unicontrol user guide by ayatec

Network security

When building your own IoT network, protecting against unauthorized access is paramount. Due to the limitations of the ESP8266 in terms of memory and computational power, full support for TLS/SSL protocols for internet communication is not feasible. Therefore, alternative security measures are necessary.

Much of the security for unicontrol devices is inherited from the local network to which they are connected. It is imperative to only connect unicontrol devices to trusted, secured local networks with restricted access. Using public or inadequately secured wireless networks will compromise security.

HTTP

HTTP connection established between a unicontrol device and a user.

unicontrol devices use HTTP connections for communication with users. While all relevant URLs intended for HTTP communication are protected with usernames and passwords, they naturally lack a TLS/SSL layer. This setup is sufficient for operation within a protected local network but is inadequate for use in unrestricted networks or for anything reachable from the internet.

Username and password protection, although available, may not be sufficient against potential attackers who have access to the same network: without encryption, credentials are susceptible to interception. This weakness cannot be exploited by attackers who do not have access to the local network.

SSL protection by intermediary

To address the lack of direct TLS/SSL support on unicontrol devices, a possible workaround involves setting up a locally hosted intermediary service like Node-RED. This intermediary is capable of adding an additional layer of security by establishing an SSL-protected connection externally. This secure connection forwards messages to the unicontrol device's unprotected local IP address, mitigating security concerns.

Do not forget to properly set up the SSL-protected listener port on the MQTT broker to ensure that this strategy works.
Node-RED working as an intermediary adding an SSL layer.

MQTT

Multiple unicontrol modules with Wi-Fi connection to the local network.

Connection via MQTT consists of two legs, each with different security options:

  • unicontrol to MQTT broker: The connection between unicontrol devices and MQTT brokers typically lacks SSL encryption and should only be used within a protected local network.
  • MQTT broker to User Device: The link between the MQTT broker and user devices can typically be encrypted with an SSL layer, providing more secure communication externally from user devices such as smartphones or PCs.

This implies that while a unicontrol device's connection to an MQTT broker is only safe as long as it takes place within a secured local network with no access from the outside, the connection to the MQTT broker established from the user's mobile device or PC can also be secured externally.

Many MQTT servers can maintain both SSL-protected and non-SSL ports simultaneously, serving both secured and unsecured devices concurrently. It's common practice to expose only the SSL-protected listener port to the internet while keeping the unprotected listener inaccessible from outside the secured local network, serving only devices within the network.
Don't forget to properly configure firewalls and network rules to fortify overall network security. It is also recommended to regularly update firmware/software on IoT devices and maintain best security practices to mitigate emerging threats.
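The dual-listener layout described above, written out as an added Mosquitto broker configuration (this is an illustrative example, not a configuration shipped by ayatec or unicontrol). The LAN interface address, port numbers and file paths are assumptions; adjust them to your own network.

```conf
# Assumed example Mosquitto configuration: one plaintext listener for unicontrol
# devices on the LAN, one TLS listener for user devices reachable from outside.

# Allow authentication settings to differ per listener (must precede listeners).
per_listener_settings true

# Listener 1: plaintext MQTT, bound only to the broker's LAN address (assumed).
# unicontrol devices connect here. Never forward this port on the router/firewall.
listener 1883 192.168.1.10
allow_anonymous false
password_file /etc/mosquitto/passwd_lan

# Listener 2: TLS-protected MQTT for smartphones and PCs.
# This is the only listener that may be exposed through the firewall.
listener 8883
cafile /etc/mosquitto/certs/ca.crt
certfile /etc/mosquitto/certs/broker.crt
keyfile /etc/mosquitto/certs/broker.key
tls_version tlsv1.2
require_certificate false
allow_anonymous false
password_file /etc/mosquitto/passwd_external
```

Binding the plaintext listener to the LAN address keeps it off any other interface, but the firewall rule that blocks or does not forward port 1883 from the internet is still what enforces the "local only" boundary.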
© 2024 ayatec.eu