I don’t know if there are many other network-savvy people out there who are paranoid about security, but if so, I thought I would share the implementation I have decided on for allowing secure access to my Vera from the internet without using Mios servers.
Objective: Securely access the Vera web interface remotely without having to use VPN all of the time, without changing the Vera
Methodology: Set up a server in the web DMZ to proxy the Vera web interface to remote users, after authenticating them
Topology: Vera is in the automation network segment and the Web proxy server is in the web DMZ. My desktops and laptops are on a primary Windows domain network
Firewall rules: Vera can only communicate outbound with specific third parties (for example, wunderground.com) as allowed via content filter on unified threat management gateway. Web server (reverse proxy) cannot initiate connections with anything except to the web interface on the Vera
Additional layers of security to be added (will not be opening it up to the internet until these are implemented… I’ll update this post as I do):
1) Publicly signed SSL certificate on the web server for connections from the internet, to encrypt traffic.
2) Client certificate based authentication rather than just a password.
Traffic flow:
1) Remote user goes to the URL of the web server /cmh and is prompted for a password (later, a user certificate).
2) Web server proxies the web interface of the Vera through itself to the end user (if valid credentials are provided).
3) User interacts with the Vera normally.
Benefits (with future security additions):
1) Vera unchanged from inside.
2) 1.5 factor authentication (client certificate, password… I don’t really care for client certificates vs smart card or token… hence the 1.5).
3) Vera is never directly exposed to the internet.
4) SSL encrypted external communications.
Implementation: Nginx on Ubuntu server configured as a reverse proxy for the following paths: /cmh/, /cgi-bin/, /port_3480/
Diagram attached
Purpose of this post: 1)Peer review, 2)share information
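For anyone wanting to compare notes, here is an added example of an Nginx server block that implements the design described above (TLS on the public side, client certificate verification plus a password prompt, and proxying only /cmh/, /cgi-bin/ and /port_3480/ to the Vera). This is example configuration written for this post, not the original poster’s actual config; the hostname, the Vera address 192.0.2.10 and all certificate and htpasswd paths are placeholders to be replaced with your own.

```nginx
# Example reverse proxy for a Vera in a separate automation segment.
# Placeholders: vera-proxy.example.com, 192.0.2.10, and every path under /etc/nginx/.

# Plain HTTP only redirects to HTTPS, so credentials are never sent in the clear.
server {
    listen 80;
    server_name vera-proxy.example.com;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name vera-proxy.example.com;

    # Publicly signed server certificate (layer 1 from the post).
    ssl_certificate     /etc/nginx/tls/fullchain.pem;
    ssl_certificate_key /etc/nginx/tls/privkey.pem;
    ssl_protocols       TLSv1.2 TLSv1.3;

    # Client certificate authentication (layer 2 from the post).
    # Only certificates issued by your own private CA are accepted;
    # connections without a valid client cert are rejected during the handshake.
    ssl_client_certificate /etc/nginx/tls/client-ca.pem;
    ssl_verify_client      on;
    ssl_verify_depth       1;

    # Anything not explicitly proxied below is refused, so the Vera's other
    # paths are never reachable through the proxy.
    location / {
        return 404;
    }

    # The three paths the Vera UI needs. The password prompt sits in front
    # of the proxy, so the Vera itself still sees an unauthenticated LAN client.
    location ~ ^/(cmh|cgi-bin|port_3480)/ {
        auth_basic           "Vera";
        auth_basic_user_file /etc/nginx/htpasswd;

        # No URI part on proxy_pass, so /cmh/... maps to /cmh/... on the Vera.
        proxy_pass http://192.0.2.10;
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-For   $remote_addr;
        proxy_set_header X-Forwarded-Proto https;
    }
}
```

Create the password file with `htpasswd -c /etc/nginx/htpasswd <user>` (from apache2-utils on Ubuntu) and run `nginx -t` before reloading. The `location /` catch-all is the part worth keeping even if the rest changes: with it, the only thing the proxy host can be asked to fetch from the automation segment is the three UI paths, which matches the firewall rule that the proxy may only talk to the Vera’s web interface.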