In this informative webinar, GRIDSMART Director of Software & Engineering, John Isaac, will explain the new and enhanced security features of 19.3. Learn how to do basic device configuration via a web browser, such as configuring network settings, security settings, date, time, and location without requiring a connected camera. We’ll also cover our new client HTTPS support, user management, SSL certificate management, and more.
Brooke: (00:01) Good afternoon. Thank you for joining us for the introduction to 19.3 Security Features Webinar today. My name is Brooke McGee, and I am the Marketing and Communications Coordinator at GRIDSMART. I will be moderating today’s webinar, so if you have any questions feel free to send them in using the chat button at the bottom of your screen. We will answer your questions at the end of the presentation. John Isaac, GRIDSMART’s Director of Software and Engineering, will be leading today’s webinar. So without further ado, I’ll turn it over to John to explain and introduce the new exciting features of GRIDSMART Version 19.3.
John: (00:46) Good afternoon everybody, and thank you for attending. And hopefully, we’ll have a lot of information for you this afternoon. We’re going to go ahead and jump right in. So today we’re going to talk about security and networking, and the first thing that we’ll kind of talk about is general reasons why you might want to have a GS2 network, and there’s a lot of good reasons for that. One is obviously to reduce trips to the cabinet. The other one is to do remote software updates, and one of the things that we have now in 19.3 is the ability to do remote updates with a new thing called the Device Manager which I’m going to spend a lot of time talking about today. The other thing is we can do remote license updates, so if you do get a license and you need to update processors in the field, the license will actually update automatically.
John: (01:44) The other reason is for remote diagnostics, and we have a couple of features that we added in our software for uploading log files and doing advanced diagnostics as well. The other thing is the configuration backups. If your device is networked, and it’s connected into our Cloud System, your GS2 configurations will automatically be backed up, which is a nice thing if you do have to recover a device. The other thing we have available is some reporting and alerts, which is very handy if cameras go offline or you have something happen, you get alerted. And then last but not least, of course, we have a feature that we introduced in 6.9 which is called the streams module, so we’ll talk about a lot of that stuff today.
John: (02:35) So typical setup for networking, there’s really kind of three modes, and to give you a little history of kind of what we do: when we first started building our devices back in early 2008, traffic cabinets weren’t really networked, so everything was pretty much done in the cabinet. And that was just the way that things operated. So we still support that mode. You can run these things without being connected to anything and, you know, run them standalone. And the downside of that, of course, is anything you do you have to be at the cabinet. When we introduced the GS2, we started putting modems into the device, a cellular modem, and one of the things about that we do that’s kind of unique is that if you buy a GS2 you get an antenna and you also get a modem and you also get to upload the data. We do not charge you for any of the other data plans and things like that.
John: (03:34) We felt like from a diagnostic and really support perspective it made a lot of sense for us to be able to get diagnostics and information from those. So as long as you have a GS2, at least for I believe its first five years, the data you can look up and use that modem and you’re not going to be charged for it, which I don’t know of any other companies that really do that. We just felt like that was a very important thing to be able to provide good support. And we’re trying to leverage that connectivity as much as we can, but we’re not requiring it. And I’ll explain that a little more later. So that’s one scenario, you could have it basically set up just with a standalone modem. The other way you can network is using our public network interface. And again with that, you know, that will allow you actually to remote into the machine, run the client and things like that. The modem is really just for uploading.
John: (04:30) There is no inbound connectivity, and again I’ll dig into that a little deeper. So on the actual GS2, as I just mentioned, there’s actually three interfaces. We have a private network, which is where our cameras are generally; that’s not going to be accessible for anything. If you do plug in your laptop port to configure, you will be on that network, and one of the things that we recommend is, as we do set up a laptop, it will give you an IP address automatically, but we do recommend setting that address to a high number; we recommend setting it to 192.168.150.253. You don’t have to, but that’s kind of a best practice, and it has to do with the way that our cameras get their IP addresses. But that’s recommended. We also have a modem interface, and the modem is actually, we currently use AT&T.
John: (05:26) We do have some legacy modems that are running on Sprint, but most of our stuff is on AT&T, and the modem is again just for connectivity to the Cloud. You can’t access the machine remotely through the modem. You can’t access any kind of services. It’s just basically for uploading diagnostic data and alerts and things of that nature. We also have the public interface, and again if you’re going to connect your GS2s into your networks, that’s where you would connect in. And we have lots of options there, but that will give you full access to everything that we have as far as running the client. It can also be used to send data up to the Cloud. It can be used for remote access and for cameras.
