Ethernet Physical Security and your lighting controllers.

AussiePhil

Dedicated elf
Administrator
Joined
Jun 20, 2009
Messages
1,606
Location
Canberra, ACT, Australia
Let me start with the two questions.

1. Would you install a wireless access point with open access to the public on your home network?

2. Would you freely provide an Ethernet (network) port for strangers to plug into out in your yard?

I would hope that in both cases you answered with a resounding NO.


The security of your home network and all the private information it has, along with usually family photos and other important things, should be paramount in your mind when deciding how to set up your lighting network.

I highly recommend as best practice for non-technical people that a physically separated network be set up and used. This provides the comfort that your home network is safe from physical intrusion by a hacker.

Buy the separate network switch to plug in all your controllers, Pi's, BBB's, projectors, show computers.
This does make it a little more complex for IP addresses as you will need to run manually fixed IP addresses for all devices.
The lack of DHCP can be quite cheaply solved by buying a cheap wireless access point and using it to provide DHCP service to your separate network. You can turn off the wireless for full security, or use it for management access from your home PC/laptop, just ensuring that the WAP does not route multicast traffic out.

Reading the above paragraph, with the prolific use of laptops and wireless in general, this overcomes the immediate objection that you can't access this from your home network.

The key message though is we spend thousands every year on lights and controllers but seem to baulk at spending less than $100 to set up a separate network, as it is often touted as being "too hard".

The diagram gives an example of a simple setup.
[Attachment: Capture100.JPG]
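One way to sanity-check the manually fixed addresses on a separate show network like the one above, as an added example (not from the post or any product): the subnets, hostnames, addresses and the WAP's DHCP pool are all constructed assumptions, and the checks flag the mistakes that usually bite, a controller accidentally left on the home subnet, two devices given the same address, or a static address inside the DHCP pool.

```python
import ipaddress

# Constructed sample plan: these subnets, names and addresses are assumptions
# for this example, not values from the post.
HOME_LAN = ipaddress.ip_network("192.168.1.0/24")   # existing home network
SHOW_LAN = ipaddress.ip_network("10.10.10.0/24")    # separate show network
# DHCP pool the cheap WAP hands out to laptops used for management access
DHCP_POOL = (ipaddress.ip_address("10.10.10.200"), ipaddress.ip_address("10.10.10.250"))

STATIC_DEVICES = {
    "controller-1": "10.10.10.11",
    "controller-2": "10.10.10.12",
    "pi-fpp-master": "10.10.10.20",
    "bbb-fpp-slave": "10.10.10.21",
    "show-pc": "10.10.10.5",
    "projector": "10.10.10.30",
}


def check_plan(home, show, pool, devices):
    """Return a list of problems with the static address plan (empty list = OK)."""
    problems = []
    if home.overlaps(show):
        problems.append(f"show subnet {show} overlaps home subnet {home}")
    lo, hi = pool
    seen = {}  # address -> first device name that claimed it
    for name, addr_str in devices.items():
        addr = ipaddress.ip_address(addr_str)
        if addr not in show:
            problems.append(f"{name}: {addr} is not inside {show}")
        if addr in home:
            problems.append(f"{name}: {addr} sits on the home subnet {home}")
        if lo <= addr <= hi:
            problems.append(f"{name}: {addr} collides with the DHCP pool {lo}-{hi}")
        if addr in seen:
            problems.append(f"{name}: duplicate of {seen[addr]} at {addr}")
        else:
            seen[addr] = name
    return problems


if __name__ == "__main__":
    issues = check_plan(HOME_LAN, SHOW_LAN, DHCP_POOL, STATIC_DEVICES)
    print("plan OK" if not issues else "\n".join(issues))
```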
 

BradsXmasLights

WiFi Interactive
Joined
Dec 23, 2010
Messages
601
Location
Brisbane, Australia
Very solid advice Phil; fortunately for me my only outdoor ethernet connection is on my roof matrix. I've used PPX pixel extenders (over what looks like / is ethernet cabling), so if someone plugged in to that whilst it's live they might be in for a surprise!


I would also keep controllers out of sight, hidden away, within the range of sensor lights.


This year I will probably also add reed-switches to the controller boxes and/or the tubs that go over them so I can monitor if the covers are removed, etc.
 

gerry

Senior elf
Joined
Dec 19, 2012
Messages
855
Location
Surrey Hills, Melbourne
Hello Phil,


I did that last year, i.e. had a separate router and switch for the show, and a separate laptop running it all, but it was not connected to my home network or to the Internet.


But that was more because I did not want the rest of my family ruining my show by doing something unexpected to the home router. And I did not want Windows doing some silly update that may then ruin everything.


This year, what with the Pi and the BBB, I am not quite sure as yet what to do and have been scouring the various threads.
I assume that with the official FPP for BBB install, the SD card can be used for the sequences and the USB slot can then be used for a WiFi connection, and that the BBB would be a slave.


But I am not sure the best way to go about having it access the Internet, connect to the master FPP and still have a secure network.
 

multicast

Senior elf
Joined
Jul 13, 2013
Messages
715
AussiePhil said:
1. Would you install a wireless access point with open access to the public on your home network?


That's called the Internet, and it's what we probably all quite legitimately have. Did you mean, would you install a wireless access point that had open access to your home network (on your home network)? When it comes to network security the devil literally is in the detail. So, the answer to your question is yes, but if the question is what I think you mean, then it's no.


But this is a good discussion.

The security of your home network and all the private information it has, along with usually family photos and other important things, should be paramount in your mind when deciding how to set up your lighting network.



I'd say, that you probably should consider security when setting up any network.


I highly recommend as best practice for non-technical people that a physically separated network be set up and used. This provides the comfort that your home network is safe from physical intrusion by a hacker.


An isolated network that contains only lighting stuff is sometimes a good idea. It does keep things separate and easy. But that doesn't do *anything* to your 'home' network. If it was insecure to start with, it's still insecure. The only thing having the isolated network does is ensure it doesn't add any additional risk to it.


Of course the security of your show network is probably well worth considering as well. Given the time, effort and money in these shows, you've protected your home network, but not your lighting network.


There are lots of small things you can do that really do make a big difference to security. But you need to do it in a structured and layered way.
 

multicast

Senior elf
Joined
Jul 13, 2013
Messages
715
BensChristmasLights said:
what are the small steps you are talking about Andrew???


First thing before you even start with thinking about "how", make a list of "what" you are "securing".
 

multicast

Senior elf
Joined
Jul 13, 2013
Messages
715
First step in any security work is to work out what you are securing and what the risks are.


In the physical world, we could say "let's secure this empty paddock". We could put up big fences... but what have we achieved? We've fenced an empty paddock that had never been touched previously and never will be touched again. Just spent a bunch of money for no reward.


Likewise, in a "network", we can spend a lot of time, money and hassle securing something that didn't need securing.


Here's a small bit of my home:


- Printer: no data to steal. Worst thing someone could do is to run it out of paper, or toner, or reconfigure it. Risk low, consequence low.


- Media box: got all sorts of stuff on it. Mostly it's stuff that could be replaced, but some of it is personal stuff that I'd rather keep personal. It's backed up, so if it was destroyed it could be recovered, but I don't want stuff getting out to the public. Risk medium, consequence medium.


- Apple TV: nothing stored on it, it's an appliance. No interface to get to it remotely anyway. Risk low, consequence low.




- Wife's iMac: locked down, but does have stuff on it that could be useful to an ugly person (browser caches etc.). Risk low, consequence high.




- Transient devices (laptops, phones etc.): these devices come and go from this network to other networks all day, every day. Wow, there's a big security issue, and it walked right past your firewall. Better make sure these things are kept away from valuable stuff. And in fact these things themselves need to be protected really well.


So, in looking at that lot, there's little that your 'firewall' or security device can do to improve your situation anyway.




If you can see what I'm saying here, there's a trend. Before you can have any sensible thoughts about 'security' you have to classify your 'assets' and see what risks are associated with them.
 

tbateson

New elf
Joined
Jul 29, 2013
Messages
12
Thank you for making everyone think about this.

Real world example. I work in a secure facility, with a phone in an outside lobby (open 24/7) for visitors to request access. Recently we discovered the phone was on our internal VOX line. Someone could have unplugged the phone and plugged in a laptop to have full access to our internal LAN. Not really that simple, but close.

My personal home LAN has a firewall with a massively long and complex password that gets rotated every so often. It's a pain when one of our kids comes over and wants access, but worth it for peace of mind. Before the firewall, my LAN was being attacked hundreds of times an hour. In the past 10 years - zero... that I have detected.
 

SmartAlecLights

Im a SmartAlec what can i say!
Community project designer
Joined
May 4, 2010
Messages
1,533
Location
Murray Bridge, S.A.
So does this mean that if I have a wireless hotspot AP for people to place a message on a sign matrix...
I could hijack someone's phone :D , I'm loving this.. ;)

Place a Message on the Colourful Sign (while I rip and sell all your information from ya)
 

BradsXmasLights

WiFi Interactive
Joined
Dec 23, 2010
Messages
601
Location
Brisbane, Australia
smartalec said:
So does this mean that if I have a wireless hotspot AP for people to place a message on a sign matrix...
I could hijack someone's phone :D , I'm loving this.. ;)


Funny you should mention that - For mine, not likely, inter-device WiFi traffic is blocked on the access point.

Could the encrypted wi-fi traffic be sniffed? Absolutely but I could do the same thing at McDonalds or the airport. But that doesn't affect my network.

Then my router has extra tricks to lock the ARP lookup to the DHCP lease, so you can't set a different static IP. Then blanket redirects for DNS/HTTP/HTTPS to my server, and drop everything after that.


And of course the Access Point being installed outside, but acting as a bridge only was still on the "public" side of my network. :)
 

arw01

Full time elf
Joined
Dec 30, 2013
Messages
384
Location
Eastern Washington
So which piece of firewall hardware, for the home, would be good BEFORE the cable modem, or is there nothing like that out there? I always feel the cable modem is the weakest link in my house.
 