Security & Network
This document describes the information that may be of importance for IT/Security Teams as it pertains to software running on-premise connected to the Lumeo cloud platform.
Background
Lumeo is a flexible video analytics platform that lets you create and deploy a wide range video analytic solutions in minutes, and provides you the flexibility to run analytics on-premise, in your cloud, or on Lumeo's cloud.
In order to do that, some of Lumeo's software runs on servers/edge appliances or VMs deployed in customer networks or customer cloud, and communicates with Lumeo's Cloud services for command and control.
Lumeo AI Gateway
Lumeo AI Gateway is the software that runs on the on-prem equipment, in your cloud or Lumeo Cloud, and is installed using an installation script. If you use Lumeo-Ready Gateways, it comes pre-installed on the Lumeo-ready devices. It is responsible for communicating with Lumeo's Cloud via an API, running analytic pipelines, streaming video, and discovering local cameras and video management systems.
Lumeo AI Gateway is written in a secure programming language called Rust (https://rust-lang.org). It is used by many large companies, like Microsoft, Cloudflare, Dropbox, Google, Yelp, Firefox, and more. The language is designed to be highly performant (on par with C/C++) and prevent any memory overflows, buffer overflows, and the types of programming errors that account for a large majority (around 70%) of security vulnerabilities. https://msrc-blog.microsoft.com/2019/07/22/why-rust-for-safe-systems-programming/
Network Configuration - On-prem / Edge Deployment
In the on-prem / edge deployment mode, Lumeo AI Gateway is deployed within your network or in your cloud, while command-and-control functions are performed via Lumeo Cloud.
This section describes the basic network setup for the Lumeo AI Gateway running locally on customer sites.
Recommended Network Configuration
The recommended simplified network configuration for the Gateway running the Lumeo agent:
- We recommend running Lumeo on a Dual-NIC device. Lumeo-Ready Gateways are all mostly equipped with Dual-NICs as well. With a Dual-NIC device, you can connect one NIC to your camera network, and the other to a network with internet access.
- No restrictions on outbound connections to the Cloud (UDP, TCP)
- Allow
554(TCP, UDP) inbound connections from your local network / VMS IP Address ranges - Allow ONVIF (
80,443TCP&UDP),RTSP(554TCP&UDP) outbound connections to your local cameras & VMS.- If your VMS or Camera is running ONVIF / RTSP service on a different port, you will need to open those up too.
Network Configuration - Viewing Lumeo Live Streams
To view Lumeo live streams from your browser, with a Lumeo Gateway running on-site, your network needs to allow the following outbound communications to the specified domains.
| Function | Ports | Direction | Protocol | Domain |
|---|---|---|---|---|
| WebRTC (stun, turn, turns) - View Lumeo live streams | 3478, 5349, 13902 | Allow outbound traffic from your network | TCP/UDP | traverse.lumeo.com |
| WebRTC (streaming) - View Lumeo live streams | 49152-65535 | Allow outbound traffic from your network | UDP | traverse.lumeo.com and local network |
Connections & Ports
The main ports for Lumeo AI Gateway are listed in the table.
outbounddirection indicates that the Lumeo agent makes an outbound connection to the specified Domain on those portsinbounddirection indicates that the Lumeo software listens on that port for inbound connections on the local network.- Note that no ports need to be opened in your firewall for inbound connections.
| Function | Ports | direction | Protocol | Domain |
|---|---|---|---|---|
| Installation, Updates, Operations | 80 & 443 | outbound | TCP | api.lumeo.com assets.lumeo.com link.lumeo.com |
| WebRTC (stun, turn, turns) | 3478, 5349, 19302 | outbound | TCP/UDP | traverse.lumeo.com |
| WebRTC (streaming) | 49152-65535 | outbound | UDP | traverse.lumeo.com and local network |
| Agent Communication | 8883 | outbound | TCP | mqtt.lumeo.com |
| RTSP | 554 | outbound inbound (to pull output streams into a VMS) | TCP, UDP | local network |
| Web management interface, ONVIF & Discovery Only for Lumeo-Ready Gateways | 80 (ONVIF) 443 (Web-based Gateway Management interface) Following ports are opened only when Media Server & ONVIF are enabled: 8555 (ONVIF RTSP) 8322 (RTSPS) 8888 (HLS) | inbound | TCP | local network |
| DNS | 53 | outbound | UDP | |
| Camera Discovery | 3702, 80, 443 Other ports may be used based on camera vendor. | outbound | TCP/UDP | camera network or streams |
| Integrations | Check node documentation for additional ports you need to allow outbound communications on. Ex. Milestone integration (port 9090), Genetec (port 4590) https://docs.lumeo.com/docs/node-reference |
Open Ports - Inbound
Lumeo AI Gateway will listen on port 554 for RTSP connections. This is used by VMS to ingest/record Lumeo output.
Depending on configuration, Lumeo AI Gateway will also create WebRTC stream(s) upon request, on one or more random ports, with random identifiers. This is used to view the video using a browser.
