[145178] in North American Network Operators' Group


RE: Synology Disk DS211J

daemon@ATHENA.MIT.EDU (Blake T. Pfankuch)
Fri Sep 30 09:57:50 2011

From: "Blake T. Pfankuch" <blake@pfankuch.me>
To: Matthew Palmer <mpalmer@hezmatt.org>, "nanog@nanog.org" <nanog@nanog.org>
Date: Fri, 30 Sep 2011 13:56:42 +0000
In-Reply-To: <20110930061844.GE3401@mistress.hezmatt.org>

The easy way around the unhappy significant other/minion-shaped offspring solution is to put all of the "end user" devices on a separate VLAN, and then treat that as an open DMZ.  Then everything operational (ironic in a home) goes on your secured production network (restrict all outbound/inbound except what is needed).  If you really want to complicate it you should even put your wireless into a separate VLAN as well, and secure it as appropriate.  Gives you the ability to firewall between networks, thus making sure that when your minions eventually get something nasty going on the PC they use, it doesn't spread through the rest of the network.  Also means you can deploy some form of content filtering policies through various solutions to prevent your minions from discovering the sites running on the most recent TLD addition.

This assumes that most people reading this email have the ability to run multiple routed subnets behind their home firewall.  Be it a layer 3 switch with ACLs or multiple physical interfaces and the ability to have them act independently.

Personally I run 8 separate networks (some with multiple routed subnets).  Wireless data, management network, voice networks, game consoles, storage, internal servers, DMZ servers and Project network.  Only reason why there is no "end user" network is that there are no wired drops anywhere in the house, so that falls under the wireless data.  That network gets internet access and connectivity to file sharing off the internal servers, and all internet traffic runs through Anti-Virus/Anti-Spyware before going outbound and inbound.

Blake

-----Original Message-----
From: Matthew Palmer [mailto:mpalmer@hezmatt.org]
Sent: Friday, September 30, 2011 12:19 AM
To: nanog@nanog.org
Subject: Re: Synology Disk DS211J

On Thu, Sep 29, 2011 at 07:10:10PM -0700, Joel jaeggli wrote:
> On 9/29/11 17:46 , Robert Bonomi wrote:
> >> From: Nathan Eisenberg <nathan@atlasnetworks.us>
> >> Subject: RE: Synology Disk DS211J
> >> Date: Thu, 29 Sep 2011 21:58:23 +0000
> >>
> >>> And this is why the prudent home admin runs a firewall device he
> >>> or she can trust, and has a "default deny" rule in place even for
> >>> outgoing connections.
> >>>
> >>> - Matt
> >>
> >> The prudent home admin has a default deny rule for outgoing HTTP to
> >> port 80?  I doubt it.
> >>
> >
> > No, the prudent and knowledgeable home admin does not have a
> > default deny rule just for outgoing HTTP to port 80.
> >
> > He has a default deny rule for _everything_.  Every internal source
> > address, and every destination port.  Then he pokes holes in that 'deny
> > everything' for specific machines to make the kinds of external connections that
> > _they_ need to make.
>
> Tell me how that flies with the customers in your household...

Perfectly fine.  My users know not to go plugging random devices in, and I properly configure the firewall to account for all legitimate traffic before the device is commissioned.

- Matt
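The design both messages describe (end-user devices on their own VLAN treated as an open DMZ, default deny for inbound, outbound and inter-VLAN traffic, and holes poked only for specific machines) as an added example. This is not code from either poster or from Synology; the addressing plan, VLAN names, hosts, ports and the nftables rendering are my assumptions, written to show how rule ordering decides whether a "minion" PC can reach the NAS or the internet while the NAS itself gets no outbound hole at all.

```python
"""Model of the segmentation described in the thread: every VLAN is default-deny
(inbound, outbound and between VLANs) and holes are poked only for the specific
machines and ports that need them.  The addressing plan, hosts and ports below
are assumptions for this example, not anything from the original posts."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    src: str        # source network (CIDR)
    dst: str        # destination network; 0.0.0.0/0 matches anything, incl. the internet
    proto: str      # "tcp", "udp" or "any"
    dports: tuple   # destination ports; () matches any port
    action: str     # "accept" or "drop"
    comment: str = ""

    def matches(self, src, dst, proto, dport):
        return (ip_address(src) in ip_network(self.src)
                and ip_address(dst) in ip_network(self.dst)
                and self.proto in ("any", proto)
                and (not self.dports or dport in self.dports))


# Assumed addressing plan (constructed for the example).
PROD, USERS, STORAGE = "10.0.10.0/24", "10.0.20.0/24", "10.0.30.0/24"
INTERNAL = "10.0.0.0/8"                       # every home VLAN lives under here
ADMIN_PC, NAS = "10.0.10.5/32", "10.0.30.10/32"

# Ordered, first match wins; anything unmatched falls through to the chain's
# default-deny policy.
RULES = [
    Rule(ADMIN_PC, NAS, "tcp", (22, 445, 5000), "accept", "admin box manages the NAS"),
    Rule(USERS, NAS, "tcp", (445,), "accept", "file sharing for the end-user VLAN"),
    # Block east-west from the end-user VLAN *before* the internet holes below;
    # otherwise "users -> anywhere on 80/443" would also reach the NAS web UI.
    Rule(USERS, INTERNAL, "any", (), "drop", "end-user VLAN is an open DMZ, no lateral moves"),
    Rule(USERS, "0.0.0.0/0", "tcp", (80, 443), "accept", "web for the end-user VLAN"),
    Rule(USERS, "0.0.0.0/0", "udp", (53,), "accept", "DNS for the end-user VLAN"),
    Rule(PROD, "0.0.0.0/0", "udp", (123,), "accept", "NTP from the production VLAN"),
    # Deliberately no outbound hole for the NAS: it was not commissioned to talk
    # to the internet, so the default deny applies to it.
]
DEFAULT = ("drop", "default deny")


def decide(src, dst, proto, dport):
    """Decide a new connection (src, dst, proto, dport); returns (action, comment)."""
    for rule in RULES:
        if rule.matches(src, dst, proto, dport):
            return rule.action, rule.comment
    return DEFAULT


def _addr(cidr):
    # nft prints host addresses without the /32
    return cidr[:-3] if cidr.endswith("/32") else cidr


def render_nft(table="home"):
    """Render RULES as an nftables forward chain with policy drop.  The syntax
    is my reading of nft(8); check it with `nft -c -f <file>` before loading."""
    lines = [f"table inet {table} {{",
             "  chain forward {",
             "    type filter hook forward priority 0; policy drop;",
             "    ct state established,related accept",
             "    ct state invalid drop"]
    for r in RULES:
        parts = [f"ip saddr {_addr(r.src)}"]
        if r.dst != "0.0.0.0/0":
            parts.append(f"ip daddr {_addr(r.dst)}")
        if r.proto != "any" and r.dports:
            parts.append(f"{r.proto} dport {{ {', '.join(map(str, r.dports))} }}")
        elif r.proto != "any":
            parts.append(f"meta l4proto {r.proto}")
        parts.append(r.action)
        lines.append("    " + " ".join(parts) + f' comment "{r.comment}"')
    lines += ["  }", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed sample flows: a minion PC, the admin box and the NAS itself.
    for flow in [("10.0.20.7", "93.184.216.34", "tcp", 443),
                 ("10.0.20.7", "10.0.30.10", "tcp", 5000),
                 ("10.0.20.7", "10.0.30.10", "tcp", 445),
                 ("10.0.30.10", "93.184.216.34", "tcp", 80)]:
        print(flow, "->", decide(*flow))
    print(render_nft())
```

The point of the ordering: the "users to anywhere on 80/443" hole would, on its own, also let a compromised end-user PC reach the NAS web UI on the storage VLAN, so the east-west drop for the DMZ VLAN has to sit above it. Commissioning a new device then means adding one accept line for exactly the flows it needs, which is what "poking holes" in a default-deny ruleset looks like in practice.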
