Overview

This document provides answers to common network and security questions about the Building Optimization Broker from WennSoft™.

...

All data is sent from the MiniAgent to the AWS Database via SSL. The SSL Cipher used is ECDHE-RSA-AES256-GCM-SHA384. The data collected from the BAS uses BACnet or oBIX and the level of security is dependent on the level of security set up by the controls installer.
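The cipher suite named above can be checked against a simple policy (forward secrecy and an AEAD cipher, no legacy algorithms) rather than taken on trust. The following is an added example written for this page, not WennSoft code: it parses OpenSSL-style suite names such as ECDHE-RSA-AES256-GCM-SHA384, and `negotiated_suite()` reports what a live endpoint actually negotiates. The hostname passed to it is an assumption supplied by the caller; the page does not name the endpoint.

```python
"""Evaluate a TLS cipher suite (OpenSSL naming) against a minimal policy.

Added example, not part of the original document or WennSoft's software.
"""
import socket
import ssl
import sys

# The suite the document states is in use between the MiniAgent and AWS.
DOCUMENTED_SUITE = "ECDHE-RSA-AES256-GCM-SHA384"

KEY_EXCHANGE = {"ECDHE", "DHE", "EDH", "ECDH", "DH", "PSK", "SRP"}
AUTH = {"RSA", "ECDSA", "DSS", "PSK", "ANON"}
FORWARD_SECRET_KX = {"ECDHE", "DHE", "EDH"}
AEAD_MARKERS = {"GCM", "CCM", "CCM8", "POLY1305"}
# Tokens that mark a suite as legacy/weak regardless of anything else.
WEAK_MARKERS = {"RC4", "DES", "NULL", "EXP", "EXP1024", "MD5", "ANON", "ADH", "AECDH"}


def parse_suite(name):
    """Split an OpenSSL suite name into key exchange, auth, cipher and MAC/PRF."""
    tokens = name.upper().split("-")
    # OpenSSL omits the key-exchange token for plain RSA suites, e.g. AES128-SHA.
    kx, auth, idx = "RSA", "RSA", 0
    if tokens and tokens[0] in KEY_EXCHANGE:
        kx, idx = tokens[0], 1
        if idx < len(tokens) and tokens[idx] in AUTH:
            auth, idx = tokens[idx], idx + 1
    rest = tokens[idx:]
    mac = rest[-1] if rest else ""
    cipher = "-".join(rest[:-1]) if len(rest) > 1 else "-".join(rest)
    return {"kx": kx, "auth": auth, "cipher": cipher, "mac_or_prf": mac}


def evaluate_suite(name):
    """Return a dict with forward_secrecy / aead / weak flags and an overall verdict."""
    if name.upper().startswith("TLS_"):
        # TLS 1.3 suite names (TLS_AES_256_GCM_SHA384, ...) are always (EC)DHE + AEAD.
        return {"suite": name, "forward_secrecy": True, "aead": True,
                "weak": False, "acceptable": True}
    parsed = parse_suite(name)
    tokens = set(name.upper().split("-"))
    forward_secrecy = parsed["kx"] in FORWARD_SECRET_KX
    aead = bool(tokens & AEAD_MARKERS)
    weak = bool(tokens & WEAK_MARKERS) or parsed["auth"] == "ANON"
    return {"suite": name, "forward_secrecy": forward_secrecy, "aead": aead,
            "weak": weak, "acceptable": forward_secrecy and aead and not weak}


def negotiated_suite(host, port=443, timeout=5.0):
    """Connect with certificate and hostname verification on; report the negotiated suite."""
    ctx = ssl.create_default_context()  # verifies the server certificate chain and hostname
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            name, version, bits = tls.cipher()
            return {"suite": name, "protocol": version, "bits": bits,
                    "evaluation": evaluate_suite(name)}


if __name__ == "__main__":
    print("documented suite:", evaluate_suite(DOCUMENTED_SUITE))
    if len(sys.argv) > 1:
        # Hostname (and optional port) are supplied by the caller; none is assumed here.
        host = sys.argv[1]
        port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
        print("negotiated:", negotiated_suite(host, port))
```

Run it with no arguments to see the verdict for the documented suite, or with a hostname to compare that verdict with what the endpoint really negotiates; a mismatch between the two is worth raising with the vendor.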

How do you authenticate the connections to the endpoints from AWS to prevent rogue systems from feeding data?

The WennSoft MiniAgent uses a specific set of credentials set up by K2A WennSoft and AWS to authenticate to the Database and store the data. All communications are secured via the SSL connection discussed above.

...

What security controls are in place to lock the gateway down, so that customers as well as our systems and interests are protected?

Our MiniAgent only uses outbound ports to AWS, uses SSL to communicate to AWS resources, and each agent has a client certificate for the server to verify the agent is legitimate.

...

We push automatic updates down to all MiniAgents and server patching is handled via a maintenance schedule.

Are there any communication/workflows that are bidirectional to customer equipment from the gateway?

Yes, the MiniAgent can receive requests to activate/adjust points in the BAS, but this must be configured by the installer of Building Optimization Broker. The communication from the configuration software to AWS is all SSL encrypted and locked down through login credentials. All communication between AWS and the MiniAgent is SSL encrypted and secured as described above.

How are ports filtered and managed?

AWS ports are filtered and managed by AWS security groups, OS firewall rules, and network ACLs. Ports on the customer site where the MiniAgent resides are filtered and managed by the customer's IT provider.

Do the gateways accept ANY information from external networks through the customer connections? For example, is the endpoint EVER routable to the Internet? How do you ensure this independent of customer network configurations?

It is recommended that the MiniAgent be placed behind a firewall with no inbound ports opened or routed to the MiniAgent. That said, if the MiniAgent is exposed to the web through an inbound firewall port and a public IP, the device could accept requests, but any such request would need to conform to the Building Optimization Broker proprietary protocol and the SSL encryption would first have to be deciphered.

...

The bandwidth requirements and frequency depend on the trend interval and object counts configured by the user in the WennSoft Building Optimization Broker software. Building Optimization Broker requires roughly 25 bytes per trended object. Trending 2,000 objects four times per hour therefore comes to roughly 200 kB per hour.

Software updates range in size, but are typically applied once per month and are roughly 8MB.

Are there any load balancing requirements?

...

Are there any DNS requirements?

Yes, the MiniAgent installed on-site and the Building Optimization Broker website both require DNS resolution to reach the cloud services for Building Optimization Broker.

...

If we do network maintenance during our standard Sunday 2 am to 4 am maintenance window, will your application be ok?

...

The Building Optimization Broker MiniAgent (physical data pump) will need to be installed on the local network with access to the Building Automation System (BAS). The MiniAgent will require four outbound ports (5432, 57000, 57001, and a custom port assigned when the contract is signed) for connectivity to the WennSoft Cloud.
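Before installation the site's IT provider will usually want to confirm that egress to those ports is actually permitted by their firewall, and that nothing else is needed. The following is an added example written for this page, not WennSoft code: it probes each required port from the host where the MiniAgent will sit and lists the ones that are blocked. The cloud hostname and the custom port are placeholders (the page does not give them); the loopback listener helpers exist only so the checker can be exercised offline.

```python
"""Verify outbound TCP reachability for the MiniAgent's documented ports.

Added example, not part of the original document or WennSoft's software.
"""
import socket
import socketserver
import threading

CLOUD_ENDPOINT = "cloud.example.invalid"  # placeholder: replace with the endpoint from the contract
CUSTOM_PORT = 0                           # placeholder: the custom port assigned at contract signing
REQUIRED_PORTS = (5432, 57000, 57001)     # ports listed in the document


def probe_tcp(host, port, timeout=3.0):
    """Return True if a TCP connection to host:port completes, i.e. egress is permitted."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        # Refused, filtered (timeout) or unresolvable all count as "not reachable".
        return False


def check_egress(host, ports, timeout=3.0):
    """Probe each port once and return {port: reachable}."""
    return {port: probe_tcp(host, port, timeout) for port in ports}


def blocked_ports(results):
    """Ports from a check_egress() result that could not be reached, sorted."""
    return sorted(port for port, reachable in results.items() if not reachable)


class _SilentHandler(socketserver.BaseRequestHandler):
    """Accept a connection and do nothing; used only by the offline test listener."""
    def handle(self):
        pass


def start_local_listener():
    """Start a loopback TCP listener on a free port; returns (server, port)."""
    server = socketserver.TCPServer(("127.0.0.1", 0), _SilentHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def free_unbound_port():
    """Return a loopback port with nothing listening, to simulate a blocked port."""
    with socket.socket() as sock:
        sock.bind(("127.0.0.1", 0))
        return sock.getsockname()[1]


if __name__ == "__main__":
    ports = REQUIRED_PORTS + ((CUSTOM_PORT,) if CUSTOM_PORT else ())
    results = check_egress(CLOUD_ENDPOINT, ports)
    for port, reachable in results.items():
        print(f"{CLOUD_ENDPOINT}:{port} -> {'open' if reachable else 'BLOCKED'}")
    missing = blocked_ports(results)
    print("all required egress permitted" if not missing else f"blocked: {missing}")
```

Run the script on the MiniAgent host after setting the two placeholders; a non-empty "blocked" list points at the firewall rule that still needs adjusting. A connection that times out rather than being refused usually means the port is filtered upstream, which `probe_tcp()` reports the same way.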

...

One (1) internet connection is required per MiniAgent. A MiniAgent is required per Building Automation System connection.

What are the IP requirements?

Private Static IP per MiniAgent