Control Network Newsletter

Newsletter Archives

With Great Power Comes Great Responsibility

The BASrouter/BASrouterLX can provide a simple and easy way to get your BACnet MS/TP devices onto the Internet. However, you should give some consideration to how this is used. Remember, with great power comes great responsibility.

The BBMD and FDR features can allow devices/PCs on the Internet to communicate with your MS/TP devices. However, once these are in place this can also allow anyone else to also communicate with your MS/TP devices. Here are some suggestions on how to best protect yourself.

  1. Change the BACnet port number you use on the Internet to something other than 47808. This is a well-known port number for BACnet. There are tools that can discover your BACnet devices using this port. Simply changing this to another value that is not associated with BACnet is a very good idea.
  2. The BASrouter has two communication port numbers. Typically, these are 80 for the webpage and 47808 for BACnet communications. When you port forward Internet communications from your Internet connected IP router to the BASrouter you can decide if you want the BASrouter’s webpages exposed as well as your BACnet communications. If you feel you need to expose your webpages, change the external port to something other than 80. This is the well-known port number for webpages. There are programs which are searching the Internet for interesting devices to talk to. They will try port 80. Change this to something not normally associated with webpages and they won’t find you. Better yet don’t expose the BASrouter webpages. This is not required during the normal operation once the device has been configured.
  3. If you do expose the webpage to the Internet, make sure you change the user name and password from the defaults. This is good advice for any IP device on the Internet and should be done even if the BASrouter is not directly on the Internet.
  4. The BASrouterLX has a "Whitelist" feature. This indicates which IP devices can communicate with your MS/TP devices. If your BASrouterLX is on the Internet, this can control who can communicate through it and only allow your devices or PCs to communicate to your connected MS/TP network.
  5. To provide the best security, use a VPN to communicate with the BASrouter or BASrouterLX. You can connect the BASrouter or BASrouterLX to our EIPR-V with the BAScloudVPN option. This will provide a secure VPN connection for the BACnet communications with your MS/TP devices over the Internet. Your PC, after loading the OpenVPN client, can communicate, in a secure manner over the Internet, through the EIPR-V to your BASrouter or BASrouterLX and then read/write your MS/TP devices. In the previous examples, you needed to perform a port forward from your Internet connected IP router to the BASrouter/BASrouterLX. With the EIPR-V and BAScloudVPN option, this is not needed. The Internet connected IP router can remain unchanged and you will still be able to communicate with your MS/TP devices over the Internet, however, with much more security.

 

Previous Story Next Story