Why a secure cloud service is an important consideration...

Terence · Nov 6, 2017

...when choosing an aquarium monitoring and control system.

It has occurred to me lately that it may not be entirely obvious how important we think a cloud service is to the aquarium controller experience.

It has been about three years since we introduced Apex Fusion, our free cloud service to access the Apex system.

Before Apex Fusion, in order to access your aquarium from outside your home, you had to jump through some pretty complex hoops, and expose yourself to potential internet threats that are increasing every day in occurrence and potential for loss of personal data.

We feel that if the method to access to a controller from the outside requires that you reconfigure your router to allow port forwarding on port 80, or any other port, along with dynamic DNS, be EXTREMELY wary. Not only can is configuration complicated and cumbersome, but more worrisome is that you may not be the only one that is using that path to access your internal network.

On the other hand, when you use Apex fusion, your Apex goes from the inside - to the Apex Fusion server to give it the information it needs and also take commands you give it. When you access your Apex, you never access it directly, you access the Apex Fusion server only. This way, the client system does not need to go directly from the outside (internet) to your private inside network.

It is our opinion also that the customer should not be 100% dependent on the cloud-service. That is why the Apex has a built-in web server with a user interface that mirrors that of Apex Fusion. This way, even if your internet service is down, you can still access your Apex from your phone, tablet, computer, or any device with a web browser.

I just wanted to post this to help make things clearer the difference in operation between these two methods.

ca1ore · Nov 7, 2017

Never could muster up the energy to delve into the 'seedy' world of port forwarding. Been very happy with fusion.

Reef Monkie · Nov 7, 2017

Terence said:
We feel that if the method to access to a controller from the outside requires that you reconfigure your router to allow port forwarding on port 80, or any other port, along with dynamic DNS, be EXTREMELY wary. Not only can is configuration complicated and cumbersome, but more worrisome is that you may not be the only one that is using that path to access your internal network.

Now I am not a expert on network security by any means but I do take issue with some of the statements made here, although I am glad that you said 'we feel' as that seems a pretty accurate way to characterise the information presented.

Port forwarding is not hard, it is one simple setting in the home router that anyone of any level of 'expertise' can set up.

I think computer security can be described to be based upon trust. If one allows access to port 80 to our networks to a device (the controller) one has to trust that our router is secure and up to date (but we have to trust that anyway or none of this matters) and we have to trust that the device (the controller) is secure from being exploited. So for this setup we have to have one extra level of trust to believe our home network is secure. Not only that but a aquarium controller on someone's home network is a tiny target (unless you are some high ranking government official or something).

In contrast a corporation is quite a large and complex target of much more interest to your 'average' hacker and has many levels of trust involved, we have to trust that a controller manufacturer has perfect network security, that all of the many devices on its network are up to date and secure, we have to trust that all employees that have access to this network follow security protocols perfectly and use complex passwords. We then have to trust that this cloud service is actually secure (which leads to a whole new string of trust issues that I wont repeat) and that every employee of the controller manufacturer that has access to the cloud services follows security protocols perfectly. And then we have to trust that the software made by the controller manufacturer to enable all this is secure.

As anyone that reads the news will know the best security companies, the biggest corporations, and important individuals with good reasons to take computer security seriously find it very hard to actually keep their networks secure, 'all' of these types of targets are breached at a staggering rate by hackers.

Because of this I think it would be naive to think that a 'random' controller manufacturer in the aquarium industry is able to say that it has 'perfect' security on its network and can make the statement that it is safer to trust their security, with all those levels of trust issues, when compared to a simple home network with port forwarding for a single port to a single device.

I don't want to start a argument, I just felt it was warranted that some balance was provided to the statement made by a sales/marketing executive as I think it is fair to think that they are unlikely to also be experts on network security (although I could be wrong with that assumption).

Cangin · Nov 7, 2017

Reef Monkie said:
Now I am not a expert on network security by any means but I do take issue with some of the statements made here, although I am glad that you said 'we feel' as that seems a pretty accurate way to characterise the information presented.

