HA Security. Consensus?

@nathan32187

No apology needed…

I expect my responses are not then best… People skills are something i struggle with :slight_smile:

@klogg since you asked for a poll, here’s the opinion of a network engineer:

Basically what @bachya said: Use a reverse proxy that has nothing to do with the HASS project. Configure that proxy to require the use of a password and the use of HTTPS. I do this with NGINX that runs on a separate machine - it’s light and simple.

I consider VPN less secure because if that is compromised you potentially expose all traffic to your LAN, instead of, in all probability, just HTTP if there is an NGINX exploit.

Proxy solution is also more convenient because it doesn’t force you have your VPN software on whatever device you feel like using to connect to HASS.

@bachya also lists some excellent additional security steps that are way out of range of a typical user (though I wish some sysadmins I work with would adopt) and are not necessary to secure your HASS setup.

For your NGINX HTTPS setup, just go simple and use a self-signed cert. The job of HTTPS in this case is just to not send your proxy login details in clear text. You don’t need the cert to authenticate the identity of your URL (you aren’t a target for DNS poisoning and such).

Additional notes:

Absolutely do not consider exposing SMB to Internet in any way.

Optional: If you have the ability with your network gear do create an isolated VLAN/DMZ for all your IoT junk. Give it outbound access to Internet, but no access to your trusted LAN. This is mainly to protect, in t he event some IoT device is compromised, you LAN file shares from getting crypto-lockered for example. This point is somewhat off topic from you question, but I want people to read it.

If you have any question feel free to PM or ask openly for more details. HASS is a cool project I benefit from, so I don’t mind sharing expertise in return.

-EE

4 Likes

How are people getting your private VPN keys???

They may not be needed if an exploit is found. Which is rather unlikely. But if there were such an exploit, it would (probably) grant access to everything on your network. In case of the reverse proxy setup it would only be the host for which authentication has been bypassed.

@flamingm0e no one bothers to steal keys. Despite @danielperna84’s assertion of low probability, my team scramble to patch VPN vulnerabilities on big name network gear at least a couple of times a year. You can bet whatever consumers are using at home is equally full of holes.

Stuff like this happens all the time: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180129-asa1