    What NOT to spend time/resource developing

    Firmware wishlist
    • Danal

      I want to open a somewhat sensitive subject. I have fairly strong opinions on this; nonetheless, I have an open mind and would like to hear other perspectives.

      I believe that Duet Firmware developers should not spend time on developing security any further (or not much further) than it exists today.

      Why? The heart and soul of my belief emerges from the combination of these three statements:

      • Wave a magic wand, and assume for the moment that Duet firmware implements full and proper HTTPS support. I STILL would NEVER expose a Duet directly to the public internet. I would insist on a proxy between the Duet and the internet. Always.

      • If the "Local Network Segment" on which the Duet is present becomes compromised to the extent that "packets in the clear" to/from the Duet are at risk,
        then improper operation of a 3D printer is the least of your worries.

      • Like it or not, there is a limited amount of resource that can go into coding Duet firmware.

      Security is all about controls. Encrypting the app to app connection with HTTPS, so that you don't have to depend on the security of the "pipe" is a form of control. So is physical security. So is WiFi security. Etc. In the case of the Duet, I'm proposing that control of the network segment on which it resides is sufficient, and I'm further proposing that spending time on other security controls will accomplish nothing. In particular, any amount of time invested will never make it prudent to put a Duet on the Public Internet… so we are always back at controlling the local segment (I'm being intentionally vague about "Physical Segment" vs. "IP Subnet".)

      Given the three statements above, and focusing on the third one for a moment, I would like to campaign very strongly for spending Duet coding resources on features, not on security beyond the items already implemented today.
      .
      .
      .
      Now, your perspectives please. While I certainly do not control this topic just because I posted the opening comment, may I encourage discussion to be along the following lines?

      Do you find any of those three statements to be invalid?

      Do you find the synthesis of the three leading to a different conclusion?

      Is there a fourth (or fifth or…) statement that would change the conclusion?

      What else?
      .
      .
      .
      P.S. I understand the concept of "Defense in Depth". In fact, my network and computer security background goes back to writing some of the first software for bank-bank communication ever certified by the Federal Reserve, and it comes forward to current (literally today) consulting with Fortune 50 companies on overall information security architecture and specific protection strategies. In fact, it is this background that often makes me think beyond the "checklist" items of info security, such as HTTPS, and approach it from a controls perspective. (Maybe all of this PS is bragging; however, I intend it to "level set" the discussion and encourage people to skip over some of the very basics).

      Delta / Kossel printer fanatic

      • DjDemonD

        I find the security as it stands to be more than adequate. If I need to control a Duet-equipped printer from outside of my network I will connect to a computer on that network via TeamViewer or similar and control it. Mainly to shut it off if I think the print has failed or I can see smoke coming out of it.

        Simon. Precision Piezo Z-Probe Technology
        www.precisionpiezo.co.uk
        PT1000 cartridge sensors NOW IN, just attach to your Duet board directly!

        • deckingman

          I agree with the OP, although I am a complete layman in this respect. Duet is a consumer product, just like a NAS or network-attached inkjet or laser printer that anyone might hook up to their home network. If someone really wants to steal one's bank details, making the Duet more secure is probably not where one should be spending resources.

          Ian
          https://somei3deas.wordpress.com/
          https://www.youtube.com/@deckingman

          • okercho

            Totally agree… I don't think SSL or auth is needed for this. I'm using a VPN when I want to access it from outside my house, and from inside... if someone accesses my network, I have more things to be worried about than the printer.

            Cheers

            Okercho
            Custom Prusa i3 Hephestos with Duet Wi-Fi
            E3d V6 with Bondtech BMG DirectDrive and PrecisionPiezo Sensor
            Rebuilding Hypercube Evolution

            • T3P3Tony administrators

              Thanks for starting this conversation, Danal. It will be helpful to get people's views.

              My personal opinion is that the Duet is not an "IoT" device. There have been a large number of security scares around IoT devices because they are both in your home, with some form of physical interaction or logging, and connected to the internet. A 3D printer, as a machine tool, should not be connected to the internet; it should be kept on the local network.

              Adding a cloud service or something like that would increase the security risks; however, no internet access is required to use the Duet, which is important.