Port forwarding is not hard, it is one simple setting in the home router that anyone of any level of 'expertise' can set up.

I think computer security can be described to be based upon trust. If one allows access to port 80 to our networks to a device (the controller) one has to trust that our router is secure and up to date (but we have to trust that anyway or none of this matters) and we have to trust that the device (the controller) is secure from being exploited. So for this setup we have to have one extra level of trust to believe our home network is secure. Not only that but a aquarium controller on someone's home network is a tiny target (unless you are some high ranking government official or something).

In contrast a corporation is quite a large and complex target of much more interest to your 'average' hacker and has many levels of trust involved, we have to trust that a controller manufacturer has perfect network security, that all of the many devices on its network are up to date and secure, we have to trust that all employees that have access to this network follow security protocols perfectly and use complex passwords. We then have to trust that this cloud service is actually secure (which leads to a whole new string of trust issues that I wont repeat) and that every employee of the controller manufacturer that has access to the cloud services follows security protocols perfectly. And then we have to trust that the software made by the controller manufacturer to enable all this is secure.

As anyone that reads the news will know the best security companies, the biggest corporations, and important individuals with good reasons to take computer security seriously find it very hard to actually keep their networks secure, 'all' of these types of targets are breached at a staggering rate by hackers.

Because of this I think it would be naive to think that a 'random' controller manufacturer in the aquarium industry is able to say that it has 'perfect' security on its network and can make the statement that it is safer to trust their security, with all those levels of trust issues, when compared to a simple home network with port forwarding for a single port to a single device.

I don't want to start a argument, I just felt it was warranted that some balance was provided to the statement made by a sales/marketing executive as I think it is fair to think that they are unlikely to also be experts on network security (although I could be wrong with that assumption).

Reef Monkey,

First off, great post. I was reading your post this morning and was compelled to respond. I've been a software developer on the server side of things since before it was done on the Internet and have seen security go through it's up's and downs.

As you stated, 'Port Forwarding' is maybe not that hard to do. That being said, try talking my Dad through it sometime lol. The real issue here is opening up a hole in your firewall which allows TCP (HTTP) traffic from the outside of your firewall directly to a device on the inside of your firewall. Apex Fusion solves this problem by not directly connecting to your Apex from the outside. Rather, your Apex reaches out to ApexFusion therefore there is no 'Port Forward' needed and no holes being poked in your firewall. As far as I know, Apex Fusion cannot 'reach out' and connect to your controller since it has no access to your local network. The Apex on your side must initiate that connection.

As far as the security footprint you talk about. The comparison between one node on the vast Internet vs a large company is fair. However, IMHO security is only as good as the weakest link. The argument you make is 'security through obscurity' and does have some merit. However, I've seen this fail time and time again. The fact is, the built in web servers that these devices have were never intended to be ultra secure Internet hosted devices. As such, the security of them can be less than what an Enterprise network can provide.

To your point about hackers and how all the big guys seem to get hacked, I don't belive that there is any current system which is 100% secure if it's visible on (or perhaps just connected to) the Internet. New exploits get found every day it seems. It's all a cat and mouse game. I 100% agree that the marketing fluff makes things seem like utopia, which of course may not be totally accurate.

I have a first gen Apex that I got right after it came out. Still runs strong (albiet not without some issues). Given my software development background, I've followed the development of the Apex and Apex Fusion since day one. The development team they have working on the Apex platform have really gone the right direction with their development over the years. In my opinion, ApexFusion is far more secure that self hosting your Apex directly on the Internet. I won't say it's 100% hacker proof, I don't belive that's possible right now. I will say however, that given the fact they are most likely running on one of the large cloud providers that they are very likely running best-of-breed network security products that your local network simply cannot provide.

My advice, stick to Apex Fusion if you wish to have outside access to your controller. It's far more secure.

Just my 2 CU

Reef Monkie · Nov 7, 2017

Cangin said:
Reef Monkey,

First off, great post. I was reading your post this morning and was compelled to respond. I've been a software developer on the server side of things since before it was done on the Internet and have seen security go through it's up's and downs.