John: (06:13) Now one of the major changes that we made in 19.3 is kind of how this interface works. In the past, you really didn’t have any flexibility on how to configure it, and we felt like that was something we needed to do for a lot of different reasons. So the bottom line is that when you run 19.3 we have a new feature called the Device Manager which we’ll spend some time going through. But the idea is that, as much as we would love to have you connected to the Cloud, it is no longer required, and you have a way to disable that.
John: (06:48) The same with the modem. If you don’t want to use the modem, which if you have a security requirement that you can’t use a modem, you can actually disable that. So what we’re showing you here is basically you have an option that you can disable Cloud. You can disable the modem, and you can also just use your network with Cloud or without it; you have full flexibility in how you configure it. We have that set up now in the Device Manager, and it’s a few clicks and you set it up the way you need to and you’re pretty much off, you’re all set.
John: (07:24) Now the one thing I will mention is that most of the time when we do have problems with networking it really boils down to two different things. It usually comes down to the domain name service and network time protocol. So if you are networking internally on your own networks, which a lot of folks do, it’s very important that your DNS is working properly. It’s very important that your NTP server is set up correctly.
John: (07:53) Basically, most networking stuff now is very reliant on clocks and clocks being accurate for lots of different reasons, so these two services have to be pretty much running if you want to connect to the Cloud and if you want to have your thing operating properly. So I’m going to talk about that, and the good news is that in the Device Manager, which we’ll walk through, we have ways basically to very easily diagnose that if it isn’t working properly. So we’ll talk about that more as well.
John: (08:25) And I’m going to take a couple of minutes and just talk a little bit more about these various interfaces that we talked about. The public interface, which is basically the interface that you’re going to connect to your network. Again, you have remote access to the device. And that also means running the Client. That means using our API if you have your own custom application to pull data from the device, and any access to it. We can set that up as DHCP or static address as we have always been able to do. But now with the new version you can actually configure all this stuff from the Device Manager. There’s actually a very subtle advantage of doing that: in the past, if you wanted to configure the network on the GS2, you had to have a camera connected. Now you can actually do this without having a camera connected, which means that if you want to set these devices up on your bench in your shop and get them working on the network and make sure things are good with them, you can preconfigure them, take them out to the field, connect your cameras, and everything will work fine.
John: (09:28) We do recommend if you’re going to connect to the Cloud using your own, I mean using the public interface, it is going to be probably the best method to do it, but you can also use the modem. You have an option. So we’ll talk about more of that in the Device Manager when we go through it. And then one thing that is fairly obvious, but I want to mention this because I’ve seen this in the past, is when you do connect the public interface, that IP address you put on there should not be on the Internet. I mean it should be inside your network behind firewalls. But I have seen people just plug it up on a modem, their own external modem or some device, and, you know, it got an IP address. It’s just sitting out there.
John: (10:11) We do have a firewall on the device which we use and stuff, and I’ll talk about that, but that’s not the best way to do it. We recommend using VLAN or VPN as a best practice. But also again, if you want to run the streaming module, which uses H.264, that does run on this public interface. So that’s going to be something we’ll talk about more.
John: (10:35) Now on the modem I want to spend a couple of minutes and just mention it. So there’s been a lot of people who have come to me and say, hey, there’s a modem, it’s a backdoor, you know, is this a security problem? And we’re very cognizant about security, and I, personally, one of the things that I’ve spent a lot of time on as part of being in software is making sure that we are continuing to evolve and keep up with security standards. Unfortunately, in today’s world that’s just a requirement of software development, and we don’t have the luxury of not paying attention to that anymore. With that being said, the modem itself is on a private APN, which means that that modem is not publicly accessible on the Internet. So if the AT&T cellular network was breached then yes, there’s an opportunity, but, you know, most people have a phone in their pocket that’s on a cellular network and on the Wi-Fi there, some on this device. And for the most part we have to assume the cellular network is going to be secure. If we’re not, we’ve got much bigger problems.
John: (11:43) But the bottom line is we don’t allow any inbound connections on the modem. There’s no public IP address. It’s outbound only. And really the services we’re using that for: we have port 443 outbound to an endpoint that is basically api.gridsmart.com, which is basically our Cloud. And then we also need network time protocol; by default we use time.nist.gov, but you can set it to your own settings if you need to, and the modem can also be disabled. So you’ve got several options here. If you’re not comfortable with it, you can turn it off.
John: (12:25) So digging deep into 19.3 and looking at all the security issues, and again this is kind of the start of an ongoing thing that we’ll continue to do. But we feel like again we want to really prioritize in 19.3 some of the security things that we’re doing and continue to harden the device as much as is reasonable without making it too difficult to use. So the first thing that we did is we now have the ability to enable and disable VNC. So if you’re not comfortable with VNC, there is a way to disable it. And if you look in our Changelog for 19.3, I believe there’s a note in there that says eventually VNC will not even be available and we’ll limit access to that for specific things. The other thing we did was we put in a feature to enable and disable the USB drives. So you have the ability to turn those off, and they basically won’t work till you turn them back on, and I’ll show you how that works because obviously a lot of you use that for updates, and you can still use it for updates. But when you’re not updating you can turn off the USB drive for standard purposes.
