DISCLAIMER: The following serves as a suggestion for eSPACE clients that use certain Internet-connected devices that integrate with eSPACE.
- By devices, we mean any HVAC and door access controls that you have integrated with eSPACE through COOLSPACE and SECURESPACE, where we push schedules to the device (this excludes the COOLSPACE Driver and North ObSys, since both of those pull the schedules for HVAC integrations).
- We are not network security experts, and we strongly recommend you consult your network administrator before implementing this suggestion.
Depending on the device(s) your organization is integrating with eSPACE, it is possible your network administrator may need to allow inbound traffic from eSPACE to those devices (or to an on-premises management computer) so they can be activated based on your schedules defined in eSPACE. If this is the case (and you should confirm this with the device maker), we recommend your network administrator take the following Internet safety precautions.
- If your devices have an onboard web interface for direct configuration, prevent access to that web portal from outside your firewall. If your firewall allows anyone on the Internet to reach the device's web interface, even with a login required, this is a significant risk: in most cases a moderately skilled attacker (or even a bot) could get around that login and cause trouble. If you absolutely must permit access to your device's web interface from outside the firewall, set up a rule that only allows access from specific IP addresses.
- For traffic to your device's API endpoints that originates from the Internet, configure your firewall to allow only traffic from specific IP addresses. It is likely that only eSPACE (IPs: 67.227.165.72, 67.227.165.122, 209.59.151.182), and possibly a select few other sites (such as the device's cloud service), need to be able to make API calls from outside your organization's firewall. Leaving access wide open also creates an attack vector for someone with malicious intent.
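The two rules above, as an added illustration that is not from eSPACE or the device makers: a short Python check that applies the recommended allowlist to constructed connection records, so an administrator can see which inbound attempts the rules would permit or block before changing the real firewall. The port numbers, the LAN range and the sample addresses are assumptions; only the three eSPACE IPs come from the text above.

```python
import ipaddress

# The eSPACE source addresses named in the advisory above.
ESPACE_IPS = {
    ipaddress.ip_address("67.227.165.72"),
    ipaddress.ip_address("67.227.165.122"),
    ipaddress.ip_address("209.59.151.182"),
}
# Assumptions (placeholders, not from the advisory): the organization's LAN,
# the device's API port and the device's web interface port.
LAN = ipaddress.ip_network("192.168.0.0/16")
API_PORT = 8443
WEB_PORT = 443


def decide(src_ip: str, dst_port: int, extra_allowed=()) -> str:
    """Return 'allow' or 'deny' for one inbound connection.

    - Web interface: reachable only from inside the LAN.
    - API endpoint: reachable from the LAN, from eSPACE, and from any extra
      addresses explicitly allowed (e.g. the device maker's cloud service).
    - Everything else arriving from the Internet is denied.
    """
    src = ipaddress.ip_address(src_ip)
    if src in LAN:
        return "allow"
    if dst_port == API_PORT:
        allowed = ESPACE_IPS | {ipaddress.ip_address(a) for a in extra_allowed}
        return "allow" if src in allowed else "deny"
    return "deny"  # web interface (and anything else) is closed to the Internet


def audit(records, extra_allowed=()):
    """Apply decide() to (src_ip, dst_port) records; return those denied."""
    return [(ip, port) for ip, port in records
            if decide(ip, port, extra_allowed) == "deny"]


# Constructed sample records (not real traffic).
SAMPLE = [
    ("67.227.165.72", 8443),  # eSPACE pushing a schedule: allowed
    ("192.168.10.5", 443),    # staff laptop on the LAN using the web UI
    ("198.51.100.23", 443),   # Internet host probing the web UI: denied
    ("198.51.100.23", 8443),  # Internet host calling the API: denied
    ("203.0.113.9", 8443),    # contractor's address: denied until added
]

if __name__ == "__main__":
    for rec in audit(SAMPLE):
        print("would be blocked:", rec)
```

Passing a contractor's address in `extra_allowed` shows the temporary loosening of the rules mentioned below; removing it restores the tight policy.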
As a side note, these restrictions can come with some inconvenience. For example, if you need a contractor to assist with troubleshooting your devices, the firewall recommendations above may hinder them. So, it may be best to implement these recommendations only once everything is up and running as expected, and then tighten up the firewall rules. Additionally, making sure your network administrator has the means to temporarily loosen the rules will make it easier for contractors to get involved when troubleshooting the devices.