Security concerns


rudiemm
2012-02-17 12:26

Here is a short explanation of some of the security concerns that typically come up, and exactly why the SDG etherpads are safe.


Network Security Concerns, where one needs Off-Site access to Devices:
Static Internet IP vs. Local IP:
Typically, when one wants to control or access a device from off-site, one has to give the device a static internet IP, so that it can be connected to from the remote PC. This poses a security risk, because anyone can then connect to the device, and potentially bypass its security measures, and so potentially gain access to the site's private network.

If the device had an IP that was strictly local to the private network, it would not be accessible to the outside world (behind the firewall); and therefore inherently more secure. But how then to access it from off-site?

Usually, when you need off-site access, you know exactly who is supposed to do the access. With the SDG Etherpad, and most other etherpad devices, it is possible to configure a Client Connection from the device, to a Specific Remote IP and Port. In other words, you can set up exactly who has access. This makes the Local IP configuration inherently much safer, as far as security is concerned.

Since the device also has to traverse the firewall/gateway to get to the remote IP, the device can now be further restricted by settings on the firewall/gateway to only be able to connect to that particular IP and Port. This belt-and-braces approach to security makes absolutely sure that the device keeps to the rules, and puts the network administrator in full control of the device's behaviour.

Administrative Controls:
The device also supports Simple Network Management Protocol (SNMP) and a Web configuration interface, whereby the administrator has full access to all administrative and security features of the product, whilst on the local network. (These administrative features are all inherently hidden by the firewall, by the way, because the device has a local IP, so they cannot be accessed from outside.) Full device specs are published in documents that are readily available.


Physical Security & TCP Pipe:
All data that travels via this one TCP connection is sent/received over the serial port. There are no escape codes and no way to send any other information over this link. Every byte is mirrored exactly on the serial port, and vice versa. This leaves no room for circumvention of the protocol.

Therefore, as long as the administrator makes sure that the serial port on the etherpad is physically connected only to the device it is meant to interact with, there can be no security breach through the etherpad, with a locally configured IP.
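
One way to check that the firewall/gateway restriction described above is actually holding, as an added example that is not part of the original post: a Python audit of the gateway's new-connection log. The addresses, the port and the iptables-LOG-style `SRC=`/`DST=`/`DPT=` record format are assumptions, and the sample records are constructed.

```python
import ipaddress
import re

# Assumed values for illustration; none of them come from the original post.
DEVICE_IP = ipaddress.ip_address("192.168.10.50")    # device's local IP
LOCAL_NET = ipaddress.ip_network("192.168.10.0/24")  # site's private network
ALLOWED_PEER = (ipaddress.ip_address("203.0.113.10"), 4001)  # configured remote IP and port

FIELD = re.compile(r"\b(SRC|DST|PROTO|DPT)=(\S+)")

def audit(log_lines):
    """Return (line_number, reason) for each logged new connection that breaks the policy."""
    findings = []
    for n, line in enumerate(log_lines, 1):
        f = dict(FIELD.findall(line))
        try:
            src = ipaddress.ip_address(f["SRC"])
            dst = ipaddress.ip_address(f["DST"])
            dpt = int(f["DPT"])
        except (KeyError, ValueError):
            # A record we cannot read is reported rather than silently passed.
            findings.append((n, "unparseable record"))
            continue
        if src == DEVICE_IP and dst not in LOCAL_NET:
            # The device may leave the site only as a TCP client to the one peer.
            if f.get("PROTO") != "TCP" or (dst, dpt) != ALLOWED_PEER:
                findings.append((n, f"device egress to unapproved peer {dst}:{dpt}"))
        elif dst == DEVICE_IP and src not in LOCAL_NET:
            # With a local-only IP nothing outside should be able to open a connection in.
            findings.append((n, f"connection to device from outside host {src}"))
    return findings

# Constructed sample: one record per NEW connection, iptables-LOG-style fields.
SAMPLE_LOG = [
    "Feb 17 12:00:01 gw kernel: SRC=192.168.10.50 DST=203.0.113.10 PROTO=TCP SPT=1025 DPT=4001",
    "Feb 17 12:00:09 gw kernel: SRC=192.168.10.50 DST=203.0.113.10 PROTO=TCP SPT=1026 DPT=23",
    "Feb 17 12:01:30 gw kernel: SRC=192.168.10.50 DST=198.51.100.7 PROTO=TCP SPT=1027 DPT=4001",
    "Feb 17 12:02:11 gw kernel: SRC=198.51.100.7 DST=192.168.10.50 PROTO=TCP SPT=40000 DPT=80",
    "Feb 17 12:03:00 gw kernel: SRC=192.168.10.20 DST=192.168.10.50 PROTO=TCP SPT=50000 DPT=80",
    "Feb 17 12:04:00 gw kernel: truncated rec",
]

if __name__ == "__main__":
    for n, reason in audit(SAMPLE_LOG):
        print(f"line {n}: {reason}")
```

Records 1 and 5 pass (the approved outbound connection and local administration); the others are reported because they would mean the gateway rule or the local-only addressing is not in effect.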