John: (13:44) The other thing we did was we set up a patching system where we put in a lot more patching. We have patches that are rolled into each software release, and we will continue on every update to have a series of patches that will go in there. And so if you have an older machine, when you do update, you’ll be getting the latest patches. And one of the things that we actually do is we actually go through and look at all the patches that we’re applying and make sure they’re specific to the operating system that we have and that they’re appropriate. And then we test them very thoroughly with our software to make sure that they actually do work.
John: (14:25) We have also, the other thing I was going to mention is on the device we have an application firewall that’s on the device, and it’s dynamically configured. What I mean by that is we only turn ports on and off when we actually are using them. If we’re not using a port, it’s not going to be enabled. So even though, you know, if somebody wanted to get in there and do something, the firewall basically adapts itself to the applications. All the count data we have, and passwords and user names, are all encrypted at rest. And then, of course, we’ve got a bunch of extensive logging, which we’ll continue to enhance in future releases.
John: (15:08) The other thing we did in 19.3 is we’ve added what’s called the Device Manager, and I’ll spend a bunch of time kind of walking you through that. It’s pretty easy to use, point and click, but the idea is to have a central way to go in and manage the device, security settings, network settings, diagnostics, user management, et cetera. And then a couple of other things we did. One thing we did is, from the Client to the processor, we now have the ability to do HTTPS, and for those of you who are not familiar with that, what that means is that the connection between the Client and the actual processor will be encrypted. And there’s a couple of different modes that can be done in. And if you have SSL certificates you can install that on the processor and basically use that to enhance the security as well.
John: (16:09) We also added a role-based user management system. And I’ll talk about that in a minute as well, but we’ll dig into that. But basically the idea is you can have different usernames with different permissions. The other thing we did is we have a security kind of a self-auditing tool that you can go in and just check and just verify the security of the device, and it’s not all-inclusive, but it kind of gives you a really good idea of where things stand. And also just, in general, we continue to update our algorithms for signatures and things like that, and we’ll continue to do that to make sure that we’re up to date on standard protocols. Over time people will find different ways to break some of these different encryption algorithms and signing algorithms. We’ll stay on top of those and make sure we’re running the latest stuff.
John: (17:03) So this is basically the Device Manager, and what I’m basically doing here on the screen is I’m logging in to the GS2. And this is basically an embedded web application that we’ve built on the GS2. If you notice here on this login screen I’ve got a lock up in the left-hand corner, which means that this is a secure connection, and I’ve got a login screen here, so that’s kind of what you’re going to see when you go to the Device Manager.
John: (17:29) And by the way, the Device Manager, you can actually run it from the desktop on the processor itself. There’s, uh, you can run it there, or you can actually run it directly with a web browser. And we support basically Chrome as the primary one, Firefox, and I believe Edge, and it will work on IE, but of course, Microsoft doesn’t support IE anymore. So now when you come into the Device Manager, there’s a couple things. We actually do have a view of the cameras. We’ll be adding some other stuff to the screen. But the idea is that you can go in and just do a quick troubleshoot, just quickly troubleshoot cameras. This isn’t really intended to view the cameras long term like you might do in the Client, but it is a way to go check and say, hey, are my cameras online? If they’re not online the green dot will be red. You won’t see the camera, but it’s a good way to check it very quickly to make sure that the camera’s working. We have a diagnostic tab, and there’s a whole bunch of stuff in here. I’m not going to go through all of it today, but we do have a user’s guide that is published on support.gridsmart.com. We’ll refer to that again. It will go through a lot more of this stuff in detail. But the idea is that diagnostic things you can check, basically whether DNS is working. You can verify the time is correct. There is temperature logging, some other things like that. So I’d encourage you, if you’ve got a GS2, go in there and take a look at some of the stuff. Some of it may not mean a whole lot, but you can check and see DNS is working, you can do a bunch of other stuff as well. And we’ll walk through some of it, but I don’t have time today to go through all of it. But again, it’s all in the user’s guide.
John: (19:21) The other thing you can do in here is you can actually update your licenses. And again you can upload a license or you can also sync it off the Cloud. So you’ve got two different options there.
