IoT security

Keith Medcalf kmedcalf at dessus.com
Fri Feb 10 01:01:59 UTC 2017


On Tuesday, 7 February, 2017 06:59, Ray Soucy said:

> I think the fundamental problem here is that these devices aren't good
> network citizens in the first place.  The odds of getting them to add
> functionality to support a new protocol are even less likely than getting them
> to not have open services externally IMHO.
> 
> Couldn't a lot of this be caught by proactive vulnerability scanning and
> working with customers to have an SPI firewall in place, or am I missing
> something?
> 
> Historically residential ISP CPE options have been terrible.  If you could
> deliver something closer to user expectations you would likely see much
> more adoption and less desire to rip and replace.  Ideally a cloud-managed
> device so that the config wouldn't need to be rebuilt in the event of a
> hardware swap.

I do not permit "cloud managed" devices on my network unless the "cloud" also belongs to me and is located on my network (in other words, a good old fashioned server on my network run by me).  No ISP is permitted to put "cloud" or even remotely configured (by anyone who is not me) devices on my network.  Such devices go on THEIR network not MY network.  If they malfunction or get hacked, the problem is THEIRS not MINE.

Such a policy ensures that I am entirely and exclusively responsible for the good behaviour of the equipment on MY network.  If I were to permit devices managed by NOT-ME on MY network, then I would not be responsible.  Therefore such filth should stay on NOT-MY network.

So the CPE equipment owned, managed and configured by the ISP is on the ISP network, not my network.  The demarc is the ethernet connection between the ISP network and MY network.  The ISP cannot configure nor touch anything on MY network, nor I on THEIRS.

As for "cloud" crap, anything that even mentions the word "cloud" on the box or glossy brochure gets an immediate 10,000,000 point penalty applied to ensure that it is forever off the consideration list.

If someone is opposed to this policy and cannot live with it, either a network carrier or ISP, product vendor or whatever, I really do not give a rat's butt.  I will simply go do business with someone who has more sense.