              That said, adding a network interface to anything means people will put it on the internet, even if it's against the advice of the manufacturer.

              www.duet3d.com

              • resam

                I also agree with the general statement the OP made. No need for a custom TLS stack in the firmware.
                Unless the ESP8266 offers this as a kind of built-in feature, which would mean the DuetEthernet cannot benefit from it.

                However, I would appreciate having a guide or page in the new wiki (or at least some ideas) on "how" one would be able to securely connect a Duet to the Internet. Reverse proxy, VPN, computer with TeamViewer/VNC/etc. I know that everyone's environment is different, so at least a few common pointers or keywords would be nice.

                • Danal

                  @T3P3Tony:

                  That said, adding a network interface to anything means people will put it on the internet, even if it's against the advice of the manufacturer.

                  I wish this forum supported a smiley about the size of a dinner plate.

                  Delta / Kossel printer fanatic

                  • Danal

                    @resam:

                    However, I would appreciate having a guide or page in the new wiki (or at least some ideas) on "how" one would be able to securely connect a Duet to the Internet. Reverse proxy, VPN, computer with TeamViewer/VNC/etc. I know that everyone's environment is different, so at least a few common pointers or keywords would be nice.

                    I believe the Wiki is now a true Wiki, meaning we can all edit it. I'll take a shot at this page; it will be a few days before I can start.

                    Delta / Kossel printer fanatic

                    • kraegar

                      I'll be taking my Duet-equipped printer to MRRF, a printer fest. I plan to shut off the WiFi so no one messes with it. It's the one time I wish the WiFi was more secure (or that I had a Duet Ethernet).

                      That said, the other 363 days a year I couldn't care less about security on my Duets.

                      Co-Creator of the RailcoreII CoreXY printer
                      https://www.thingiverse.com/thing:2407174

                      • DjDemonD

                        Why not take a mini router, connect it to it and then connect to a PC? If it's password protected it shouldn't be accessible to anyone else there.

                        Simon. Precision Piezo Z-Probe Technology
                        www.precisionpiezo.co.uk
                        PT1000 cartridge sensors NOW IN, just attach to your Duet board directly!

                        • tomasf

                          Statement #2 is the one I don't fully agree with. Some printers will run on networks that aren't totally private. This isn't ideal, but it's reality. Just because someone accesses my network shouldn't mean everything on it is wide open to abuse.

                          Any device on a network should implement basic authentication. Even if we can't have TLS any time soon, standard session-based auth (the kind used by normal websites) would be enormously better than nothing (or rather, the flawed authentication that already exists).

                          • kraegar

                            @DjDemonD:

                            Why not take a mini router, connect it to it and then connect to a PC? If it's password protected it shouldn't be accessible to anyone else there.

                            I did that last year. The WiFi was extremely crowded with SSIDs from people doing that same thing, and connectivity was horrible. Honestly, I think Ethernet is the only way to go there.

                            Co-Creator of the RailcoreII CoreXY printer
                            https://www.thingiverse.com/thing:2407174

                            • DjDemonD

                              It's a shame that Duet3D didn't make the network system modular from the off, with swappable WiFi/Ethernet modules, but the retrospectoscope is rather an accurate instrument.

                              Simon. Precision Piezo Z-Probe Technology
                              www.precisionpiezo.co.uk
                              PT1000 cartridge sensors NOW IN, just attach to your Duet board directly!

                              • dc42 administrators

                                @kraegar:

                                @DjDemonD:

                                Why not take a mini router, connect it to it and then connect to a PC? If it's password protected it shouldn't be accessible to anyone else there.

                                I did that last year. The WiFi was extremely crowded with SSIDs from people doing that same thing, and connectivity was horrible. Honestly, I think Ethernet is the only way to go there.

                                Maybe run the Duet in AP mode?

                                Duet WiFi hardware designer and firmware engineer
                                Please do not ask me for Duet support via PM or email, use the forum
                                http://www.escher3d.com, https://miscsolutions.wordpress.com

                                • kraegar

                                  @dc42:

                                  @kraegar:

                                  @DjDemonD:

                                  Why not take a mini router, connect it to it and then connect to a PC? If it's password protected it shouldn't be accessible to anyone else there.

