On 29 February 2016 at 17:49, Niels Kobschaetzki <niels@xxxxxxxxxxxxxxxx> wrote:
> On 16/02/29 12:24, Javier Perez wrote:
>>
>> Probably off topic, but maybe tangentially related to Fedora.
>>
>> I read with interest this forum piece about IoT devices phoning home.
>>
>> https://isc.sans.edu/forums/diary/IoT+The+Rise+of+the+Machines+Guest+Diary/19173/
>>
>> What caught my attention is the following phrase: "My home network
>> is hardened and any new (unknown) device connected to it receives an IP
>> address from a specific range which has no connectivity with other hosts or
>> the Internet but its packets are logged"
>>
>> I imagine it is done through the gateway router at home. Is there any
>> tutorial somewhere to learn how to do this?
>
> Out of my head you would need to implement 802.1x with a RADIUS server
> and depending on the MAC a device gets into one of two VLANs, and then a
> DHCP server hands out an IP address depending on the VLAN. The
> DHCP server has one network device in one VLAN and one in another VLAN,
> both have different subnets. And then there is an additional firewall
> (needs probably 3 network devices, one for each VLAN, one for WAN) that
> manages the traffic between the networks (firewalld, iptables,
> nftables). The subnet that is in the VLAN for the unknown devices
> redirects all traffic that should go into the internet through a proxy
> (squid) which logs everything. The inter-network traffic can be logged
> by the firewall. At least that's what I would do with a
> wired network.
> I am not sure how you would realize that with WLANs.
> The only idea I would have is that there are two different WLANs. One
> for trusted, one for untrusted devices. The one with the untrusted
> devices routes internet traffic again through a proxy. And you need
> again the firewall for the inter-network traffic. In both cases a router
> might be enough, but tbh I am not sure right now.
> I hope that gives you enough into your hand to be able to get to the
> right answers in google.

I think you and Pete Travis are right that you'd need two WLANs; a MAC
address-based approach could be defeated by an attacker (think compromised
device). It doesn't look like RADIUS allows the level of control where
different authentication credentials can be granted different access, which
is the only way I can think of to achieve it securely, so they have to join
separate networks they need to authenticate to.

-- 
imalone
http://ibmalone.blogspot.co.uk
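The isolated, logged subnet the quoted diary describes and the firewall Niels sketches, as an added example that is not part of this thread: an nftables ruleset for a Linux router with one interface per VLAN plus an uplink. The interface names (lan0, quar0, wan0) and the two subnets are assumptions; adjust them to the router in question.

```nftables
#!/usr/sbin/nft -f
# Assumed interface names: lan0 = trusted VLAN, quar0 = VLAN that unknown
# devices are placed in, wan0 = uplink. Subnets are assumed as well.
define LAN_IF  = "lan0"
define QUAR_IF = "quar0"
define WAN_IF  = "wan0"
define LAN_NET  = 192.168.1.0/24
define QUAR_NET = 192.168.99.0/24

flush ruleset

table inet quarantine {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        iif lo accept
        # The trusted VLAN may talk to the router itself freely.
        iifname $LAN_IF accept
        # Unknown devices get only DHCP and DNS from the router; anything
        # else they send to the router is logged (kernel log) and dropped.
        iifname $QUAR_IF udp dport { 67, 53 } accept
        iifname $QUAR_IF tcp dport 53 accept
        iifname $QUAR_IF log prefix "quarantine-input: " drop
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        # The trusted VLAN reaches the Internet.
        iifname $LAN_IF oifname $WAN_IF accept
        # Nothing from the quarantine VLAN is forwarded anywhere: not to
        # the trusted VLAN and not to the Internet. Log it, then drop it.
        iifname $QUAR_IF log prefix "quarantine-forward: " drop
        # Nothing from elsewhere reaches the quarantine VLAN either.
        oifname $QUAR_IF drop
    }

    chain postrouting {
        type nat hook postrouting priority 100;
        # Only the trusted subnet is NATed out to the uplink.
        oifname $WAN_IF ip saddr $LAN_NET masquerade
    }
}
```

Load it with `nft -f` and review what the quarantined devices attempt with `journalctl -k | grep quarantine-`; the DHCP server then only has to hand out addresses from 192.168.99.0/24 on quar0 for the isolation to apply.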