Hi Scott,

My internal network is “untrusted” because random strangers I barely know (but 
just enough to know they’re family and friends) wander onto it.  The only 
reason it’s not entirely open is because my bandwidth is metered by the 
gigabyte and I’d get into trouble with the law if someone started surfing 
kiddie porn on it.  The VPN server, running on the NAS (which is also the 
gateway) is only really there to make it easier to get to my internal machines 
from places where there’s no IPv6 connectivity, or as a way to get to my 
ad-blocking DNS server while I’m roaming and need some peace from the 
machinations of various worldly carriers and their silly traffic filtering 
policies and/or censorship.  There is no filtering done at all; every host 
fights for itself, and defends itself, and nothing on my network fails to 
support authentication and encryption.  The gateway allows anonymous 
port-knocking for any host to any other host, even to external hosts; all you 
need is a trusted (and valid) WPA2 RADIUS credential.

In other words, it’s the end-host security model, rather than the eggshell 
security model.  I think that, in a world of IPv6 and mobility, this is 
probably the right long-term approach to adopt.  Attacks against internal hosts 
are just as hard to pull off if you simply design your network so it makes no 
assumptions about the trustworthiness of other hosts, merely because they are 
on the “inside”.  If you simply assume that any service will be accessible to 
the entire Internet, instead of to the hypothetical border provided by your 
firewall, it leads to all manner of sensible default configurations and 
paranoid security policies that are, really, entirely appropriate.  
Unsurprisingly, though, some people find this idea rather uncomfortable, 
because the logical (and correct) outcome of such a policy is to simply 
eliminate all firewalls.

Yes, I’m a heretic.  But I’ll be careful. :)

I still remember, with some fondness, when I had a non-NATed home network.  Ah, 
now *that* was just wonderful.  But we can do it again, if people just get on 
board with working IPv6 connectivity.

Some people have argued that the simplest approach to solving this problem of 
untrusted devices is to set up second networks, much like you describe it.  
This works well, provided that you can communicate to your devices over the 
Internet.  This is true for some IoT devices, but not all of them; printers and 
webcams being the obvious ones.  Really, this is why you end up advocating for 
a secure-host posture in the first place: if you can’t trust your devices 
sufficiently to run them on your network, then it really doesn’t matter whether 
they’re firewalled or not, because they’ll give this hypothetical attacker 
access.  Hence, buyer beware, and in the increasingly insecure IoT market, 
buyer had best not buy at all.  I do hope this situation changes for the 
better, but at the very least, for now you can audit your device’s outgoing 
connections (read your DNS logs) and just make sure it’s not chattering away to 
anybody you wouldn’t expect it to be.  A portscan here and there, after it’s 
configured and working, never goes amiss either: I discovered one device with 
completely open FTP and telnet access to the entire file system doing that, and 
it was a mobile device that I could never have defended if I’d not learned 
about it.  That was a trial, but it did eventually get fixed by the vendor.

So I guess, in all of this, what I’m saying is that, even though I completely 
understand where you’re coming from, the contemporary landscape makes it more 
important than ever to harden hosts.  If you believe in defence in depth, then 
firewalls certainly won’t hurt either.

Cheers,
Sabahattin
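One way to do the DNS-log audit the message recommends for a newly installed device, as an added example that is not part of the original post: a small Python script that parses dnsmasq-style query lines (the sample log lines, device addresses and domains below are constructed) and reports, per device, the names it resolved that fall outside that device's expected set.

```python
import re
from collections import defaultdict

# Constructed dnsmasq-style query log lines (not from the original message).
SAMPLE_LOG = """\
Mar  3 08:01:12 gw dnsmasq[812]: query[A] time.apple.com from 192.168.1.40
Mar  3 08:01:13 gw dnsmasq[812]: query[A] fw-update.example-printer.test from 192.168.1.23
Mar  3 08:01:15 gw dnsmasq[812]: query[AAAA] www.example.com from 192.168.1.40
Mar  3 08:02:01 gw dnsmasq[812]: query[A] telemetry.unknown-cloud.test from 192.168.1.23
Mar  3 08:02:44 gw dnsmasq[812]: query[A] fw-update.example-printer.test from 192.168.1.23
Mar  3 08:03:10 gw dnsmasq[812]: query[A] stats.another-cloud.test from 192.168.1.23
"""

# Hypothetical per-device allowlist: the printer should only talk to its vendor.
# Devices without an entry are not audited.
EXPECTED = {
    "192.168.1.23": {"example-printer.test"},
}

QUERY_RE = re.compile(r"query\[(?P<qtype>[A-Z]+)\] (?P<name>\S+) from (?P<client>\S+)")

def parse_queries(log_text):
    """Yield (client, name) for each dnsmasq query line; other lines are ignored."""
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if m:
            yield m.group("client"), m.group("name").rstrip(".").lower()

def is_expected(name, allowed_suffixes):
    """A name is expected if it equals, or is a subdomain of, an allowed suffix."""
    return any(name == s or name.endswith("." + s) for s in allowed_suffixes)

def unexpected_destinations(log_text, expected=EXPECTED):
    """Return {client: {name: query_count}} for lookups outside each device's allowlist."""
    report = defaultdict(lambda: defaultdict(int))
    for client, name in parse_queries(log_text):
        if client in expected and not is_expected(name, expected[client]):
            report[client][name] += 1
    return {client: dict(names) for client, names in report.items()}

if __name__ == "__main__":
    for client, names in unexpected_destinations(SAMPLE_LOG).items():
        for name, count in sorted(names.items(), key=lambda kv: -kv[1]):
            print(f"{client} -> {name} ({count} queries)")
```

Run it against the gateway's real query log periodically after a device is configured; anything it reports is a destination worth explaining before the device stays on the network.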

P.S.: the OpenBSD project maintains an ntpd that’s a thousand times easier to 
configure than the reference implementation and it doesn’t listen to the world 
by default.  It’s only slightly less accurate, too.  Check it out.

-- 
The archives for this list can be searched at:
http://www.mail-archive.com/macvisionaries@googlegroups.com/
--- 
You received this message because you are subscribed to the Google Groups 
"MacVisionaries" group.