boojew

Two Factor Authentication to Portal

37 posts in this topic

Although adding 2FA should be the highest priority, I want to re-surface a related request I submitted at the beginning of this thread:

 

In lieu of implementing 2FA, can you add a configuration option to have Domotz disallow any remote access capability?

 

This would be a viable short-term solution for increased security.

0


I suspect that 2FA will not be implemented until Domotz or one of its customers suffers a data breach. Seems to be the trend. Companies pledge to take customers' security seriously but don't put the necessary resources or effort into actually securing their systems. Domotz has been great to work with, but I think the lack of 2FA is a HUGE deal and I sincerely hope it does not take a compromise to make it a priority. Security should come before features when our customers' systems are concerned.

0

When I looked at Domotz Pro as a monitoring option, my main concern was security. Not only 2FA, but also my data and, more importantly, my network devices because of the Connect option. I contacted Domotz and they took away some of my concerns (@VarnoTek, I cannot agree more that security is a major deal and a major issue, but because we don't know the facts, I won't go as far as "accusing" Domotz of ignoring our security tightening requests :-) ).

One of my major concerns was the "Connect" feature, because when your login has been compromised, there is instant access to your devices through this feature and a brute force attack could be initiated and basically go unnoticed because it comes from inside the network. I have asked for a "light" agent version which does not include this feature (I'm accessing the devices through an OpenVPN connection anyway when needed), which actually makes it a lot more secure (even though this does not prevent turning devices on or off with a supported PoE switch or PDU and UPS's). They are thinking about this option and in the meantime they offered me another option which SpivR is actually asking for: Blocking the Connect feature.

 

What you need is a firewall at the site where the Agent is running. Create a rule in the firewall to block the following traffic from your Agent's device to WAN:

 

block destinations (FQDN): sshg.domotz.co, us-east-1-sshg.domotz.co and us-west-2-sshg.domotz.co

on ports: 32700 to 32849

 

This will block the Connection feature. You will still have it available in your app, you will still see the connection options, but you won't be able to actually connect to these services!

I have tested this and this works like a charm!

 

However (and this cannot be reproduced by Domotz support), I noticed that adding "Eyes" to devices is not working when the firewall rule is active! I have to disable the firewall rule, add the "Eye" and then I can activate the rule again. When the rule is active, the "Eye" that was added is actually working (updating). Maybe someone can have a look at this in their environment when they choose to add the firewall rule to add an important layer of security.

 

I hope this helps!

Edited by dreedijk
0

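The block dreedijk describes, written out for a Linux firewall running nftables in front of the agent (an added example, not dreedijk's own rule or anything from Domotz). It assumes a constructed agent address of 192.0.2.10 and that the firewall sits in the forwarding path; since nftables matches addresses rather than names, the three gateway FQDNs are resolved first and should be re-resolved periodically.

```shell
#!/bin/sh
# Added example: render an nftables ruleset that drops (and logs) the Domotz agent's
# outbound traffic to the Connect SSH gateways on TCP 32700-32849, plus a check to
# confirm the block is effective. Assumed values are marked as constructed.

AGENT_IP="${AGENT_IP:-192.0.2.10}"   # constructed: LAN address of the Domotz agent host
GATEWAYS="sshg.domotz.co us-east-1-sshg.domotz.co us-west-2-sshg.domotz.co"
PORT_RANGE="32700-32849"

# Resolve the gateway FQDNs to IPv4 addresses. nftables matches addresses, not names,
# so run this again (e.g. from cron) and reload when the DNS records change.
resolve_gateways() {
  for host in $GATEWAYS; do
    getent ahostsv4 "$host" | awk '{ print $1 }'
  done | sort -u
}

# Print a ruleset for the given gateway addresses. Traffic from the agent host to any
# of them on the Connect port range is logged and dropped in the forward chain (the
# agent is behind the firewall, so its traffic is forwarded, not locally generated).
gen_block_ruleset() {
  addrs=$(printf '%s, ' "$@" | sed 's/, $//')
  cat <<EOF
table inet domotz_connect_block {
  set sshg_gateways {
    type ipv4_addr
    elements = { $addrs }
  }
  chain forward {
    type filter hook forward priority 0; policy accept;
    ip saddr $AGENT_IP ip daddr @sshg_gateways tcp dport $PORT_RANGE log prefix "domotz-connect-blocked " drop
  }
}
EOF
}

# Run on the agent host after loading the ruleset: returns 0 when a TCP connect to the
# gateway on a port inside the range fails (i.e. the block works), 1 when it still connects.
check_blocked() {
  host=$1; port=$2
  if nc -z -w 3 "$host" "$port" 2>/dev/null; then
    echo "STILL REACHABLE: $host:$port"; return 1
  fi
  echo "blocked: $host:$port"; return 0
}

# Typical use on the firewall:   gen_block_ruleset $(resolve_gateways) | nft -f -
# Typical check on the agent:    check_blocked sshg.domotz.co 32700
```

The dropped packets show up in the kernel log with the "domotz-connect-blocked" prefix, which also gives you a record of any Connect attempt made while the rule is active.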
3 hours ago, dreedijk said:

 

What you need is a firewall at the site where the Agent is running. Create a rule in the firewall to block the following traffic from your Agent's device to WAN:

 

block destinations (FQDN): sshg.domotz.co, us-east-1-sshg.domotz.co and us-west-2-sshg.domotz.co

on ports: 32700 to 32849

This is a great workaround!

 

In some of my smaller deployments, I use a Synology router and it allows direct access to all the firewall rules. (It also has inbound VPN, which I use for remote access without reliance on Domotz.)

This is actually better than a mode switch in the Domotz agent to shut off the Connect feature, because without 2FA it is possible that a hacker who brute-forces their way into the box would simply be able to re-enable the Connect option and then have full access to the entire network anyway.
0


As promised, I said I would provide a more realistic date after CEDIA.

As you know, we have been quite busy over the past summer delivering a number of new features (see release notes), and now we are also very busy with manufacturer integration work. But we have definitely managed to give it priority. It will certainly be there before Christmas.

0


Thanks for the temporary firewall workaround, dreedijk and SpivR. 

 

Silvio, it’s good to hear we can expect something before Christmas.

0


Two-factor authentication is in production! 

To enable it, just enter our portal and go into Account->Two Factor Authentication.

If you are the master account and have created accounts for your teams, you can also check whether your team members have enabled it or not. In this way you can enforce a company policy to use it.

Enjoy it and contact our support team if you encounter any issue.

 

1


Awesome!

 

Just enabled it and found a few minor glitches (sending support email) but overall a great job and a welcome security addition!

 

 

Now, if you could add direct integration in the app with 1Password login manager (as many other apps are doing) it would be an ideal solution since 1Password has built-in support for both passwords & generating and using 2FA codes all in one place.

(1Password is also cross platform with clients/apps for iOS, Android, Windows, & Mac so it has broad appeal/usage.)

0

On 1/7/2018 at 3:26 AM, Silvio said:

Two-factor authentication is in production! 

To enable it, just enter our portal and go into Account->Two Factor Authentication.

If you are the master account and have created accounts for your teams, you can also check whether your team members have enabled it or not. In this way you can enforce a company policy to use it.

Enjoy it and contact our support team if you encounter any issue.

THANK YOU!!! I can finally consider Domotz a serious tool for use in my network.

0


Two-factor authentication is a great addition!

 

I have a security-related question: Is there a document or description of the security policies of Domotz? (Not privacy and user data, but security practices and any independent audits or standards compliance.)

What level of access is provided to Domotz via the automated software update and provisioning process?

Is the access provided through this mechanism a "Back Door" that bypasses the normal login credentials, including 2-Factor authentication?

In the theoretical but possible situation of a disgruntled employee or engineer, how much access do they have to my client's networks? Can they initiate remote connections and remote sessions without my knowledge or control?

1


Happy to hear positive feedback about the 2FA.

 

About the last questions from SpivR:

- On our website, under Knowledge Base --> Technical Documents, there is a high-level overview of our security practices. Please have a look.

- All components of our system (cloud, apps, box - including provisioning) follow our practices, and we do regular pen testing. Moreover, please note that we have, among our customers, also very large companies that periodically execute pen testing against us and scrutinise our processes. This is in addition to what we do internally.

- Remote sessions to client site: please note that all remote accesses to devices are logged inside the report & logging section of each agent. So, if one of your team members connected to a given device, you will see the date+time+account+session_type logged there. In this logging part you can also add manual comments, to keep track of special activities you may have done.

0

On 1/17/2018 at 3:18 PM, SpivR said:

What level of access is provided to Domotz via the automated software update and provisioning process?

Is the access provided through this mechanism a "Back Door" that bypasses the normal login credentials, including 2-Factor authentication?
Can a remote access session or HTTP/TCP remote access be initiated via the Domotz provisioning/update mechanism? Is that access logged? Can that access, for anything other than auto-updating the software/firmware, be required to also use two-factor authentication?

I'm concerned that this represents a "back door" that cannot be audited or closed.

0