Local Network Connections - Outbound
On the local network, Lumeo AI Gateway will periodically run WS-Discovery process to detect other ONVIF cameras and video management systems on the network. This communication can use the standard ports or vendor specific ports for particular customer integrations.
Lumeo AI Gateway will also (depending on deployment settings) ingest local video streams from cameras or network video recorders. These streams are typically over RTSP.
Additionally, Lumeo AI Gateway may be configured to send alarms and events to locally deployed VMS systems over vendor-specific ports.
External Network Connections - Outbound
Lumeo AI Gateway makes outbound connections to various cloud services for command & control and integrations.
MQTT
Lumeo AI Gateway initiates an SSL socket connection (using MQTT) over port 8883 to mqtt.lumeo.com please note that the ip address is likely to change.
REST API - HTTPS
Lumeo AI Gateway will make https requests to Lumeo's REST API api.lumeo.com over port 443. These communications are also over SSL.
Integrations, Data Storage - HTTPS
Lumeo AI Gateway will make https connections over port 443 to other domains and REST APIs. These connections are for storing/retrieving large data files, Integrations with cloud services (ex. SMS, Email, Elasticsearch, etc.). These communications are also over SSL.
WebRTC
Lumeo AI Gateway will make video streams available upon request over WebRTC to authorized internet clients (user's looking at video output from deployments on Lumeo's web based admin console: https://console.lumeo.com ). As part of WebRTC, Lumeo AI Gateway will make connections to traverse.lumeo.com to attempt STUN and TURN to make a direct peer-to-peer connection to the video stream viewer.
Updates - HTTPS
During installation and automatic updates, Lumeo AI Gateway will also need access to public software repositories over https(tcp port 80 & tcp port 443) and dns (udp port 53).
Network Configuration - Lumeo Cloud Deployment
In the Lumeo Cloud deployment mode, Lumeo AI Gateways are deployed and managed by Lumeo in the Lumeo Cloud.
While Lumeo Cloud Gateways do not open any publicly accessible ports, they do make outbound connections to your Cameras from Lumeo's cloud.
If you need Lumeo Cloud Gateways to process video from cameras within your firewall, you will need to forward the following ports in your firewall to the camera or the VMS:
| Function | Public Port | Forward to Port | Direction | Protocol | Originating IP |
|---|---|---|---|---|---|
| RTSP | Camera IP Address, Port 554 (RTSP) | Allow inbound traffic to your network | TCP/UDP | Lumeo Cloud Gateway IP Addresses (found in your Lumeo account) | |
| HTTP Streaming | Camera IP Address, Port 443 | Allow inbound traffic to your network | TCP | Lumeo Cloud Gateway IP Addresses (found in your Lumeo account) |
Data Retention and Access
The following table details the type of user data collected by Lumeo and where it is utilized and persisted.
- Lumeo Cloud refers to Lumeo-managed cloud services and 3rd party subprocessors that may be used to store the data.
- Lumeo AI Gateway refers to Lumeo AI Gateway software running on the device. Any data stored on device is
| Data Type | Utilization Location | Data Storage & Retention | Retention Duration |
|---|---|---|---|
| Camera information: IP addresses, credentials, snapshots | Lumeo AI Gateway, Lumeo Cloud | Lumeo AI Gateway, Lumeo Cloud | Until the camera or source is deleted by User |
| Gateway information: IP addresses, serial number, specifications and utilization | Lumeo AI Gateway, Lumeo Cloud | Lumeo AI Gateway, Lumeo Cloud | Until the gateway is deleted by User |
| Camera video streams | Lumeo AI Gateway (processing), Lumeo Cloud (viewing) | - | - |
| Video stream snapshots | Lumeo AI Gateway (processing), Lumeo Cloud (processing & viewing), 3rd party services (processing, if so configured) | - | - |
| Analytics configuration data : Regions of interest, AI Models, etc. (varies based on the nature of analytics used) | Lumeo AI Gateway, Lumeo Cloud | Lumeo AI Gateway, Lumeo Cloud | Until a Pipeline or deployment is deleted by User |
| Integration configuration data : VMS credentails, Webhook URLs, Endpoints, Credentials, etc. | Lumeo AI Gateway, Lumeo Cloud | Lumeo AI Gateway, Lumeo Cloud | Until a Pipeline or deployment is deleted by User |
| Generated Analytics Media ex. Event Clips/Snapshots | Lumeo Cloud | Lumeo AI Gateway (interim, till uploaded to cloud), Lumeo Cloud | Until deleted by User or configured retention period (30/60 days) |
| Generated Analytics Data ex. Event counts, entry / exit counts | Lumeo Cloud, 3rd party services (if so configured) | Lumeo AI Gateway (interim, till uploaded to cloud), Lumeo Cloud, 3rd party services (if so configured) | Configured retention period (30/60 days) for Lumeo Cloud. 3rd party services retention is customer managed |
| Email addresses of authorized users | Lumeo Cloud | Lumeo Cloud | Until deleted by User |
Updated about 1 month ago