KEN KIRSCHENBAUM, ESQ
ALARM - SECURITY INDUSTRY LEGAL EMAIL NEWSLETTER / THE ALARM EXCHANGE
You can read all of our articles on our website. Having trouble getting our emails?   Change your spam controls and white list ken@kirschenbaumesq.com 

******************************
Comments on Comcast blocking alarm signals
June 1,  2021
*****************
Comments on Comcast blocking alarm signals from article on May 20, 2021
*****************
Ken
          Though one never knows what big companies may do I am thinking they are not involved here. A typical residence gets its Internet service from a router that uses a public dynamic IP address. That address will be the same usually for months and then for no particular reason change. I think this is what is happening here and not any explicit port blocking. When providing remote access to devices connected to that router a known IP address for the router is required. One solution is to instead use a static IP address which is more costly and is oftentimes not available at residences. The other solution is to use a DDNS. Many providers of remote access services allow the use of their own DDNS for free. Or one can be obtained independently on the Internet. Usually the cost is something like around $25-$50 for a year for up to 25 different connections.
 Eric Levy
Integrated Fire and Security Solutions
******************
Ken         
          I would like to comment on the Comcast blocking our devices topic.  With the new Xfi app that Comcast is encouraging its customers to use, we have seen our cameras trigger a “threat warning” on the app.   I believe in the app the customer is also encouraged or at least given the option to block the threat.   I believe this may be what is causing the signals to be blocked.  Xfi sees our cameras connecting to their respective servers as some sort of threat. 
  Anthony Firmani, President
Structured Resources, Inc
********************
Ken
          Before accusing a large firm of nefarious acts, make sure the IP address has not changed. Many internet providers do not assign static IP addresses. Instead they are dynamic and each time you disconnect you release that IP for other users. When you log back in you may have a different IP address which is normal operation. In most cases you can pay an additional fee to get a static address but don’t assume it comes with the service.
 Mitch Cohen, COO
Bric Security LLC
New York
*********************
Ken
          Regarding COMCAST, this is likely the issue.  Xfinity xFi Advanced  Security
          They will need to login to the Customer’s Account and turn this feature off  
          This is a service that COMCAST, I believe, use to charge for; they ultimately released to all customers and then turned it on by default.  It has caused us some issues with Camera Systems, although I have never had an issue with an alarm
R. Greg Hammond, CML, MTCNA
Grande Systems & Security, LLC
Sarasota, FL
**********************
Ken,
          This is regarding the Comcast blocking ports issue raised in the May 20, 2021 newsletter
          Our Security firm is a spin-off of our IT services company.  We frequently see this issue with digital signage, VoIP, remote access and many other IP services and systems, including security.  There can be several issues at play here and most are easily corrected or worked around. 
          First, unless specifically ordered and paid for, internet connectivity comes with dynamic addresses that change frequently.  If a client needs a static, unchanging IP address for any system, they should order a static IP from their ISP.  Most cable ISPs sell them in blocks.  Alternatively, they can use a Dynamic DNS service to assign a URL to the system.  The dynamic DNS service monitors the system’s assigned IP address and auto updates the URL to point to whatever it is at the time.  Some systems have these built-in and they can simply be activated; others require subscriptions and advanced set up.  There are pros and cons to each solution, so you need to know your systems’ and clients’ needs. 
          Second, most ISPs block a variety of ports for security and management reasons.  Some of these can be overridden in the management console, some need to be done by the ISP, and others cannot be changed at all.  Where possible we open them, but sometimes we change the port requirements on the system in question, so that it uses an available port.  See the linked site for a list of ports that Comcast automatically blocks. https://business.comcast.com/help-and-support/internet/ports-blocked-on-comcast-network/Cable  This list is pretty standard, but it can vary from provider to provider.  It can even vary based on what type of service the client has.  Modems and routers are computers designed for a specific purpose.  They, like all computer systems, need updates from time to time.  These updates typically get applied automatically and the customer rarely knows that it happened.  Often times, when updates are applied, some of the custom port settings get reset to default.  That is why, after having an installer work with tech support, the system works for a while then stops.  It likely updated.  When this happens it requires someone to go in a re-apply the custom settings.  We do this A LOT.  We, as a best practice, document all of the network settings in the client’s file, so that when we have to go back and do this, it can be done quickly and easily.  We also use a port monitoring system from our IT side to make monitor when certain ports are up or down. This lets us know something “broke” right away so we can notify the client.  Often, we know before the client even realizes something is wrong.
          There could also be other factors such as IT techs or clients changing things without understanding the needs of the security systems, but we’ll leave those alone for now.
          I hope this helps.
 Dom Gennello
Gentech
********************
Ken
          This is a subject near and dear to my heart. While I don’t believe that Comcast is doing anything deliberate to block any signals, it is possible that there are settings that should be changed inside the Router that Comcast provided to the client. Each device in the installation that is connected to the Internet is being issued an IP address by the Comcast Router. It is possible that security settings inside the Router are causing the device being “blocked” to be seen as a security threat. It is also possible that there are so many devices on the network that the Router runs out of IP addresses to issue. This would cause some devices to lose connectivity. A third possibility and one I’ve seen many times not only with Routers but also with Firewalls, is that at some pre-determined point, the Router has a firmware update pushed to it and this will sometimes cause the Router to revert to its factory “out of the box” settings. This can cause real problems and guess what…Comcast doesn’t send you any notice that this is going to happen, It just happens. There are some easy things you can do: get in the habit of logging into the Router and change the security settings to lessen the possibility of being seen as a threat. Another thing you can do is reserve a list of IP addresses just for your devices. This will require logging in as well but if the network gets crowded with all kinds of IoT (Internet of Things) devices like thermostats, lights, music devices and such, your IP addresses should be protected by your reservations. You may also take Comcast out of the picture by bringing your own Router to the network. You’ll have to set the Comcast device to “Bridge” mode where it acts only as a modem and so only provides Internet and no IP addresses. This way you set the security parameters and your Router hands out the IP addresses. Beware though, they can still force a firmware update through which can kick it out of Bridge mode. If that happens, the Comcast device will be acting as a Router again and since you then would have two routers, you’ll have what is called “double NATing”. Not good.
          One last thing on the subject of double NATing. Many times a client, on their own will install what they think is a WiFi hotspot to get better coverage. Many of these devices can also act like Routers if not set up correctly. Again you’d have two routers on the same network and that’s bad. You’ve got to caution your clients to be careful with this and of course check beforehand.  Finally, some of your larger businesses will be set up so that their own Server hands out addresses. Consult with the client to see if that is the case.
          Remember what I said at the start: I don’t believe Comcast is doing anything deliberate. If that were to be the case it would certainly be actionable, correct Ken?  BUT any chaos introduced by some of the things I mentioned CAN cause the client to blame you and any questions that are directed at Comcast can then be directed to their sales department. Better educate your clients to exactly what is going on. Hope this information helps you Alexandra but if you’ve got any questions, please feel free to reach out to me at the number below.
          If you are interested in TAKING CLIENTS AWAY from Comcast and Cox and Spectrum, see our AD in The Alarm Exchange under Technology and Services That increase or preserve your RMR. Remember, all of your commercial clients also have business phone systems. Why shouldn’t you handle those as well?
 John Haenn, President
Concord Communications Group, Inc
866-362-0705 
JHW@voip-rmr.com
******************

