Re: Protecting my network from rogue IoT devices.

On 29 February 2016 at 17:49, Niels Kobschaetzki <niels@xxxxxxxxxxxxxxxx> wrote:
> On 16/02/29 12:24, Javier Perez wrote:
>>
>> Probably Off Topic, but maybe tangentially related to Fedora.
>>
>> I read with interest this forum piece about IoT devices phoning home.
>>
>>
>> https://isc.sans.edu/forums/diary/IoT+The+Rise+of+the+Machines+Guest+Diary/19173/
>>
>> What caught my attention is the following phrase: " My home network
>> is hardened and any new (unknown) device connected to it receives an IP
>> address from a specific range which has no connectivity with other hosts
>> or
>> the Internet but its packets are logged"
>>
>> I imagine it is done through the Gateway Router at home. Is there any
>> tutorial somewhere to learn how to do this?
>
>
> Off the top of my head, you would need to implement 802.1X with a RADIUS
> server and, depending on the MAC, a device gets into one of two VLANs, and then a
> DHCP server hands out an IP address depending on the VLAN. The
> DHCP server has one network device in one VLAN and one in another VLAN,
> both with different subnets. And then there is an additional firewall
> (needs probably 3 network devices, one for each VLAN, one for WAN) that
> manages the traffic between the networks (firewalld, iptables,
> nftables). The subnet that is in the VLAN for the unknown devices
> redirects all traffic that should go into the Internet through a proxy
> (squid) which logs everything. The inter-network traffic can be logged
> by the firewall. At least that's what I would do with a
> wired network.
> I am not sure how you would realize that with WLANs.
> The only idea I would have is that there are two different WLANs. One
> for trusted, one for untrusted devices. The one with the untrusted
> devices routes Internet traffic again through a proxy. And you again need
> the firewall for the inter-network traffic. In both cases a router
> might be enough, but tbh I am not sure right now.
> I hope that gives you enough to go on to be able to find the
> right answers in Google.

I think you and Pete Travis are right that you'd need two WLANs; a MAC-
address-based approach could be defeated by an attacker (think
compromised device). It doesn't look like RADIUS allows the level of
control where different authentication credentials can be granted
different access, which is the only way I can think of to achieve it
securely, so they have to join separate networks they need to
authenticate to.

-- 
imalone
http://ibmalone.blogspot.co.uk
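The firewall-and-DHCP part of the design quoted above (a trusted VLAN, a quarantine VLAN whose hosts get an address but no path to other hosts or the Internet, with their packets logged and, optionally, their HTTP pushed through a logging proxy) is concrete enough to write down. The script below is an added example and is not code from the thread or from any of the posters. It assumes a Linux router running nftables and dnsmasq, with 802.1Q subinterfaces eth1.10 (trusted) and eth1.20 (quarantine) and eth0 as WAN; the interface names, VLAN IDs, subnets and the Squid port 3128 are all assumptions. How a device ends up in one VLAN or the other (802.1X/RADIUS, a MAC table on the switch, or a separate SSID) is left to the switch or access point and is not handled here.

```shell
#!/bin/sh
# Added example (not from the thread). Emits an nftables ruleset and a
# dnsmasq configuration for a Linux router with three interfaces: WAN, a
# trusted VLAN and a "quarantine" VLAN for unknown devices. Quarantine hosts
# get DHCP and DNS from the gateway only; everything else they send is
# logged and dropped, and nothing is forwarded into the quarantine VLAN.
# An optional proxy port redirects quarantine HTTP to a local Squid so it
# can be logged. Interface names, subnets and the port are assumptions.

gen_quarantine_ruleset() {
    wan="$1"            # e.g. eth0
    trusted="$2"        # e.g. eth1.10 (802.1Q subinterface, VLAN 10)
    quar="$3"           # e.g. eth1.20 (VLAN 20)
    quar_net="$4"       # e.g. 10.99.0.0/24
    proxy_port="${5:-}" # e.g. 3128; empty = no proxy, no Internet at all

    proxy_in=""
    proxy_nat=""
    if [ -n "$proxy_port" ]; then
        proxy_in="        iifname \"$quar\" tcp dport $proxy_port counter accept"
        proxy_nat="        iifname \"$quar\" tcp dport 80 counter redirect to :$proxy_port"
    fi

    cat <<EOF
flush ruleset
table inet fw {
    chain input {
        type filter hook input priority 0; policy drop;
        iif lo accept
        ct state established,related accept
        ct state invalid drop
        # quarantine hosts may talk to the gateway for DHCP and DNS only
        # (resolving via the gateway lets dnsmasq log the names they ask for)
        iifname "$quar" udp dport { 67, 53 } counter accept
        iifname "$quar" tcp dport 53 counter accept
$proxy_in
        iifname "$quar" log prefix "QUARANTINE-IN " counter drop
        iifname "$trusted" accept
        iifname "$wan" log prefix "WAN-IN " counter drop
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        iifname "$trusted" oifname "$wan" accept
        # quarantine is never forwarded to the trusted VLAN or the Internet ...
        iifname "$quar" log prefix "QUARANTINE-FWD " counter drop
        # ... and nothing from elsewhere is forwarded into it
        oifname "$quar" log prefix "QUARANTINE-TO " counter drop
    }
}
table ip nat {
    chain prerouting {
        type nat hook prerouting priority -100;
$proxy_nat
    }
    chain postrouting {
        type nat hook postrouting priority 100;
        # belt and braces: even if forwarding were opened, do not NAT quarantine
        oifname "$wan" ip saddr != $quar_net masquerade
    }
}
EOF
}

gen_dnsmasq_conf() {
    trusted="$1"; trusted_pool="$2"  # e.g. eth1.10 192.168.10.100,192.168.10.200
    quar="$3";    quar_pool="$4"     # e.g. eth1.20 10.99.0.100,10.99.0.200
    cat <<EOF
# one listener and one pool per VLAN; dnsmasq picks the pool whose subnet
# matches the address already configured on the interface
interface=$trusted
interface=$quar
bind-interfaces
dhcp-range=set:trusted,$trusted_pool,12h
# short leases so a device moved to the trusted VLAN is not stuck
dhcp-range=set:quarantine,$quar_pool,1h
# log leases and every DNS query so quarantine "phone home" attempts show in syslog
log-dhcp
log-queries
EOF
}
```

Write the ruleset to a file and run `nft -c -f` on it first (syntax check without loading), then `nft -f`; the `QUARANTINE-` prefixes show up in the kernel log (`journalctl -k`), and the DNS names a quarantined device tries to resolve appear in dnsmasq's log. Because the quarantine pool is assigned per interface rather than per MAC, a device that spoofs another MAC still lands in whatever VLAN the switch or AP puts it in, which is the point made in the reply above.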
-- 
users mailing list
users@xxxxxxxxxxxxxxxxxxxxxxx