Support for tablo and device on different subnets

My Tablo was working fine remotely without any port changes.

About a week ago, though, the config screen started showing port forwards I need to enable.

I'm not sure what OS the Tablo runs or how secure the code is, but I'm for sure not going to open port forwards to a device on my home LAN.

Is there any ETA for devices to point at an IP, so I can put my Tablo on a DMZ or untrusted zone, open the ports so the app works, but also point my LAN devices back to the DMZ IP for the Tablo?

This may be a show-stopper, since in today's climate port forwards back to your home LAN are a real no-no.

I use port forwarding all the time at work. I have our firewall device, a Cisco ASA 5510, forward specific ports used for VPN to an internal server. It NATs the addresses both ways, forward and reverse NAT.

Packets for specific ports aimed at our outside public address, say 165.200.100.5, are taken by the firewall and translated (NAT) to a PRIVATE internal server address of 10.252.111.222, and the firewall forwards *only packets matching a specific rule*; all others are dropped with no response. They go into na-na land.
The traffic from the server that needs to respond to the VPN client "out there" on the Internet leaves 10.252.111.222 over the VPN-specific ports and protocols, and the firewall NATs it back to 165.200.11.5.
The VPN client, or for that matter anything out there, never knows there's a server with 10.252.111.222; it only knows there's an address of 165.200.100.5, and the firewall ONLY allows 3 protocols/ports through in either direction.
A firewall on the server itself further blocks all traffic except for VPN traffic matching certain patterns.
You can NAT or PAT or whatever.
You can allow only the ports and protocols that the Tablo needs and forward only to that specific IP address. Since it's not an OS that's subject to attack or responding, there's so very little risk; it's not any more risky than a home computer accessing a web site, IMO. In fact far LESS risky, as a web server can do all sorts of things to your iPad, PC, phone, etc.
A DMZ that's secure doesn't allow your home LAN devices into it, so if a Tablo is in a DMZ, your network devices should never be able to get to it, or the Tablo to your other devices. That sort of defeats the purpose, really: isolating the Tablo but allowing local devices to go back and forth with it?

We port forward in some cases of our LAN-to-LAN VPN office connections, too, where we ride a host network to get to the Internet. In some cases we are co-located in colleges and universities. We use their networks to get "out" so the ASA 5505s can establish connections back to the home office. There's port forwarding involved. On the DSL-supplied offices, the modem is doing port forwarding in order for the ASA to establish a connection.
It's how things work. Otherwise our remote office computers would never be able to use the home office resources; they'd be stuck with only their local stuff and the Internet for browsing, which is a terrible risk.
Since the Tablo is not a user-interface sort of device or "endpoint" in the normal sense, I see it as a nearly 0-risk device myself. It doesn't instigate communications, it only responds, so even if someone "got into it" there's little they could do but poke around and wonder what the @#$ it was. So stateful firewalls on your internal devices should protect them.
I currently support a WAN with 34 remote office locations using LAN-to-LAN and a handful of others using VPN clients. I have created a VPN Gateway server using port forwarding and firewalls. It’s not DMZ but it’s sure safe according to even other security folks since it’s very limited as to what gets through and what doesn’t. Pen tests have failed to get past my security here, we are the only agency in this state to pass all tests and are the highest ranking as far as security. We are over 4 years 100% virus-free, malware-free and haven’t had a single incident in years. 
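The two positions in this thread (forward the three Tablo ports straight to a host on the home LAN, versus park the Tablo in an isolated zone and forward there) can be written down as one firewall policy. The ruleset below is an added illustration for a Linux-based home router running nftables; it is not from the thread, not from Tablo, and not the Cisco/Juniper configuration described above. Interface names (`wan0`, `lan0`, `dmz0`), subnets, the Tablo address and the three port numbers are all placeholders (the thread says "3 open ports" but never names them, and it is assumed here that they are TCP), so substitute whatever your Tablo's settings screen actually lists. The point it shows is the one the original poster wants: the Internet and the home LAN can each reach only those three ports on that one host, and nothing in the DMZ can initiate a connection toward the LAN, so a compromised Tablo is not a jump box.

```nftables
#!/usr/sbin/nft -f
# Added example, not Tablo's or the forum poster's config. Placeholders:
#   wan0 = Internet-facing interface
#   lan0 = trusted home LAN, 192.168.1.0/24
#   dmz0 = isolated zone, 192.168.50.0/24, Tablo at 192.168.50.10
define TABLO_IP    = 192.168.50.10
define TABLO_PORTS = { 21000, 21001, 21002 }   # placeholder port numbers
define LAN_NET     = 192.168.1.0/24

flush ruleset

table inet filter {
    chain forward {
        # Anything not explicitly accepted below is dropped.
        type filter hook forward priority 0; policy drop;

        # Stateful: replies to connections the router already allowed.
        ct state established,related accept
        ct state invalid drop

        # Internet -> Tablo: only the three app ports, only to that one host.
        iifname "wan0" oifname "dmz0" ip daddr $TABLO_IP tcp dport $TABLO_PORTS accept

        # Home LAN (Roku, phones, etc.) -> Tablo on the same three ports.
        iifname "lan0" oifname "dmz0" ip daddr $TABLO_IP tcp dport $TABLO_PORTS accept

        # DMZ -> Internet so the Tablo can fetch guide data.
        iifname "dmz0" oifname "wan0" accept

        # There is deliberately no dmz0 -> lan0 rule: the default drop means
        # the Tablo can only answer LAN clients, never start a connection
        # toward the LAN.
    }
}

table ip nat {
    chain prerouting {
        type nat hook prerouting priority -100;
        # The "port forward": DNAT the three ports from the public side to the Tablo.
        iifname "wan0" tcp dport $TABLO_PORTS dnat to $TABLO_IP
    }
    chain postrouting {
        type nat hook postrouting priority 100;
        # Source NAT for everything leaving on the public interface.
        oifname "wan0" masquerade
    }
}
```

Load it with `nft -f` on the router. If the Tablo turns out to use UDP as well as TCP on those ports, add matching `udp dport` rules in the same three places; do not widen the destination beyond `$TABLO_IP`. The `ct state established,related` line is what lets LAN clients receive video from the DMZ without any DMZ-to-LAN allow rule.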

@brian0


If the Tablo worked without any port changes on your end, it would have used UPnP or NAT-PMP to configure the ports automatically. It’s possible that the port entries were invalidated if the Tablo’s IP was changed. This has happened a couple of times with some folks, and they’ve fixed it by assigning the Tablo a static IP.


OK, meaning port forwards wouldn't be needed at that point?

What is the hold-up to allowing devices to point to a Tablo rather than forcing the subnets to be the same? If it's never going to happen I'll likely return my Tablo, as I'm never going to put my Tablo on my home LAN and open ports. That's just plain foolish from a security standpoint.

I want to put my Tablo on a DMZ which I can open the ports on. This way, worst case, someone breaks my Tablo.

You should look into D-Link cameras or WeMo devices from Belkin. Both are able to get commands from an iOS app into the device without PnP or opening ports.

On the above comment, "we use port forwards into our LAN and not a DMZ": you may want to rethink that, personally but more importantly as a company.

You always want some form of authentication before someone gets in. If someone talks to the Tablo device and owns it, you just gave them a device on your network to begin to have fun on.

You really don't want that on your LAN or a trusted zone.

@Brian0


There may be a disconnect here. The Tablo lives on the LAN - it doesn’t use the Internet to stream its video, just to grab guide data. If the Tablo was set up for UPnP originally, it means that it opened up the ports (just for the Tablo) automatically - this is what UPnP does.

That said, there is authentication in the Tablo Connect logic - the Tablo will only allow a ‘paired’ or ‘registered device ID’ to use those ports remotely. The only traffic that can go in (or out) is through the Tablo, and while using a device that has already been paired.

Hope this helps.

@TableSupport

How can I configure my Tablo to use static IP address (as you mention a couple of messages back)? I’ve been looking for this for a while and see no config choices for it! My firewall/DHCP server will not allow me to reserve MAC addresses for assignment of IP addresses so periodically I lose my Tablo due to newly assigned IP address. I REALLY wish I could assign it statically, as I consider it network infrastructure equipment that should be static.

@greymont

What is the make and model of your router? You should be able to do it from the settings of the router.

If not, you need a new router.

Don’t think there is a menu option for this in the Tablo interface…yet, but some routers will allow for you to do an IP reservation via DHCP reservation. 

You cannot use STATIC. You must use RESERVED. There’s a huge difference. STATIC is assigned ON THE DEVICE that has the IP address.

RESERVED is where you set it on the DHCP server.
If your router can’t allow you to configure reserved or persistent IP addresses then you can’t assign Tablo a specific address.
To be clear - static is assigned on the endpoint, not the router. Static is where you configure the device itself to declare the address it’s going to use. With static you can get into IP address conflicts if you assign the same address on multiple devices. 
With persistent, which is what folks are really talking about here, this can’t happen because the DHCP server still assigns the address but it assigns it based on or according to MAC addresses.
I live this daily at work and if you talk static then you have to assign that address within the computing device. You can’t assign static in a router, only persistent or reserved addresses.
Now with DNS you can set up static mapping. You say this is the device name, this is a static address and then if something uses DNS to find a device the DNS server responds with the static address and no other device can spoof that device or poison your DNS since the device has a static address mapped in DNS. 
Most of us don’t worry about a DNS server at home as we use web-based DNS services or servers. But at work I go into our DNS servers and configure our server addresses as static. That way no other device can say “this is MY address” and map that same address to its name instead. DNS will not allow it.

So ideally you have a router where you can go in and either choose a MAC address already in the DHCP table and assign it an IP address, or you can type in a MAC and assign that MAC an IP address (most decent routers allow this, but some simpler or cheaper ones do not).

I’m not sure what protocols are used by Tablo but keep in mind that not all protocols are routable in the Internet sense. Some can’t cross subnet boundaries. We have some scanners that must be configured by a PC on the same subnet as the protocols used won’t cross subnets, they can’t be routed directly. 

By the way, I followed what a lot of security folks are now doing on port forwarding. Juniper even has big documents on using that for the same purposes I am using it for. You restrict the ports, restrict where the traffic can go to, you firewall all else, drop any other packets. You also do packet inspection to ensure it's not traffic you don't want, regardless of port or protocol. There's a whole lot of this going on now and it's very accepted. There's a lot of stuff happening that's not in a DMZ if all you want is very specific traffic and to a very specific address. Further, the server that's receiving said traffic also inspects the traffic and will accept calls only from very specific devices. I can restrict by MAC as well.
I can play "what-if" with the Cisco ASAs, and traffic that's not wanted simply disappears. We have IPS at the boundary as well as on each server, so traffic is inspected using packet inspection. I've also written some custom IPS rules. I can block by pattern or key words or strings inside of packets. We're safe, we've been tested, been at this game a lot of years. I'm working with a pretty well-known and respected German company on this project and they are fine with it.
The Europeans take security more seriously than Americans ever will, I'm afraid.
I also have the Juniper core switches set up for security, and they will pass traffic that meets only specific criteria based on LAN, switch port, etc. The config in the Junipers here gets rather complex, I'm afraid. I had Juniper support help with that, at least in testing it; I had the basics set up already.
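The static-versus-reserved distinction made a few posts up is easiest to see in the DHCP server's own configuration. What follows is an added illustration (not from the thread, not Tablo's documentation) for dnsmasq, the DHCP/DNS daemon most consumer and OpenWrt-style routers run; the interface names, subnets, hostname and MAC address are placeholders. Nothing is typed into the Tablo: the router hands the same lease to the same MAC every time, which is the "reserved" or "persistent" address described above, and a fixed DNS entry gives LAN clients a name to use that does not depend on the lease table.

```conf
# Added example dnsmasq configuration, not from the thread or from Tablo.
# Placeholders: lan0/dmz0 interface names, subnets, the MAC and the hostname.
interface=lan0
interface=dmz0

# Dynamic pools, one per zone. The DMZ pool is kept deliberately small.
dhcp-range=lan0,192.168.1.100,192.168.1.199,12h
dhcp-range=dmz0,192.168.50.100,192.168.50.120,12h

# Reserved (persistent) address: this MAC always receives 192.168.50.10.
# The address is outside the dynamic pool but inside the dmz0 subnet, so
# no dynamic client can ever be handed it. The Tablo itself stays on DHCP,
# which is the difference from a static address configured on the endpoint.
# 00:11:22:33:44:55 is a placeholder MAC.
dhcp-host=00:11:22:33:44:55,192.168.50.10,tablo

# Fixed DNS answer for the same name, independent of the lease table.
address=/tablo.home.lan/192.168.50.10
```

Drop this into `/etc/dnsmasq.d/` (or the router's equivalent) and restart dnsmasq. If the Tablo had previously pulled a dynamic lease, power-cycle it once so it requests a new one and picks up the reservation; the UPnP mappings mentioned earlier in the thread then stop being invalidated by address changes.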


So, if they get into a Tablo, what will they be able to do?

If it’s in a REAL DMZ how will you access it? 
If your Tablo is in a TRUE DMZ then even YOU can’t get into it unless you go out to the web and back in!
DMZ means that it’s isolated from your LAN. That means that you can’t get to it from any device on your LAN. That’s DMZ - isolation from anything that is on your lan even though it’s “on your lan” You can’t ping it, you can’t detect it, you can’t connect to it. 

Port forwarding exists in the best Juniper and Cisco gear because it’s ok to use. It’s safe if done correctly and with the proper precautions. We’re fine. It was security pros who suggested the very setup I am using. I work with the best companies. 

I think you're missing the point. If I could put it on a DMZ it would be fine: someone hacks into the Tablo and just messes with the Tablo.

The issue is if Tablo is on the DMZ and my Roku and Fire TV devices are on my LAN they will not work.

If I put them all on my LAN, the port forwards put my Tablo directly on the Internet for the 3 open ports. I'm not sure what OS the Tablo is on, but every OS out there has been cracked at some point.

If someone figures out a hack for the listeners on the 3 open ports, they could gain access to the Tablo and then use it as a jump box into my network.

The fact that Juniper has port forwarding is not a reason to open it up. I can assure you NO ONE port forwards an Internet-accessible IP/port to a LAN IP if they know the holes it causes. That's the point of a DMZ.

@brian0 speaks truth. Tablo folks need to work on this.

IMHO, it's as simple as just allowing the hardcoding/selecting of the IP on the frontend. But there may be good reasons for why Tablo works the way it does. I know they don't want people to obtain their direct Tribune/Gracenote API ID (for example). But I can't say if that would even be an issue in this case.

My guess is it's some form of DRM. There are definitely no blocking issues which would prevent it. There are a ton of devices like the Tablo which you can point a client at. There are also a lot of in-home camera and automation products which don't require any port triggering or port forwarding to establish connectivity to a mobile device, or a device on another LAN.

I wish they would just move to something more liberal, like making sure it's a 10 address or 192 address to control that it's not routable through the Internet, and allow users to point a Roku or iPhone at a private LAN IP instead of requiring it to be on the same subnet.

There is a way to work around it: you can create a network bridge with OpenVPN so the 2 locations look like a single flat network, but it's a pain for no reason.

Also, the port forwards should be easy to work around, or use port triggers. Opening up ports to your LAN is a no-no though.

Oh… if you know what you're doing, I'm pretty sure you can make it work… it just requires the right knowledge and equipment.

I know I’ve done and seen many protocols that were not meant to go beyond local Layer 2 get routed to other networks… so it’s definitely possible, just may require some effort.


The fact that Juniper has port forwarding is not a reason to open it up. I can assure you NO ONE port forwards an Internet-accessible IP/port to a LAN IP if they know the holes it causes. That's the point of a DMZ.

If you can access the Tablo from inside your private network, it's not fully isolated, and I bet your firewall is letting traffic through. A TRUE isolated system means you can't get to it directly yourself. What I'm doing is common, it's frequent, it's built into the best security devices. Cisco even has their own name for it. I can show you hundreds of pages of documents on that very topic from all the major players. I'll see if I can remember to bring home the documentation I have from Cisco on it, and how they suggested the exact scenario I have at work.


I do NOT call this a DMZ, but it's pretty close to what I'm doing, as the "firewall" in my case is a Cisco Adaptive Security Appliance, or ASA, and it's taking a public address, NATing to an internal address, allowing just 3 specific packet types through. There's a physical and a virtual NIC in the server; well, the physical NIC is really a VMware virtual NIC, but it's more like a physical NIC than the other. The other takes the VPN traffic and translates and manages traffic between it and the other VMware NIC. The ASA allows only very specific traffic through. Our Juniper core switches have security rules, too: if the traffic hasn't come through the ASA, from the ASA's virtual exterior address, and isn't aimed directly at specific ports on a specific address, the switches drop the packets. Return traffic has to come from specific apps on the VPN server. I filter by source application as well. DNS traffic has to come from specific files or apps and be aimed directly at something specific, or it's dropped. The ASA does packet inspection, the firewalls running on the servers do packet inspection, the core switches do traffic inspection. We have 2 appliances running from the OCIO (Office of the CIO) that watch traffic on our nets, and we have a dedicated IPS as well as IPS on the servers, for which I have written some custom signatures myself. My firewalls block by packet content, type, source, target, patterns, etc., as do the core switches. The cores have a long list of source networks that get blocked. We've passed pen tests year after year and have been shown to have the most reliable network of any agency in the state, which my boss says I get credit for. One of my co-workers says that my name comes up a lot at CIO meetings when they talk security and how to accomplish certain things.
I can't explain things well, that's part of ADHD; you may call something a DMZ and I don't believe it to be a DMZ, and there are several opinions out there on what exactly one is and how to configure it correctly, but I have it in me what needs to be done and how. The OCIO has tried all of their "tricks" to try to make our network, or even just one device on it, fail, and so far can't. Are we impenetrable? No, I'd never say never. But we are as safe as anyone out there and more than most.
This isn't exact by any means, but fairly close to what I'm working with now:

This really wouldn't be that hard for Tablo to integrate. I completely agree that if you are going to open ports on the Internet it's not responsible to leave this in your LAN; it needs isolation. Your clients (Android, Roku, whatever) need to have a place to enter an IP address and a port for the Tablo device so that your firewall can route to the DMZ. All of these devices that are going to be open on the Internet are huge vectors and an entry point for your network; I seriously doubt Tablo has considered security issues if these other considerations have been left out. Plex had security problems, but they addressed them, and while it's not perfect, it's much better and many people appreciate that. I messaged Tablo and asked for this, but they said not enough people have asked for this feature; a problem is present but most people have no idea there is a problem. The majority will plug it in, UPnP will do its thing, and then you are happy watching TV from outside your network, but in reality you are exposing your LAN to the Internet.