[192479] in North American Network Operators' Group
Re: Spitballing IoT Security
daemon@ATHENA.MIT.EDU (Eliot Lear)
Sat Oct 29 02:40:23 2016
X-Original-To: nanog@nanog.org
To: Mike Meredith <mike.meredith@port.ac.uk>, nanog@nanog.org
From: Eliot Lear <lear@ofcourseimright.com>
Date: Sat, 29 Oct 2016 08:37:56 +0200
In-Reply-To: <20161027100455.3fe4cf14@scrofula.eps.is.port.ac.uk>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
Message-ID: <40134ffd-906b-7a44-49ca-e0b29e5ffe33@ofcourseimright.com>
References: <4246.1477383031@segfault.tristatelogic.com>
<580F19BF.2070002@vaxination.ca>
<b68aaff7-4a1a-b74e-9e60-a03d8689b9d9@ofcourseimright.com>
<20161027100455.3fe4cf14@scrofula.eps.is.port.ac.uk>
Hi Mike,
On 10/27/16 11:04 AM, Mike Meredith wrote:
> On Thu, 27 Oct 2016 07:59:00 +0200, Eliot Lear <lear@ofcourseimright.com>
> may have written:
>> Well yes. uPnP is a problem precisely because it is some random device
>> asserting on its own that it can be trusted to do what it wants. Had
> From my own personal use (and I'm aware that this isn't a general
> solution), I'd like a device that sat on those uPnP requests until I logged
> into the admin interface to review them. Now if you could automate _me_
> then it might become more generally useful :-
You need to go further. It is no longer enough to tackle this problem
simply as a firewall problem, because there are too many
reflection-style attacks. Not only do you want to prevent devices from
opening pinholes to the Internet, but you really want to know what
they're going to be doing inside the home. And quite frankly, I
disagree that you want to nag the user unless it is absolutely
necessary. To me, that means authorizing the device in the first place,
and the access point having access to enough intelligence to know what
sort of access is necessary for a device, given its purpose.
> As someone who manages an application-based firewall, every problem looks
> like it would be easier to solve using an application-based firewall :)
I don't generally prefer application firewalls except in limited
circumstances.
Eliot