Communication and security

In a Meter network, the security appliance is the central point for information ingress and egress. It routes all traffic between the local area network and the internet (ISP). It orchestrates network security (ACLs) and configuration (Dashboard), access point provisioning, VLAN tagging, and communication between Meter devices and the Meter Cloud.

Meter devices are secured against attacks as best as possible. All ports are blocked by default, which means that all traffic not originating from local devices is dropped. Ports can be enabled as needed.

There are two types of communication that happen on the Meter network:

A. Between the security appliance and access points (APs).

B. Between the security appliance and the Meter Cloud.

Security appliance and access points

Access points (APs) never access the Internet directly, and all traffic from the APs goes through the security appliance. If an AP is removed from the network, the AP is deactivated, and its identity is deleted. The AP must be re-provisioned to the specific security appliance(s) to become part of the network again.

Security appliances are configured with four VLANs by default:

VLAN | Access type
Management | Security appliance and control plane
Devices | Access point and switches
Private | Corporate devices
Guest | Guest devices

Communication between VLANs can be controlled via ACLs, and customers may configure additional VLANs to meet their needs. All devices on the VLANs have the capability to communicate with each other, ensuring connectivity within the network while maintaining security through access control.

Security appliances and the Meter Cloud

The security appliance communicates with the Meter Cloud API in order to perform basic operations such as:

· Uploading diagnostic information about the network, security appliance, access points, and switches.

· Receiving and applying network configurations, e.g. updates to the private or guest network passwords or other changes to an AP, security appliance, or switch’s settings.

Requests to the API are over a secure WireGuard tunnel using a private key that only lives on the security appliance. The Meter Cloud API authenticates requests using the security appliance's public key. The Meter Cloud API does not have access to the security appliance's private key.

Data Storage and Processing

We store network configuration and general network metrics metadata in the Meter Cloud. Network configuration is also stored on the device as a backup.

Metrics data includes DHCP logs (client IP and MAC addresses, when a client was last seen), client roaming data (which AP a client is connected to now and which AP it was connected to last), bandwidth usage (how much bandwidth each client is using), and other wireless client network data (RSSI, packet drops, etc.). All of these metrics are available to customers via our dashboard.

Only admins of your Meter Dashboard can access this data and logs.

SOC 2 Type II Compliance

Meter has achieved SOC 2 Type II compliance. This report validates, through an independent third party, that Meter holds itself to the highest standards for protecting your information.

Some of the procedures we follow include:

· Data access is limited to the appropriate individuals in the course of their roles

· We continually monitor our procedures to ensure we remain compliant in the protection of your data and can quickly respond to any issues that arise

· All employees regularly go through mandatory security training

This audit is just the beginning of our commitment to maintaining your trust, being vigilant about security, and following the industry’s best practices for data protection. We will continue to evaluate the leading practices for exceeding compliance with data security standards to protect our customers' data.

If you are interested in viewing Meter’s SOC 2 Type II report, please contact our team.

Existing customers can download Meter’s SOC 2 Type II report from the settings section of your Meter Dashboard.

Access and Security

All Meter employees use two-factor authentication for all services that support it (email and GitHub, for example), as well as a password manager to ensure strong and random passwords.

In the event of network problems, for debugging and customer service, we access your security appliance through a secure WireGuard tunnel encrypted via public-key encryption. Secure Shell (SSH) access to the security appliance is secured with a long (>50 characters), unique password that is hashed with SHA-512.

An attacker who gains physical access to the security appliance may gain access to the data on the security appliance. You are responsible for securing physical access to the security appliance.

We do not decrypt any network traffic — it's your private data. Most internet traffic today is made using HTTPS. We do not do MITM (man-in-the-middle / decrypt SSL) to read any of your data nor do we provide a mechanism for the network administrator to do so.

FAQ

1. What are the current firewall settings?

The firewall is based on access control lists. Every port is closed by default and must be opened manually.

The current settings are:

1. Out-to-in connections cannot be established from the WAN.
2. Block everything between all VLANs.
3. Require explicit rules defined by the customer to port forward or open a port.

Rules:

1. Management VLAN: used for management traffic and by services on the security appliance.
2. Devices VLAN: used by access points.
3. Private VLAN: used by devices on the corporate network.
4. Guest VLAN: used by guest devices. Primarily accessed via guest SSID.

2. Does the firewall use an allowed-list or a deny-list of acceptable traffic sources?

The firewall is designed to block everything by default, which means an allowed-list of traffic sources is needed to allow traffic. One way to ensure a secure connection is to set port forwarding from a trusted IP address.
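The default-deny behaviour described in the two answers above, modelled as an added Python example (not Meter's code or configuration format). The Allow and Flow classes, the zone names and the sample addresses are assumptions made for illustration, and traffic inside a single VLAN is assumed to be unfiltered.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

WAN = "wan"
VLANS = {"management", "devices", "private", "guest"}  # default VLANs named on the page

@dataclass(frozen=True)
class Allow:
    """One customer-defined exception (ACL entry or port forward). Hypothetical type."""
    src_zone: str
    dst_zone: str
    dst_port: int
    proto: str = "tcp"
    src_net: str = "0.0.0.0/0"  # narrow to a trusted address for port forwards

@dataclass(frozen=True)
class Flow:
    """A new connection attempt, described from the initiator's side. Hypothetical type."""
    src_zone: str
    src_ip: str
    dst_zone: str
    dst_port: int
    proto: str = "tcp"

def decide(flow, rules):
    """Return (verdict, reason) for a new connection under the modelled policy."""
    if flow.src_zone in VLANS and flow.dst_zone == WAN:
        return "allow", "outbound connection initiated from the LAN"
    if flow.src_zone in VLANS and flow.src_zone == flow.dst_zone:
        return "allow", "traffic stays inside one VLAN (assumed unfiltered)"
    for r in rules:
        same_service = (r.src_zone, r.dst_zone, r.dst_port, r.proto) == (
            flow.src_zone, flow.dst_zone, flow.dst_port, flow.proto)
        if same_service and ip_address(flow.src_ip) in ip_network(r.src_net):
            return "allow", "explicit customer rule"
    if flow.src_zone == WAN:
        return "deny", "out-to-in connection from the WAN without a matching port forward"
    return "deny", "inter-VLAN traffic without an ACL"

def unrestricted_forwards(rules):
    """Port forwards reachable from any WAN address: candidates for a trusted source."""
    return [r for r in rules if r.src_zone == WAN and ip_network(r.src_net).prefixlen == 0]

# Constructed sample rules: an HTTPS port forward limited to one trusted address
# (documentation range 203.0.113.0/24) and one ACL from Private to Management.
RULES = [
    Allow(WAN, "private", 443, src_net="203.0.113.10/32"),
    Allow("private", "management", 443),
]
```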

3. Which services and ports are allowed on the firewall?

Ports: all ports are disabled and each service has to initiate contact to the outside world.

Services:

· Cloud management daemon: This forms a connection to the Meter Cloud using a secure WireGuard tunnel.

· Wireless management daemon: Listens on LAN ports 443, 80 and 8080. This forms a connection to our cloud using TLS.

· Remote access daemon: Opens a connection to the proxy server using a random TCP port.

4. Is there an allowed-list of all approved SSH IP addresses, and is all SSH traffic to and from addresses on this list blocked?

The SSH port (22) is not open on the firewall. Access to the security appliance during support or network problems is via a secure private tunnel between the security appliances and the Meter Cloud. Information such as IP address, port number, or traffic is not exposed to the outside world.

5. Is remote access to the network only possible via a VPN or an SSH login from an allowed-list IP address?

We take a different approach to securing remote access to the network. Instead of using IP allowlisting, we use two layers of protection. First, our operators need to authenticate to our secure private network which is encrypted using symmetric encryption. Second, public key-based authentication is needed to access the network. The secure private connection is unique between each security appliance and Meter Cloud and the password or key is unique to each security appliance.

6. How do software updates work?

We release periodic software updates, which include new features and security patches. We schedule a time with you to perform the updates to cause minimal disruption to the network. All software updates are done remotely.

Network architecture diagram

[Diagram: Meter architecture for local networks and cloud communication. Labelled components: 1. Meter Cloud; 2. Dual internet/ISP (ISPs); 3. Meter Security Appliance on the corporate network, with VLANs Management, Devices, Private and Guest; 4. Meter Switches; 5. Meter Access Points, with Private SSID and Guest SSID.]