As you stated, 'Port Forwarding' is maybe not that hard to do. That being said, try talking my Dad through it sometime lol. The real issue here is opening up a hole in your firewall which allows TCP (HTTP) traffic from the outside of your firewall directly to a device on the inside of your firewall. Apex Fusion solves this problem by not directly connecting to your Apex from the outside. Rather, your Apex reaches out to ApexFusion therefore there is no 'Port Forward' needed and no holes being poked in your firewall. As far as I know, Apex Fusion cannot 'reach out' and connect to your controller since it has no access to your local network. The Apex on your side must initiate that connection.

I think the way to compare it to make it understandable to everyone is that if someone came and said that street names were dangerous, and that house numbers were dangerous, or that putting a name label on your door or at your apartment buzzer is dangerous because some random person from around the world could use that information to turn up at your door and 'do bad things'. That 'bad person' would first have to find your address/number/name and think that warrants choosing you over all the billions of other streets/houses. If that is security through obscurity then it works.

Forwarding a port on a router doesn't advertise to the world that you are hackable, someone still has to find you among all the billions of routers on the internet and decide you are a better target, and then to do what? To mess with the settings on your aquarium controller? If given the choice of targets between a controller manufacturer, a cloud service, or some random persons home network then what is a attractive target? If one wants to mess with peoples controllers then surely the 'fun' is in messing with all of them not one.

Also, gaining access to a device on the network on a single port via a single protocol doesn't give hackers access to every single file on every device on your network and for a sales executive from a manufacturer to imply that to people who might not realise this is highly misleading in my eyes. TCP traffic isn't dangerous unless there is a service available on that port that has the capacity to do dangerous things. A web interface on a aquarium controller would seem to be very low on the list of dangerous things one could have on a network, it is not some magical 'hacker device'.

I have had ports forwarded on my home networks since the last century (that sounds impressive lol) and have never been breached by a hacker, and I have run some targets that are much more attractive to malicious people that a aquarium controller, like computer game servers. And that without being a computer expert, I just keep my systems up to date and run the appropriate security software ( a virus scanner/firewall).

I hope you understand why I felt compelled to reply to the original comment, and yours, and that I take issue with the statement that 'controller X is far more secure'. The only way to know a controller is secure is if the manufacturer publishes a security audit by a respectable security company that states that their software, network, and cloud service is secure, and how this was tested.

Terence · Nov 7, 2017

Reef Monkie said:
Port forwarding is not hard, it is one simple setting in the home router that anyone of any level of 'expertise' can set up.

I think computer security can be described to be based upon trust. If one allows access to port 80 to our networks to a device (the controller) one has to trust that our router is secure and up to date (but we have to trust that anyway or none of this matters) and we have to trust that the device (the controller) is secure from being exploited. So for this setup we have to have one extra level of trust to believe our home network is secure. Not only that but a aquarium controller on someone's home network is a tiny target (unless you are some high ranking government official or something).

While you make many fair points, these are not some of them. I say that not based on my opinion, but based on our experience as a company working with thousands of customers in support prior to Apex Fusion. In fact it is the very reason that it was created —because this is extremely difficult for customers to do (or to guide them through).

Furthermore, when (not if) some customers will do it incorrectly, they may open up a huge security hole (to other resources on their network besides the controller) by selecting other things in their router setup. Also, proper step by step guidance can never be given because there is such a range of different routers and configurations. Add to all of this that a very large percentage of home routers have big security holes in them and are not usually up to date on their firmware and customers have no clue to that fact nor do they know how to do it - or even if their router company is still around.

In a perfect world where everyone ran the exact same home configuration or had an IT person in the household or as a close family member, port forwarding may be a good idea.

If the methods we employed pre Apex Fusion were sound and easy, I can assure you we would have never gone through all the trouble and expense to create this free service.

Cangin · Nov 7, 2017

Your home address argument does not make sense to me. Every house has an address just as every TCP device has an address. The big difference is that with a house, you have to physically go to each house and pull on a door. With computers, you can scan millions of IP addresses in an hour. The chance of getting 'hit' is much higher than you think. If not, no one would lock their doors.

