Security & Network
This document describes the information that may be of importance for IT/Security Teams as it pertains to software running on-premise connected to the Lumeo cloud platform.
Background
Lumeo is a "no-code" video analytics platform that lets you create and deploy a wide range video analytic solutions in minutes, and provides you the flexibility to run analytics on-premise, in your cloud, or on Lumeo's cloud.
In order to do that, some of Lumeo's software runs on servers/edge appliances or VMs deployed in customer networks or customer cloud, and communicates with Lumeo's Cloud services for command and control.
Lumeo Agent
Lumeo Agent is the software that runs on the on-prem equipment or in your cloud, and is installed using an installation script. If you use Lumeo-Ready Gateways, it comes pre-installed on the Lumeo-ready devices. It is responsible for communicating with Lumeo's Cloud via an API, running analytic pipelines, streaming video, and discovering local cameras and video management systems.
Open Ports - Inbound
Lumeo will listen on port 554
for RTSP
connections. This is used by VMS to ingest/record Lumeo output.
Depending on configuration, Lumeo will also create WebRTC stream(s) on one or more random ports, with random identifiers. This is used to view the video using a browser.
Local Network Connections - Outbound
On the local network, Lumeo will periodically run WS-Discovery
process to detect other ONVIF
cameras and video management systems on the network. This communication can use the standard ports or vendor specific ports for particular customer integrations.
Lumeo will also (depending on deployment settings) ingest local video streams from cameras or network video recorders. These streams are typically over RTSP.
Additionally, Lumeo may be configured to send alarms and events to locally deployed VMS systems over vendor-specific ports.
External Network Connections - Outbound
Lumeo makes outbound connections to various cloud services for command & control and integrations.
MQTT
Lumeo initiates an SSL socket connection (using MQTT) over port 8883
to mqtt.lumeo.com
please note that the ip address is likely to change.
REST API - HTTPS
Lumeo will make https
requests to Lumeo's REST API api.lumeo.com
over port 443
. These communications are also over SSL.
Integrations, Data Storage - HTTPS
Lumeo will make https
connections over port 443
to other domains and REST APIs. These connections are for storing/retrieving large data files, Integrations with cloud services (ex. SMS, Email, Elasticsearch, etc.). These communications are also over SSL
.
WebRTC
Depending on the deployment configuration, Lumeo will make video streams available over WebRTC to authorized internet clients (user's looking at video output from deployments on Lumeo's web based admin console: https://console.lumeo.com ). As part of WebRTC, Lumeo will make connections to traverse.lumeo.com
and stun.google.com
to attempt STUN
and TURN
to make a direct peer-to-peer connection to the video stream viewer.
Updates - HTTPS
During installation and automatic updates, Lumeo will also need access to public software repositories over https
(tcp port 80
& tcp port 443
) and dns
(udp port 53
).
Safe & Secure Programming
Lumeo is written in a secure programming language called Rust (https://rust-lang.org). It is used by many large companies, like Microsoft, Cloudflare, Dropbox, Google, Yelp, Firefox, and more. The language is designed to be highly performant (on par with C/C++) and prevent any memory overflows, buffer overflows, and the types of programming errors that account for a large majority (around 70%) of security vulnerabilities. https://msrc-blog.microsoft.com/2019/07/22/why-rust-for-safe-systems-programming/
Recommended Network Configuration
This document describes the basic network setup for the Lumeo Agent running locally on customer sites.
The recommended simplified network configuration for the Gateway running the Lumeo agent:
- No restrictions on outbound connections to the Cloud (UDP, TCP)
- Allow
554
(TCP, UDP) inbound connections from your local network / VMS IP Address ranges - Allow ONVIF (
80
,443
TCP
&UDP
),RTSP
(554
TCP
&UDP
) outbound connections to your local cameras & VMS.- If your VMS or Camera is running ONVIF / RTSP service on a different port, you will need to open those up too.
- We recommend running Lumeo on a Dual-NIC device. Lumeo-Ready Gateways are all mostly equipped with Dual-NICs as well. With a Dual-NIC device, you can connect one NIC to your camera network, and the other to a network with internet access.
Ports
The main ports for Lumeo on-prem agent / device are listed in the table.
outbound
direction indicates that the Lumeo agent makes an outbound connection to the specified Domain on those portsinbound
direction indicates that the Lumeo software listens on that port for inbound connections on the local network.- Note that no ports need to be opened in your firewall for inbound connections.
Function | Ports | direction | Protocol | Domain |
---|---|---|---|---|
Installation, Updates, Operations | 80 & 443 | outbound | TCP | api.lumeo.com assets.lumeo.com |
WebRTC (stun) | 3478, 19302 | outbound | TCP/UDP | traverse.lumeo.com stun.google.com stun.l.google.com |
WebRTC (turn, turns) | 3478, 5349 | outbound | TCP/UDP | traverse.lumeo.com |
WebRTC (streaming) | 49152-65535 | outbound | UDP | traverse.lumeo.com and local network |
Agent Communication | 8883 | outbound | TCP | mqtt.lumeo.com |
RTSP | 554 | outbound - inbound (to pull output streams into a VMS) | TCP, UDP | local network |
Web management interface, ONVIF & Discovery Only for Lumeo-Ready Gateways | 80 (ONVIF) 443 (Web-based Gateway Management interface) Following ports are opened only when Media Server & ONVIF are enabled: 8555 (ONVIF RTSP) 8322 (RTSPS) 8888 (HLS) | inbound | TCP | local network |
DNS | 53 | outbound | UDP | |
Camera Discovery | 3702, 80, 443 Other ports may be used based on camera vendor. | outbound | TCP/UDP | camera network or streams |
Integrations | Check node documentation for additional ports you need to allow outbound communications on. Ex. Milestone integration (port 9090), Genetec (port 4590) https://docs.lumeo.com/docs/node-reference |
Ports - Lumeo Cloud Gateways
Lumeo Cloud Gateways do not open any publicly accessible ports. They make outbound connections to your Cameras from Lumeo's cloud.
Updated about 1 month ago