Spitballing IoT Security

Eliot Lear lear at ofcourseimright.com
Sat Oct 29 06:37:56 UTC 2016


Hi Mike,


On 10/27/16 11:04 AM, Mike Meredith wrote:
> On Thu, 27 Oct 2016 07:59:00 +0200, Eliot Lear <lear at ofcourseimright.com>
> may have written:
>> Well yes.  uPnP is a problem precisely because it is some random device
>> asserting on its own that it can be trusted to do what it wants.  Had
> From my own personal use (and I'm aware that this isn't a general
> solution), I'd like a device that sat on those uPnP requests until I logged
> into the admin interface to review them. Now if you could automate _me_
> then it might become more generally useful :-

You need to go further.  It is no longer enough to tackle this problem
simply as a firewall problem, because there are too many
reflection-style attacks.  Not only do you want to prevent devices from
opening pinholes to the Internet, but you really want to know what
they're going to be doing inside the home.  And Quite frankly, I
disagree that you want to nag the user unless it is absolutely
necessary.  To me, that means authorizing the device in the first place,
and the access point having access to enough intelligence to know what
sort of access is necessary for a device, given its purpose.

> As someone who manages an application-based firewall, every problem looks
> like it would be easier to solve using an application-based firewall :)

I don't generally prefer application firewalls except in limited
circumstances.

Eliot

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 481 bytes
Desc: OpenPGP digital signature
URL: <http://mailman.nanog.org/pipermail/nanog/attachments/20161029/17e009f6/attachment.pgp>


More information about the NANOG mailing list