Netlinx security within the web server – AMX Signature Series NetLinx Integrated Controller NI-3101-SIG User Manual


NetLinx Security within the Web Server


NetLinx Masters incorporate built-in security for HTTPS and Terminal sessions (enhanced with SSL and SSH
respectively), ICSP data verification/encryption, and Server Port configuration. By using both SSL certificate
verification and encryption over a secured HTTP (HTTPS) connection, this version of NetLinx firmware
provides users with a more convenient web-based method of securing both the Master and its data
communications. Additional features in this release are the use of both authentication protocols and the ability
to perform online NetLinx Diagnostics via the web server.
Terminal setup and security configuration are still valid and supported in this build of the NetLinx Master
firmware.
This NetLinx Web Server is used to power Master security, data encryption, and SSL certificate/encryption
features on current AMX Masters such as the ME260/64 and NI-Series of Controllers. This web server not
only provides username and password security for the target Master, but also a new level of secure encryption
for ICSP data communication among the various AMX software and hardware components. New security
features for the Masters include:



• Enhanced Username and Password requirements
• HTTPS and SSL certificate interaction
• Use of a pre-installed AMX SSL certificate
• ICSP communication and encryption

The first layer of security for the Master involves prompting a user to enter a valid username and password
before gaining access to a secured feature on the target Master. This data is pre-configured by the administrator
within the Group and User Level pages of the Security section. If an option is enabled within the System
Security page, a user is prompted to enter a valid username and password before gaining access to the
corresponding feature. This access is only granted if their information matches a previously created profile
assigned sufficient rights for that action. An already logged in user can enter a new profile by using the Login
field to enter a new profile’s username and profile.



• This username and password information is also used by both G4 touch panels (within the System
Connection firmware page) and AMX software applications such as NetLinx Studio v 2.4 (via the
Master Communications dialog) to communicate securely with a Master using encrypted
communication.

The second layer of security uses a combination of secure HTTP (HTTPS) communication and SSL
encryption to secure data being transferred between the web server application and the target Master.
To ensure this higher degree of security on the Master, an administrator can disable the HTTP Port access,
enable HTTPS Port access (both from within the same Manage System > Server page), and then alter the
level of encryption on the current SSL Certificate to meet their security needs.



• SSL (Secure Sockets Layer) is a protocol that works by encrypting data being transferred over an
HTTPS connection. URLs that require a secure connection begin with https: instead of http: (in
the browser’s Address field). These security capabilities are configured to function via a web
session within your browser. The encryption level (64 or 128-bit) achieved over the HTTPS Port is
done via the SSL Certificate currently in use on the target Master. Whereas SSL creates a secure
connection between a client and a server, over which any amount of data can be sent securely,
HTTPS is designed to transmit individual messages securely. Therefore both HTTPS and SSL can
be seen as complementary and are configured to communicate over the same port on the Master.

The third layer of protection is an SSL Certificate (specifically identifying the target Master and using a
unique key to encrypt data). SSL works by using a private key to encrypt data that's transferred over the SSL
connection. By default, current Masters are shipped with a default AMX SSL certificate called
sslexample.amx.com. This pre-configured certificate can be used as a road map to create a unique certificate.

The Master’s SSL certificate can be either requested (from an external CA) or self-generated, and then
installed/imported onto the target Master. This action adds the certificate to the trusted site certificate listing
within the computer’s Internet browser.
A fourth layer of security enables the encryption of data communication amongst the various AMX hardware
and software components (such as between NetLinx Studio and the Master, or TPDesign4 and the touch panel
(communicating through the Master)). Refer to the Security Features section on page 38 for more information.
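
The second and third layers can be checked from an administrator's workstation. The script below is an added example, not part of the AMX manual or AMX software: it reports whether the HTTP port is still reachable and whether the certificate on the HTTPS port still carries the default name sslexample.amx.com. The port numbers 80 and 443 and all function names are assumptions made for this example.

```python
import socket
import ssl
import sys

DEFAULT_CERT_NAME = b"sslexample.amx.com"  # default certificate name given in the manual

def port_open(host, port, timeout=3.0):
    """Return True if a TCP connection to host:port succeeds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def fetch_cert_der(host, port, timeout=3.0):
    """Return the server certificate as DER bytes, or None if no TLS session is set up."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False        # the certificate is only read here, not trusted
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return tls.getpeercert(binary_form=True)
    except OSError:                   # ssl.SSLError is a subclass of OSError
        return None

def findings(http_open, cert_der):
    """Compare probe results with the hardening steps described in the manual."""
    out = []
    if http_open:
        out.append("HTTP port reachable: disable it under Manage System > Server")
    if cert_der is None:
        out.append("No certificate retrieved: HTTPS port closed or handshake failed")
    elif DEFAULT_CERT_NAME in cert_der:
        # Names are stored as plain strings inside the DER, so a byte search finds
        # the default name without a full X.509 parser (a heuristic, not validation).
        out.append("Default AMX certificate in use: install a unique certificate")
    return out

def audit_master(host, http_port=80, https_port=443):
    """Probe one Master; the port numbers are assumed defaults, not from the manual."""
    return findings(port_open(host, http_port), fetch_cert_der(host, https_port))

if __name__ == "__main__":
    for target in sys.argv[1:]:       # hosts to audit are passed on the command line
        for line in audit_master(target):
            print(f"{target}: {line}")
```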
