Bypass login on LAN?


ergodic

Hi ergodic,

 

We can surely develop this feature which simply checks the remote IP address against ISY's address. The only problem is that there are many network tools out there that can fake the source IP address. As such, if your ISY is on the Internet, then it will be at a very high risk.

 

We are going to fix the fact that Admin console requires authentication even after you've been authenticated to ISY. But, we cannot change authentication on ISY itself.

 

With kind regards,

Michel

 

Is there any way to suppress / bypass the ISY login for LAN subnet addresses? I don't really want it or need it on that end of things and it just seems to get in the way.
Link to comment
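
An added example (not part of the original posts, and not UDI's code) of the kind of check discussed above: deciding from the remote address whether a request may skip the login. The function name, parameters and sample addresses are all hypothetical; it assumes the address comes from the accepted TCP socket and that the device knows its own interface and gateway.

```python
import ipaddress

# Headers that indicate a proxy or port-forwarder relayed the request.
PROXY_HEADERS = {"x-forwarded-for", "forwarded", "via", "x-real-ip"}

def lan_bypass_allowed(peer_ip, device_cidr, gateway_ip=None, headers=None):
    """Return (allowed, reason) for skipping the login prompt.

    peer_ip     -- address of the accepted TCP socket, never a header value
    device_cidr -- the device's own interface, e.g. "192.168.1.50/24"
    gateway_ip  -- LAN router; traffic sourced from it may be relayed WAN traffic
    headers     -- request headers, inspected only to detect a relay
    """
    iface = ipaddress.ip_interface(device_cidr)
    try:
        peer = ipaddress.ip_address(peer_ip)
    except ValueError:
        return False, "unparseable peer address"
    # Dual-stack listeners report IPv4 clients as ::ffff:a.b.c.d
    if peer.version == 6 and peer.ipv4_mapped is not None:
        peer = peer.ipv4_mapped
    net = iface.network
    if peer not in net:
        return False, "peer outside device subnet"
    if peer in (net.network_address, net.broadcast_address):
        return False, "not a valid host address"
    if gateway_ip and peer == ipaddress.ip_address(gateway_ip):
        return False, "peer is the gateway"
    if PROXY_HEADERS & {k.lower() for k in (headers or {})}:
        return False, "request was relayed"
    return True, "direct on-subnet peer"

# Constructed sample requests: (peer, device interface, gateway, headers)
SAMPLES = [
    ("192.168.1.23", "192.168.1.50/24", "192.168.1.1", {}),
    ("203.0.113.9", "192.168.1.50/24", "192.168.1.1", {}),
    ("192.168.1.1", "192.168.1.50/24", "192.168.1.1", {}),
    ("::ffff:192.168.1.23", "192.168.1.50/24", "192.168.1.1", {}),
    ("192.168.1.23", "192.168.1.50/24", "192.168.1.1",
     {"X-Forwarded-For": "203.0.113.9"}),
]

def run_samples():
    """Evaluate every constructed sample and return the allow decisions."""
    return [lan_bypass_allowed(*s)[0] for s in SAMPLES]
```

A pass here only shows that the TCP peer sits on the device's subnet; every host on that LAN passes equally, so the check says nothing about who is at the keyboard.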

I really don't want to come off as some know-it-all here, but between NAT routing with private addresses, modern BGP routers at ISPs and a halfway decent premise router the risk of source routed spoofing seems about zero in AD2009.

 

But still, I take your point - it's always a remote possibility. I'd just like the toggle. My wife wants to know why she has to keep doing it every time and I don't have any good answer. I suppose if you really want to secure it, possibly use a MAC table of allowed logins instead of IPs, though I think that's overkill.

 

Anyway, if some antisocial kid in Uzbekistan wants to try to turn on my hall lights, good luck. He's a lot busier these days trying to spread Conficker-C for money. But if it happens I'll just turn the login back on. NBD.

 

On the topic, if anyone's interested and wants something more robust than your average (perfectly-fine) $50 Linksys, I've been running one of the new Sonicwall TZ100 firewalls for about a month at the house which I have to say is just an absolutely incredible deal. Unlimited connects, enhanced O/S, multiple VPN links with VPN client and SSL VPN, assignable ports, ICSA stateful firewall, packet logging, and on and on. For a $200-$300 firewall device you can't touch it.

Link to comment

Hi ergodic,

 

LOL ... you might be right but - mostly for insurance purposes - we cannot take that risk especially since ISY integrates with ELK security system and can open/close garage doors (not just lights/thermostats).

 

Now, is your wife using the IE/Firefox version or is she using the admin console? On IE/Firefox, isn't there an option to save the passwords?

 

With kind regards,

Michel

Link to comment
Now, is your wife using the IE/Firefox version or is she using the admin console? On IE/Firefox, isn't there an option to save the passwords?

 

One more suggestion. Most browsers *except* IE will let you specify login credentials right in the URL. For example:

 

http://username:password@192.168.x.x/devices

 

to access ISY's Devices page.

Link to comment

Even if you enable the registry hack to allow imbedded credentials in IE URLs and specify it that way, the ISY still prompts for the username/password when the ISY Java app comes up. Perhaps there's more to it I don't know about that would get it to work? I know nothing of the Java side of things.

 

I just want the option to turn it off on the LAN, I don't mean to suggest that that should be a permanent change or even a default.

 

And let's be honest: if you use Insteon to control garage doors opening in the first place (and I actually do), any security risk from the ISY console is WAY down on the list of things to worry about.

Link to comment

Hi ergodic,

 

Yes, multiple login for the Java applet is a bug which is going to be fixed so that you would not have to login twice once logged into ISY.

 

With kind regards,

Michel

 

Link to comment

Archived

This topic is now archived and is closed to further replies.

