
Polyglot Cloud vs. Poking Holes in the Firewall



This is a philosophical/technical security question/discussion. With PGC shut down, now the only means of controlling a Polyglot device which doesn't have an open local API is to poke holes from some third party webhook through my firewall into PG3x. Coming from a guy who has spent 35 years in IT, I don't trust those 3rd parties to keep their internet-facing systems safe and secure. Yes, I know the same thing could be said of the code on the devices I put in my home, but these are different to me. One is the work of bad actors trying to do harm in the code of the device and the other is a lack of time, effort, and money it takes to keep a public-facing service safe and secure. Michel shut down PGC for security reasons; isn't poking these holes in the firewall to my local PG3x just as bad or worse?


What are you trying to do exactly? If you are trying to reach the IoX API, you can do that via the portal.

Log into my.isy.io  > Select Tool > Information > ISY Information > URL to ISY

You will be asked for credentials; don't supply the normal admin console credentials, instead supply portal credentials. The same holds true if you use the long ISY URL to open the admin console remotely through the portal.

 

That's cool Javi, but that's not the same thing. UDM is talking "to" the portal and PG3x is talking "to" the portal. Those are both outbound communications from inside my network out to the internet to a joining place, the portal. I don't have to poke any inbound holes in my firewall for that to happen. This is about some other non-UDI company communicating inbound to my local PG3x in order to enable the services of a node server. I'm looking for others' thoughts on that from a security standpoint from those who are security minded.
Edited by theitprofessor
29 minutes ago, theitprofessor said:

This is about some other non UDI company communicating inbound to my local PG3x in order to enable the services of a node server. 

Nothing is inbound. At least I don't think so. Since you have to set up the connection from the PG3x node server side, it's making the link directly with the other system and updating on the short or long poll schedule. PG3x node servers are run locally on the eisy or Polisy. They connect directly to the service they are designed for. Nothing is needing to blindly communicate back to the PG3x service.

Are there specific node servers that you're interested in to ask specific questions about? Otherwise, I think you're assuming something that isn't happening.

 


The other company would need a service similar to Portal if their service needs an inbound connection to equipment/services inside your network. What equipment/service are you trying to connect?

Your UD equipment establishes a persistent connection to Portal. This allows your UD equipment to accept inbound commands using the same persistent connection. So non-UD equipment, such as a sprinkler controller, can be controlled from a remote location if it can be controlled by your UD equipment.


Yes, Rachio is one (probably of only a couple) that require opening a port. 

We've recently added the ability to route webhooks through the Portal so that opening a port isn't necessary. Instead, Rachio would be configured to a unique URL for the Portal system and the Portal would relay that to the node server via a secure remote connection.  

But as I don't think the original Rachio author is actively maintaining the node server, someone would have to take on the task to re-write to use the new webhooks API.

Rachio allowing for local control would be even better.  People have been asking for that for almost 7 years now: https://community.rachio.com/t/api-call-to-local-sprinkler-ip/4152/12

 

3 hours ago, bgrubb1 said:

I think I figured it out: "from the portal" means the AC via the cloud. Not via UD Mobile.

 

Currently remote configuration of PG3x and its Node Servers is only available from UD Mobile. We don't (yet) have a remote web version.

This topic is now closed to further replies.
