Elk Products m1Cloud

cyberk

Member
Does anyone have any experience with Elk M1Cloud providers? I'm looking for one that will allow me to continue to use ekeypad as an ios app.
 
Thanks!
 
KLC said:
Does anyone have any experience with Elk M1Cloud providers? I'm looking for one that will allow me to continue to use ekeypad as an ios app.
 
Thanks!
 
Can you explain what you mean by this [bolded above]?
 
Why can't you use eKeypad as an iOS app without a M1Cloud provider?
 
I can use the ekeypad iOS app without an M1Cloud provider, and nothing is preventing me from using it without an M1Cloud provider; that was not the intent of my question.
 
I'll try to be more descriptive.
 
I'm looking for an m1cloud provider, where I can use ekeypad through the m1cloud provider's server, to connect to my elk panel. I don't want to connect directly to my elk panel, I want to connect through the m1cloud provider.
 
With m1cloud, the m1xep, thus the elk panel, connects to the m1cloud system; it establishes a persistent outbound connection, which gets rid of needing to configure port forwarding on your router.
 
So, no matter what happens to your network, as long as you provide an internet connection to the m1xep, the unit connects to the cloud and is manageable.
 
So, I would need an m1cloud provider that has the correct pass-thru implementation, to allow ekeypad to connect to m1cloud as if it were actually connecting directly to my panel. I'm oversimplifying the explanation to avoid getting technical.
 
Sure. You understand that by the Elk XEP making that connection "automatically" to the cloud service, that you are effectively doing the same thing? The only difference is that the XEP is opening the port via an outbound connection, rather than you allowing it manually via port forwarding.
 
I guess I just don't foresee the benefit because your network isn't any MORE secure because you didn't port forward. You've just added another layer to the puzzle.
 
To answer your original question: No, I don't have any experience with an M1 Cloud provider. I connect directly to my panel. Elk endorses ConnectONE.
 
I set up a pfsense box running OpenVPN. If I want to use ekeypad outside of my lan I just turn on the VPN and access it that way. Probably would cost you less over time than paying for the cloud service and would give you a great router/firewall.
 
cheezit73 said:
I set up a pfsense box running OpenVPN. If I want to use ekeypad outside of my lan I just turn on the VPN and access it that way. Probably would cost you less over time than paying for the cloud service and would give you a great router/firewall.
 
Agreed. I'm running a Cisco ISR myself and have the VPN capability as well. I just found that making the VPN connection first, before being able to connect to Elk to be tedious - and had LOW WAF. So, while I can VPN... I just opened 2601 and called it a day.
 
I'm running vpn now and I haven't bothered configuring ios vpn on demand, don't have much time for it. So I agree with drvnbysound that dialing the vpn first is an annoyance I don't want. I've considered trying out a reverse proxy via NginX to achieve the same level of security that I would from a portal system, but again...time.
 
drvnbysound: there are many security benefits to not opening inbound ports; inbound connections are not the same as outbound connections, nor is a persistent outbound connection effectively the same as an always-open inbound port. In a persistent outbound connection, I'm constantly connected to 1 service and only that 1 service, while having an open inbound port exposes the system to the entire world. We could get more technical and say that I can firewall that inbound port to only allow connections from 1 IP, but that's not what I'm trying to accomplish. Let's also avoid the topic of "what happens if your portal service gets hacked" and other extremes.
 
One additional benefit of using a portal service is hiding your devices from shodan.io.
 
Understood, but I'm just as concerned, if not more, about using a 3rd party cloud service. The topics that you don't want to discuss are risks and so are the bored admins that work at said cloud services. No real need to discuss more.
 
In my case I do have ACLs in place so that the inbound connections are limited to specific range(s) of addresses. Sure, that can be defeated too, but at some point there has to be an acceptable level of risk - it's never 0. I prefer to keep the ball in my own court than allowing others to play. If I was as concerned, I'd remove my port forward entry and stick to the VPN method. In my case, I'm willing to forego a level of security (I value as small) for the sake of convenience; I know I wouldn't use it otherwise. YMMV.
 
I don't know of anyone and haven't seen anyone on the forum mention that they were using the M1Cloud service at all. I've only seen posts where user(s) found that the XEP was actively trying to reach an outbound address and they put things in place to keep that from going outside their network (i.e. DNS redirect).
 