Port Forwarding does not 'advertise' you to the world...it just unlocks the door and places an insecure device on the inside (unless you have a HTTPS cert).

Apex Fusion also cannot access your local network. Not sure what argument your'e making here.

I've never been hacked either...but that's not the issue here. The issue is security and the potential for some sort of breach.

I'm not suggesting one controller is more secure than another. What I'm saying is that it's safer not to have ports forwarded to the inside of your firewall. This way the controller itself does not need to be 'secure', the security is out there on far more secure systems than the typical home owner is going to have.

I've been working with network security professionally for 20+ years. I won't claim to know everything, but I will say without a doubt that having ports 'forwarded' with these cheap routers/firewalls that 99% of us use with no encryption certs is not a good idea when compared to the kind of infrastructure that can be expected from any reliable cloud provider.

chipmunkofdoom2 · Nov 7, 2017

Terence said:
Furthermore, when (not if) some customers will do it incorrectly, they may open up a huge security hole (to other resources on their network besides the controller) by selecting other things in their router setup.

Yes, but an IoT device is not necessarily more secure simply because you don't have to open a port. If the device becomes compromised, the entire network is still compromised. Port forwarding only compromises your network if you make a mistake. I categorically disagree with the notion of handing over Internet security to "someone else" simply because they should know better. Most IoT companies have demonstrated that they don't know better. I don't mean to say that Apex devices are insecure: it's just that companies whose main income comes from Internet-connected devices get it wrong. A lot.

I don't argue with your point that port forwarding is more difficult than just plugging in a device. I worked help desk support for external customers for a large financial firm back in the day. I know how difficult it can be to even walk someone through logging into their account. But you're approaching this from a marketing perspective: you have a product to sell, and as a result, are claiming that your company's way to do things is best. There's nothing wrong with that, and I'm not here to talk you out of your position. However, I have a computer science degree. I have been working professionally in IT for more than half of my life. As someone who does not have anything to sell, I can say with honesty that I have grave concerns about any Internet-connected device, whether it's port-forwarded or a phone-home type (like the Apex).

If your point is that the Apex is easier to set up than a device that requires port forwarding, then you are correct. Even for professionals, it's much easier to plug in a device and go rather than plug in a device, set up a static IP for it and set up port forwarding, etc. However, it's disingenuous to claim that your device is more secure because it doesn't require port forwarding. You can't make that claim in good faith unless you open-source your code and firmware for independent review.

Newb73 · Nov 7, 2017

Just as a point to throw in.

The newest generation of Routers automatically update their firmware and security protocols.....without either the need for the owners to intervene or even know it happened.

Most home devices now have rhe ability to be set to auto push critical updates without any user involvement.

Reef Monkie · Nov 7, 2017

Terence said:
While you make many fair points, these are not some of them. I say that not based on my opinion, but based on our experience as a company working with thousands of customers in support prior to Apex Fusion. In fact it is the very reason that it was created —because this is extremely difficult for customers to do (or to guide them through).

Furthermore, when (not if) some customers will do it incorrectly, they may open up a huge security hole (to other resources on their network besides the controller) by selecting other things in their router setup. Also, proper step by step guidance can never be given because there is such a range of different routers and configurations. Add to all of this that a very large percentage of home routers have big security holes in them and are not usually up to date on their firmware and customers have no clue to that fact nor do they know how to do it - or even if their router company is still around.

In a perfect world where everyone ran the exact same home configuration or had an IT person in the household or as a close family member, port forwarding may be a good idea.

If the methods we employed pre Apex Fusion were sound and easy, I can assure you we would have never gone through all the trouble and expense to create this free service.

But Apex fusion connects to a device through the router on a persons network, what guarantee is there that your controller is secure, just because it doesn't use port forwarding doesn't magically make this way of handling things secure. We have to trust that your device is secure as we would have to trust that your competitors device is secure.

