Remote control from anywhere

Revision as of 19:31, 6 December 2016

Advanced Topic

The information on this page assumes that you have the Church Bell Remote app installed on your phone or tablet, Management Suite installed on a PC connected to your Chime Master bell system, and you are able to remote control the bells from inside your facility using the local WiFi network.

Making your bell system available on the public internet

Risks

We always think more than twice about connecting lights, cameras and other Internet of Things (IoT) devices to our own network, so we understand your reluctance too. Search the Internet for more information on IoT risk management. James Andrew Lewis, in his Managing Risk for the Internet of Things, says, "Being risk averse makes us poorer, not safer. There is risk in every technology we use. Hold IoT captive to our fears and we will sacrifice opportunity."

Chime Master continues to develop new products using the latest technologies that will balance ease of use with the highest security practices.

Best Practices

Don't network your bells unless you really need to control them when you are away.

Keep Windows, your phones and tablets, and all software and firmware up to date. We are not fans of third-party antivirus software: Windows 10 comes with all of the security you should reasonably need, and on Windows 7 you should always add Microsoft Security Essentials. Don't use any version of Windows other than these two, and never make a version that no longer receives security updates the Management Suite host. Don't visit nasty websites. Don't respond to email asking for personal information or taking you to web pages that do the same. Don't run with scissors.

The system requires user authentication before accepting commands from the remote control, and once the port is forwarded that login is all that stands between the public internet and your bells. It is only as strong as the user name and password you created in Management Suite, so choose a long password that is not used anywhere else. You should also lock the Management Suite host computer with a good password, so that an unauthorized person cannot change the list of authorized users of the bell system.

Modern routers have firewalls built in, but most IT professionals add a dedicated firewall appliance between the incoming Internet router or modem and the internal network. In the absence of a dedicated firewall, install a router that includes as many of the items on this Router Security Checklist as you can.

Putting any port of any device on your primary network onto the public internet should always be done with planning, forethought and the advice of your IT professional. We recommend that all IoT devices you install in your facility be connected to a dedicated network (a subnet of its own, such as 192.168.120.0/24) apart from your file servers and database systems, so that a compromised device cannot reach them directly. Most newer routers and multi-port firewalls can provide more than one subnet, for guests and for devices (see Guest Networks in the Security Checklist linked above).

If you have an older, unused router available, another way of building a separate network for IoT devices is the multi-NAT (router behind router) arrangement described by security guru Steve Gibson.

Unfortunately, by putting the Management Suite host PC on a VLAN or other isolated subnet, you lock yourself out of using a simple Remote Desktop connection from your office PC to operate Management Suite. A remote-access service such as LogMeIn or GoToMyPC will still work (even from home), because the host makes an outbound connection to the service rather than accepting one from your network. Protect that account as carefully as the host itself; it is another path to the bell system.

Setup

Management Suite PC

Every device on the network needs a unique IP address. By default, Windows PCs get their IP address from the DHCP server on the network, which may be your Windows file server or the Internet router. Typically the DHCP server hands out a range of addresses dynamically; outside this block are the static IP addresses reserved for file servers, printers and any other devices that are always connected.

It is more convenient to connect to the bell system if its address doesn't change as dynamic IP leases expire. Before you set a static address on the PC, find out which addresses are already in use and which block the DHCP server hands out, and pick an address outside that block. After setting it, document it or inform whoever else manages the network. A DHCP reservation on the router (a fixed address tied to the PC's MAC address) achieves the same result without touching the PC and without the risk of two devices claiming the same address.
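The following is an added example of the static-address setup on the Management Suite host, written for this page and not taken from Chime Master's own documentation. It assumes (none of this is stated above) that the adapter is named "Ethernet", that the IoT subnet is 192.168.120.0/24 with the router at .1 acting as gateway and DNS, that the DHCP pool is .100 to .199, and that .10 is the address chosen for the PC. It also checks that the remote control server is listening on port 6777 and opens Windows Firewall for it.

```powershell
# Added example (not from the Chime Master wiki): give the Management Suite host a fixed
# address on the IoT subnet and confirm the remote control server is reachable on it.
# Assumed values: adapter "Ethernet", subnet 192.168.120.0/24, router/DNS at .1, PC at .10.
# Run from an elevated (Administrator) PowerShell at the PC's own keyboard: changing the
# address drops any Remote Desktop session you are running this through.

$Adapter  = 'Ethernet'
$NewIP    = '192.168.120.10'
$Prefix   = 24
$Gateway  = '192.168.120.1'
$Dns      = '192.168.120.1'
$BellPort = 6777

# 1. Record what DHCP gave us, so the old settings can be restored if something goes wrong.
Get-NetIPAddress -InterfaceAlias $Adapter -AddressFamily IPv4 |
    Select-Object IPAddress, PrefixLength | Format-Table -AutoSize

# 2. Make sure nobody else already answers on the address we intend to take. A host that
#    drops ping can still collide, so also check the router's DHCP lease table, and document
#    the address once it is yours.
if (Test-Connection -ComputerName $NewIP -Count 2 -Quiet) {
    throw "$NewIP already answers on the network; choose another address."
}

# 3. Turn off DHCP on the adapter and replace the leased address and default route with static ones.
Set-NetIPInterface  -InterfaceAlias $Adapter -AddressFamily IPv4 -Dhcp Disabled
Remove-NetIPAddress -InterfaceAlias $Adapter -AddressFamily IPv4 -Confirm:$false
Remove-NetRoute     -InterfaceAlias $Adapter -DestinationPrefix '0.0.0.0/0' -Confirm:$false -ErrorAction SilentlyContinue
New-NetIPAddress    -InterfaceAlias $Adapter -IPAddress $NewIP -PrefixLength $Prefix -DefaultGateway $Gateway
Set-DnsClientServerAddress -InterfaceAlias $Adapter -ServerAddresses $Dns

# 4. Confirm the Management Suite remote control server is listening on the port the router
#    will forward. If nothing is listed, start Management Suite before going further.
Get-NetTCPConnection -LocalPort $BellPort -State Listen -ErrorAction SilentlyContinue |
    Select-Object LocalAddress, LocalPort, OwningProcess

# 5. Allow the forwarded connections through Windows Firewall. The router forwards each packet
#    with the phone's public source address intact, so do NOT restrict -RemoteAddress to
#    LocalSubnet here or remote control from outside will fail; the firewall rule on the router
#    and the Management Suite login are the controls on who may connect.
New-NetFirewallRule -DisplayName 'Church bell remote control' -Direction Inbound `
    -Protocol TCP -LocalPort $BellPort -Profile Private, Domain -Action Allow
```

Step 4 is the check worth repeating after every Management Suite upgrade: if the listener is missing, no amount of router configuration will make the app work.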

Port Forwarding

If your tablet or phone already controls the bell system on the internal network, we can make it reachable from the public internet by forwarding the bell system server's port out through the router's firewall. The port to forward is 6777, and the only internal address it should be forwarded to is the PC hosting the Management Suite remote control server. Be aware that a forward of this kind accepts connections from every host on the internet, with the Management Suite login as the only thing separating them from the bells; if your firewall offers a VPN, connecting the phone through it and using the WiFi host entry avoids opening the port at all.

You will set this up on your firewall appliance if you have one, or on the Internet-connected router if you don't. The menu items vary between devices; the pfSense firewall appliance puts this under Firewall > NAT > Port Forward. Enter the following parameters (other firewalls offer similar prompts) to create a new Port Forward:

 Interface: WAN
 Protocol: TCP
 Destination: WAN Address (or another address from your static block, if you have one)
 Destination Port Range: From 6777 To 6777 (the port the phone is set to connect to)
 Redirect target IP: (the static internal IP address of the Management Suite host PC)
 Redirect target port: 6777 (the port the host PC is listening on)
 Description: Church bell remote control (so others understand what the rule is for)
 NAT reflection: Disable
 Filter rule association: Pass

Dynamic Public IP

Static IPs and blocks of IPs are normally part of a commercial Internet service, where you run your own web servers and the like. Most of us have ordinary residential-type Internet service from the phone or cable company at a more reasonable fee. These connections are assigned a dynamic address by the provider (using DHCP) that may change over time.

It has been our experience that as long as the Internet router is on a battery backup and is never turned off, these connections keep their address for long periods. It can still change after an outage or a change at the provider; when it does, the host entry in the app stops working until it is updated with the new address (a dynamic DNS name, which many firewalls can keep updated automatically, avoids this). To determine what address your public Internet connection is currently using, browse to a search engine and enter the search term "what is my ip?"
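As an added example, not part of the original page, the two checks below discover the current public address and verify that the port forward actually reaches the Management Suite host. It assumes https://api.ipify.org as one of several public "what is my IP" services (any of them will do) and that the forward was created on port 6777 as described above.

```powershell
# Added example (not from the Chime Master wiki): find the church's current public address
# and test the port forward end to end. Assumption: api.ipify.org is used as the public
# "what is my IP" service; the forwarded port matches the firewall rule above.

$BellPort = 6777

# Run this ON the church network (the Management Suite PC is fine). The address it returns is
# the one that goes into the app's host entry; record it with the date.
function Get-ChurchPublicIP {
    (Invoke-RestMethod -Uri 'https://api.ipify.org').Trim()
}

# Run this from OUTSIDE the church network, e.g. a laptop on a phone hotspot. NAT reflection
# is disabled on the forward, so from inside the LAN this reports failure even when the
# forward is correct.
function Test-BellForward {
    param([Parameter(Mandatory)][string]$PublicIP)

    $result = Test-NetConnection -ComputerName $PublicIP -Port $BellPort -WarningAction SilentlyContinue
    if ($result.TcpTestSucceeded) {
        "Port $BellPort on $PublicIP is open and forwarded; configure the app with this host."
    } else {
        "No answer on ${PublicIP}:${BellPort}. Check, in order: the forward rule on the firewall, " +
        "the static address of the Management Suite PC, that Management Suite is running, " +
        "and the Windows Firewall rule on the PC."
    }
}

# Usage, inside the church:    Get-ChurchPublicIP
# Usage, away from the church: Test-BellForward -PublicIP 203.0.113.10   # example address only
```

A successful TCP connect only proves the forward and the listener; it does not log you in. Re-run Get-ChurchPublicIP after any router reboot or provider outage, and update the app's host entry if the address has moved.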

Mobile Device

Add a host entry for the public internet address in the Hosts setup menu of the Church Bell Remote app, using the public IP address you discovered in the search above and port 6777. Keep the WiFi host entry as well for troubleshooting.

Select this host when you are away from the church. At church, either disable WiFi on the phone and continue to use the public host entry, or enable WiFi and select the WiFi host entry in the app's Hosts menu. The public host entry does not work while you are connected to the church WiFi because, with NAT reflection disabled on the forward, the router only redirects connections arriving from outside the LAN. (Enabling NAT reflection on the pfSense forward would let the one public entry work from both places, at the cost of routing local traffic through the firewall.)