Some test results on why I built this BMS VPN solution the way I did along with some speculation on download time impacts.
I’ve been following Thinkst for a while and I love to hear Haroon Meer get interviewed as he has some amazing viewpoints. You can catch him quite a bit on Risky.biz which is worth a listen.
I think I would like to deploy one of their canary devices but can’t swing the price at the moment for a home lab but I’m trying to convince work, unfortunately to be truly effective we would need a dozen or two. Been thinking about the OpenCanary product and seems like now would be the time to get started on that as they just pushed some updates.
I’ve also deployed quite a few of their free tokens in sensitive places. Luckily so far I’ve only caught myself blundering around which is good! They also have a blurb explaining what that’s all about.
Basically if you are reading this blog these are some basic things that you might want to deploy to make sure you are the only one inside your network.
These articles make some assumptions and hopefully these are familiar to you;
- You are a BMS vendor or service BMS systems for your customers.
- You have BMS equipment on customer networks that you do not control.
Point 2 is the especially difficult part that you are likely already very familiar with. Generally many BMS vendors stick the network architecture and management of these IT issues on the customer. We can help them with requirements but dealing with BMS is never going to be a priority for IT, or maybe your customer doesn’t have an IT person. You are likely also aware of the classic conflict between facilities management and IT, facilities wants to put a bunch of esoteric device on the network and IT wants to do everything they can to keep these suspicious devices with open protocols off of the network. Frankly BMS vendors have a justifiably bad reputation for IT security issues which is going to be an attitude you will have to turn around. The only way I know to do that is show that you have a thorough understanding of the vulnerabilities your devices have and demonstrate how you are mitigating that risk.
I don’t claim ownership of any of this information, these are things that are freely available in many places. The goal here is to put together a system that works with all the necessary information in one place.
A note and an apology:
I have done a lot of browsing and reading on OpenVPN and I see so many support question posts saying “x stopped working but OpenVPN says it is connected”. Most OpenVPN articles don’t really cover the infrastructure around the tunnel. Without understanding what’s going on in the network you won’t ever be completely successful, and that’s why this collection of articles are a little long.
My name is Scott Jalbert and I’m creating a little blog to discuss some things I am working on now and again.