Also, you claim that home routers have big security holes and are not usually up to date, if that is the case then their network isn't secure in the first place and the whole discussion of which controller is more secure is immaterial.

Of course it is possible that someone makes a mistake with port forwarding, but that in itself doesn't magically create some great risk to ones security or give hackers magical access to the files on people's computer. Millions upon millions of ordinary people use port forwarding on their network every day without any issue and I think it is wrong to imply that this is something of significant danger.

Reef Monkie · Nov 7, 2017

Cangin said:
Your home address argument does not make sense to me. Every house has an address just as every TCP device has an address. The big difference is that with a house, you have to physically go to each house and pull on a door. With computers, you can scan millions of IP addresses in an hour. The chance of getting 'hit' is much higher than you think. If not, no one would lock their doors.

Port Forwarding does not 'advertise' you to the world...it just unlocks the door and places an insecure device on the inside (unless you have a HTTPS cert).

Apex Fusion also cannot access your local network. Not sure what argument your'e making here.

I've never been hacked either...but that's not the issue here. The issue is security and the potential for some sort of breach.

I'm not suggesting one controller is more secure than another. What I'm saying is that it's safer not to have ports forwarded to the inside of your firewall. This way the controller itself does not need to be 'secure', the security is out there on far more secure systems than the typical home owner is going to have.

I've been working with network security professionally for 20+ years. I won't claim to know everything, but I will say without a doubt that having ports 'forwarded' with these cheap routers/firewalls that 99% of us use with no encryption certs is not a good idea when compared to the kind of infrastructure that can be expected from any reliable cloud provider.

But Apex fusion does access ones network, if you can change settings in Apex fusion it then has to access the network to send commands to the Apex device that is behind the router.

And I do think that my home address argument makes sense, so what if a hacker can scan computers, he then has a list of millions of IP address with available ports and all he sees is that he can access port 80 on my network, but then what? He connects to that port and finds a web interface to a device, so what? He then has to spend hours/days figuring out what the device is, how it operates, and if it has any known security holes. If it does have known security holes he can then use a known attack against the controller, but then what? He has access to the controller and that is it.

If it doesn't have known issues or this hacker wants to use the controller to gain access to the rest of the network then this requires highly specialised skills. And then the question to ask is why would anyone bother? If I am a hacker that can gain access to devices with no published security holes, find novel security holes, and then exploit that device to gain access to the wider network then what am I doing using these highly marketable skills to bother some random person with a aquarium controller? It doesn't make any logical sense. I could be earning $100's a hour with those skills, or attacking high value targets instead.

Elder1945 · Nov 7, 2017

https://www.washingtonpost.com/news...-helped-hack-a-casino/?utm_term=.4c1b3d5c6f0e

Was this tank running a Apex?... . ..

Cangin · Nov 7, 2017

Reef Monkie said:
But Apex fusion does access ones network, if you can change settings in Apex fusion it then has to access the network to send commands to the Apex device that is behind the router.

This is where I believe your thinking is flawed. If Apex Fusion works the way I belive it does, Apex Fusion cannot just make a call out to your controller.

I can't speak for their source code specifically, but the way this typically works is that the client (your controller) hits the Apex Fusion web service and does an HTTP Post of it's config/status. Then, every few seconds (or some amount of scheduled time) your controller hits the web service again and pushes the configs/status again. This is sometimes referred to has a 'heartbeat'. Once it sends that heartbeat, it queries the Apex Fusion service for any new changes to it's config. If there are changes, it downloads them and applies them. So the 'cloud service' likely does not call into the client, the client polls the service for changes. Thus the improved security over port forwards.

HTTP is a stateless protocol and does not maintain a connection to the web server (or web service) beyond the scope of it's request/response. At least not without some trickery.

Again, just my opinion here.

Cangin · Nov 7, 2017

Elder1945 said:
https://www.washingtonpost.com/news...-helped-hack-a-casino/?utm_term=.4c1b3d5c6f0e

Was this tank running a Apex?... . ..

Almost certain if it was it was not using Apex Fusion. If it were, this would have been prevented.

