Security of comms to server questions

[samyoue]

Hi all, I've been asked by a big potential client "what protocol/type of message is sent to the exterior vera server."

I've searched and searched and can only find scraps of info which I'm not sure answer my clients concerns. Somewhere I read that Vera uses SSL encryption but is this from phone/desktop to server or Vera controller to server?

I also read that it uses MMS authentication (of which I could find very little info online) from UI6 upwards but again is this from client to server or controller to server?

On top of the encryption method, is there a particular type of message the Vera is sending to the server? ie PHP data or HTML info (I dont have a clue on this bit)

to clarify I'm a hobbyist programmer with a little DIY experience in JavaScript and Lua and my client asking the questions is an IT Project Manager... The Vera is a small but critical component of this project and my lack of knowledge of the deeper details is stalling the whole thing so please help me ASAP!!!

Thank you very much

Sam

Edit: If it makes a difference it will be a Vera Plus running UI7

[RichardTSchaefer]

See:
http://forum.micasaverde.com/index.php/topic,24942.msg174468.html#msg174468

This is used by all mobile apps for remote access since UI6.

There is a simple interface for LAN access to Vera.
To view the interaction between the client and Vera (LAN Access) or the client and Vera remote servers (Remote access)
1) Use Chrome to display the Vera control panel.
2) Right mouse button in the Vera window ... and select Inspect
3) Select the Network tab.
4) Interact with Vera web page, and see the messages/responses to/from Vera/Remote Servers.

[samyoue]

OK thanks for the link, so is my understanding of the remote access connection flow correct?

Vera Plus > (no encryption but read only? ie reads requests left at relay server) > MCV Relay server > (using MMS encryption) > MCV Device server > (using MMS encryption) > MCV Authentication Server > (using SHA1 encryption) > External computer accessing Vera

Thanks for your assistance on the matter

Sam

PS I tried the network monitor and found it to be very interesting but the only security info I could see/understand was on the login page it said secured using TLS1.2 encryption but I'm not sure where this goes in my Network diagram...? Is it just alternative wording for SHA1?

[kigmatzomat]

TLS 1.2 is an evolution of ssl. It replaces SHA1 with SHA256 everywhere by default except message authentication hashes, although it is possible to specify alternates, like rsa or different Hellman. You'd have to watch the initial negotiation process to see the specific cipher suite in use.

https://en.m.wikipedia.org/wiki/Transport_Layer_Security
https://en.m.wikipedia.org/wiki/Cipher_suite

What gets sent to the server depends on UI version. In general event logs and system backups go to the vera cloud. Ui7 also includes some camera video storage.

If you wanted to sever the vera from the net, you could put it on an isolated network segment with no external access behind a VPN server to allow remote access, but then you lose things like weather-driven apps and notifications.

[samyoue]

Ok thats great so the flow should be :

Vera Plus > (no encryption but read only? ie reads requests left at relay server) > MCV Relay server > (using MMS encryption) > MCV Device server > (using MMS encryption) > MCV Authentication Server > (using TLS 1. 2 encryption) > External computer accessing Vera

?

Thanks,

Sam

[kigmatzomat]

My understanding is that veras use an https tunnel back to the main servers for commands and uses ftp for log uploads. I seem to recall from another thread that while the UI7 events are sanitized, applications that write to the log could contain store data,so the use of FTP vs FTPS/SFTP can expose data in the clear.

And for some reason your map direction bothers me. I want the remote client to be the start of the chain as they initiate the connection.

I think you are possibly getting into deeper waters than you want to swim in. Going straight from hobbyist coder to freelance coder has a lot of pitfalls. You might want to consider an alternate platform that doesn't have default remote connectivity, like a Universal Devices ISY994 zwave controller. There is no remote connectivity unless you pay the annual fee for that feature, so the network security issues are less.

[samyoue]

I've already done the plugin which periodically polls a serial device for particular information and emails it as requested, it also sends data to the serial device when i dial in. The plugin works fine and won't need any adjustment once finalised, the client just wants to know their network can't be hacked via the vera system. It's a small but fairly important part of a much bigger project... Hence the network diagram starting from the vera as that's the majority of the data flow from vera out. The data isn't necessarily sensitive its more that people can't get into the network that they are concerned with...

So swap out the one way bit from vera to relay server with a https tunnel and we are good?

Once again thank you for all your help in this!

Sam

[Catman]

How do you secure a data centre e.g. for a bank which has a huge attack surface?

That won't take more than three or four weeks to answer....


C