Author Topic: Better network security features  (Read 2791 times)

larslengberg

  • Posts: 5
  • Reply #0
    October 24, 2014, 10:44:19 pm

Hi! We are running an STL using two Merlins, and so far it all seems very smooth.

After consulting your sales rep, I hooked them up straight onto our DSL lines, using static public IPs. The codes are said to be "secure enough".

However, I still feel a bit worried that some day in the future, someone will attempt some kind of attack against a codec. Trying to hack it, or just a (D)DoS attack.

In the current firmware, I miss these options (please let me know if they exist and I just haven't found them!) :

* The option to change admin port. Today I can config an "alternate" port, but the box still answers on port 80. I guess port 80 is the prime port being scanned on the Internet, so just changing to a random port like 8394 lowers the possibility that someone finds you.

* Disable ping reply. Many scanning tools will first attempt a ping, and will only "deep scan" IPs that respond to ping.

* Possibility to whitelist IP ranges that are allowed admin access.

* Maybe also the possibility to install your own SSL server certificate in the codec, and require a matching SSL client certificate to gain admin access? (Don't think we would use it though.. But would give a very high security level.)

Thanks,

Lars Lengberg
Radio Sydväst, Stockholm, Sweden

Glenn

  • Global Moderator
  • Posts: 61
  • Reply #1
    October 28, 2014, 09:58:21 am

Hi Lars,

Thanks for your post.

Regarding your questions, if you are concerned about security, we would recommend you place the codecs behind a firewall if possible and port forward to the relevant ports you configure.

If you are behind a firewall you can block port 80 and use your preferred port. This can also block any pings from unwanted sources and allow you to create whitelist access for admin purposes.

I will mention your SSL server certificate idea to our engineers for consideration in future development.

Thank you for the suggestion and for your interest in securing your codecs.

Best regards,

Glenn
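
A sketch of the firewall setup described in the reply above, added here as an nftables ruleset; it is not part of the original thread and not Tieline's own configuration. The interface names, the codec's private address, the whitelist ranges and the audio port and protocol are all assumptions; 8394 is the example port from the first post.

```nftables
# Constructed example: interfaces, addresses and ports are placeholders.
flush ruleset

define WAN_IF     = "eth0"                             # assumed: faces the DSL line
define LAN_IF     = "eth1"                             # assumed: faces the codec
define ADMIN_NETS = { 198.51.100.0/24, 203.0.113.17 }  # assumed: admin whitelist
define ADMIN_PORT = 8394                               # external admin port
define AUDIO_PORT = 9000                               # placeholder: port set on the codec

table ip nat {
    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;
        # Admin UI: only whitelisted sources are forwarded to the codec's port 80.
        iifname $WAN_IF ip saddr $ADMIN_NETS tcp dport $ADMIN_PORT dnat to 192.168.10.2:80
        # Audio link (assumed UDP): forwarded on the same port number.
        iifname $WAN_IF udp dport $AUDIO_PORT dnat to 192.168.10.2
    }
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        oifname $WAN_IF masquerade
    }
}

table inet filter {
    chain input {
        # Traffic addressed to the firewall itself. Nothing is open from the WAN,
        # so manage the firewall from the console or add your own rule here.
        type filter hook input priority filter; policy drop;
        ct state established,related accept
        iifname "lo" accept
        # Ping is answered for whitelisted sources only; everyone else gets silence.
        ip saddr $ADMIN_NETS icmp type echo-request accept
    }
    chain forward {
        type filter hook forward priority filter; policy drop;
        ct state established,related accept
        # Connections the codec opens itself.
        iifname $LAN_IF oifname $WAN_IF accept
        # Only connections that matched a DNAT rule above may reach the codec.
        # Port 80 on the public address has no DNAT rule, so it is dropped in input.
        iifname $WAN_IF ip daddr 192.168.10.2 ct status dnat accept
    }
}
```

The ruleset can be syntax-checked without loading it using `nft -c -f <file>`.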





larslengberg

  • Posts: 5
  • Reply #2
    October 29, 2014, 12:35:39 am

Thanks for your response! And yes, perhaps I should consider some firewalls. But each new box is a box that can freeze/crash... So if you are anyway sending that SSL suggestion to the developers, you may as well throw in "disable port 80", "disable ping" and "IP range whitelisting" as well. Those are probably even easier to implement than any SSL certificate handling.

(Anyone reading this have any suggestions on a cheap, simple and rock-solid firewall?)

iXgamesXi

  • Posts: 3
  • Reply #3
    October 30, 2014, 07:06:15 pm


 
