able to send me what zone was trigger when the Elk is triggered/violated. Seems like something so standard should be there but is missing. Again not 100% clear if this limitation is due to Elk or the module.

 

Ill post back my findings and interested to see what Michel has to say about this too.

Posted

I'm glad I'm not the only one having issues with the triggered zone notification. Just today I added some additional variables to my "intruder alert" notification, I thought I was perhaps including the wrong variable.

 

Keep us posted on your findings, I will do the same.

 

 

Sent from my iPhone using Tapatalk

Posted

Hello guys,

 

Scott, cyberk does NOT want to open port to M1XEP. This has nothing to do with ISY so I am not sure what ISY/SSL has to do with this topic.

 

cyberk, if:

1. You already have eKeypad

2. Your eKeypad is configured to work with ISY

3. You have the ELK Module

4. YOu have ISY Portal

Then, you can simply have eKeypad configurd to ISY Portal (as if it's an ISY) with your portal credentials. It should work.

 

With kind regards,

Michel

Posted

Hello guys,

 

Scott, cyberk does NOT want to open port to M1XEP. This has nothing to do with ISY so I am not sure what ISY/SSL has to do with this topic.

 

With kind regards,

Michel

Actually thats not 100% true but I don't want to fight with you. The reason he wants to use the portal is because recently the SSL/Username/Password was broke and never fixed. You actually responded to him in the other thread about this.

 

Firmware upgrade to 4.2.30 broke secure port link with Elk - how to fix?

http://forum.universal-devices.com/topic/16529-firmware-upgrade-to-4230-broke-secure-port-link-with-elk-how-to-fix/?hl=%2Belk+%2Bssl

 

Your response was:

 

Hi cyberk,

 

4.2.30 disabled SSL ... ELK was still using SSL up until recently with their new firmware.

 

True: you cannot secure TLS with username/password as it's an out of band from TLS specs perspective.

 

With kind regards,

Michel

 

So based on that we are looking is for an alternative way to secure our security system with the ISY. Thats why I believe he asked the question. If we leave SSL unchecked and open on a nonsecure port, then without a username/password in the Elk module then we open it up to the web. Am I misunderstanding?

Posted (edited)

I'm kind of confused.  If the ISY Portal is in use, then nothing (neither the ISY or ELK) need to be open to the web?

 

It sounds like you can take the special ISY Portal URL and put it in any app that connects to the ISY (like eKeypad).

 

When you use that app, it's going to to connect to the ISY Portal, which then shoots it over to the tunnel to the ISY, when then can manage the Elk.

 

If that's correct, then no port forwarding needs to happen.  The ISY Portal and the ISY take care of that for you.  Nothing's open to the web.

 

The only vulnerability I can see is that if the ISY in the house uses regular HTTP to connect to the Elk in the house, then someone in your house could capture packets on your internal network and snag the login credentials.  But if you've got someone unknown that can access the network inside of your house, there are probably bigger issues that can be addressed first.

 

The fact that the Elk has https turned off doesn't make it open to the web.  Going to your router and port forwarding the port that the Elk uses to the Elk is what would make it open to the web (regardless of if it uses http or https).

Edited by jasont
Posted

I'm kind of confused.  If the ISY Portal is in use, then nothing (neither the ISY or ELK) need to be open to the web?

 

It sounds like you can take the special ISY Portal URL and put it in any app that connects to the ISY (like eKeypad).

 

When you use that app, it's going to to connect to the ISY Portal, which then shoots it over to the tunnel to the ISY, when then can manage the Elk.

 

If that's correct, then no port forwarding needs to happen.  The ISY Portal and the ISY take care of that for you.  Nothing's open to the web.

 

The only vulnerability I can see is that if the ISY in the house uses regular HTTP to connect to the Elk in the house, then someone in your house could capture packets on your internal network and snag the login credentials.  But if you've got someone unknown that can access the network inside of your house, there are probably bigger issues that can be addressed first.

 

The fact that the Elk has https turned off doesn't make it open to the web.  Going to your router and port forwarding the port that the Elk uses to the Elk is what would make it open to the web (regardless of if it uses http or https).

 

Jasont, short answer is, as of this post, with firmware 4.2.3 we now have to turn off username and password and not use SSL. We need to open ports on the router so we can remotely connect to the ELK outside of the portal. Therefore if I understand correctly this leaves us open and not secure connecting from the outside web.

 

To connect we all should be using a VPN to secure our credentials while logging in from the outside.

 

Now for your questions,

 

-If the ISY Portal is in use, then nothing (neither the ISY or ELK) need to be open to the web? - Right no no ports need to be open, thats why he was wondering about using the portal to connect to the Elk via other programs like EKeypad.

 

-When you use that app, it's going to to connect to the ISY Portal, which then shoots it over to the tunnel to the ISY, when then can manage the Elk. - Thats the idea.

 

-If that's correct, then no port forwarding needs to happen.  The ISY Portal and the ISY take care of that for you.  Nothing's open to the web. - Correct and how I see it too. BUT this is not how it works currently. Access to Elk is not via the portal.

 

-The only vulnerability I can see is that if the ISY in the house uses regular HTTP to connect to the Elk in the house, then someone in your house could capture packets on your internal network and snag the login credentials.  But if you've got someone unknown that can access the network inside of your house, there are probably bigger issues that can be addressed first. - True only if your not using the portal. If you are not then ports have to be open and then same response as above with regards to security.

 

-The fact that the Elk has https turned off doesn't make it open to the web.  Going to your router and port forwarding the port that the Elk uses to the Elk is what would make it open to the web (regardless of if it uses http or https). - Again true HOWEVER there is NO username and password or HTTP connection required so its completely open for attack or control.

 

This is how I understand it. Please correct me if I am wrong.

Posted

I think my confusion was thinking that cyberk was having problems getting his eKeypad app working via the ISY Portal, but I see from another thread that's not the case.

 

Sounds like he's asking for the ISY Portal to also act as a portal directly to the Elk, so other software that connects directly to the Elk can tunnel in from the outside.

 

Sorry about that.  

Posted

So just to clear things up, my eKeypad and ISY portal connection is working great. My m1xep to ISY connection is working great. I don't have any issues using the ISY portal at all.

 

This post was about adding an additional feature to the new ISY Portal. I was hoping that the ISY portal could include an option to use M1Cloud. So in other words, you could use the ISY portal to register both an ISY and an ELK m1xep using the M1Cloud infrastructure. M1Cloud is Elk's answer to a portal system but they don't do the full implementation.

 

 

Sent from my iPhone using Tapatalk

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.


×
×
  • Create New...