James Bayliss

Technology Brain Dump

Using BACnet across VLANs / Subnets.

BACnet is a commonly used technology throughout building management services. It allows cross-platform communication between devices and is both an American and a European standard.

In today’s modern converged networks, it’s important that we segregate control devices such as AMX or Crestron processors (which generally tend to be on the same network as their end devices, such as touch panels and keypads) from BMS networks (subnets), to prevent unauthorised use and misuse of BACnet end devices.

Separating these devices via VLANs / subnets means that BACnet Who-Is broadcasts will need to be forwarded from their original broadcast domain to the remote one. When a Who-Is is initiated, a UDP packet on port 47808 is sent to the network’s broadcast address.

In this scenario we’re using Cisco 3850s with IP routing enabled, and two VLANs – 10 and 20.

VLAN 10 will be our originating subnet, with our “client” device. This could be a processor sending a temperature adjustment for a meeting room.

End Device communicating to BACnet:

VLAN 20 will be our building management network, which contains our BMS equipment (holding only the setpoints that we defined).

BACnet device communicating to End Device:

A few things are assumed in this scenario:

  • Layer 3 routing is enabled on the Cisco core switch (with the appropriate ACLs)
  • BACnet devices have been configured with the appropriate network settings
  • When testing (and in operation), this was used with Trend IQ Vision as the head-end BMS server and AMX processors.

Before we begin, it’s important to note that as we are routing between subnets, a correctly configured default gateway is critical in ensuring that the traffic reaches its originating source.

To start, we need UDP port 47808 to be forwarded. The ip forward-protocol command is a global configuration command, so enter global configuration mode first:

Switch(config)# ip forward-protocol udp 47808

Now we need to add an IP helper to forward the broadcasts from our VLAN 10 to VLAN 20. This is done in the configuration of the VLAN interface: from global configuration mode, select interface VLAN 10.

Switch(config)# int vlan 10
Switch(config-if)# ip helper-address <broadcast address of the VLAN 20 subnet>

This enables the switch to forward the broadcast to the subnet of the BACnet devices. We now need to allow the broadcasts to be delivered and sent back, using an ACL to prevent unauthorised access.

Switch(config)# int vlan 20
Switch(config-if)# ip directed-broadcast 20

The 20 at the end of the command indicates our ACL number (it’s good to use an ACL per network/subnet; we’re using 20 as it’s the ID of the VLAN).

ACLs are configured at the global configuration level, and generally directed broadcasts only use standard numbered ACLs.

Switch(config)# access-list 20 permit <address of the VLAN 10 client device>

Note that we are permitting the client device here, rather than the BACnet device. Additional extended ACLs should be in place to prevent further access (such as web access to the device).

Now the all-important step: don’t forget to write that configuration to the startup config!

Switch# copy running-config startup-config
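As an added example (not part of the original post), here is a small Python decoder for the BACnet/IP Who-Is frames that the helper address forwards, together with an audit that checks the frames seen on VLAN 20 against the single source that access-list 20 permits. The frame bytes and the 10.0.x.x addresses are constructed for illustration, not taken from the post.

```python
"""Decode BACnet/IP Who-Is frames (UDP 47808) and flag senders that standard
ACL 20 should not permit. Added example; every frame and address is constructed."""
WHO_IS = 0x08                          # unconfirmed-request service choice
BVLC_FUNCS = {0x0A: "Original-Unicast-NPDU", 0x0B: "Original-Broadcast-NPDU"}

def parse_bacnet(payload):
    """Parse the BVLC, NPDU and APDU headers; raise ValueError if malformed."""
    if len(payload) < 6 or payload[0] != 0x81:   # 0x81 = BVLL type for BACnet/IP
        raise ValueError("not a BVLC frame")
    func, length = payload[1], int.from_bytes(payload[2:4], "big")
    if length != len(payload) or payload[4] != 0x01:
        raise ValueError("bad BVLC length or NPDU version")
    control, pos, dnet = payload[5], 6, None
    if control & 0x20:                 # destination specifier: DNET, DLEN, DADR
        dnet = int.from_bytes(payload[pos:pos + 2], "big")
        pos += 3 + payload[pos + 2]
    if control & 0x08:                 # source specifier: SNET, SLEN, SADR
        pos += 3 + payload[pos + 2]
    pos += 1 if control & 0x20 else 0  # hop count follows the specifiers
    if control & 0x80:
        raise ValueError("network-layer message, no APDU")
    apdu = payload[pos:]
    who_is = len(apdu) >= 2 and apdu[0] >> 4 == 0x1 and apdu[1] == WHO_IS
    info = {"bvlc": BVLC_FUNCS.get(func, hex(func)), "dnet": dnet, "who_is": who_is, "range": None}
    if who_is and len(apdu) > 2:
        # Optional limits: context tags 0 and 1, tag byte = (tag << 4) | 0x08 | length
        low_len = apdu[2] & 0x07
        high_len = apdu[3 + low_len] & 0x07
        info["range"] = (int.from_bytes(apdu[3:3 + low_len], "big"),
                         int.from_bytes(apdu[4 + low_len:4 + low_len + high_len], "big"))
    return info

def audit_who_is(frames, permitted_sources):
    """Return (src_ip, range) for Who-Is frames whose sender ACL 20 should have blocked."""
    flagged = []
    for src, payload in frames:
        try:
            info = parse_bacnet(payload)
        except ValueError:
            continue                   # not BACnet or malformed: a different check's job
        if info["who_is"] and src not in permitted_sources:
            flagged.append((src, info["range"]))
    return flagged

SAMPLE_FRAMES = [  # constructed: permitted client, stray host, and a device's I-Am reply
    ("10.0.10.5", bytes.fromhex("810b000c0120ffff00ff1008")),     # global-broadcast Who-Is
    ("10.0.10.99", bytes.fromhex("810b000c01001008096419c8")),    # local Who-Is, instances 100..200
    ("10.0.20.7", bytes.fromhex("810a001401001000c4020000012205c491002100")),
]
PERMITTED_CLIENTS = {"10.0.10.5"}     # the one host permitted by access-list 20
```

Running audit_who_is(SAMPLE_FRAMES, PERMITTED_CLIENTS) flags only the stray host, which is the traffic the standard ACL on the VLAN 20 interface is there to drop.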

Cybersecurity with AV.

I was recently asked to comment on this interview with AV Technology Europe. After doing this, I thought I would look into how secure the world is for the Audio Visual industry.

It’s 2020. Things for the world of AV still aren’t in a great place. After a simple Shodan search for some of the key manufacturers (such as AMX or Crestron), it’s clear to see that integrators and system installers are lacking an understanding of the critical security of these systems.

Just from searching Crestron on Shodan, there are 23644 devices accessible from the internet. 23 thousand?! And we’re not just talking HTTP/HTTPS, we’re talking SSH, FTP and various other communication ports.

Some of these devices are protected by a mere simple username and password, or even worse – default configuration.

What is concerning for me is that some of the devices could be located in corporate and sensitive environments such as boardrooms or even education spaces.

Should more be done to protect these devices? Absolutely, yes. Secure access can be given in so many ways, and even with some good opensource options! (openvpn/pritunl).

I do think there is more that can be done by manufacturers to randomise default passwords, such as by using the serial number as the password. It’s not the best solution, but it would certainly stop those password-library bots from taking over your video wall processor.
