Author Topic: This can't be true ... no local security on UI7/Vera Edge???  (Read 6542 times)

Offline jtlns

  • Newbie
  • *
  • Posts: 2
  • Karma: +0/-0
This can't be true ... no local security on UI7/Vera Edge???
« on: February 18, 2015, 04:04:43 am »
Hi everyone,

I just got a Vera Edge and some zwave devices. Configuration of these devices, scenes etc. went smooth! :)

I was really amazed by the fact that if you browse to the device using it's local IP address, you end up directly on it's web user interface (without providing a username/password). And I can't seem to find an option to add some security locally. The only option I could find is "Secure your Vera" which appears to disable local access to the Edge completely (so you have to go via home.getvera.com). BUT this only works if there is internet connectivity ...

Please tell me there is another way you can secure the Vera Edge locally ...

Thanks!
Jan

Offline garrettwp

  • Beta Testers
  • Master Member
  • *****
  • Posts: 6376
  • Karma: +227/-128
  • Vera 3, Lite, ISY994
Re: This can't be true ... no local security on UI7/Vera Edge???
« Reply #1 on: February 18, 2015, 09:26:34 am »
This has been discussed many times on the forum. The answer is no you can not. I suggest you have a look over the forum for previous discussions on this topic. Google will be a better search utility than the built in search.

- Garrett


Offline andreyklinger

  • Newbie
  • *
  • Posts: 15
  • Karma: +1/-0
Re: This can't be true ... no local security on UI7/Vera Edge???
« Reply #2 on: February 19, 2015, 04:19:40 am »
Actually there is something you can do, but it it depends on your usecase.
I didn't try it, but I guess you can just put an .htaccess file that will require username/password.
However if you use any local device that needs to report status (via http) to you Vera - it won't work

Offline RichardTSchaefer

  • Master Member
  • *******
  • Posts: 9731
  • Karma: +737/-136
    • RTS Services Plugins
Re: This can't be true ... no local security on UI7/Vera Edge???
« Reply #3 on: February 19, 2015, 10:36:02 am »
That would break all remote apps (mobile).


Offline BOFH

  • Sr. Hero Member
  • ******
  • Posts: 2410
  • Karma: +112/-139
Re: This can't be true ... no local security on UI7/Vera Edge???
« Reply #4 on: February 19, 2015, 12:33:26 pm »
Only for local access. Remote access (even if you are local) should still work as it goes via the GetVera servers.
But I agree on it not being a good idea to use a .htaccess file if you use apps.
Vera3 UI5 UI7 Edge Plus
Trane TZEMT400AB32 | Schlage BE369 FE599 | GE 45601 45602 45603 45604 45606 45609 45631 | Intermatic HA01C HA03C HA05C HA07C CA600 CA3000 | Aeon DSC06106 | Telguard GDC1 | Foscam FI8910W FI8905W FI9821W | D-Link 930L | Wanscam JW0011 | ZModo ZPIBH13W

Offline RichardTSchaefer

  • Master Member
  • *******
  • Posts: 9731
  • Karma: +737/-136
    • RTS Services Plugins
Re: This can't be true ... no local security on UI7/Vera Edge???
« Reply #5 on: February 19, 2015, 01:23:14 pm »
Also .htaccess would not restrict access to the  LUAUPnP app either (only the access through /port_3480)

Offline andreyklinger

  • Newbie
  • *
  • Posts: 15
  • Karma: +1/-0
Re: This can't be true ... no local security on UI7/Vera Edge???
« Reply #6 on: February 20, 2015, 12:24:00 pm »
Port 3480 can be blocked via the router. (Since apps can't work locally anyway)
I don't think it will block apps working remotely, would it?

Offline AnttiK

  • Newbie
  • *
  • Posts: 10
  • Karma: +0/-0
Re: This can't be true ... no local security on UI7/Vera Edge???
« Reply #7 on: September 14, 2015, 01:17:34 pm »
I'm thinking of dumping Vera for this specific reason. Now I have been moving my "no need to be in LAN" devices to other VLAN without LAN access, but still the problem remains.

Offline Fryswatter

  • Jr. Member
  • **
  • Posts: 99
  • Karma: +0/-0
Re: This can't be true ... no local security on UI7/Vera Edge???
« Reply #8 on: September 09, 2016, 03:53:46 pm »
I know this post is old, but if you secure your local network properly then you have nothing to worry about.

