nanog mailing list archives

RE: IoT security


From: "Keith Medcalf" <kmedcalf () dessus com>
Date: Thu, 09 Feb 2017 18:01:59 -0700


On Tuesday, 7 February, 2017 06:59, Ray Soucy said:

I think the fundamental problem here is that these devices aren't good
network citizens in the first place.  The odds of getting them to add
functionality to support a new protocol are even likely than getting them
to not have open services externally IMHO.

Couldn't a lot of this be caught by proactive vulnerability scanning and
working with customers to have an SPI firewall in place, or am I missing
something?

Historically residential ISP CPE options have been terrible.  If you could
deliver something closer to user expectations you would likely see much
more adoption and less desire to rip and replace.  Ideally a cloud-managed
device so that the config wouldn't need to be rebuilt in the event of a
hardware swap.

I do not permit "cloud managed" devices on my network unless the "cloud" also belongs to me and is located on my 
network (in other words, a good old fashioned server on my network run by me).  No ISP is permitted to put "cloud" or 
even remotely configured (by anyone who is not me) devices on my network.  Such devices go on THEIR network not MY 
network.  If they malfunction or get hacked, the problem is THEIRS not MINE.

Such a policy ensures that I am entirely and exclusively responsible for the good behaviour of the equipment on MY 
network.  If I were to permit devices managed by NOT-ME on MY network, then I would not be responsible.  Therefore such 
filth should stay on NOT-MY network.

So the CPE equipment owned, managed and configured by the ISP is on the ISP network, not my network.  The demarc is the 
ethernet connection between the ISP network and MY network.  The ISP cannot configure nor touch anything on MY network, 
nor I on THEIRS.

As for "cloud" crap, anything that even mentions the word "cloud" on the box or glossy brochure gets an immediate 
10,000,000 point penalty applied to ensure that it is forever off the consideration list.

If someone is opposed to this policy and cannot live with it, either a network carrier or ISP, product vendor or 
whatever, I really do not give a rat's butt.  I will simply go do business with someone who has more sense.