John: (19:32) So we have also a bunch of network settings, and we’ll kind of walk through some of these. So obviously we had this in the Client before; it’s no longer in the Client. This is where you go and set up network settings. And there’s different tabs, and we’ll walk through some of these. But again obviously go in here, check DHCP, it’ll do DHCP. Otherwise, you can enter in network addresses, your NTP server. You’ll also notice there is a button there you can click and it will sync the time up. So that’s a good way to check and make sure your DNS servers are working properly. I mean the NTP server is working properly.
John: (20:15) The other thing that we have is if you are running a modem or not running it. If you go to this modem tab under diagnostics it will show you the status of the modem whether it’s enabled or not. If it’s disabled you won’t see that it’s been disabled, but it also gives you the signal strength. So if you do have an issue with the signal strength or an antenna problem this is a good place you can stop and just take a look and make sure that your modem is actually working properly.
John: (20:42) This is actually in my office, and a good signal strength; that was in a kind of a concrete building and the modem seems to be working fine. But, uh, also some good information here for us if we have an issue with it; we can use that for troubleshooting. Now here’s kind of the interesting thing, and this replaces what we had in the Client before: this tab in here basically is where we can really turn on the Cloud. There’s a checkbox there. If I disable, uncheck that box, I’m no longer going to use the Cloud. And quite frankly, if you’re not hooking up your antenna and you don’t want to use the Cloud, I highly recommend unchecking that; you’re going to save a few CPU cycles on the processor and spend a little more time looking at traffic, which is what these things are supposed to do. And it just will run better. But if you do have it on the Cloud, it works fine. But the idea here is if you’re not going to use it, just turn it off so it doesn’t even try to make any connections, and it’ll just be much smoother to run. The other option you have here is when you go in here you can actually enable the modem or you can disable the modem. So if you don’t want to use the modem, you check “Allow GRIDSMART to Use My Network” and you can, uh, the modem is gone. And over on the right here, there’s a connectivity check where you can click on that and it will tell you the status if you’re connected to the Cloud. That’s all that basically does. But again, if you turn it off, you’re obviously not going to see that.
John: (22:14) So we made that pretty simple to do.
John: (22:19) Now I’m going to talk about a couple of things that we had to do in 19.3. So this is kind of one of the major changes. One of the things we did when we turned on the security features, what we didn’t want to do was we didn’t want to just go break a bunch of stuff, and we wanted to keep things running exactly like they did but allow you kind of to opt into things. And we were able to do that with one exception, and that was kind of when we started doing our user management. In the past, you really didn’t have to have a user name. You’d go in and put a password in and publish and do some other things like that. Now basically by default, you have to use a username and password to do a publish. The default user name is publish and the default password is listed here. But if you had a password in there before, it will not carry over to the 19.3 version. So keep that in mind when you’re updating that you will have new default passwords. But we should never have to do that again. It was just necessary in order to actually add user names, which we really didn’t have in there before. We were only using a password.
John: (23:35) And basically, if you turn on HTTPS, which means you’re going to use encrypted traffic between the Client and the processor, there’s kind of a side effect of that as well. When you do that, what ends up happening is that there’s a lot more places in the software where you have to put in a username and password. And because of that, and we limit that, we explain exactly what that is here. There are some subtle differences to how it behaves whether you have that turned on or not. So just kind of keep that in mind. And if you have any questions specifically on how that works you can go to the user guide. But also, if you get stuck and have some questions before you deploy, please reach out to our support team and we can answer any questions that you have. So as I mentioned, we do have a role-based user management, so you can come into the Device Manager. You can go to the User tab. We do have three default accounts that are set up here, and you can delete any of these except for the admin account. And of course, to access the Device Manager, you have to use the admin account, so that’s something you want to do. And something else I was going to mention. Well, first of all, change default passwords, please. I highly recommend that. But even more importantly, there is actually a law going into effect in 2/2020 in the state of California that requires all devices that are going to be networked to basically force you to change your default password before you bring them online. And of course, we do sell product in California, so we will be deploying that before the end of the year. Just something to keep in mind. But it is always a good idea, you know, to change the default passwords.
John: (25:29) So if I do want to turn on HTTPS, again which will allow the traffic from the Client to the processor to be encrypted, I simply go in under the network tab. I click Client API. I check HTTPS, and that’s all I have to do. If I want to change the default port numbers for either the API, which is the Client, or the Device Manager, I can actually update those here. So you have an option to change those. You can apply those settings, and you’ll be good to go. And that’s really all you have to do there.
John: (26:06) Now the other thing we do also is we allow you to add an SSL certificate, and we do have a self-signed certificate that we generate and install on the machine by default, and the Device Manager does use that. But you can go in and actually update the certificate and put in your own. As a best practice, if you’re going to do that, I don’t recommend you use wildcards unless you’re going to use them just for your GS2s. I would not use a wildcard certificate that you’re using on servers and other things like that. And the main reason being is that when you import a certificate in here you need two pieces of information, the certificate and the key. If you had a wildcard and you did that and somebody got a hold of it, you know, if there’s some chance any of your edge devices would get compromised, then they have your certificate information.
