Remote control from anywhere

Revision as of 18:27, 6 December 2016

Advanced Topic

The information on this page assumes that you have the Church Bell Remote app installed on your phone or tablet, Management Suite installed on a PC connected to your Chime Master bell system, and that you are already able to control the bells remotely from inside your facility over the local WiFi network.

Making your bell system available on the public internet

Risks

The system requires user authentication before accepting commands from the remote control. This authentication is only as strong as the username and password you created in Management Suite. You should also lock the Management Suite host computer with a good password, so that unauthorized users cannot change who is authorized to operate the bell system.

Search the Internet for more information regarding IoT risk management. James Andrew Lewis, in his Managing Risk for the Internet of Things (https://csis-prod.s3.amazonaws.com/s3fs-public/legacy_files/files/publication/160217_Lewis_ManagingRiskIoT_Web_Redated.pdf), says, "Being risk averse makes us poorer, not safer. There is risk in every technology we use. Hold IoT captive to our fears and we will sacrifice opportunity."

Chime Master continues to develop new products using the latest technologies that will balance ease of use with the highest security practices.

Best Practices

Modern routers have firewalls built in, but most IT professionals will add a dedicated firewall appliance between the incoming Internet router or modem and their internal network. In the absence of a dedicated firewall, try to understand and implement as many of the items on this Router Security Checklist (http://routersecurity.org/checklist.php) as you can.

Putting any port of any device on your primary network on the public Internet should always be done with planning, forethought and advice from your IT professional. We recommend that all Internet of Things (IoT) devices you install in your facility be connected using a dedicated network (an IP address subnet such as 192.168.120.node) apart from your file servers and database systems, so that a compromised device cannot reach them directly. Most newer routers and multi-port firewalls allow you to have more than one subnet for guests and devices (see Guest Networks in the Security Checklist linked above).

Another way of setting up a secure dedicated network for IoT devices, if you have an older unused router available, is to configure a Multi-NAT router network (https://www.grc.com/nat/nats.htm) as described by security guru Steve Gibson.

Setup

Management Suite PC

Every device on the network needs to have a unique IP address. By default, Windows PCs will get their IP addresses from the DHCP server on the network. This may be your Windows file server, or it may be the Internet Router. Typically the DHCP server will be set to provide a range of addresses dynamically. Outside this block of dynamic addresses will be static IP addresses that are reserved for file servers, printers and any other devices that are always connected.

It is more convenient to connect to the bell system if its address does not change as dynamic IP leases expire, so the Management Suite host PC should have a static address. Before you set a static address on the PC, you need to know which addresses are already used. After setting it, you should document the address and inform the others who manage the network which address you have taken.

Port Forwarding

If your tablet or phone already controls the bell system on the internal network, you can make it reachable from the public Internet by forwarding the bell system's server port out through the router's firewall. The port to forward is 6777, and the forward should deliver traffic on that port only to the PC hosting the Management Suite remote control server, and to no other internal address.

You will set this up either on your firewall appliance, if you have one, or on the Internet-connected router if you don't. The menu items for this vary between devices. The pfSense firewall appliance puts this under Firewall > NAT > Port Forward. Enter the following parameters to create a new Port Forward:

 Interface: WAN
 Protocol: TCP
 Destination: WAN Address (could be another selection from your static block if available)
 Destination Port Range: From 6777 To 6777 (port the phone is set to connect to)
 Redirect target IP: (the static internal IP address of the Management Suite host PC)
 Redirect target port: 6777 (port the host PC is listening to)
 Description: Church bell remote control (for others to understand what you are doing)
 NAT reflection: Disable
 Filter rule association: Pass
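As an added example (not from the Chime Master wiki or from pfSense), the following Python script checks a planned port forward against the network plan described in the Management Suite PC and Port Forwarding sections: the redirect target must sit in the dedicated IoT subnet, outside the DHCP dynamic pool, not collide with an address already documented as taken, and only port 6777 may be exposed. The /24 mask, the DHCP pool bounds and all addresses are constructed sample values.

```python
# Added example, not from the Chime Master wiki: sanity-check a planned
# pfSense-style port forward against the network plan the page describes.
import ipaddress
from dataclasses import dataclass

BELL_PORT = 6777  # port the Church Bell Remote app connects to (from the page)

@dataclass
class PortForward:
    interface: str
    protocol: str
    dest_port_from: int
    dest_port_to: int
    target_ip: str
    target_port: int
    description: str

@dataclass
class NetworkPlan:
    iot_subnet: str        # dedicated IoT subnet; the /24 mask is an assumption
    dhcp_pool_start: str   # dynamic lease range handed out by the DHCP server
    dhcp_pool_end: str
    addresses_in_use: set  # static addresses already documented as taken

def check_forward(fwd: PortForward, plan: NetworkPlan) -> list[str]:
    """Return the problems found; an empty list means the forward matches the plan."""
    problems = []
    if fwd.interface != "WAN" or fwd.protocol != "TCP":
        problems.append("forward must be TCP on the WAN interface")
    if not (fwd.dest_port_from == fwd.dest_port_to == BELL_PORT == fwd.target_port):
        problems.append(f"destination and redirect ports must both be exactly {BELL_PORT}")
    target = ipaddress.ip_address(fwd.target_ip)
    if target not in ipaddress.ip_network(plan.iot_subnet):
        problems.append(f"{target} is not in the dedicated IoT subnet {plan.iot_subnet}")
    lo, hi = (ipaddress.ip_address(plan.dhcp_pool_start),
              ipaddress.ip_address(plan.dhcp_pool_end))
    if lo <= target <= hi:
        problems.append(f"{target} is inside the dynamic DHCP pool and may move when its lease expires")
    if str(target) in plan.addresses_in_use:
        problems.append(f"{target} is already documented as taken by another device")
    if not fwd.description.strip():
        problems.append("description is empty; others will not know why this port is open")
    return problems

if __name__ == "__main__":  # constructed sample values, not a real site
    plan = NetworkPlan("192.168.120.0/24", "192.168.120.100", "192.168.120.199", {"192.168.120.2"})
    fwd = PortForward("WAN", "TCP", 6777, 6777, "192.168.120.10", 6777, "Church bell remote control")
    print(check_forward(fwd, plan) or "forward matches the plan")
```

Run it before typing the forward into the firewall; any line it prints is a reason to revisit the plan rather than the firewall.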

Dynamic Public IP

Static IPs and blocks of IPs are normally part of a commercial Internet service where you run your own web servers and the like. Most of us have ordinary residential Internet service from a phone or cable company at a more reasonable fee. These connections have a dynamic address assigned by the Internet provider (using DHCP) that may change over time.

It has been our experience that as long as the Internet router is on a battery backup and is never turned off, these connections retain their IP address over long periods of time. To determine what address your public Internet connection is currently using, browse to a search engine and enter the search term "what is my ip?"

Mobile Device

Add a host to the Church Bell Remote app for the public Internet address. Use the IP address you discovered through the search engine and port 6777. Select this host when WiFi is disabled on the phone, because the router's port forward only applies to connections arriving from the public Internet, such as over your 4G/LTE provider. To control the bells over WiFi, select the host you originally set up using the internal static address of the Management Suite host PC.