Offline integlikewhoa

  • Master Member
  • *******
  • Posts: 5585
  • Karma: +152/-368
Re: This can't be true ... no local security on UI7/Vera Edge???
« Reply #9 on: September 09, 2016, 05:36:36 pm »
I know this post is old, but if you secure your local network properly then you have nothing to worry about.

There is alot of other reasons and solutions also. But for example you want to keep your teenage kids out of certain devices. Some people have roomates or share internet in vacation homes/condos. I know there are many reasons to allow people to share internet but not leave vera wide open to anyone. Sure you can Vlan and other things but why not just allow a user and password to connect to local connections vs. going threw vera servers or isolating a vera on its own Vlan?

Offline Fryswatter

  • Jr. Member
  • **
  • Posts: 99
  • Karma: +0/-0
Re: This can't be true ... no local security on UI7/Vera Edge???
« Reply #10 on: September 10, 2016, 12:23:12 am »
I know this post is old, but if you secure your local network properly then you have nothing to worry about.

There is alot of other reasons and solutions also. But for example you want to keep your teenage kids out of certain devices. Some people have roomates or share internet in vacation homes/condos. I know there are many reasons to allow people to share internet but not leave vera wide open to anyone. Sure you can Vlan and other things but why not just allow a user and password to connect to local connections vs. going threw vera servers or isolating a vera on its own Vlan?

I couldn't agree with you more. However in those instances described above, I would be concerned with Internet access for those types of individuals if I were alowing such a thing. Especially considering those circumstances. But whole heartedly agree with you as far as simplicity is concerned.

Offline integlikewhoa

  • Master Member
  • *******
  • Posts: 5585
  • Karma: +152/-368
Re: This can't be true ... no local security on UI7/Vera Edge???
« Reply #11 on: September 10, 2016, 12:43:43 am »
However in those instances described above, I would be concerned with Internet access for those types of individuals if I were alowing such a thing.

I think I lost you or I don't understand what you mean.

So my teenagers/kids should not have internet access or local wifi? They are old enough and smart enough to eat up cell data if I block them from local wifi nor do I want to regularly block them from wifi or internet. My solution was a Vlan or guest network which works great for my kids and guests. I also could have enabled secure my vera, but that also has its own issues. 

Offline Fryswatter

  • Jr. Member
  • **
  • Posts: 99
  • Karma: +0/-0
Re: This can't be true ... no local security on UI7/Vera Edge???
« Reply #12 on: September 10, 2016, 12:52:45 am »
However in those instances described above, I would be concerned with Internet access for those types of individuals if I were alowing such a thing.

I think I lost you or I don't understand what you mean.

So my teenagers/kids should not have internet access or local wifi? They are old enough and smart enough to eat up cell data if I block them from local wifi nor do I want to regularly block them from wifi or internet. My solution was a Vlan or guest network which works great for my kids and guests. I also could have enabled secure my vera, but that also has its own issues.

Lol...no didn't lose me..those are perfectly good options...when i say "allow such a thing" I'm implying that good security measures are the way to go in such an instance. Lol I never stated that one should just not allow internet access.

I haven't used UI7...and don't think I will anytime soon. Still has alot of bugs. So, do the older UI's, however I am perfectly happy with the UI5.

Aside from that even if you password protect the UI,encrypted or not its still included in the Query string and easily sniffed using for example Wireshark if the traffic is monitored from within your network..
« Last Edit: September 10, 2016, 12:58:24 am by Fryswatter »

Offline rene.rpv

  • Newbie
  • *
  • Posts: 1
  • Karma: +0/-0
Re: This can't be true ... no local security on UI7/Vera Edge???
« Reply #13 on: December 18, 2016, 10:09:42 am »
Aside from that even if you password protect the UI,encrypted or not its still included in the Query string and easily sniffed using for example Wireshark if the traffic is monitored from within your network..
Thats just like saying; oh, i don't need a lock on my door since someone is still able to duplicate my key. Or not needing pin-codes since someone is able to see you typing it in.

Username/password authentication should be the first barrier. It is only secure if you have a good encrypted connection, yes.
But not having it a huge flaw. Anyone with a connection to your network could just manage your system as if it were you.