John: (26:54) What I would recommend, if you have the technical staff or know how to do it, is what we do: we set up our own certificate authority and we generate our own certificates for our own internal devices. And, you know, that works out very well. But you can also purchase certificates from a certificate authority and use those as well. And so that’s something that you don’t have to do, by the way. Now if you don’t put a certificate on here, what will happen is you’ll get a warning message when you connect to the Device Manager, or if you’re using the Client, you’ll get a warning message. You can certainly click through those. It’s not a problem, and all that means is that, basically, your traffic is still encrypted. It just means that your certificate cannot validate who you’re actually connecting to. But the traffic is still encrypted. And again, if you have any questions about that you can look at the user’s manual, user guide for that, and also talk to your network administrators if you have more questions, and certainly you can reach out to us as well.
John: (28:04) Of course we support, you can also set the time in here, so again, the idea is you can preconfigure on your bench. Set everything up. If you don’t have NTP, you can still manually set up time zones and set the device times.
John: (28:19) Now one of the other things we did was, I had mentioned we have like a security dashboard to go in and just quickly take a look at your security settings. And what we do basically is we look through a bunch of different settings here. We analyze the machine. We determine whether or not they have been set. And then we kind of do a little scoring here and show you exactly what you need to remediate, what actions you need to do to remediate that. If you notice on the bottom, there’s two buttons. One is “Enable USB Drive”, the other one is “Disable VNC Server”, so you can actually go in here and enable or disable your USB drives. You can disable/enable the VNC server, and of course when you do, if it’s enabled or whatever, you’ll see the check mark go from green to red. If you look here, I have VNC actually enabled right now, so that’s why it’s giving me an option to turn it off. But some of the things that we’re looking for again is, you know, have the default passwords been changed? Again, probably something that should be done. Are you using HTTPS for your Client connection? You can see whether or not it’s enabled or disabled. Have you uploaded a certificate? Are you using the Cloud? And some people go, “Well, why would Cloud be a security thing?” And what we feel like is that if you have your device connected to the Cloud and you can get alerts or you can find out when there’s an incident, it’s a lot better than just having something out there that’s not connected to anything where something could happen and you have no way of monitoring it. So that’s kind of why we put that in there. But again, these are optional settings. It’s just kind of a quick way to check and say, hey, you know, what stuff has been done on this machine without having to go digging around, anyway.
John: (30:13) And of course again, if things are turned on it will go green and you can check it. But, you know, I recommend that you review your own internal security policies and apply whatever is appropriate for your organization, and, you know, what risk level you’re willing to tolerate.
John: (30:33) And then also another feature we have is, we haven’t had a way to do remote updates in the past, and it’s been, quite frankly, a little clunky in my opinion. And we really felt like that was something we wanted to get built into this Device Manager, so now we actually have the capability to upload an update here and actually run it, and you can also use this to reboot the system. But, you know, the remote update stuff, you can drop them in here and update them pretty easily.
John: (31:04) So again, when you update stuff you can get on the Cloud. You can actually see, you know, basically when the last time the data was uploaded, last heartbeat. And none of this has really changed, but I just want to show you that screen.
John: (31:24) Now there’s a couple other things too. We had a lot of people ask us about, you know, why we don’t support ping on the device. A lot of it has to do with our firewall. A lot of it has to do with some other algorithms that we have, certain things we use ping for, for camera discovery and some other stuff. So basically from the public interface we don’t support ping. But also we realize that, you know, you need to have a way to monitor. So what we do is we do support an endpoint that you can pull up, and it will actually tell you that the device is working, if it’s working properly. And a couple of things about that that I need to mention: this is actually better than ping because ping will just tell you the device is up. It doesn’t tell you that the GS2 software is running. If this actually is monitoring correctly using this endpoint, this actually tells you that the software is working, and that’s much more valuable than just knowing whether or not a ping is working. And for what it’s worth, we’ve had a lot of requests for additional monitoring, and I will tell you that that’s something we’re spending a lot of time talking about and looking at. So this is kind of a way to do endpoint monitoring. But, you know, I wouldn’t be surprised if there were some other mechanisms that we had in the future as well. Of course, when you run this, basically you’re going to get back a string; it’ll give you the version number. This happened to be done on a 6.9 system, but it works exactly the same way on 19.3. You’ll get back the version number, and again you can put this into any kind of monitoring system and it’ll support endpoint monitoring.
