Security & Network
This document describes the information that may be of importance for IT/Security Teams as it pertains to software running on-premise connected to the Lumeo cloud platform.
Background
Lumeo is a "no-code" video analytics platform that lets you create and deploy custom video analytic solutions in minutes, and provides you the flexibility to run analytics on-premise, in your cloud, or on Lumeo's cloud.
In order to do that, some of Lumeo's software runs on customer's equipment, VMs or GPU-based AI gateways inside a customer network or cloud, and communicates with Lumeo's Cloud services for command and control.
Lumeo Agent
Lumeo Agent is the software that runs on the customer-owned equipment and is installed using an installation script. It is responsible for communicating with Lumeo's Cloud via an API, running analytic pipelines, streaming video, and discovering local cameras and video management systems.
Open Ports - Inbound
Lumeo will listen on port 554 for RTSP connections. This is used by VMS to ingest/record Lumeo output.
Depending on configuration, Lumeo will also create WebRTC stream(s) on one or more random ports, with random identifiers. This is used to view the video using a browser.
Local Network Connections - Outbound
On the local network, Lumeo will periodically run WS-Discovery process to detect other ONVIF cameras and video management systems on the network. This communication can use the standard ports or vendor specific ports for particular customer integrations.
Lumeo will also (depending on deployment settings) ingest local video streams from cameras or network video recorders. These streams are typically over RTSP.
Additionally, Lumeo may be configured to send alarms and events to locally deployed VMS systems over vendor-specific ports.
External Network Connections - Outbound
Lumeo makes outbound connections to various cloud services for command & control and integrations.
MQTT
Lumeo initiates an SSL socket connection (using MQTT) over port 8883 to mqtt.lumeo.com please note that the ip address is likely to change.
REST API - HTTPS
Lumeo will make https requests to Lumeo's REST API [https://api.lumeo.com](https://api.lumeo.com) over port 443. These communications are also over SSL.
Integrations, Data Storage - HTTPS
Lumeo will make https connections over port 443 to other domains and REST APIs. These connections are for storing/retrieving large data files, Integrations with cloud services (ex. SMS, Email, Elasticsearch, etc.). These communications are also over SSL.
WebRTC
Depending on the deployment configuration, Lumeo will make video streams available over WebRTC to authorized internet clients (user's looking at video output from deployments on Lumeo's web based admin console: https://console.lumeo.com ). As part of WebRTC, Lumeo will make connections to traverse.lumeo.com and stun.google.com to attempt STUN and TURN to make a direct peer-to-peer connection to the video stream viewer.
Updates - HTTPS
During installation and automatic updates, Lumeo will also need access to public software repositories over https(tcp port 80 & tcp port 443) and dns (udp port 53).
Safe & Secure Programming
Lumeo is written in a secure programming language called Rust (https://rust-lang.org). It is used by many large companies, like Microsoft, Cloudflare, Dropbox, Google, Yelp, Firefox, and more. The language is designed to be highly performant (on par with C/C++) and prevent any memory overflows, buffer overflows, and the types of programming errors that account for a large majority (around 70%) of security vulnerabilities. https://msrc-blog.microsoft.com/2019/07/22/why-rust-for-safe-systems-programming/
Recommended Network Configuration
This document describes the basic network setup for the Lumeo Agent running locally on customer sites.
The recommended simplified network configuration for the Gateway running the Lumeo agent:
- No restrictions on outbound connections to the Cloud (UDP, TCP)
- Allow
554(TCP, UDP) inbound connections from your local network / VMS IP Address ranges - Allow ONVIF (
80,443TCP&UDP),RTSP(554TCP&UDP) outbound connections to your local cameras & VMS.- If your VMS or Camera is running ONVIF / RTSP service on a different port, you will need to open those up too.
Troubleshooting Ports
For troubleshooting purposes only, the main outbound destination ports from Lumeo are listed in the table:
| Function | Ports | Protocol |
|---|---|---|
| Installation, Updates, Operations | 80 & 443 (outbound) | HTTP(S) |
| WebRTC (stun & turn) | 3478 (outbound) | HTTP |
| Agent Communication | 8883 (Secured) (outbound) | MQTT |
| RTSP | 554 | TCP, UDP |
| DNS | 53 (outbound) | UDP |
| Camera Discovery | 3702 (TCP / UDP) 80/443 (TCP) Other ports may be used based on camera vendor. | WS-Discovery ONVIF |
| Integrations | Check node documentation for additional ports you need to allow outbound communications on. Ex. Milestone integration (port 9090), Genetec (port 4590) https://docs.lumeo.com/docs/node-reference |
Updated 11 months ago