                                  I did that last year. The WiFi was extremely crowded with SSIDs from people doing that same thing, and connectivity was horrible. Honestly, I think Ethernet is the only way to go there.

                                  Maybe run the Duet in AP mode?

                                  Not a bad plan. May try it. Just enough web connectivity to upload STLs if needed is all I really need, though. For the most part I just run demo prints at MRRF.

                                  Co-Creator of the RailcoreII CoreXY printer
                                  https://www.thingiverse.com/thing:2407174

                                  • JohnOCFII

                                    @Danal:

                                    I want to open a somewhat sensitive subject. I have fairly strong opinions on this; nonetheless, I have an open mind and would like to hear other perspectives.

                                    I believe that Duet Firmware developers should not spend time on developing security any further (or not much further) than it exists today.

                                    I'm in conceptual agreement.

                                    My only concern is that it seems browser vendors are moving away from support of HTTP. I'd want to ensure the firmware keeps up enough with the industry to avoid situations where people have to jump through hoops to use it.

                                    Examples of industry discussion:

                                    http://www.zdnet.com/article/google-tightens-noose-on-http-chrome-to-stick-not-secure-on-pages-with-search-fields/
                                    https://blog.mozilla.org/security/2015/04/30/deprecating-non-secure-http/

                                    John

                                    • DjDemonD

                                      @kraegar:

                                      @dc42:

                                      @kraegar:

                                      @DjDemonD:

                                      Why not take a mini router, connect it to it and then connect to a PC? If it's password protected it shouldn't be accessible to anyone else there.

                                      I did that last year. The WiFi was extremely crowded with SSIDs from people doing that same thing, and connectivity was horrible. Honestly, I think Ethernet is the only way to go there.

                                      Maybe run the Duet in AP mode?

                                      Not a bad plan. May try it. Just enough web connectivity to upload STLs if needed is all I really need, though. For the most part I just run demo prints at MRRF.

                                      Can you upload a file to a Duet over USB to be started from the PanelDue? And leave WiFi off.

                                      Simon. Precision Piezo Z-Probe Technology
                                      www.precisionpiezo.co.uk
                                      PT1000 cartridge sensors NOW IN, just attach to your Duet board directly!

                                      • Danal

                                        If you take your printer to a show, and you do NOT need WiFi, you need to change nothing, assuming the WiFi at your home has WPA2 and a password. The SSID/password will not be present at the show, and the printer will connect to nothing. Absolutely secure.

                                        If you DO need WiFi, put the Duet in "Access Point" mode with an SSID and password that you use only for that show. That way, you can connect, but no one else can. Absolutely secure.

                                        No router needed, in either case. The security is at the WPA2 level, not the Duet.

                                        Delta / Kossel printer fanatic

                                        • Markdnd

                                          Another thing to bear in mind is that, although you can use a self-signed certificate, it would only stop casual snooping and is easily spoofed. To implement SSL properly (and stop browsers and web security packages bleating) would require an official SSL certificate per printer at a cost of about £40 per year.

                                          And for what? To stop someone who already has full access to your network sniffing the username and password that most people probably haven't set in the first place.

                                          A simpler solution would be to implement a whitelist of MAC addresses that the printer will allow to connect to it. Still not exactly rocket science to defeat, I accept, but it would stop accidental connections and block the casual experimenter at public events.

                                          Better still, get a cheap (£15) wireless AP and put it right next to your Duet WiFi, then use an Ethernet connection from your PC/laptop to it. This effectively turns the Duet into an Ethernet model with a private network. (Surround it with a Faraday cage if you want to get even more isolation.)

                                          • Danal

                                            @Markdnd:

                                            Better still, get a cheap (£15) wireless AP and put it right next to your Duet WiFi, then use an Ethernet connection from your PC/laptop to it. This effectively turns the Duet into an Ethernet model with a private network. (Surround it with a Faraday cage if you want to get even more isolation.)

                                            Duet itself has AP mode. With WPA2. No extra router needed.

                                            Delta / Kossel printer fanatic

                                            Unless otherwise noted, all forum content is licensed under CC-BY-SA