John: (33:09) Also, we have another endpoint for some of you folks that are doing streams and are running Genetec. If you’re running the Genetec stuff, we actually have an endpoint for that as well. And you can use this for monitoring as well. But it’s on port 9009 as well.
John: (33:26) And then I’m going to spend a couple of minutes, this is actually something we released in 6.9. But just to walk back through it for maybe somebody who’s not familiar, or somebody who hasn’t looked into this in the past. But anyway, we have a streams module, and we basically still support this. We have RTSP using H.264 encoding, and we’re streaming cameras at about 10 frames a second, 720p for our Fish Eyes, and for our traditional cameras we’re running VGA quality video, and basically, we will interface with any RTSP compliant third party system. A lot of the systems out there may not be 100 percent compliant, but we do have a way to check and make sure that you can actually run it. And what’s nice about that is if you run that with something that will de-warp your Fish Eye at your video recorder, it gives you a very efficient way to kind of look at multiple streams at once. The one thing I want to mention, we also had some questions about this, is that all of our videos are uncompressed, and that basically has to do with the way our video tracking algorithms and things work. And we deal with uncompressed video; at some point we may be able to compress it, but at least for right now it’s going to be uncompressed, so it’s going to be a little more bandwidth than maybe some other cameras are going to have. But there is a way to get it and pull it out. The 10 megabits is extremely conservative. It’s probably less than that, but that’s what we kind of recommend at this point. And again, if you’re going to run streams you need to have adequate bandwidth. And usually what you would do is have one connection from your network video recorder end. It does require a static IP address, and then also to test it you can use VLC.
John: (35:33) So if you pull up the Client you can actually go in there and get the URL that the stream is actually connected to. It’ll be, if you look at the bottom, the RTSP URL; you’ll plug that in your NVR, and you should be good to go. And what you can do is there’s a software program a lot of you are probably familiar with called VLC, but it’s basically a video monitor, video player. You can go in there and open up the network stream and test it. And I highly recommend you do this before you plug it into your NVR. And basically, if it comes up you know you’ll get video. And what’s interesting here, and this is just a picture we took with a camera, but what this actually is, there’s two cameras that we have here. We’re bringing these over on two different streams, but we’re able to basically flatten these out on our NVR and look at that intersection, you know, a couple of different ways. There’s only two streams right there representing all six of those views. So it’s pretty nice for that.
John: (36:37) And it seems to work very well.
John: (36:43) So also on the networking side, just as far as firewall setup, I just want to reiterate a couple of things. Ports you need to have open, and not all these are required. But 8900 is for the Device Manager by default, which you can change. 8902 is for the Client, which again you can change. 5900 for VNC. But again if you don’t want to use VNC, you certainly can disable it, and then the only other thing we need, if you do want to use Cloud, you need to have 443 opened up. It will be open on the modem. We will open it on the modem as we send things out. On your public interface, you have to have that set up somewhere in your firewalls to allow that to go outbound on 443; if you’re running streams you need ports 9000-9009.
John: (37:37) But we will only open up whatever ports we need based on the number of cameras that you have. We will open up 9009 automatically, but if you have one camera it’ll open up 9000; if you have two, it will open up 9000, 9001. We basically only open up what we need.
John: (37:57) And again just a couple of things as far as security goes, and there’s a lot of different ways you can configure it, but we really do recommend that if you’re running, if you’re networking a lot of GS2s, that basically as a best practice, you separate those and at least put them on their own VLANs. One thing I don’t have on here which you know you could do is actually have firewalls out at the edge as well, but at a minimum inside your network, you know, at the demarcation point to your network, I would certainly recommend you have that firewalled off. And then kind of as a best practice, I would recommend using a jump host for Client access. So you install Clients on a Citrix farm or some kind of application server that you would use to access the actual GS2s. If you do that you’re going to have a pretty good setup. And you know it’s kind of a best practice that we’d recommend. And again the biggest thing I would say is, you know, do not set these things up, the GS2s, with public IP addresses. You’re just asking to be, asking for trouble with that.
John: (39:08) And again you know the idea of using a jump host is just to separate traffic, and you have one interface that goes to your customer network and one into your cabinet VLAN. So basically, if you’re going to run a standalone device, I mean here’s just a couple of things I would recommend. You know we really recommend using HTTPS; realize you’re gonna have to change some passwords and do a few things. But again, probably some people recommend, again, you should be changing all default passwords on all network equipment, not just our stuff. That’s just best practice of course. We also recommend that you periodically use, there’s a lot of tools out there and maps one of them, but there’s other stuff that you can use, and scan your network and look for open ports. Now do that periodically and keep an eye on things. And then last but not least, I mean the best security is physical security. I mean make sure your cabinets are not accessible, you’ve changed the locks. You know somebody can’t just go in and get access to your devices. So you know I recommend that as well.
