Emerging Member

Concerns about Unifi Cloud Key Security

Hello,

 

I do understand that the cloud key hosts just the controller, and access into the controller is through the cloud hosted by the Unifi cloud services platform.

At the same time, I am a little squirmy when I see that this cloud key is attached to my USG 8 switch and registers itself in the client list with (say) IP = 192.168.1.33. This means there's always a possibility of someone from outside (WAN) compromising the default network, finding this device, and somehow getting in. In parallel, internal users can too, if they have malicious intent.

I understand that if it is compromised, the file system layout is a standard layout and perhaps not much can be gleaned, but I'm not sure if that's the case.

Are there currently any best practices in place by others to secure the cloud key, or is my concern, by itself, moot?

 

 


All Replies
Senior Member

Re: Concerns about Unifi Cloud Key Security


Hello @BengalTiger,

 

You want to put the controller on your CORE NETWORK, which only the ADMINISTRATOR can access.

People from outside your network can only access your UCK if it's port forwarded.

 

 

Regards,

Glenn R.

Emerging Member

Re: Concerns about Unifi Cloud Key Security

@AmazedMender16: If my core network today is 192.168.1.1/24 and my UCK is getting an IP of 192.168.1.3, then as per your reply, only an administrator can see/log in to/etc. the UCK. Assuming I don't have any port forwarding, of course.

 

I still don't think it's very safe, since hackers have different ways to compromise and enter the gateway. I don't know too much about the techniques but did hear of things like ARP lookup/poisoning/memory dumps/etc.

 

Is there any rule in the firewall which could possibly be set up to harden this? Can I move my UCK into a dedicated VLAN with port isolation, and in which case, will it break the entire cloud-based/hybrid controller functionality?

 

 

Ubiquiti Employee

Re: Concerns about Unifi Cloud Key Security

@BengalTiger If you are overly concerned with enabling Cloud Access on the Cloud Key it is not required and can be disabled. You can then manage it locally. 

That said, the UniFi cloud service is very secure and encrypts traffic/doesn't permit anyone to access your Cloud Key unless you've given them the ability to do so or you compromise your credentials. Your Ubiquiti SSO account is secured, and there are added precautions you can use, for instance, enabling Two-factor Authentication on your Ubiquiti Account. I recommend taking this precaution if you are concerned. Do so at https://account.ubnt.com

You can always isolate your UniFi Controller in its own VLAN, however, it will need to communicate with the UniFi devices on the management VLAN. 

I would not consider any additional hardening to be needed on your Firewall for the Cloud Key specifically; if you want to disable Cloud Access, by all means do so.

Ubiquiti Networks Enterprise Support Team


SuperUser

Re: Concerns about Unifi Cloud Key Security

If they have already compromised your network, them knowing the subnet (or whatever your actual concern over the UCCK is) will be the least of your worries.

Emerging Member

Re: Concerns about Unifi Cloud Key Security

@UBNT-APieper1 final question: the UCK will need access to all devices in MGMT_LAN; got it! But does MGMT_LAN need access to the UCK? I can put a firewall rule allowing the UCK to communicate with MGMT but not vice versa.

Emerging Member

Re: Concerns about Unifi Cloud Key Security

Please don't get me wrong here: I had a few guests and their teen children staying over a few years back. I did not have Unifi. After 3 months, my Synology and my entire (home) network was compromised. I had to pay $350 to someone in Belarus and then got back access to my home PC. Thankfully, I had a hidden partition which they did not find and compromise, and where very sensitive financial data and other personal data was present. The $350 was paid only for me to get to that partition.

 

By profession I am in IT, but in Enterprise development. I did a lot of background auditing and determined that the teens, via some game they played, opened up a back door which made my entire network wide open, as everything was under one domain and subnet with a rudimentary OOMA (a VOIP box) driven firewall.

 

This is the reason I am a little too an*l about it. Apologies; I meant no disrespect.

SuperUser

Re: Concerns about Unifi Cloud Key Security

A few years back there was that "wannacry" cryptolocker (and variants) that hunted down potential target PCs on a local network using SMBv1 (winXP, win7, and possibly win8/10 still supported it as a compatibility mode), so it wasn't so much that the worm knew about your network, but rather that it was able to use the godawful security of that protocol to hunt down the PCs, NAS, etc. And well, those devices still use broadcasts to tell the whole network they're there (but thankfully the security is better).

 

Not saying your guests didn't bring the infection in, though. Realistically, the only thing that would've protected you at the time was segregation of the network into VLANs (with firewalls in between).

 

Established Member

Re: Concerns about Unifi Cloud Key Security

I think you have valid concerns, but to me you are looking at this a bit backwards. I have the same concerns (children, guests, nefarious beings :-) ) having access to personal stuff.

I have one network for infrastructure stuff (servers, APs, switches, etc.; this is where the CK would go).
I have one network for the trusted adults (me and wife) in its own VLAN.
I have one network for kids and guests that is in its own VLAN.
I have a network for IOT devices in its own VLAN.

And I have FW rules that prevent access to the mgmt network, or between networks.

And in the cases where I've installed in a bar or public place where access to switch ports is possible, I apply port profiles to the unused ports so that the native network is the guest network, in case someone plugs a laptop into the switch directly.
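The segmentation described in this thread (an infrastructure VLAN for the controller and devices, separate trusted/guest/IoT VLANs, and the question of which direction the controller-to-device rules must allow) can be modelled as a small first-match firewall policy. This is an added example, not code from any poster or from Ubiquiti; the addressing is constructed, and it assumes the UniFi defaults of TCP 8080 for device-initiated inform traffic and TCP 8443 for the admin web UI.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed addressing for the VLAN layout discussed in the thread (not any poster's real network).
VLANS = {
    "MGMT": ip_network("10.0.10.0/24"),     # adopted switches and APs
    "CTRL": ip_network("10.0.11.0/24"),     # the Cloud Key / controller on its own VLAN
    "TRUSTED": ip_network("10.0.20.0/24"),  # admin workstations
    "GUEST": ip_network("10.0.30.0/24"),
    "IOT": ip_network("10.0.40.0/24"),
}

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int
    new: bool = True  # False models the established/related return half of a session

def vlan_of(addr: str) -> str:
    ip = ip_address(addr)
    return next((name for name, net in VLANS.items() if ip in net), "OTHER")

# Inter-VLAN rules as (src VLAN, dst VLAN, proto, dport, action); first match wins, default drop.
RULES = [
    ("any", "any", "established", None, "accept"),  # return traffic of already-allowed sessions
    ("MGMT", "CTRL", "tcp", 8080, "accept"),        # devices initiate inform to the controller
    ("TRUSTED", "CTRL", "tcp", 8443, "accept"),     # admins reach the controller web UI
    ("CTRL", "MGMT", "any", None, "accept"),        # controller reaching its adopted devices
]

def evaluate(flow: Flow) -> str:
    src_v, dst_v = vlan_of(flow.src), vlan_of(flow.dst)
    if src_v == dst_v:
        return "accept"  # same VLAN: switched locally, never crosses the gateway firewall
    for r_src, r_dst, r_proto, r_port, action in RULES:
        if r_proto == "established":
            if not flow.new:
                return action
            continue
        if r_src not in ("any", src_v) or r_dst not in ("any", dst_v):
            continue
        if r_proto != "any" and r_proto != flow.proto:
            continue
        if r_port is not None and r_port != flow.dport:
            continue
        return action
    return "drop"
```

The same-VLAN short-circuit is why segmentation alone does nothing for hosts that share a VLAN: only traffic crossing the gateway is ever evaluated against these rules.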