[193653] in North American Network Operators' Group


RE: IoT security

daemon@ATHENA.MIT.EDU (Keith Medcalf)
Fri Feb 10 03:49:20 2017

X-Original-To: nanog@nanog.org
Date: Thu, 09 Feb 2017 18:01:59 -0700
In-Reply-To: <CALFTrnP-Qq8RPXKfgTLiLwRCtT6qfvozFrp+GKQZa4h3gFEH3g@mail.gmail.com>
From: "Keith Medcalf" <kmedcalf@dessus.com>
To: "Ray Soucy" <rps@maine.edu>, 
 "William Herrin" <bill@herrin.us>
Cc: "nanog@nanog.org" <nanog@nanog.org>
Errors-To: nanog-bounces@nanog.org


On Tuesday, 7 February, 2017 06:59, Ray Soucy said:

> I think the fundamental problem here is that these devices aren't good
> network citizens in the first place.  The odds of getting them to add
> functionality to support a new protocol are even less likely than getting
> them to not have open services externally IMHO.
> 
> Couldn't a lot of this be caught by proactive vulnerability scanning and
> working with customers to have an SPI firewall in place, or am I missing
> something?
> 
> Historically residential ISP CPE options have been terrible.  If you could
> deliver something closer to user expectations you would likely see much
> more adoption and less desire to rip and replace.  Ideally a cloud-managed
> device so that the config wouldn't need to be rebuilt in the event of a
> hardware swap.

I do not permit "cloud managed" devices on my network unless the "cloud" also
belongs to me and is located on my network (in other words, a good old
fashioned server on my network run by me).  No ISP is permitted to put "cloud"
or even remotely configured (by anyone who is not me) devices on my network.
Such devices go on THEIR network not MY network.  If they malfunction or get
hacked, the problem is THEIRS not MINE.

Such a policy ensures that I am entirely and exclusively responsible for the
good behaviour of the equipment on MY network.  If I were to permit devices
managed by NOT-ME on MY network, then I would not be responsible.  Therefore
such filth should stay on NOT-MY network.

So the CPE equipment owned, managed and configured by the ISP is on the ISP
network, not my network.  The demarc is the ethernet connection between the
ISP network and MY network.  The ISP cannot configure nor touch anything on MY
network, nor I on THEIRS.

As for "cloud" crap, anything that even mentions the word "cloud" on the box
or glossy brochure gets an immediate 10,000,000 point penalty applied to
ensure that it is forever off the consideration list.

If someone is opposed to this policy and cannot live with it, either a network
carrier or ISP, product vendor or whatever, I really do not give a rat's butt.
I will simply go do business with someone who has more sense.