John: (40:18) And then also so a couple of things I highly recommend that you take a look at our user guide that has all this stuff in detail and then, of course, you can also reach out to our support team. If you have any other questions and I’m gonna open it up for any questions that anybody might have.
Brooke: (40:53) All right. We’ll open the floor up to start answering your questions. So please take a moment to send those in. We’ll wait a few seconds, and start getting to those
Brooke: (41:15) Okay. Michael would like to know: What is the new default password for 19.3?
John: (41:22) Hi Michael. Thank you for your question. If you look in the, uh, if you look at the user guide, there’s actually three different user accounts. One’s a read-only account. One’s a published account, and then there’s an admin account that you would use to access the Device Manager. All the default passwords are listed in there and you can just check the user’s guide. You can see exactly what they are.
Brooke: (42:11) All right. Doug would like to know: Is there any way to utilize the SDLC bus to get time information instead of an NTP server?
John: (42:22) That’s actually a very good question. So if we actually get the message for that, which I’d have to go back and look, we don’t receive all the messages. If it’s coming from the controller, I believe that we probably could do that. And what I could do is I can do some research on that and get back to you, and that would be something we could do as a feature request. But you know I don’t see a reason why we couldn’t have that as an option. So, and you’re not the first person to ask about that as well, so.
Brooke: (43:02) All right. Keep sending those questions in. We still have time for more.
Brooke: (43:19) All right. Craig would like to know: Does it support authenticated NTP or just regular unauthenticated NTP?
John: (43:30) So right now we have just regular unauthenticated NTP, but we do have a SMTP on the roadmap so it will be coming in a future release.
Brooke: (43:51) Will there be a way to copy users and passwords from one GS2 to another?
John: (43:55) That’s another great question and that one’s come up as well already. So we are looking at a couple of different things. And one of the things that we’re looking at doing is basically deploying an LDAP Client on the device. And we’ve really kind of talked about two different things and we’d love to get some feedback on it. One was basically, kind of two different things we’re looking at. One would be to run an LDAP Client, which, again, we normally don’t talk about things we’re working on, but I will mention this one thing: we are looking at deploying an LDAP Client on the thing. So you can actually use an LDAP server for your username and password, cause we realize if you’ve got one hundred devices and you want to set up usernames, that’s probably going to be kind of a lot of trouble. The other option that we’ve kind of kicked around is actually syncing stuff from the Cloud, but we haven’t, you know. We’re definitely going to do the LDAP; if there’s interest in, you know, syncing it from the Cloud, we would be interested to hear what people think about those two options. So but we definitely, there will be some ways to simplify that because we do realize that it’s going to be cumbersome for a larger organization.
Brooke: (45:31) All right. Chris would like to know: For clarification on the checkbox to allow GRIDSMART to use my network enabling and/or disabling modem. Can you both use a local network and modem to the Cloud, or is it one or the other?
John: (45:48) So Chris, what we did, just a couple of things: in our old software it actually kind of tried to figure out which one to use. And we had to play a lot of games with binding and some other stuff, low-level stuff, and it really never really worked where we anticipated it to. The way it works now is basically it’s one or the other. And the idea is basically you pick one or the other and use it. And we did that really to simplify and kind of stabilize some of the network stuff. You know at some point we possibly could do a fallback. But you know at this time it’s basically pick one or the other.
Brooke: (46:42) All right. Eric’s asked: we noticed following beta testing there was more than one iteration of 19.3 released, but they all had the same version number 19.3. This makes it difficult to be sure we are always running the most recent version. Will all future releases be differentiated better?
John: (47:03) That’s really a great question. And quite frankly, as software developers that’s something that obviously is a big issue for us; we want to make sure we know what code we have and what we’re testing, et cetera, et cetera. But actually, if you go into the advanced diagnostics in 19.3, there’s something called the manifest. And if you pull that down, basically what it will have is a build date and it’ll also have something called a manifest. And I would go off the build date in there; that’s actually going to be the actual date that the product is built. That’s going to be actually the real version number. To keep things simple, and for better or worse, you know we have kind of what we call our customer version number and that’s 19.3, but that’s just kind of a generic version number that we use so everybody kind of knows what we’re talking about. But if you actually want to see the build version you have, you go into the manifest and click on there, and we’ll actually give you the actual date that the software is built. And that’s probably going to be the best way to tell that you have the most current version. And so that’s something that we did, and I think that will keep you square as far as what you’re running.
Brooke: (48:23) OK. Curt would like to know, he said: I changed the setting to HTTPS. When I sign in through the web browser it shows a red line through the HTTPS. Am I still considered secure?
