New Device Alert
I recently moved from Untangle to pfsense. Everything is running great but I cannot seem to figure out a good way to get alerts when new devices appear on my internal network(s). I like to be aware of new connections so I know if someone new jumped on my wireless or connected to my LAN. It's just for the sake of knowing and making sure it's legit and not some rogue device. Untangle had an easy way of doing this, and I understand that pfsense is a completely different platform and I'm not necessarily looking for an as easy solution…just a solution...either using what's part of the platform by default or through the use of an additional package. Either works for me, I just want to be able to get an email every time a device, not previously known or on the network, connects. Thanks!
Sorry, never heard about such a thing.
pfSense is not going to mail you in this case.
But … what about locking up the AP - don't use the wired LAN in public places - put in place WPA2 on the AP and a nice password and you won't have any rogue devices on your network?
I currently just run https://www.domotz.com/ on my network, it's not free but very cheap.. $36 a year or something like that. It provides way more than just alerts of new devices, but it also does that. Can get emails, SMS or alerts on your phone (they have an app).
They do sell a small box, you can run it on a Pi or any other Linux box you're running - I run it on a VM on my network.
So an email alert looks like this when it sees a new device (see attached)
I have it set up to alert me when my sons' phones join and leave the network ;) They are no longer living at home - but it's funny I get a pop up on my phone when they pull into the driveway and their phones join my wifi network ;) Also I know when one son is over at the house picking up the grandkids (my wife watches them) when I am away. And then what time he leaves even.
It monitors all my devices - so I get alerts on my phone when something critical goes down, like my home internet connection or any of my other devices I have alerts setup for.
It is the big brother to the https://www.indiegogo.com/projects/fingbox-network-security-wi-fi-troubleshooting#/
The Fingbox has no VLAN support.. So pretty pointless if you ask me ;)
Other option is you could setup arpwatch (2nd pic)
I had posted about this a while back
It used to be a package, but was removed.. I currently do not see it on the package list. But for sure could be installed on its own.. Or just run on some other box on your network.
I would highly recommend the domotz solution if you don't mind putting out a few bucks a year.. It's a really slick, easy to use, simple network monitoring tool, and they keep adding features. Monitoring specific services was one of those recent additions. Screen shot of phone app attached (3rd pic), you can see the status of all your devices. I currently have 49 devices on my network. Some are offline for sure - different phones, tablets, laptops, VMs, etc. etc. As you can see in that pic my son Sean's phone was last on 4 days ago..
edit: Oh one of the other really slick features is the snmp info you can get, so if you have a switch that supports snmp you can get your interface util pretty much in real time, etc. House is empty currently so nothing really going on with the network at home but you can see that I can just from the app on the phone check my switch interfaces, etc. (4th pic)
@johnpoz, Thank you for the post and great information. Very helpful and I appreciate it! I'm curious as I couldn't find the details around the domotz site. Is all management done via a mobile app? Is there no web UI for it? Thank you again for the great information!
@johnpoz, curious what the agent sends "back home"? How much visibility into my network does Domotz have? I see that I can log into the agent on my server, but the Domotz portal is not local, but from their servers, correct?
nmiller0113, to answer your question, yes they have a web portal to log into.
There is a local portal as well, you can hit it via port 3000 to see what is running. But yes they have a server side you can hit.
As to what info they can see - that would be a great question for them.. Sniff the traffic they send if you're curious, my tinfoil hat is not as tight ;)
…my tinfoil hat is not as tight ;)
Not so much paranoia as knowledge. We spend so much time/energy getting our networks secure and locked down. Then we go and install software or buy their hardware that scans our network and sends everything back to a third party's servers without knowing what it is sending. Additionally it is a threat vector, either on purpose or by accident/bug.
Just want to know so I can make an educated decision as to whether I want to keep running this system. I posed this to Domotz on their forum and I have only received a passing and evasive response. Not confidence inspiring. I sent the question to their support email and it got bounced back, again not confidence inspiring…
What info could they send? It monitors if devices are up down, and only internal.. The bigger concern I think would be the connect feature that they have that allows you to directly connect into your network. Which if their site was compromised could be a serious issue to be sure.
While I agree with your concerns - I am only using it on a home network, and not production. While it should still be secure, the device is in my DMZ and only has limited outbound access and I monitor where it sends data. I have not gotten to the point of sniffing the traffic and/or even doing a MITM attack since it's all https..
I am more trusting since it's just my home network.. But your concerns are warranted for sure.. I saw your posts on their forum - I will chime in on them when I get a chance, asking for more details and bringing up the remote in feature as a possible security issue and asking how they guard against possible unauthed access into this, etc.
Thanks for the responses. Just out of curiosity, are all the features, options..etc available in the WebUI as in the Mobile App? I've seen times with other software vendors where they want you to use the mobile app so they'll limit the abilities of the web app. Just curious before I go through the effort to install this. From reading about it the application does suit my needs, but I'd rather not spend the money on it and only be able to use / access half the features from the mobile app. Thanks!
They have like a 21 day trial - so you can for sure see what is different between the mobile app and the website. As I recall pretty much all of it is available in both the app and the website. But some stuff is a bit easier to do on the full site vs the app.
Thanks! It's actually available to run on my Synology which is nice. I'm gonna test it out.
Can your Synology do VLANs? For it to monitor multiple networks it has to have a connection in that layer 2. So you really need a device that supports VLANs to be able to monitor multiple networks, or it has to have a physical interface in each L2 network.
Sure can :) Yeah, it definitely would need a layer 2 presence in order to function properly.
Nice! Have fun with it and let us know what you think.. AR15USR does bring up some valid security concerns.. But then again my home network is not a DoD facility ;) hehehe.. But his concerns are very valid and it would be nice to see some feedback from them on their precautions and security practices..
Yeah, a sniff isn't going to yield you a ton of info unless you're sniffing traffic before it's getting encrypted at the app layer. The app maker should have something documented around what data they are storing, how and where they store it, retention times, transport methods… etc. Also a document showing their incident response around data breach.
Or after via a mitm on your network which really wouldn't be all that hard..
AR15USR created a thread on their forums - which don't get all that much traffic. But the owners/admins do chime in on questions, if a bit late. I noticed that the AWS box they talk to was being queried every freaking minute.. TTL of 60s, which was throwing off my listing of top queried sites and hosts on my network that I watch.. They had set it back to 10 minutes, but the other day it went back to 60 seconds.. I have since just overridden it locally to a longer TTL.. Until they change it.. There is like zero reason for such a short TTL.
If we chime in on that thread maybe we can get them to give it a bit more attention.
RE MITM, yep :)
Can you PM me that thread and I'll go check it out. Thanks!
What info could they send? It monitors if devices are up down, and only internal..
Which is my concern in a nutshell. We really don't know what it's doing without them laying it out in a document somewhere. I too only run it on my home network, which is actually more important to me than production networks.
Credit cards, online banking, SSN, emails, address. There is enough info about you flying around on your home network on a daily basis to completely ruin you financially, not to mention worse if a bad guy was a real psycho.
Anyway, not to sound too dramatic, but I just like to know what I'm installing and the risks it imposes, that's all.
BTW, I did get a response from their support email, I will post shortly…
Here is their response:
Thanks for reaching us. All answers are available on this link https://www.domotz.com/domotz-product-privacy-policy/, below I have separated the parts that answer your questions:
What exact types of data/information does Domotz extract from our devices/network?
We collect the following categories of information:
Information you give us. You may give us information about you by filling in forms or by corresponding with us by e-mail or otherwise. This includes information you provide when you subscribe to our service, search for networks using our service, sync to the cloud, and when you report a problem. This information may include your name, email address, mailing address and communication preferences in order to help us create your settings to use our products and services.
Geo-location data: we may collect information such as zip code, area code, referrer URL, approximate location, and the time zone where our products and services are installed to provide our services and to assist you in case of troubleshooting.
Technical information from your network and devices: we collect technical and diagnostic information about the devices in your network. For instance, we automatically collect the MAC address, maker name and model of your devices, up and down status, operating system version, unique device identifiers and the related software. We also collect real time operating status of your network and its connected devices (i.e. network speed, IP addresses, device event information such as disconnections, system activity, hardware settings, the date and time of your requests) and the related diagnostics information. We may process information from your devices so that we can send you alerts when something happens. We may also use this data as described below; for example, we may use the data in aggregated format for statistical and research purposes to show you how your network performance compares with other users in your area.
Environmental data: We may collect data from sensors or devices which may be present in your network, such as data on whether something in the room is moving, temperature data, and the occurrence of smoke or CO alarms in order to deliver such information to you or to security services during the use of our products and services.
Collaboration and remote connectivity data: One of the features of Domotz is to provide you, or people enabled by you, to remotely connect to your network via secure sessions. For example, you (or others you allow) could be accessing your home PC remotely via our Remote Desktop feature or you could login remotely into the configuration page of your router or any of your home devices. We do not view or access any of your devices remotely without prior authorization by you or from your support provider that has obtained your consent.
Information we may receive from other sources. We may receive information about you if you use the Services. We work with third parties (including, for example, business partners, sub-contractors in technical and delivery services, advertising networks, analytics providers, search information providers) and may receive information about you from them.
Where is this data sent? How is this data stored? Is it encrypted? What security systems/precautions do you have in place to protect our data?
Domotz users residing in the United States will have their information sent to Domotz Cloud servers located in the United States when transmitting information in the United States.
Domotz users residing in Europe and the rest of the world will have their information sent to Domotz Cloud servers based in the European Union when transmitting information from outside of the United States.
We take security seriously and care about the integrity of your data. We use administrative, physical, and technical safeguards to protect the confidentiality of personally identifiable information, including encryption, firewalls and SSL (Secure Sockets Layer). However, no information system can be 100% secure, so we cannot guarantee the absolute security of your information.
Who has access to this data? How is this data used? How does Domotz use the information it collects?
We may use the information we collect to provide, develop and improve our products and services, such as for:
We may also combine or aggregate in anonymized or non-personally identifiable format any of the information collected through the use of the Services or elsewhere for any of these purposes and for research, statistical and business purposes.
In what circumstances does Domotz share my data?
The following are the situations where we may share your data:
We may share your personal information with any member of our group, which means our ultimate holding company and its subsidiaries (as defined in section 1159 of the UK Companies Act 2006).
Domotz partners and third party developers: We may share deidentified data for research, statistical, and business purposes. Additionally, to improve their software, hardware and services designed for use with our products and services, Domotz may provide any such partner or third party developer with information that is relevant to that partner’s or developer’s software, hardware and/or services, as long as the diagnostic information is in a form that does not personally identify you.
Business Transitions: If we are involved in a merger, acquisition or sale of all or a portion of our assets, your information may be transferred as part of that deal.
Is this data ever transmitted to a third party?
When you choose to connect third-party products and services through Domotz products and services, you are shown details about proposed exchange(s) of data between Domotz products and services and the third party that is providing the products or service. In some cases, Domotz Services or the third party will instead (or also) ask for permission to control the products that you have connected. Domotz products and services may receive and process information from third parties, and some of this information may be associated or stored with your Domotz account.
Please, don't hesitate to contact us for any further clarification.
I'm going to post this up in their forum when I get a chance as well..
And your take on it? As to your comment about CC and SSN.. While that is transmitted over the public internet as well, at no time is that data ever transmitted in the clear.. It's always SSL..
While you have a point that they could be hacking your network from the software you installed to monitor your network.. That seems pretty tinfoil hatish to me.. They ping and monitor ARP traffic in a nutshell. You can set it up to see if your http or ssh server is up. They use a public SNMP community that you give it to access your switch for interface info, etc.
You make it sound like you're worried it's some trojan or rootkit/malware.. hehehe That is the part where your tin foil hat is pretty freaking tight ;)
The bigger concern if you ask me is the fact that someone on their system, or if they were compromised, could remote into your system.. But then again, while they let a tunnel into your network, you still have to auth to the remote system. IE you still have to RDP auth to whatever, or ssh auth, etc.. They are just providing the tunnel in.
Any company whose products exfiltrate data from my network I hold to a higher burden of proof. Since I am not in this field professionally I have to err on the side of caution when it comes to these. Unless there is a dire need for a feature set, and the company does a good job at satisfying my requirements for disclosure, I won't use them. That's how I ended up at pfSense, got sick of web filtering products sponsored by Disney and came here to do it all myself, in an overly cautious sort of way ;)
Hi - I am in the same boat. I would like to know when new devices pop onto my network. Any suggestion for something local that would stay on my own network?
Use arpwatch then if you don't like domotz, etc.
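The arpwatch suggestion made earlier in the thread and repeated here amounts to: keep a store of MAC addresses already seen on each L2 segment, compare each new ARP snapshot against it, and mail on anything new. The script below is an added example of that logic, not code from arpwatch, Domotz or pfSense. It parses ARP-table lines in `arp -an` format (FreeBSD/pfSense and Linux both produce the `(ip) at mac` shape it matches), keeps the known stations in a JSON file, and reports the two events arpwatch is best known for: a never-seen MAC ("new station") and a known MAC now answering for a different IP ("changed ip"). The sample ARP output, the `known_stations.json` path and the SMTP parameters are constructed placeholders; it only sends mail if you call `send_alert` with a real server.

```python
"""arpwatch-style new-device detector (added example; not arpwatch's, pfSense's or Domotz's code).

Reads ARP-table lines in `arp -an` format, compares them against a JSON store of
known stations, and reports "new station" (MAC never seen before) and
"changed ip" (a known MAC now answering for a different IP). Alerts are
formatted as text and, only when an SMTP host is supplied, sent by email.
Run it from cron on a box with an interface in each L2 segment you care about.
"""
import json
import re
import smtplib
from datetime import datetime, timezone
from email.message import EmailMessage
from pathlib import Path

# Matches "(10.0.0.5) at aa:bb:cc:dd:ee:ff" on both BSD and Linux arp output.
# Incomplete entries ("at (incomplete)" / "at <incomplete>") do not match.
ARP_LINE = re.compile(
    r"\((?P<ip>\d{1,3}(?:\.\d{1,3}){3})\) at "
    r"(?P<mac>(?:[0-9a-fA-F]{1,2}:){5}[0-9a-fA-F]{1,2})"
)


def normalize_mac(mac: str) -> str:
    """Lower-case and zero-pad each octet so 0:d:b9:.. == 00:0d:b9:.. (BSD prints unpadded)."""
    return ":".join(octet.zfill(2) for octet in mac.lower().split(":"))


def parse_arp_table(text: str) -> dict:
    """Return {ip: mac} for every complete entry in `arp -an` style output."""
    table = {}
    for line in text.splitlines():
        m = ARP_LINE.search(line)
        if m:
            table[m.group("ip")] = normalize_mac(m.group("mac"))
    return table


def detect_changes(known: dict, current: dict, now: str) -> list:
    """Update the known-station store in place and return alert events.

    known:   {mac: {"ip": str, "first_seen": str, "last_seen": str}}
    current: {ip: mac} from parse_arp_table()
    Returns a list of (event, mac, detail) tuples in ARP-table order.
    """
    events = []
    for ip, mac in current.items():
        rec = known.get(mac)
        if rec is None:
            known[mac] = {"ip": ip, "first_seen": now, "last_seen": now}
            events.append(("new station", mac, ip))
            continue
        if rec["ip"] != ip:
            events.append(("changed ip", mac, f"{rec['ip']} -> {ip}"))
            rec["ip"] = ip
        rec["last_seen"] = now
    return events


def load_known(path: Path) -> dict:
    return json.loads(path.read_text()) if path.exists() else {}


def save_known(path: Path, known: dict) -> None:
    path.write_text(json.dumps(known, indent=2, sort_keys=True))


def format_alert(events: list) -> str:
    """One line per event, e.g. 'new station: dc:a6:32:11:22:33 (192.168.1.77)'."""
    return "\n".join(f"{event}: {mac} ({detail})" for event, mac, detail in events)


def send_alert(body: str, smtp_host: str, sender: str, recipient: str) -> None:
    """Mail the alert; smtp_host/sender/recipient are placeholders the operator fills in."""
    msg = EmailMessage()
    msg["Subject"] = "ARP watch: new or changed station"
    msg["From"] = sender
    msg["To"] = recipient
    msg.set_content(body)
    with smtplib.SMTP(smtp_host) as smtp:
        smtp.send_message(msg)


# Constructed sample: three FreeBSD-style lines (as on pfSense) and one Linux-style line.
SAMPLE_ARP_OUTPUT = """\
? (192.168.1.1) at 0:d:b9:12:34:56 on igb0 permanent [ethernet]
? (192.168.1.20) at a4:5e:60:aa:bb:cc on igb0 expires in 1199 seconds [ethernet]
? (192.168.1.50) at (incomplete) on igb0 expired [ethernet]
? (192.168.1.77) at dc:a6:32:11:22:33 [ether] on eth0
"""


def run_once(arp_text: str, known: dict, now: str = "") -> list:
    """Parse one ARP snapshot against the store and return the events."""
    now = now or datetime.now(timezone.utc).isoformat(timespec="seconds")
    return detect_changes(known, parse_arp_table(arp_text), now)


if __name__ == "__main__":
    store = Path("known_stations.json")  # hypothetical state file next to the script
    known = load_known(store)
    events = run_once(SAMPLE_ARP_OUTPUT, known)  # replace with subprocess output of `arp -an`
    save_known(store, known)
    if events:
        print(format_alert(events))  # or send_alert(format_alert(events), "smtp.example", ...)
```

The first run seeds the store, so every station shows as new once; after that only genuinely new MACs and IP changes are reported. Because it relies on the ARP table, the box running it needs a presence in each VLAN, the same layer 2 requirement johnpoz describes for Domotz.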
I am also interested in what Domotz can do, but like AR15USR I am concerned about the security issues associated. Since Johnpoz mentioned there is a local server, I was wondering if it makes sense to block all outbound communication of the Domotz server and use VPN. Does anyone think this will work?