Foscam Calling Home

nayr

IPCT Contributor
Joined
Jul 16, 2014
Messages
9,329
Reaction score
5,325
Location
Denver, CO
yes but he at least has control over what his BI Server does and the software it runs; his cameras not so much.. so while it's not perfectly secure, it takes care of the problem at hand.. the cameras

now windows and its security issues is best left for a whole different discussion, but he should be using a VPN for access to BI and not forwarding ports to it either :)
 

mcorzine

Young grasshopper
Joined
Feb 29, 2016
Messages
40
Reaction score
13
Location
Illinois
Either way - it sounds like you are exposing a PC on the network to the internet via some unspecified method. That PC it seems has full access to your network.
That's not actually a secure method - it simply adds a bit more obscurity.
If the PC that's accessible from the internet was compromised, you have to assume that the whole network is also.
You're absolutely correct, allowing the world to access my Windows PC would be worse in almost all circumstances. I use the Windows firewall to restrict access to the blue iris webserver then OpenVPN on a separate box to access the home network. The OpenVPN server also has firewall rules on it to only allow traffic from my cell provider's network and family member's ISP.

In this scenario I do lose the ability to directly connect to my cameras remotely.

Sent from my SAMSUNG-SM-N900A using Tapatalk
 
Joined
Sep 5, 2015
Messages
662
Reaction score
484
unless that stunnel is doing x509 auth or something it's not doing anything but providing crypto.. you also need secure and external authentication which that strategy does not provide...

now if you setup like Nginx and do an x509 TLS Proxy to BI, that would be fine.. can't brute force x509 certs, and that's how I access my HomeAutomation system.. I wrote the entire thing up, you should be able to apply it to BI instead of Domoticz, it'd be much the same: https://www.domoticz.com/wiki/Secure_Nginx_Proxy_Setup
Thanks for the info. When I connect, it states the connection is "encrypted using a modern cipher suite. The connection uses TLS 1.2. The connection is encrypted and authenticated using AES_128_GCM and uses ECDHE_RSA as the key exchange mechanism."

It might be easier for me to just use a VPN. Do you have any suggestions for VPN software or VPN apps for the iPhone? I have the Asus RT-AC87U router, I have two choices for a VPN, PPTP or OpenVPN.
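
The difference discussed in the post above, between a tunnel that only encrypts and a proxy that also authenticates the client with an x509 certificate, shown as an added example (not taken from the thread or from the linked Domoticz write-up). The hostname, file paths, and the internal Blue Iris address and port are placeholders and assumptions.

```nginx
# Added illustration: Nginx as a TLS proxy in front of Blue Iris with
# x509 client-certificate authentication. All names, paths and addresses
# below are placeholders.
server {
    listen 443 ssl;
    server_name bi.example.net;                    # placeholder hostname

    # Server certificate: on its own this only provides encryption and
    # server identity, which is all a browser's "encrypted using a modern
    # cipher suite" message confirms.
    ssl_certificate     /etc/nginx/tls/server.crt;
    ssl_certificate_key /etc/nginx/tls/server.key;
    ssl_protocols       TLSv1.2 TLSv1.3;

    # Client authentication: requests are proxied only when the client
    # presents a certificate issued by this private CA. Without these
    # lines the proxy encrypts traffic for anyone who connects.
    ssl_client_certificate /etc/nginx/tls/client-ca.crt;
    ssl_verify_client      on;
    ssl_verify_depth       1;
    # ssl_crl /etc/nginx/tls/client-ca.crl;        # enable to revoke a lost device's cert

    location / {
        # Assumed internal address and port of the Blue Iris web server.
        proxy_pass http://192.168.1.10:81;
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-For   $remote_addr;
        proxy_set_header X-Forwarded-Proto https;
    }
}
```

With this in place, the host firewall on the Blue Iris machine can accept connections to its web server port from the proxy's address only, so the certificate check cannot be bypassed from elsewhere on the LAN.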
 

nayr

PPTP should already be built into your phone with no need for apps.
 

alastairstevenson

Staff member
Joined
Oct 28, 2014
Messages
15,970
Reaction score
6,795
Location
Scotland
then OpenVPN on a separate box to access the home network. The OpenVPN server also has firewall rules on it to only allow traffic from my cell provider's network and family member's ISP.
That is a useful extra level of protection and provides quite a lot of threat mitigation.
Much better than a simple but risky 'port forward' that I didn't really want to accuse you of!
 

alastairstevenson

PPTP should already be built into your phone with no need for apps.
Deprecated - and has been for some years - in its un-enhanced form.
But I have to admit, I have no idea what form might exist in a mobile phone.
 

nayr

yeah it is, You should use L2TP-IPSec over PPTP if given the opportunity, it's just as widely deployed as PPTP by now and anything that supports it should do IPSec also.
 

ruppmeister

Getting the hang of it
Joined
Apr 15, 2015
Messages
668
Reaction score
98
I agree to not use PPTP if at all possible. Here is what is available on iPhone built in for those that care.



Sent from my iPhone using Tapatalk
 