John: (48:35) Curt, that’s a really good question, and let me explain what’s happening there. So when you turn on HTTPS, the way that works is there’s two things that happen. There’s kind of two parts to it. The first part is that all the traffic that’s being sent is actually being encrypted and decrypted when it’s sent. And that’s being done using a symmetric key, which means that there is a key that both sides know about that’s negotiated during the connection setup, so that for all the traffic being sent, if you were able to sniff the traffic on the wire with Wireshark or your favorite monitoring tool, you would not be able to actually see the payload of that particular traffic, which means you couldn’t see what was being sent. And that’s part of HTTPS. There’s another piece of that that says when I actually make a connection to another machine, am I really talking to who I think I am? And what that involves is somebody pretending to act like they are a machine on the network, and it’s called a man-in-the-middle attack or impersonation or whatever. What the certificate actually does, and I’m assuming you are using the self-signed certificate, what the certificate actually does is that certificate gets signed by a certificate authority, and when it actually is installed on the machine, it’s installed in there. When you make that connection the first thing it does is it says, are you really who you say you are? And it answers that question. Now the fact that you’re getting that warning message, it doesn’t mean that your traffic’s not secure. It just means that since you don’t have a certificate installed that has been authenticated or signed, as we say, you’re going to get the warning message saying, “Hey, you’re connecting, your traffic is going to be secure, but I’m not 100 percent sure this is who I think it is. Somebody could be impersonating you.” And it’s the same thing when you connect to a website with the little lock on the browser. It’s the exact same thing. So you can click through those warning messages as long as you know you haven’t installed a certificate. But again what I would recommend doing is basically to install a certificate. Now also in the Client you can turn those warning messages off, and I believe that will come back up every, there’s a certain period of time. It’s several days. They’ll show up from time to time just to kind of remind you that you don’t have a certificate, but it’s not required. But that was a great question.
Brooke: (51:09) Hi, Cody. You’ve asked: Can you elaborate on the RTSP a little more? How to view the live stream through Security Desk? And can we get a copy of this recording? I can answer the latter part of your question. This webinar was recorded today, and we will be sharing it through our YouTube channel and sending a link out to the registrants.
John: (51:46) Hi Cody. Yeah. Just to talk about RTSP just a little bit. So RTSP is, obviously it’s an Internet standard that basically deals with, it’s Real Time Streaming Protocol, and most of your IP cameras that are on the market today will support that. So what we actually did was, on the GS2, if you have the Performance Plus license, it will actually enable RTSP streams for the cameras that you have on the GS2. And when you do that, what it does basically is it’ll make the GS2 cameras look like just another IP camera that you would go buy from any camera manufacturer on the market. And typically what you would do is, if you have a piece of recording software like Genetec or Century, there’s dozens of manufacturers that make software to record cameras, then you have the ability to actually set our GS2 up, make it look like an IP camera, and then stream the data and actually record it. And so that’s basically it. Now the tool that I was showing you, VLC, is just a player that you can use. You can go and view a camera with that, or any IP camera, but that’s really all that’s about. And again if I didn’t completely answer your question or whatever, you know, feel free to reach out, but that’s kind of the gist of it. Hopefully, that was helpful.
Brooke: (53:31) Curt would like to know: How do we go about getting a certificate for the HTTPS?
John: (53:37) Curt, that’s a great question as well. So there’s a couple different ways you can do it. The easiest way, you can go to, really there’s people, there’s actually providers out there, uh, certificate authorities that actually will sell SSL certificates. GoDaddy is one of them, and there’s several others out there. You can google SSL certificate, and I’m sure you’ll get tons of people wanting to provide those to you. So that’s one way to do it. The other way that you can do it, if you don’t want to purchase them, you can actually generate a certificate authority on your network and actually generate your own certificates. There’s a little bit of work involved with doing that, but you know it’s something that definitely can be done, and I would recommend, if it’s something you are interested in doing, you know, reach out to your network administrators, and you know, they probably can help you. But worst case, you can go to GoDaddy and grab certificates from there.
Brooke: (54:37) All right. We have time for one more question. So if you’ve been holding out on asking a question go ahead and send it in, and we’ll give you a few moments to do that.
Brooke: (55:03) All right. That concludes our webinar today. We appreciate you so much for taking time out of your day to join us and for asking your really thoughtful questions. If your question did not get answered, or if you didn’t want to ask today, feel free to reach out to us at firstname.lastname@example.org, and we will be sure to get you a very timely response. A recording of this webinar will be uploaded to our YouTube channel, and we will send a link out to all the registrants.
Brooke: (55:33) All right. We have one question coming in. Will this webinar be available to download to share with our staff? Absolutely. We’ll get that link sent out to you this week. Thank you all for joining us.
John: (55:47) Thank you very much.