Response
*********************
          Thanks to all the above experts who have taken the time to contribute and share their knowledge and experience.  I kept having trouble connecting my home laptop with my office computer network and it turned out to be IP address changes.  It’s resolved now; not sure how my IT people accomplished it.  It never effected my alarm.
           By the way, this issue is precisely why the Standard Form Agreements exclude responsibility or liability for communication pathway failure which is beyond the control of the alarm company.  Communication failure should of course be reported to the subscriber and an alarm company should not be using equipment which it knows is defective or incompatible with the subscriber's communication pathway.
**********************

To order up to date Standard Form Alarm /  Security / Fire and related Agreementsclick here:  www.alarmcontracts.com
*************************
CONCIERGE LAWYER SERVICE PROGRAM FOR THE ALARM INDUSTRY
You can check out the program and sign up here: https://www.kirschenbaumesq.com/page/concierge or contact our Program Coordinator Stacy Spector, Esq at 516 747 6700 x 304.
***********************
 
NOTICE:  You can always read our Articles on our website at ww.kirschenbaumesq.com/page/alarm-articles
***********************
THE ALARM EXCHANGEalarm classifieds alarm security contracts

    This area is reserved for alarm classifieds, alarm company announcements, solicitations, offers, etc. 
    There is no charge to post a listing here.Include your contact information, phone, email and web site.  If you would like to submit a post, please send an email to ken@kirschenbaumesq.com.  To create a reciprocal link to our website, click here.

************************************************
Getting on our Email List / Email Articles archived: 
    Many of you are forwarding these emails to friends or asking that others be added to the list.  Sign up for our daily newsletter here: Sign Up.  You can read articles and order alarm contracts on our web site www.alarmcontracts.com
**************************
Ken Kirschenbaum,Esq
Kirschenbaum & Kirschenbaum PC
Attorneys at Law
200 Garden City Plaza
Garden City, NY 11530
516 747 6700 x 301
ken@kirschenbaumesq.com
www.KirschenbaumEsq.com