Need tips for perspective security

Hi!
I want everyone in my household to be able to access the perspective app without having to authenticate with a password.

At the same time I will set up my gateway with SSL for accessing the system externally. Here I will of course use a password.

All trusted devices (on my wifi) have manually set up IP addresses, based on MAC addresses.

My initial thought here was to map all local/fixed IP addresses into a public security level. And give this security level client access to the Perspective project.

The rest of the clients (external, or guest wifi) will have to authenticate.

Is this possible, and safe? Any comments?

Just some sidenotes:

  • I am running the whole system on a RPI4
  • I am running all systems in a dockerized environment
  • Using Home Assistant & Node-RED as backend apps, which I will also set up with SSL to enable Google voice commands.

Really appreciate your input!

1 Like

I would suggest installing a VPN server (could be installed on your RPi). Then remote users can connect over VPN to the local network.

This will have more guarantees to be secure.

If you don’t want that, you’ll probably have to figure something out with security zones (https://docs.inductiveautomation.com/display/DOC80/Security+Zones)

1 Like

I also think that a VPN connection is the easiest way to secure the system. But then the household must first access the VPN app in order to use the perspective app, which is kind of the same hassle as a password.

As per your link, I wonder if using only security zones is secure enough.

Can someone verify/comment on whether using security zones to allow local users to not use a password is secure with regard to external (SSL) connections?

Are the security zones there to just block access within Ignition, or do they actually have the “stopping” power of a firewall (are security zones just a top-layer software block?). Not a good question, but I am not sure how to explain my concern any better.
Edit: Can an external user that has been allowed through the modem/router firewall somehow hack their Ignition authentication level?

Check out WireGuard. Super easy to configure, roams in and out of the house when configured properly, and not chatty. I use it to secure home and business systems.

3 Likes

Thank you Kyle, I will give it a go with WireGuard for both iOS and Android devices.