Allegedly, on or about 29 February 2016, Javier Perez sent:
> I read with interest this forum piece about IoT devices phoning home.
>
> https://isc.sans.edu/forums/diary/IoT+The+Rise+of+the+Machines+GuestDiary/19173/
>
> What caught my attention is the following phrase: " My home network
> is hardened and any new (unknown) device connected to it receives an
> IP address from a specific range which has no connectivity with other
> hosts or the Internet but its packets are logged"
>
>
> I imagine it is done through the Gateway Router at home.

To do it simply, you do need to do it in the router (whether that's a dedicated device, or a computer doing that role).

My gateway/modem has a feature like that, there are two wireless LANs on different subnets that cannot talk to each other. It *was* also possible to do that with the wired LAN, but firmware upgrades took that feature away.

Since passphrases are required to use the WLAN (at least mine is set up properly, like that), devices can only connect to the networks you want them to (you choose which network, and supply the credentials). So, that's hardly in the category of defence against "rogue" things. Just normal network security.

I imagine that most networked non-computer things in the home are going to be wireless, since few non-tech homes will have ethernet cabling all over the place.

Cabled networks are another matter, it's rare to require authorisation to use a cabled ethernet network, it's mostly plug in and automatic setup. Though, if you can configure your DHCP server, you can set it up to dole out special addresses to unknown devices. Of course, that requires you to do the opposite; hand out another set of addresses to everything that you do allow; rather than allow a fully automatic uncustomised DHCP service.

Again, this doesn't do anything against malicious use of the network, where such things can configure themselves to get through (or a person configuring past your roadblocks).
But you can use it to take steps against things in your own house that you've connected, but want to limit their network functionality.

If you're going to take the subnetting approach, I tend to favour the idea of one LAN on 192.168.x.y and the other on 10.x.y.z, as *some* routers are too helpful (they may not treat 192.168.0.x and 192.168.1.x as being different networks, and allow them to talk to each other). Some routers are the opposite of security, and just try to make networks work. And some are the opposite of useful, they may not allow you to have more than one subnet, though in your case that might be an advantage (your unwanted appliances would be on a non-working network).

A better approach is to use completely isolated LANs. If you use a computer as your gateway/firewall, then put a second ethernet card in it, and run the second network through the second card.

But since I mentioned simple approaches, you can do it with hardware. Buy two routers, put your LAN on one, put the home appliances on the other.

                       /-- fridge
    appliance router --+-- toaster
   /                   \-- television
ISP modem
   \                   /-- computer 1
    computing router --+-- computer 2
                       +-- computer 3
                       \-- printer

I dread the technical support issues of the internet fridge, though. Quite apart from the questions of the fridge not recognising that you're out of eggs even though it realises the milk needs replacing, there'd be the configuring of the auto-ordering service with your local shops.

-- 
[tim@localhost ~]$ uname -rsvp
Linux 3.9.10-100.fc17.x86_64 #1 SMP Sun Jul 14 01:31:27 UTC 2013 x86_64

Boilerplate: All mail to my mailbox is automatically deleted, there is no point trying to privately email me, I only get to see the messages posted to the mailing list.

Long ago I gave up on using Windows (TM) [Tantrum Machine], and I've never regretted it.
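
The DHCP arrangement described in the message above (one set of addresses for devices you allow, a separate range for everything unknown), as an added example that is not part of the original post. It assumes ISC dhcpd as the DHCP server, which the post does not name; the host names, MAC addresses and address ranges are constructed placeholders.

```conf
# /etc/dhcp/dhcpd.conf -- constructed example, assuming ISC dhcpd.
# All MAC addresses, host names and ranges below are placeholders.
authoritative;
default-lease-time 3600;
max-lease-time 7200;

# A host declaration is what makes a client "known" to dhcpd.
# List every device you do allow here.
host computer1 { hardware ethernet 02:00:00:00:00:01; }
host computer2 { hardware ethernet 02:00:00:00:00:02; }
host printer   { hardware ethernet 02:00:00:00:00:03; }

# Both subnets sit on the same wire, so they go in one shared-network.
shared-network home {

    # Allowed devices: normal range, with a gateway and DNS server.
    subnet 192.168.1.0 netmask 255.255.255.0 {
        option routers 192.168.1.1;
        option domain-name-servers 192.168.1.1;
        pool {
            range 192.168.1.100 192.168.1.199;
            deny unknown-clients;      # unknown MACs never get these
        }
    }

    # Everything else: a 10.x range (not a neighbouring 192.168.x one),
    # with no "routers" or DNS option, so the lease leads nowhere.
    subnet 10.66.0.0 netmask 255.255.255.0 {
        pool {
            range 10.66.0.100 10.66.0.199;
            allow unknown-clients;     # only clients with no host entry
            default-lease-time 300;    # short leases: a device moves to
            max-lease-time 300;        # the allowed range soon after
        }                              # its host entry is added
    }
}
```

dhcpd logs each lease it grants through syslog, so addresses handed out from the 10.66.0.x pool show which unknown devices have appeared. A device that sets its own static address or copies a known MAC bypasses this sorting, so the gateway still has to refuse to forward traffic for the 10.66.0.x range.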