Safely accessing Node-RED over the Internet

NOTES:

  • This is a large and complex subject. So this FAQ is likely to be a work-in-progress for some time.
  • This FAQ MUST NOT be taken as gospel or as professional advice. The information is shared in good faith but with no guarantees. Get the input of professionals and get your system regularly security tested, at least penetration tested.

Apologies, the forum won't let me have 2 new topics open at the same time, I will come back to this when time permits. In the meantime, please feel free to add suggestions for content and links to existing resources.

Overview of options

There are two main options for making Node-RED endpoints available over the Internet.

  1. A Virtual Private Network (VPN)

    There are a number of different types of VPN so I'll summarise them separately. Broadly, there are 3 types but only 2 help in this case.

    What most people think of as a VPN provides an encrypted "tunnel" over a more open network. Whatever is connected at the remote end of the tunnel appears as though they are on the local end. In other words, a VPN of this type extends your local network to a remote device or site. This has its own dangers in that you may be opening your network to a less well-managed device or site, one that may be vulnerable or be compromised which may then compromise your local network. So doing this kind of VPN right is a serious excercies and not to be undertaken lightly.

    The 2nd type of useful VPN uses a 3rd-party intermediate and a utility on a local server to facilitate limited connections between a remote device and a local device or network. These are sometimes referred to as HTTP VPN's. They create a tunnel over HTTP rather than at the lower level of the other VPN types. This makes them much easier to set up typically. However, you have to trust the 3rd-party. And, many of these services are not secure by default - they allow unencrypted traffic, something that you must NEVER allow over the Internet - no excuses.

    The 3rd type of VPN is the type that you use to obfuscate your origin on the Internet, generally to access services that are limited to a specific locality. These are not suitable for this use-case.

  2. TCP/IP direct access

    This is probably what most people think of when they think about sharing web-based services over the Internet. HTTP that underpins the web is a TCP/IP based service. If you have ever just enabled access to Node-RED over the Internet, you are in this space.

    In this case, you are allowing access from potentially billions of external devices to your local network and do a device on that network that may not be (almost certainly isn't) secure. Within 30 seconds of connecting a new network device to the Internet, it will be scanned by bots and occasionally real people who are all looking for entry to free resources. Either for the purpose of stealing information of value (like identities), stealing computing power (to allow them to go hack other people or hide their illegal activities), or simply to cause havoc for the sake of it. If bots can be bothered to access IP cameras (that have tiny amounts of processing power), they will be bothered to use your poorly secured devices. We HAVE seen instances of specific hacks on Node-RED in addition to the "normal" vulnerabilities of any device running services accessible to the Internet.

    So, you need to take some steps to at least secure what access is allowed from the Internet and you will need various tools to help with that. It is hard to get right and easy to mess up. If you are not an expert, you will need lots of time to make sure you get things reasonably secure. And even then, you should have your setup professionally tested if you are running anything of value. You will also need some ongoing processes because vulnerabilities are constantly changing. Once you have started, the only way to stop is to turn off access completely. So make sure you are prepared to keep going and have the time and resources to commit to your service (even if it is only for you and a few friends).

    Also note that this option is what you are using if you make use of a cloud-based server whether that is from a cloud service provider (Azure, AWS, etc) or from a VPS or shared server service provider. So I won't be covering that separately. Just note that you have fewer security options when working with a VPS or shared server. In the case of a VPS, you are reliant on the service provider for a main firwall (it will be a fixed, shared configuration) and on an OS-level local firewall for your specific controls - not as secure but probably good enough for most things. For a shared server, you will be dependent on what the service provider lets you do. In most cases shared servers are not suitable for running Node-RED anyway.

I will break down the three broad approaches in separate posts to this thread. Please do chip in with other comments though.

2 Likes

This topic was automatically opened after 13 hours.