1) Amateur projects generally use their own network, so I understood that I should configure the public IP and no-ip on the modem to access it remotely. But doesn't that have implications for the security of my network, since I can access it remotely?
The fact of using a Dynamic IP service as no-ip does not imply vulnerability. Services such as no-ip only provide a way to update DNS with the dynamic IP provided by the provider. You only need a configuration or script on the router that periodically updates the current IP provided by the provider for the dynamic DNS service. Remember that the router is always reachable via IP, even without dynamic DNS. Anyway, a name is no more secure than a number.
What generates vulnerability problems are poorly configured routers and the indiscriminate use of certain functionalities, such as port redirection. Don't be surprised that there are many companies that redirect the ports of a database like MySQL or SQL Server. With this, anyone can at least try to connect to these databases. Of course, it is still necessary to pass the database's own authentication, but just the fact of exposing the database in this way is already a gigantic security hole.
The alternatives for secure remote access are several. One of them is to allow access to the internal network only by VPN, another is to make an SSH tunnel. In both, the ideal is that the VPN and SSH services are running, preferably, on the router. This requires a router running Linux. There is a Linux distribution called OpenWrt that runs on multiple routers (I have the TP-LINK N750). From the moment you have Linux running on your router, the possibilities increase exponentially. It is possible, for example, to install OpenVPN and make a VPN server so that you can connect to your internal network securely (there is OpenVPN for Windows, so you can connect from Windows to your Linux router). If the case is just a port redirect, do an SSH tunnel. However, in this case, I don't know if the client could be Windows (it should exist).
Finally, I would not claim that using your own network makes a project amateur. If you know what you are doing, your project can be as professional in security matters as a large company's.
2) AWS IoT, Azure IoT, Google Cloud etc.
I need to check to answer with more background.
3) Have a remotely hosted database which stores the status of my sensor. My Arduino and my application would check it, update according to the status and change the database. However, there is no need to keep sensor logs; it would be just a "status" field with an on/off option, and wouldn't it be not very complex to accomplish something so simple?
The advantage of a connected world is that there are many possibilities of doing the same thing. The idea of a remote database is interesting and easily implemented. It could even be done together with a Webservice-style web app. Thus, you could implement in Arduino something that accesses this Webservice and gets/updates some information remotely. The problem with this type of approach is security. It becomes complicated to make the Arduino authenticate in a more secure way (HTTPS) due to its limited processing/memory. You could probably only use basic HTTP authentication. However, I suspect that AWS IoT replaces this in a more Internet of Things-oriented way.
Your concerns are extremely relevant and I think a lot of people who are working with home automation don't understand these security concepts. Unfortunately, this results in homes that are easily hacked.
An in-house alternative
Another option is to build a Webservice application that would run inside the residence. This application would be accessed by the internal Arduinos with basic HTTP authentication. The Arduinos would update the sensor data in this application. This same application would be exposed on the Internet via HTTPS, making it possible to access the residence securely, including acting (turning things off and on). Obviously, the database, in this case, would be indoors as well. A service like no-ip becomes essential in this context.
ScadaBR is an excellent alternative in this context (it even works as a Webservice as well). It "talks" various protocols, including the famous Modbus. There is a Modbus library for the Arduino that works very well, both the Serial version and the Ethernet version. A related response: /a/100148/3084
As I said in my comment, the scenario of the company where I work is: ScadaBR + Arduino + proprietary device (which speaks Modbus), which together monitor + command (turning on and off) a power substation. ScadaBR is internally accessible via HTTPS and has its own authentication. It is not available for external access, except for a specific person who, via VPN (OpenVPN), can reconnect the substation remotely when there is a power outage.
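An added illustration, not code from the answer or from ScadaBR: a minimal in-house status service of the kind described above, with HTTP basic authentication checked in constant time and a single on/off "status" field, as the question asks for. It assumes HTTPS is terminated by a reverse proxy in front of it; the username, password and port are placeholders.

```python
import base64
import hmac
import json
from http.server import BaseHTTPRequestHandler, HTTPServer

# Placeholder credentials for the example; load them from config in practice.
USERNAME = "arduino"
PASSWORD = "change-me"

STATE = {"status": "off"}  # the one field the question needs


def basic_header(user, pw):
    """Build the Authorization header value an Arduino client would send."""
    return "Basic " + base64.b64encode(f"{user}:{pw}".encode()).decode()


def check_basic_auth(header):
    """True only if the header carries the expected user and password."""
    if not header or not header.startswith("Basic "):
        return False
    try:
        user, _, pw = base64.b64decode(header[6:], validate=True).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return False
    # Compare both parts in constant time so timing does not reveal which one was wrong.
    ok_user = hmac.compare_digest(user.encode(), USERNAME.encode())
    ok_pw = hmac.compare_digest(pw.encode(), PASSWORD.encode())
    return ok_user and ok_pw


def apply_update(auth_header, body):
    """Validate an update request; return (http_code, current_status)."""
    if not check_basic_auth(auth_header):
        return 401, STATE["status"]
    try:
        value = json.loads(body).get("status")
    except (ValueError, AttributeError):
        return 400, STATE["status"]
    if value not in ("on", "off"):  # reject anything but the two allowed values
        return 400, STATE["status"]
    STATE["status"] = value
    return 200, value


class Handler(BaseHTTPRequestHandler):
    def do_GET(self):
        ok = check_basic_auth(self.headers.get("Authorization"))
        self._reply(200 if ok else 401, {"status": STATE["status"]} if ok else {"error": "auth"})

    def do_POST(self):
        body = self.rfile.read(int(self.headers.get("Content-Length", 0)))
        code, status = apply_update(self.headers.get("Authorization"), body)
        self._reply(code, {"status": status} if code == 200 else {"error": code})

    def _reply(self, code, payload):
        data = json.dumps(payload).encode()
        self.send_response(code)
        if code == 401:
            self.send_header("WWW-Authenticate", 'Basic realm="home"')
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)


if __name__ == "__main__":
    # Plain HTTP on the LAN only; the reverse proxy provides HTTPS toward the Internet.
    HTTPServer(("0.0.0.0", 8080), Handler).serve_forever()
```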
It is interesting to use AWS IoT to manage the devices; it seems to me a technology that would save you a lot of work if in the future you want to expand your project.
– gato
But there must be other solutions that better adapt to your needs; as I have no knowledge in this area it is difficult for me to point the way, however, I would rather see an answer from someone in the community, because this is a great question (+1).
– gato
I'm running out of time to come up with an answer now, but in the company where I work we did the following combination: ScadaBR to store the sensor data (here we need it). In addition, for a specific person, we release ScadaBR on the company's VPN. This person can turn an electrical substation on and off. Finally, the database is internal, the application is internal and external access only occurs via VPN.
– cantoni
Here is a real example of the complete lack of security concern with residential or commercial automations: in this case it was in a Hotel in England: https://mjg59.dreamwidth.org/40505.html
– cantoni