Remote access with dyndns account.

Discussion in 'C-Bus Wired Hardware' started by Woody, Aug 6, 2008.

Thread Status:
Not open for further replies.
  1. Woody

    Joined:
    Nov 19, 2006
    Messages:
    40
    Likes Received:
    0
    Location:
    Adelaide Hills
    G'Day guys & girls,
    I'm having trouble finding where I put in the remote dyndns address. I am able to access the remote network by putting the remote IP address & port into Toolkit; that works fine. The customer's place has a dynamic IP so I have set up a dyndns account but have no idea where I put the address. Toolkit seems to only let me put in an IP address under the CNI edit network radio button. I have set up port forwarding in the router. I feel I'm close but no cigar.

    Any help cheers

    Shane
     
    Woody, Aug 6, 2008
    #1
  2. Darpa

    Joined:
    Apr 30, 2006
    Messages:
    426
    Likes Received:
    0
    Location:
    Australia
    I know this doesn't directly solve your problem, but it is a work-around that might help you in the meantime.

    If you open the Windows Command Prompt (go to the Start menu, then Run, or hold down the Windows key, then tap R, then once the Run window is open, type in CMD and hit Enter).

    Then type the ping command, then a space, then the dyndns website address of your customer's account; it will resolve the IP address for you.

    So in other words, once you are in the Windows shell (command prompt), type in the following:
    ping www.sample.com
    This will give you a response similar to the following:
    Pinging www.sample.com [192.168.0.1] with 32 bytes of data:
    As in the above example, it resolves your hostname (www.sample.com) to its IP address, shown in the square brackets (192.168.0.1).

    You would have to do this each time before running Toolkit, but it should only take you 10 or 15 seconds total, so it isn't that big a deal.

    Hope this helps in the meantime,

    Darpa
     
    Darpa, Aug 6, 2008
    #2
  3. ashleigh (Moderator)

    Joined:
    Aug 4, 2004
    Messages:
    2,393
    Likes Received:
    25
    Location:
    Adelaide, South Australia
    Please also be aware that if you have set up dyndns + port forwarding, you most likely have no authentication, so the customer's premises is wide open to hacker attack.

    Not a situation I'd recommend.
     
    ashleigh, Aug 7, 2008
    #3
  4. ICS-GS

    Joined:
    Nov 1, 2004
    Messages:
    347
    Likes Received:
    0
    Location:
    SE Melbourne
    Not sure if I'm barking up the right tree or not here, but could some of the issues here be solved with Windows Remote Desktop?

    This would allow the client the security of accepting or denying remote connections, and you can access Toolkit or anything else you want on the machine at the remote site, as if you were right there....
     
    ICS-GS, Aug 7, 2008
    #4
  5. Darpa

    Joined:
    Apr 30, 2006
    Messages:
    426
    Likes Received:
    0
    Location:
    Australia
    Yes and no,

    To use Remote Desktop, whether it be the Windows flavour or something like VNC, would still require port forwarding, which still leaves ports exposed to the outside world, and as Ashleigh pointed out, this is bad.
    Also, using remote desktop requires a PC at the remote site to always be switched on, which is fine if you have HomeGate or SchedulePlus running on one, but not so good if you are simply using a CNI plugged directly into the site's LAN.

    A far better solution is to use a VPN, which requires both authentication, as well as encryption. That way, the connection to the remote site is encrypted, making it near impossible for an attacker to gain access to the session, as well as not leaving any services openly exposed to the outside world.

    You will find that a lot of domestic broadband routers/modems have VPN server functionality built in, making setting one up quite easy.
     
    Darpa, Aug 7, 2008
    #5
  6. Woody

    Joined:
    Nov 19, 2006
    Messages:
    40
    Likes Received:
    0
    Location:
    Adelaide Hills
    I guess what I'm asking, guys, is: what sort of remote connection is the norm these days? It looks like the phone interface is not used as much these days with broadband around.
    Also keeping in mind that colour touch screens may also need new logic etc.

    On a couple of other posts, it is mentioned about shutting the door or turning off the port forwarding. Is this done by remotely connecting straight to the router?

    I'm just looking for a simple solution to change the odd timer, add a button to the touch screen. Not major surgery to the project, while I'm out on the road with a wireless broadband connection.

    cheers
    Shane
     
    Woody, Aug 7, 2008
    #6
  7. Richo

    Joined:
    Jul 26, 2004
    Messages:
    1,257
    Likes Received:
    0
    Location:
    Adelaide
    As Darpa said, VPNs are pretty much the universal secure solution to this problem.

    VPN = Virtual Private Network

    Putting a CNI directly on the Internet is bad. Exposing any other software directly to the Internet requires careful configuration and maintenance of the software to ensure vulnerabilities are patched ASAP (this includes the Operating System).

    Using a VPN router which is firmware updateable is the best way to go. Something like Astaro http://www.astaro.com is a very good solution, with the added bonus that you can download it and install it on your own hardware for free (it uses Linux as its OS) if you don't want to purchase their router.

    There are several other Linux based router projects that are very good for this that you can set to update automatically with security updates from the web.

    Using a brand name router with VPN capabilities is also an option, but the cheapies are almost never upgraded so I would worry about them not being kept secure over time as the embedded software has vulnerabilities discovered.
     
    Richo, Aug 8, 2008
    #7
  8. tobex

    Joined:
    Nov 3, 2006
    Messages:
    728
    Likes Received:
    0
    Location:
    Sydney, Australia
    I'm not sure if the question has been answered or not but my 2.2 cents worth.

    - DDNS usually goes into the router
    - Any router sold in 2008 does a reasonable job of handling DDNS.

    There is also a thing called DMZ but that is like having the machine directly connected to the internet with no protection at all.

    Most people doing this use VNC which is like PCanywhere. This allows a remote desktop.

    If the remote client is a fixed corporate network then you can in some cases install validation of usage by only allowing the IP address which is valid to enter the network.

    By then you are almost in VPN territory but those VPN systems are another level of technical setup not easily transported to any machine in any location.

    With a DDNS and a port mapping and a browser setup you can install a logon setup at the home end to stop anyone just fiddling with the house.

    I think Clipsal needs to make a mobile phone client which runs over WiFi and install Verisign certificates in the software. Then at least it can be made portable, intelligent and secure. Then all we need is www.clipsal.homegate.com.au to centrally log on to the house and have a handover after verification.

    I dream !


    Generally I use Apple routers and Netgear routers because those have some interesting user features. The Rolls-Royce of routers has a CISCO badge on it (not Linksys).
     
    tobex, Aug 9, 2008
    #8
  9. ashleigh (Moderator)

    Joined:
    Aug 4, 2004
    Messages:
    2,393
    Likes Received:
    25
    Location:
    Adelaide, South Australia
    It seems to me that a lot of the answers here have misunderstood or missed a few important points.

    1/ Connection of something like a CNI directly to the internet (for example, by connecting it to the ethernet port on an ADSL modem) is a very bad move. Doing this leaves your CNI with no protection from the big nasty world.

    2/ In some cases an ADSL router using NAT will be better than a modem, but not much and you can't really count on it. The main reason it will be better is because of the way NAT works: anything arriving will be thrown away unless there was a request sent out from the "LAN" side, in which case answers are looked for and matched up. But you can open a port in which case anything that arrives on that port is just sent on. So a router can, if correctly set up, act as a first level of firewall. But as Richo says, stay away from cheapies.

    3/ Remote desktop, VNC, PCAnywhere, etc are all (for all practical purposes) the same thing. They get you access to the desktop of a PC somewhere else. You still have to know where the somewhere else is. You might be able to use port forwarding and rely on the password access control for these systems. But I wouldn't. For all practical purposes, ALL THESE SOLUTIONS DO NOTHING FOR SECURITY.

    4/ When you use dynamic dns (dyndns, ddns) you need either a modem, router, or piece of software on a PC which detects that the WAN side (normally your ISP) IP address has changed and pushes the new IP address out in the DNS system so that other people can access your machine or system by name. Using DDNS is fine and dandy BUT IT DOES NOTHING FOR SECURITY AT ALL.

    5/ To be secure you need to:

    a) Have a firewall. Sometimes this can be the router which blocks all but a few ports, sometimes this can be a PC. If it's the router, buy a good one. Make sure it is designed to do this function.

    b) Have an external network (unsecure - the internet, your ISP, a dial-up line, an ADSL line, basically anything you don't trust 100%)

    c) Have a secured network. Stuff in this network is what you trust.

    It looks like this:

    Nasty network <---> FIREWALL <---> Clean happy network

    d) THE TROUBLE with the above is the firewall has to basically block EVERYTHING for incoming traffic. That means you can't send data from "nasty network" into "clean happy network". So things like VNC, remote desktop, etc are blocked as well. You can open those ports but you then rely on those pieces of software being very well designed and having no vulnerabilities. AND everything you send is transmitted in "plain text" so that anybody snooping your network traffic can see passwords and so on going past.

    e) So assuming you don't do that, you need a magical method of jumping the gap:

    Nasty network <---> FIREWALL <---> Clean happy network
          ^~~~~~(by magic)~~~~~~~~~~~~~~~>
          |
    Trusted machine

    f) So the hard part is: how do I get Trusted machine to go by magic into the clean happy network?

    g) Answer: you use a VPN - Virtual Private Network. This means you open ONE PORT ONLY in your firewall which will allow the VPN connection to get either into the router or onto a SINGLE machine on the clean happy network. (If you do it that way you set up the router to explicitly forward traffic on the specified port to the specific machine and nowhere else).

    h) This creates a vulnerability (a point of attack) because the hacker needs to attack only the VPN port and might break it. This is why VPN vendors go to a lot of trouble to make that means of attack pretty tight.

    i) THE EFFECT is that you make (from outside) a trusted VPN connection to the IP address of the firewall. It gets sent to wherever the VPN connection will be checked to make sure it's OK (for example to check a password). If it's all OK a connection is established, which looks like this:

    Nasty network <---> FIREWALL <---> Clean happy network
          /---------------------------------------^
          |
    Trusted machine

    So your trusted machine now looks like its INSIDE the firewalled zone and a normal part of the clean happy network.

    Having done this you can then use VNC, remote desktop, or anything else you like to access whatever you like in the clean happy network - as though you were there and directly plugged into it.

    j) The free bonus extra that you get is that VPNs are encrypted as well, so snooping network traffic going past isn't going to do a lot of good. No doubt there are a few good folk out there with a room full of super computers who can crack the encryption in a few weeks - but you are generally not trying to be protected from the spooks anyway.

    k) If you DO NOT go to all this trouble you create the possibility (by simply opening up ports) of attack into the site.

    l) For example if I had a CNI in the clean happy network and I just port forward through the router with no other firewalling, all ANYBODY needs to do is to find the port number of the CNI, find the IP address, and then BINGO you can reconfigure the site OR TAKE CONTROL OF THE LIGHTING IN THE SITE.

    6. Don't assume that too much knowledge is needed and so it won't happen (that's known as "Security through obscurity", and also "No security at all"). The typical time between attacks on an open network is something like 20 seconds. Port scanners are being run all the time by bored liddle hackers. If you open up ports without VPN protection, sooner or later you will get discovered and hacked and there will be hell to pay.
     
    ashleigh, Aug 10, 2008
    #9
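The NAT, port-forward and VPN behaviour ashleigh walks through in points 2, 5d, 5g, 5i and 5l can be seen in a toy model. The following is an added example written for this thread; it is not code from the thread, from Clipsal or from any router or VPN product. Every address, port and password in it is constructed, and NAT address rewriting is not modelled (packets are shown with their LAN-side addresses), so it only illustrates the policy decisions: unsolicited inbound traffic is dropped, answers to LAN requests are matched against state, a port forward lets anybody reach the CNI, and a VPN peer is only let in after authenticating.

```python
"""Toy model of the router/firewall behaviour described in ashleigh's post (points 2, 5a,
5d, 5g, 5i and 5l). Added example, not code from the thread or from any product.
Addresses, ports and the password are constructed; NAT rewriting is not modelled."""
import hmac
from dataclasses import dataclass, field

CNI_PORT = 10001  # constructed example port for the CNI
CNI_LAN_ADDR = f"192.168.1.50:{CNI_PORT}"
VPN_PORT = 1194   # constructed example port for the single VPN listener (point 5g)


@dataclass(frozen=True)
class Packet:
    direction: str  # "in" (arriving from the nasty network) or "out" (leaving the clean network)
    src: str        # "ip:port"
    dst: str        # "ip:port"


@dataclass
class Firewall:
    vpn_password: str
    forwards: dict = field(default_factory=dict)   # WAN port -> "lan_ip:port" (explicit port forward)
    state: set = field(default_factory=set)        # (lan_src, remote) for flows opened from inside (point 2)
    trusted: set = field(default_factory=set)      # WAN IPs that authenticated over the VPN (point 5i)
    log: list = field(default_factory=list)

    def handle(self, pkt):
        """Decide 'pass' or 'drop' for one packet."""
        if pkt.direction == "out":
            # Point 2: a request from the LAN side creates state so the answer can be matched up.
            self.state.add((pkt.src, pkt.dst))
            return "pass"
        src_ip, _ = pkt.src.rsplit(":", 1)
        dst_port = int(pkt.dst.rsplit(":", 1)[1])
        if src_ip in self.trusted:
            # Point 5i: an authenticated VPN peer looks like part of the clean happy network.
            return "pass"
        if (pkt.dst, pkt.src) in self.state:
            # Point 2: this is an answer to something the LAN asked for.
            return "pass"
        if dst_port == VPN_PORT:
            # Point 5g: the one open port; only the authentication exchange lands here, not the LAN.
            return "pass"
        if dst_port in self.forwards:
            # Point 5l: an opened port lets ANYBODY through to that machine, no authentication involved.
            self.log.append(f"forwarded {pkt.src} -> {self.forwards[dst_port]}")
            return "pass"
        # Point 5d: everything else incoming is blocked.
        self.log.append(f"dropped {pkt.src} -> {pkt.dst}")
        return "drop"

    def vpn_connect(self, wan_ip, password):
        """Point 5i: the VPN checks the credential; only on success does the peer become trusted."""
        if hmac.compare_digest(password.encode(), self.vpn_password.encode()):
            self.trusted.add(wan_ip)
            return True
        self.log.append(f"VPN authentication failed from {wan_ip}")
        return False


def run_demo():
    """Walk through the scenarios in the post and return each decision by name."""
    out = {}
    stranger = "203.0.113.5:40000"   # constructed outside address
    remote_web = "198.51.100.9:80"   # constructed web server the LAN talks to

    fw = Firewall(vpn_password="example-only-password")
    out["unsolicited_to_cni"] = fw.handle(Packet("in", stranger, CNI_LAN_ADDR))
    fw.handle(Packet("out", "192.168.1.20:51000", remote_web))
    out["reply_to_lan_request"] = fw.handle(Packet("in", remote_web, "192.168.1.20:51000"))
    fw.vpn_connect("203.0.113.5", "wrong-guess")
    out["cni_after_bad_vpn_password"] = fw.handle(Packet("in", stranger, CNI_LAN_ADDR))
    fw.vpn_connect("203.0.113.5", "example-only-password")
    out["cni_after_vpn_auth"] = fw.handle(Packet("in", stranger, CNI_LAN_ADDR))

    # Contrast (point 5l): the same CNI reached through a plain port forward instead of a VPN.
    open_fw = Firewall(vpn_password="example-only-password", forwards={CNI_PORT: CNI_LAN_ADDR})
    out["cni_with_port_forward_from_anyone"] = open_fw.handle(Packet("in", stranger, CNI_LAN_ADDR))
    return out


if __name__ == "__main__":
    for name, decision in run_demo().items():
        print(f"{name}: {decision}")
```

The last two results are the whole argument of the post side by side: with the VPN the CNI is unreachable until the credential check succeeds, while with a port forward the first stranger to find the port is passed straight through.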
  10. tobex

    Joined:
    Nov 3, 2006
    Messages:
    728
    Likes Received:
    0
    Location:
    Sydney, Australia
    I'm sorry Ashleigh but I don't think it is either so complicated or so dangerous.

    I routinely operate distant appliances through some very clever hardware at the far end. Notwithstanding that I can handle several devices on port 80 (WWW) and map those to another port in the router.

    Someone with a port scanning robot can find a hole in a firewall but what then. It makes no difference. The only exploits people have are those for which they know the hack - such as Microsoft known problems.

    When it comes to beating a custom password on a remote page and then also finding the ports it's either the owner or a very serious hacker. You can never block a serious hacker.

    Remote access can be stabilised and secured. That is part of the way internet operates.

    If clipsal held the sites in a corporate tracker and handled the authentication it would be even more simple and more secure. Then it can be done with issued certificates.

    Otherwise, any high quality product is adequate. The doom and gloom painted isn't justified. This forum is online and I don't see anyone hacking it.

    Notably, you can make your own hack-proof web server and launch the required application as a link within that system.
     
    Last edited by a moderator: Aug 10, 2008
    tobex, Aug 10, 2008
    #10
  11. Woody

    Joined:
    Nov 19, 2006
    Messages:
    40
    Likes Received:
    0
    Location:
    Adelaide Hills
    Man, have I opened up a can of worms.

    I'm just a little sparky wanting to access a few of my sites.

    I had no idea it would be this complicated.

    Yes I am aware of the folk that live in dark rooms glued to computer screens never seeing the light of day. Do they really want to hack into a lighting system, or is it that once they are in the CNI they can travel anywhere on your network?

    By the look of the responses, there is no clear cut way of remote access without the threat of outside attack. On my own site, I would probably give it a go. But there is no way I am risking someone else's data. If important info was breached, we could all end up in court.

    I liked the sound of the digital certificates (like the ATO with online BAS)

    Well I think at this stage I'm going to sit on the fence & see what else comes along.

    Cheers
    Shane
     
    Woody, Aug 10, 2008
    #11
  12. tobex

    Joined:
    Nov 3, 2006
    Messages:
    728
    Likes Received:
    0
    Location:
    Sydney, Australia
    You will notice that most if not all routers have a DMZ. This is one IP address where the machine at that location is totally unshielded from the internet.

    It's a good way to poke around and get some experience with DDNS.

    Beyond that I never had a problem with logging into a PC Anywhere server at a remote location. The server is set up at the client end, not the installer end, and DDNS takes you directly to the customer's location.

    The information on which ports need to be opened is included with the software.

    Then if you want to see who is trying to attack your client you can look into the log of the router.
     
    tobex, Aug 10, 2008
    #12
  13. ashleigh (Moderator)

    Joined:
    Aug 4, 2004
    Messages:
    2,393
    Likes Received:
    25
    Location:
    Adelaide, South Australia
    Sorry tobex, I can't let that go without a further comment.

    Doing as you suggest could really and truly, as Woody says, lead to everybody ending up in court. Doing a simple opening-up of your own premises for your own purposes is one thing. Doing it to a paying client is another. The client is likely to be mightily pissed off if they are attacked.

    Would a hacker attack a lighting control system? why not? If they are bored and can have some fun, why wouldn't they? They do all sorts of other dumb things!

    Clipsal can't GUARANTEE that the CNI is free from all possible known and future (and as yet unknown) attack vulnerabilities. That would be silly. All it can do is make a recommendation about best practice.

    Similarly the publisher of this forum can't let a comment about poor practice go past or they get caught in the legal net as well.

    Just imagine some twit putting a 20 story building on the internet with no firewall or protection, and having it hacked so that all the lights go off during a busy day.... and then people get trampled and die in the stairways during the emergency evacuation. Do you want to have anything to do with recommending the practice that led to that situation? I sure don't!!!
     
    ashleigh, Aug 10, 2008
    #13
  14. tobex

    Joined:
    Nov 3, 2006
    Messages:
    728
    Likes Received:
    0
    Location:
    Sydney, Australia

    If anyone wants to take me to court they can do an ASIC search for Tobex and send me the summons.

    All this scare and gloom is bordering on Henny Penny. Notwithstanding that routers are about $80 and putting one machine on 10.0.0.1 and the other machines behind a second router on 192.168.0.1 would mean being able to crack DOUBLE NAT.

    Now before you send in the QCs I suggest trying some experiments to see if I am wrong or not.

    As for the death trample ... I should point out that they were able to replicate 'human factors' in an aircraft evacuation. Several people went to hospital in the death trample that followed. All they offered people was $10 for getting out of the plane first and that was enough to cause a panic. Since then it has been clearly understood that C-Bus doesn't change human nature. In addition to which all buildings built to code have battery powered safety lighting. This is something you already know and given the level of natural light would generally only cause OHS problems for those sitting in the sub-300 lumens areas. Hardly a cause for alarm. I'm sure those with iPods welded to their ears would hardly have an idea there was a problem.

    I have sent this URL to a Russian submarine crew. Apparently the Summer is too long, now that the North Pole is melting and submarines are popping up all over the place. So they sit on the deck of the sub getting a tan and hacking randomly searched ports. I don't suppose that since people can now port-transpose that popular but useless port numbers can be used to mask port 80 (www) and thus incur attacks which are not profitable or able to yield results.

    Even if the CEO of Cisco himself wrote a personal assurance there is no reason for Clipsal to give any kind of special promise to internet gateway applications. This is because Clipsal themselves are not hosting the gateways they are just making the tools for setting up your own service. But in a LAN situation there are far better ways to resolve that issue.

    Now back to reality and poking around with tests and experiments.
     
    Last edited by a moderator: Aug 10, 2008
    tobex, Aug 10, 2008
    #14
  15. Darpa

    Joined:
    Apr 30, 2006
    Messages:
    426
    Likes Received:
    0
    Location:
    Australia
    Ignoring all the back-and-forth in this thread, and also ignoring the arguments, and in the interests of keeping things on a level that people who don't work in an IT department can understand, I'd recommend the following:

    I would suggest you buy a good quality router that has a firewall built in.
    Make sure that it is capable of accepting and authenticating VPN connections. (In other words, has a VPN server built-in)
    Is compatible with DDNS (almost all recently released routers).
    Does NOT have a wireless access point built in. (This only opens yet ANOTHER possible way of breaching the network, and unless it is a must have for the site, it is advisable to not have that feature present.)
    (As was mentioned before, Netgear do a reasonable job of providing these features, and I have used them many times myself with good results on smaller installations).

    These can be bought at very reasonable prices, usually between $70 and $300, depending on features and quality.
    Make sure the brand of router you purchase has a history of releasing firmware updates on a regular basis, to ensure that updates for the one you select will be released in the future if the need arises.

    Next, once you have bought the router, check to see if there are any firmware updates, if so, do some checking on the internet to make sure that there are no major issues with that update (Google is your friend).
    If all is okay, update the firmware.
    Next, set up the router, configuring VPN, and DDNS. Make sure you use the best security options available in the unit.
    Finally, install the router at the customer's premises, set up the ISP's login details, and connect it to the local LAN, or directly to the CNI.

    Go back to your base, and using the VPN client relevant to the router installed, remotely login to that router using VPN and DDNS.
    If all works, then great, you should now have remote access to the CNI, as well as a "reasonable" level of security for that site's network.

    If you have done all of this right, there should now be no more risk to that site's LAN and CBus network than there is on most well set-up residential internet connections.
    Nothing is infallible, nothing is foolproof, and nothing is hackproof, but you will have taken all reasonable steps, at a reasonable cost, to prevent the vast majority of nasties on the internet from affecting that site.

    Of course there are more secure ways of doing this, but the costs and complexity escalate rapidly after that.
    If you don't already have a detailed understanding of how to set up secure firewalls, VPN or other remote access methods, then going to that next level and setting up these things yourself will most likely leave you even more exposed to the threats that come with the internet.
    Also, avoid opening ports, and avoid using port-forwarding, as this directly opens holes in the firewall through which hackers or who/whatever can penetrate.

    If the site you are at has an extensive LAN (which would mean it probably has an IT guy looking after it already), then I would suggest setting up a separate internet connection just for the CNI. Even the cheapest plans from most ISPs will be more than enough for the occasional remote access to the CBus network, and by separating the local LAN and the CNI onto physically isolated networks, you are simply adding another layer of security.

    I hope this simplifies the arguments for you. I know that there are differences of opinion, and I am in no way saying that everything I have said is perfect, but I know from experience that if you follow the advice I've given above, you will have taken all reasonable steps to protect your client's site.

    Regards,
    Darpa
     
    Last edited by a moderator: Aug 10, 2008
    Darpa, Aug 10, 2008
    #15
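Darpa's "set up the router, configuring VPN and DDNS" step and ashleigh's point 4 both lean on the same small piece of logic: something has to notice that the WAN address changed and push the new one out to the DNS provider, and nothing else. The following is an added example of that update loop, written for this thread; it is not code from the thread, from Clipsal, or from any router or DDNS provider. The WAN lookup and the provider's update call are injected as plain callables (in a real deployment they would be the router's WAN status query and the provider's update API, neither of which is assumed here), so the demo runs offline over a constructed address history, including the two failure modes a practitioner wants handled: the lookup returning a LAN address that must never be published, and the provider rejecting an update that therefore has to be retried.

```python
"""DDNS update loop. Added example for ashleigh's point 4 and Darpa's "configure DDNS" step;
not code from the thread, from Clipsal or from any DDNS provider. The lookup and push
callables are injected, so the demo below runs offline on a constructed address history."""
import ipaddress

# Ranges that must never be published as the site's public address: RFC 1918, loopback and
# link-local. Listed explicitly rather than via ipaddress.is_private so that the documentation
# range 203.0.113.0/24 used in the constructed demo still counts as public.
NEVER_PUBLISH = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16",
    "::1/128", "fc00::/7", "fe80::/10")]


def is_publishable(ip_text):
    """True for a syntactically valid address that is outside the never-publish ranges."""
    try:
        addr = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return not any(addr in net for net in NEVER_PUBLISH if net.version == addr.version)


class DdnsUpdater:
    def __init__(self, hostname, lookup_wan_ip, push_update):
        self.hostname = hostname
        self.lookup_wan_ip = lookup_wan_ip  # () -> current WAN address as text; may raise
        self.push_update = push_update      # (hostname, ip) -> True if the provider accepted it
        self.published = None               # last address the provider confirmed
        self.events = []

    def poll(self):
        """One timer tick. Returns 'unchanged', 'updated', 'invalid' or 'retry'."""
        try:
            current = self.lookup_wan_ip()
        except Exception as exc:  # modem not answering, link down, ...
            self.events.append(f"lookup failed: {exc}")
            return "retry"
        if not is_publishable(current):
            self.events.append(f"refusing to publish {current!r}")
            return "invalid"
        if current == self.published:
            return "unchanged"  # nothing to do, and no needless traffic to the provider
        if self.push_update(self.hostname, current):
            self.published = current
            return "updated"
        self.events.append(f"provider rejected update to {current}")
        return "retry"  # self.published is untouched, so the next tick tries again


def run_demo():
    """Drive the updater over a constructed WAN-address history with one provider failure."""
    history = iter(["203.0.113.10", "203.0.113.10", "192.168.1.1",
                    "203.0.113.22", "203.0.113.22", "203.0.113.22"])
    provider_records = []
    failures = {"remaining": 1}  # make the provider reject the first push of .22

    def push(hostname, ip):
        if ip == "203.0.113.22" and failures["remaining"]:
            failures["remaining"] -= 1
            return False
        provider_records.append((hostname, ip))
        return True

    # Hostname is a constructed placeholder, not a real DDNS account.
    updater = DdnsUpdater("example-site.dyndns.example", lambda: next(history), push)
    results = [updater.poll() for _ in range(6)]
    return results, provider_records


if __name__ == "__main__":
    results, records = run_demo()
    print(results)
    print(records)
```

Two design points worth noting: the updater compares against the last address the provider actually confirmed, not the last one it saw, so a failed push is naturally retried on the next tick; and it refuses to publish anything in the RFC 1918 ranges, which is what you would otherwise get if the "WAN" query accidentally answered with the router's LAN side.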
  16. znelbok

    Joined:
    Aug 3, 2004
    Messages:
    1,151
    Likes Received:
    17
    Close the thread??

    Isn't it about time the thread was closed?

    It has been before because of differences of opinion.

    Mick
     
    znelbok, Aug 10, 2008
    #16
  17. Richo

    Joined:
    Jul 26, 2004
    Messages:
    1,257
    Likes Received:
    0
    Location:
    Adelaide
    + 1 for Darpa's comment. We see eye to eye on this one.
     
    Richo, Aug 10, 2008
    #17
  18. tobex

    Joined:
    Nov 3, 2006
    Messages:
    728
    Likes Received:
    0
    Location:
    Sydney, Australia
    Hi Darpa,

    I think you explained it all very well.
     
    tobex, Aug 11, 2008
    #18