Reef Monkie · Nov 7, 2017

Cangin said:
This is where I believe your thinking is flawed. If Apex Fusion works the way I belive it does, Apex Fusion cannot just make a call out to your controller.

I can't speak for their source code specifically, but the way this typically works is that the client (your controller) hits the Apex Fusion web service and does an HTTP Post of it's config/status. Then, every few seconds (or some amount of scheduled time) your controller hits the web service again and pushes the configs/status again. This is sometimes referred to has a 'heartbeat'. Once it sends that heartbeat, it queries the Apex Fusion service for any new changes to it's config. If there are changes, it downloads them and applies them. So the 'cloud service' likely does not call into the client, the client polls the service for changes. Thus the improved security over port forwards.

Again, just my opinion here.

If that is the case then I am sorry for assuming that the web service pushed changes to the device. That said that service is still a juicer target in my eyes as there is no economic gain in hacking a single aquarium controller so if one has the skills and is looking for 'fun' does one try to mess with one single controller or try to hack the whole web service and mess with all the controllers on the whole planet at once?

Pmj · Nov 7, 2017

@Reef Monkie you are discounting that many hacking tools are developed by people with "highly specialized skills" but then used by less specialized people with nothing better to do, or simply automated tools. It's always better to not have a port opening to an IoT device if you don't need it. There are some parallels in large business with Microsoft and others doing services that proxy your business applications instead of you opening a hole in your firewall, to use your example.

Cangin · Nov 7, 2017

Reef Monkie said:
If that is the case then I am sorry for assuming that the web service pushed changes to the device. That said that service is still a juicer target in my eyes as there is no economic gain in hacking a single aquarium controller so if one has the skills and is looking for 'fun' does one try to mess with one single controller or try to hack the whole web service and mess with all the controllers on the whole planet at once?

Not sure I agree with that totally. But I can accept the point you are making.

https://www.washingtonpost.com/news...-helped-hack-a-casino/?utm_term=.42c04b553cb7

Terence · Nov 7, 2017

chipmunkofdoom2 said:
I don't argue with your point that port forwarding is more difficult than just plugging in a device. I worked help desk support for external customers for a large financial firm back in the day. I know how difficult it can be to even walk someone through logging into their account. But you're approaching this from a marketing perspective: you have a product to sell, and as a result, are claiming that your company's way to do things is best. There's nothing wrong with that, and I'm not here to talk you out of your position. However, I have a computer science degree. I have been working professionally in IT for more than half of my life. As someone who does not have anything to sell, I can say with honesty that I have grave concerns about any Internet-connected device, whether it's port-forwarded or a phone-home type (like the Apex).

If your point is that the Apex is easier to set up than a device that requires port forwarding, then you are correct. Even for professionals, it's much easier to plug in a device and go rather than plug in a device, set up a static IP for it and set up port forwarding, etc. However, it's disingenuous to claim that your device is more secure because it doesn't require port forwarding. You can't make that claim in good faith unless you open-source your code and firmware for independent review.

It is harder to do. There are more places for a customer to get it wrong such as selecting inadvertently - "allow my router to be configured remotely"

You are right that IoT on its own is no guarantee of security. However I WILL make the claim that in addition to being easier to configure, our Apex Fusion cloud method IS more secure than having the average user attempt to do port forwarding on an unknown router and then leave one or more ports open for access to resource(s) inside their home firewall or select options that may make them vulnerable.

And, FWIW, I too have a Computer Science degree - and have worked in IT since 1984. [emoji6]

SharkbaitMuhaha · Nov 7, 2017

Isn't there a way to separate these devices off your main network via virtual network or guest network which has built in restrictions for a better feeling of safety?

Terence · Nov 7, 2017

SharkbaitMuhaha said:
Isn't there a way to separate these devices off your main network via virtual network or guest network which has built in restrictions for a better feeling of safety?

There are many things that can be done to increase the security in order to make a direct path into your home to a device in your internal network. The issue is that it is extremely difficult to do, many times requires more advanced hardware than the average home router, and to do it correctly and permanently, is near impossible for the average home user.