Skip to main content
BluINFO

CONTROL PANEL SECURITY DESIGN

Networking

In most IP networks, any device on the network is susceptible to hacking or unauthorized access. First and foremost, this is because most devices listen to network traffic in order to receive communications that might be intended for them: commands, broadcast messages, network management interactions, and so on. The willingness of a networked device to accept unsolicited external communications is its key vulnerability.

BluBØX’s control panel will not accept inbound connections. It will only listen to network traffic within the HTTPS session which was initiated by the control panel itself. This protects the control panel against unauthorized access because it simply will not accept unsolicited communications. For example, it is not possible to do any of the following to a BluBØX control panel; initiate a telnet, FTP, HTTP/S or any other type of communications session; burden the device through a denial of service (DoS) attack (although the rest of your network may be affected); give the device a virus; or gain access to the file system.

IP Configuration and DHCP

The control panel must still have some communications with the rest of the IP network on which it resides, particularly with respect to establishing network operating parameters.

First, the control panel will need to have an IP address. This can be established in one of two ways: by a command line interface (CLI) accessible via a crossover Ethernet port, or via the “DHCP” protocol.

The BluBØX control panel supports the DHCP protocol for ease of configuration. DHCP has become the preferred method of managing network devices on most corporate LANs. Supporting DHCP presents no additional security risks for the control panel or the BluSKY® service itself due to other precautions BluBØX has designed into its products. Specifically, our implementation of certificate-based authentication (see section titled “Authentication”) defeats “DNS spoofing” and “host impersonation” types of attacks which can arise when a DHCP server points to a compromised or malicious DNS server.

For networks that do not support DHCP, or network administrators who would prefer to assign an IP address manually, the BluBØX control panel has a local web interface that allows the administrator to enter all network configuration parameters using a laptop and an Ethernet cable.

 

OVERVIEW OF DHCP

DHCP stands for dynamic host configuration protocol. Before DHCP, network administrators had to enter various configuration parameters into every networked device in order for it to know how to communicate with the rest of the devices on the network.

DHCP is a mechanism for allowing a network device to query a “DHCP server” to obtain an IP address, a subnet mask, a default g


Non-Routable IP Address and NAT

The BluBØX control panel initiates all communication sessions with BluBØX’s data center, so the IP address assigned to the panel need not be a static or routable IP address. Non-routable IP addresses cannot be transported over the Internet. This protects the device from exposure to the Internet because it is shielded behind the corporate routers and firewalls like all other devices on the network with non-routable IP addresses.

Specifically, this means that the control panels will operate with routers and firewalls configured to use Network Address Translation (NAT).

Compatible with Firewalls and Proxy Servers

Many corporate networks are protected with proxy servers (stand-alone or in combination with a firewall). BluBØX anticipated this network architecture and built in support for the SOCKS53 and HTTP proxy protocols, so that it can authenticate itself to the proxy service and access the BluBØX data center.

For network administrators, this design ensures that no changes will have to be made to your existing IT architecture. For example, the BluBØX control panel does not need to have a “hole” put into the corporate firewall to listen for incoming traffic. All it requires is that outbound HTTPS traffic be allowed to go to BluBØX’s data center. Nor does the control panel need to be situated in a “DMZ” on your network. Since the panel operation does not depend on externally initiated transactions, there is no need to expose it to open Internet traffic. For networks with a proxy server, normal operations can continue, with only the addition of a login and password for the control panels added to your LAN.

 

  • Was this article helpful?