KNX system hacks

    Once in a while we can read how KNX gets password protected because the network was open. Can someone explain how this happens? I thought KNX elements can only get programmed if someone presses the "prog" button. Am I wrong?

    #2
    Yes, you are wrong. You need the Prog button only one time, when you set the physical address of the device.


      #3
      So partial programming doesn't require physical press? That sounds like a security problem. What's the best approach to secure an installation? Set BCU key?


        #4
        Most important: don't expose your IP interface on the public internet. Never.

        If you want remote access, set up a VPN or use one of the available secure access modules (like Gira S1).


          #5
          Quote from Klaus Gütter:
          Most important: don't expose your IP interface on the public internet. Never.

          If you want remote access, set up a VPN or use one of the available secure access modules (like Gira S1).

          Second: protect your WLAN.

          Third: make a separate sub-line for the outdoor area and block the access to the main line in the line coupler.

          And in general: read about KNX Secure.

          According to the forum rules, one should say please and thank you! So: please and thank you!


            #6
            Quote from ergo14:
            So partial programming doesn't require physical press? That sounds like a security problem.
            That's not a security problem but a very important feature. You don't want to get on the roof every time you want to change some parameters of your weather station or take a ladder to reach your presence detector.


              #7
              OK, so setting a BCU key in the project would solve the issue of reprogramming? I've also seen a security module from MDT. Not opening the KNX network is the obvious one.


                #8
                MDT Security Module will prohibit programming, even if you have direct access to the TP line. It is password protected, but if you can physically remove it, you are out of luck.
                Regards Florian


                  #9
                  Quote from Beleuchtfix:
                  MDT Security Module will prohibit programming, even if you have direct access to the TP line. It is password protected, but if you can physically remove it, you are out of luck.
                  Regards Florian
                  It's just my own house, there is only one device outside that is on the balcony - I'm not worried about a physical third party doing any malicious manipulation. I just want to protect myself in case of network misconfiguration in my home, just in case. I just wonder if I should spend the money for the module or if setting BCU passwords will be enough. After all, the installation is expensive.


                    #10
                    Password is cheaper. If you lose it, it is just like a system hack! So write it on some of the devices in the control board.


                      #11
                      Quote from Beleuchtfix:
                      Password is cheaper. If you lose it, it is just like a system hack! So write it on some of the devices in the control board.
                      Yup, I will place it on the electrical board door so it never gets lost. So this will secure the installation well enough so it's not getting reprogrammed (I'm aware that listening and sending telegrams is still possible if I configure the network incorrectly).


                        #12
                        Quote from ergo14:
                        So this will secure the installation well enough so its not getting reprogrammed
                        Not really, it depends on the products.
                        Full support of BCU passwords is optional.
                        A lot of products do not care about the set password and are still re-programmable even without password.


                          #13
                          OK, and what's the principle of work for the MDT Secure module - I mean if the telegram is broadcasted, how does it prevent reprogramming, does it send some "scrambling" bits? There is no guarantee then that it won't reach the destination, right?


                            #14
                            If the BCU password is not supported, then nobody can set it and make the part unchangeable / unusable.


                              #15
                              Btw. I got an answer from MDT: `The SCN-SAFE.01 does not prevent manipulation the BCU Password.`

                              The security module prevents all connection-oriented accesses of the ETS, such as the programming and also the unloading of the bus devices, in the KNX line.

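What the "connection-oriented accesses" mentioned in post #15 look like on the TP line, as an added example that is not from any poster or from MDT and does not describe how the SCN-SAFE.01 works internally: it classifies standard-format TP1 L_Data frames from a bus-monitor capture by transport service and lists the connection-oriented ones. The sample frames, the addresses and the `allowed_sources` parameter are constructed for illustration.

```python
from functools import reduce

CONNECTION_ORIENTED = {"T_Connect", "T_Disconnect", "T_Data_Connected", "T_ACK", "T_NAK"}

def checksum(body: bytes) -> int:
    """TP1 check octet: bitwise-inverted XOR of all preceding octets."""
    return reduce(lambda a, b: a ^ b, body, 0) ^ 0xFF

def individual(addr: int) -> str:
    return f"{addr >> 12}.{(addr >> 8) & 0xF}.{addr & 0xFF}"

def group(addr: int) -> str:
    return f"{addr >> 11}/{(addr >> 8) & 0x7}/{addr & 0xFF}"

def classify(frame: bytes):
    """Return (source, destination, transport service) of a standard L_Data frame."""
    if len(frame) < 8 or (frame[0] & 0xD3) != 0x90:    # control field 10R1PP00
        raise ValueError("not a standard L_Data frame")
    if len(frame) != 8 + (frame[5] & 0x0F) or checksum(frame[:-1]) != frame[-1]:
        raise ValueError("bad length or checksum")
    src, dst = int.from_bytes(frame[1:3], "big"), int.from_bytes(frame[3:5], "big")
    to_group, tpci = bool(frame[5] & 0x80), frame[6]
    kind = tpci >> 6                                   # top two bits select the TPDU type
    if kind == 0:                                      # unnumbered data
        service = "T_Data_Individual"
        if to_group:
            service = "T_Data_Broadcast" if dst == 0 else "T_Data_Group"
    elif kind == 1:                                    # numbered data on an open connection
        service = "T_Data_Connected"
    elif kind == 2:                                    # unnumbered control
        service = "T_Disconnect" if tpci & 1 else "T_Connect"
    else:                                              # numbered control
        service = "T_NAK" if (tpci & 3) == 3 else "T_ACK"
    return individual(src), group(dst) if to_group else individual(dst), service

def connection_oriented(frames, allowed_sources=()):
    """List connection-oriented frames not sent by an approved programming interface."""
    hits = (classify(f) for f in frames)
    return [h for h in hits if h[2] in CONNECTION_ORIENTED and h[0] not in allowed_sources]

# Constructed sample capture; the check octet is computed here, not taken from a real bus.
SAMPLE = [bytes.fromhex(h) + bytes([checksum(bytes.fromhex(h))]) for h in (
    "BC 11 01 08 01 E1 00 81",     # 1.1.1 -> 1/0/1, ordinary group telegram
    "B0 11 FA 11 05 60 80",        # 1.1.250 -> 1.1.5, opens a connection
    "B0 11 FA 11 05 61 43 00",     # numbered data on that connection
    "B0 11 FA 11 05 60 81",        # closes the connection
)]
```

Group telegrams, which carry normal switching and sensor traffic, never show up in the result; only point-to-point sessions to an individual address do, which is the traffic class a download or unload belongs to.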