Security & Network

This document describes the information that may be of importance for IT/Security Teams as it pertains to software running on-premise connected to the Lumeo cloud platform.

Background

Lumeo is a "no-code" video analytics platform that lets you create and deploy custom video analytic solutions in minutes, and provides you the flexibility to run analytics on-premise, in your cloud, or on Lumeo's cloud.

In order to do that, some of Lumeo's software runs on servers/edge appliances or VMs deployed in customer networks or customer cloud, and communicates with Lumeo's Cloud services for command and control.

Lumeo Agent

Lumeo Agent is the software that runs on the on-prem equipment or in your cloud, and is installed using an installation script. If you use Lumeo-Ready Gateways, it comes pre-installed on the Lumeo-ready devices. It is responsible for communicating with Lumeo's Cloud via an API, running analytic pipelines, streaming video, and discovering local cameras and video management systems.

Open Ports - Inbound

Lumeo will listen on port 554 for RTSP connections. This is used by VMS to ingest/record Lumeo output.

Depending on configuration, Lumeo will also create WebRTC stream(s) on one or more random ports, with random identifiers. This is used to view the video using a browser.

Local Network Connections - Outbound

On the local network, Lumeo will periodically run WS-Discovery process to detect other ONVIF cameras and video management systems on the network. This communication can use the standard ports or vendor specific ports for particular customer integrations.

Lumeo will also (depending on deployment settings) ingest local video streams from cameras or network video recorders. These streams are typically over RTSP.

Additionally, Lumeo may be configured to send alarms and events to locally deployed VMS systems over vendor-specific ports.

External Network Connections - Outbound

Lumeo makes outbound connections to various cloud services for command & control and integrations.

MQTT

Lumeo initiates an SSL socket connection (using MQTT) over port 8883 to mqtt.lumeo.com please note that the ip address is likely to change.

REST API - HTTPS

Lumeo will make https requests to Lumeo's REST API api.lumeo.com over port 443. These communications are also over SSL.

Integrations, Data Storage - HTTPS

Lumeo will make https connections over port 443 to other domains and REST APIs. These connections are for storing/retrieving large data files, Integrations with cloud services (ex. SMS, Email, Elasticsearch, etc.). These communications are also over SSL.

WebRTC

Depending on the deployment configuration, Lumeo will make video streams available over WebRTC to authorized internet clients (user's looking at video output from deployments on Lumeo's web based admin console: https://console.lumeo.com ). As part of WebRTC, Lumeo will make connections to traverse.lumeo.com and stun.google.com to attempt STUN and TURN to make a direct peer-to-peer connection to the video stream viewer.

Updates - HTTPS

During installation and automatic updates, Lumeo will also need access to public software repositories over https(tcp port 80 & tcp port 443) and dns (udp port 53).

Safe & Secure Programming

Lumeo is written in a secure programming language called Rust (https://rust-lang.org). It is used by many large companies, like Microsoft, Cloudflare, Dropbox, Google, Yelp, Firefox, and more. The language is designed to be highly performant (on par with C/C++) and prevent any memory overflows, buffer overflows, and the types of programming errors that account for a large majority (around 70%) of security vulnerabilities. https://msrc-blog.microsoft.com/2019/07/22/why-rust-for-safe-systems-programming/

Recommended Network Configuration

This document describes the basic network setup for the Lumeo Agent running locally on customer sites.

The recommended simplified network configuration for the Gateway running the Lumeo agent:

  • No restrictions on outbound connections to the Cloud (UDP, TCP)
  • Allow 554 (TCP, UDP) inbound connections from your local network / VMS IP Address ranges
  • Allow ONVIF (80, 443 TCP & UDP), RTSP (554 TCP & UDP) outbound connections to your local cameras & VMS.
    • If your VMS or Camera is running ONVIF / RTSP service on a different port, you will need to open those up too.
  • We recommend running Lumeo on a Dual-NIC device. Lumeo-Ready Gateways are all mostly equipped with Dual-NICs as well. With a Dual-NIC device, you can connect one NIC to your camera network, and the other to a network with internet access.

Troubleshooting Ports

For troubleshooting purposes only, the main outbound destination ports from Lumeo are listed in the table:

FunctionPortsProtocol
Installation, Updates, Operations80 & 443 (outbound)HTTP(S)
WebRTC (stun & turn)3478 (outbound)HTTP
Agent Communication8883 (Secured) (outbound)MQTT
RTSP554TCP, UDP
DNS53 (outbound)UDP
Camera Discovery3702 (TCP / UDP)
80/443 (TCP)

Other ports may be used based on camera vendor.
WS-Discovery ONVIF
IntegrationsCheck node documentation for additional ports you need to allow outbound communications on.

Ex. Milestone integration (port 9090), Genetec (port 4590)

https://docs.lumeo.com/docs/node-reference