
Arlo Netgear Cameras

I use Sophos UTM 9, and alongside this I use Arlo Netgear cameras.

Netgear say they only need ports 80 and 443 open, and all is fine when the Standard Web Filtering option is turned on. As soon as you switch this to Transparent mode, the playback of Live Streaming (which uses Flowplayer and Amazon services) stops working. You can use all other functions; just live playback fails, with the onscreen error message that the cameras have gone offline.

I have tried setting up an exception as follows (the dots in the host names are escaped, and the subdomain prefix is optional so that the bare host matches as well):

^https?://([A-Za-z0-9-]+\.)*arlo\.netgear\.com
^https?://([A-Za-z0-9-]+\.)*arlos3-prod-z1\.s3\.amazonaws\.com
^https?://([A-Za-z0-9-]+\.)*www\.w3\.org
^https?://([A-Za-z0-9-]+\.)*angularjs\.org
^https?://([A-Za-z0-9-]+\.)*www\.google-analytics\.com

and also put arlo.netgear.com and its subdomains in as a trusted site, but nothing seems to work.

The web log only shows the following:

2016:01:05-22:29:27 utm httpproxy[5262]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="CONNECT" srcip="192.168.0.22" dstip="54.231.130.233" user="" ad_domain="" statuscode="200" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="203096" request="0xdf99a800" url="arlos3-prod-z1.s3.amazonaws.com/" referer="" error="" authtime="0" dnstime="19444" cattime="0" avscantime="0" fullreqtime="13845978" device="0" auth="0" ua="" exceptions="content,url" application="amazonws" app-id="800"

Any help appreciated
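
A small offline check of the two things in this post, added here as an example and not part of the original thread or of Sophos UTM: it splits the quoted httpproxy log line into its key="value" fields, and it runs the posted exception patterns next to a tightened version against a handful of constructed URLs. The "posted" list keeps the patterns exactly as first tried (unescaped dots, mandatory subdomain prefix); the "fixed" list is my assumption about the intended hosts, with every dot escaped, the subdomain prefix optional, and the host anchored at a "/" or end of string. The URLs and the trimmed log line are constructed, and treating the UTM exception as a plain regex applied to the full URL is an assumption; the log shows that for a CONNECT request UTM records the URL without a scheme.

```python
import re

# Constructed sample: the UTM httpproxy line quoted in the post, trimmed to
# the fields that matter for the exception question.
LOG_LINE = (
    '2016:01:05-22:29:27 utm httpproxy[5262]: id="0001" severity="info" '
    'sys="SecureWeb" sub="http" name="http access" action="pass" '
    'method="CONNECT" srcip="192.168.0.22" dstip="54.231.130.233" '
    'statuscode="200" url="arlos3-prod-z1.s3.amazonaws.com/" '
    'exceptions="content,url" application="amazonws"'
)

# key="value" pairs; values may contain spaces (e.g. name="http access").
KV_RE = re.compile(r'([A-Za-z_][\w-]*)="([^"]*)"')


def parse_utm_log(line):
    """Return the key="value" fields of a UTM httpproxy log line as a dict."""
    return dict(KV_RE.findall(line))


# Exception URL patterns as first posted: the dots inside the host names
# are unescaped and the leading [A-Za-z0-9.-]+\. makes a subdomain mandatory.
POSTED = [
    r'^https?://[A-Za-z0-9.-]+\.arlo.netgear\.com',
    r'^https?://[A-Za-z0-9.-]+\.arlos3-prod-z1.s3.amazonaws\.com',
]

# Tightened versions (assumed intended hosts): every dot escaped, optional
# subdomain prefix, and the host must end at "/" or end of string so that
# "arlo.netgear.com.example" cannot slip through.
FIXED = [
    r'^https?://([A-Za-z0-9-]+\.)*arlo\.netgear\.com(/|$)',
    r'^https?://([A-Za-z0-9-]+\.)*arlos3-prod-z1\.s3\.amazonaws\.com(/|$)',
]


def matches_any(patterns, url):
    """True if any exception pattern matches the URL (assumes plain regex semantics)."""
    return any(re.search(p, url) for p in patterns)


def classify(url):
    """Report how the posted and the fixed pattern sets treat one URL."""
    return {"posted": matches_any(POSTED, url), "fixed": matches_any(FIXED, url)}


# Constructed URLs: the hosts named in the post plus two look-alikes.
SAMPLES = [
    "https://arlo.netgear.com/hmsweb/login",       # bare host, no subdomain
    "https://arlos3-prod-z1.s3.amazonaws.com/",    # the host from the log line
    "https://api.arlo.netgear.com/hmsweb/users",   # host with a subdomain
    "https://a.arloXnetgear.com/",                 # slips through the unescaped dot
    "https://a.arlo.netgear.com.example/",         # slips through the missing end anchor
]

if __name__ == "__main__":
    fields = parse_utm_log(LOG_LINE)
    print(fields["method"], fields["dstip"], fields["url"], fields["exceptions"])
    for u in SAMPLES:
        c = classify(u)
        print(f"{u:46} posted={c['posted']!s:5} fixed={c['fixed']}")
```

The two look-alike URLs are the reason to escape the dots and to anchor the end of the host: without those, the exception is wider than the hostnames it names, and an exception in UTM means the request skips the very checks the filter is there for.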



  • Assuming that the base station is trusted, create your exceptions based on source address rather than destination address. This will limit your risk by changing nothing for other source devices.

  • Just re-read this post.

    In the intervening time, I learned that "input-output error" is a very poor way of saying that UTM could not negotiate an acceptable ciphersuite. It should only occur when HTTPS inspection is enabled, because that is the only time that UTM is negotiating the ciphersuite. I started seeing it after UTM dropped support for TLS 1.0, in response to threat research announcements. Workarounds are to bypass HTTPS inspection for that source address or change the profile to transparent mode.

    Late correction: it is HTTPS inspection that triggers negotiation, not proxy mode.

  • Having the same issue with my Arlo setup. The solution worked but indeed a big hole.

  • Does this issue relate to all Arlo security cameras? I wonder if the same issue occurs with Arlo Q cameras since they don't use the Arlo base station.

  • Part of security management involves evaluating what risks are acceptable to you. Why does your camera security system need to connect to the vendor at all? Does that create any risk to you if the vendor is hacked?

    If they are doing HTTPS without DNS names, then they are not checking certificate integrity, so the cameras will not be aware if the traffic gets diverted to a bad guy's server. I always cringe when a security product neglects security.

    Is your login to the vendor site secured with two-factor authentication? What is your risk of a password guessing attack?

    Could you get the same result with a configuration that is entirely in-house and accessed with VPN, or is the vendor performing monitoring that adds a lot of value?

    There is much more to your situation than the question of how to create a hole in UTM's defenses that will let the camera software work.

  • Andrew Parker said:
    This is a big hole, as you say, but I don't think it'll be often that https requests are made to direct IP addresses so I'm ok with it.

    If it's just HTTPS traffic, then remove the ? behind https in your regex, since by adding it you are actually including both http and https (I know HTTP doesn't use certificates, so that's also a reason to just remove it).

    Managing several Sophos firewalls both at work and at some home locations, dedicated to continuously improve IT-security and feeling well helping others with their IT-security challenges.

  • "Invalid method" is telling you that the application does not follow the specification for HTTP. That is why you have to bypass the proxy. The problem is in the application, not in UTM.

  • Yes, I don't really like it much either. As you can see, they don't provide a range of IPs that they utilize: https://community.netgear.com/t5/Arlo/Internet-Connection-through-proxy-OR-firewall/td-p/1201096

    I wish they would just use a domain name rather than raw IP addresses.

    This is a big hole, as you say, but I don't think it'll be often that HTTPS requests are made to direct IP addresses, so I'm OK with it.

  • Andrew, it sounds like you want Accessing Internal or DMZ Webserver from Internal Network.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • That is an awful lot of IP addresses (actually all existing IPv4 addresses and much, much more) that you just skip SSL and certificate checks on...

    That's a giant hole you shoot into your web filtering checks...
