nanog mailing list archives

RE: Synology Disk DS211J


From: "Blake T. Pfankuch" <blake () pfankuch me>
Date: Fri, 30 Sep 2011 13:56:42 +0000

The easy way around the unhappy significant other/minion shaped offspring solution is to put all of the "end user" 
devices on a separate VLAN, and then treat that as an open DMZ.  Then everything operational (ironic in a home) goes on your 
secured production network (restrict all outbound/inbound except what is needed).  If you really want to complicate it 
you should even put your wireless into a separate VLAN as well, and secure it as appropriate.  Gives you the ability to 
firewall between networks, thus making sure that when your minions eventually get something nasty going on the PC they 
use, it doesn't spread through the rest of the network.  Also means you can deploy some form of content filtering 
policies through various solutions to prevent your minions from discovering the sites running on the most recent TLD 
addition.  

This assumes that most people reading this email have the ability to run multiple routed subnets behind their home 
firewall.  Be it a layer 3 switch with ACLs or multiple physical interfaces and the ability to have them act 
independently.  

Personally I run 8 separate networks (some with multiple routed subnets).  Wireless data, management network, voice 
networks, game consoles, storage, internal servers, DMZ servers and Project network.  Only reason why there is no "end 
user" network is that there are no wired drops anywhere in the house, so that falls under the wireless data. That 
network gets internet access and connectivity to file sharing off the internal servers and all internet traffic runs 
through Anti-Virus/Anti-Spyware before going outbound and inbound.

Blake

-----Original Message-----
From: Matthew Palmer [mailto:mpalmer () hezmatt org] 
Sent: Friday, September 30, 2011 12:19 AM
To: nanog () nanog org
Subject: Re: Synology Disk DS211J

On Thu, Sep 29, 2011 at 07:10:10PM -0700, Joel jaeggli wrote:
> On 9/29/11 17:46 , Robert Bonomi wrote:
>> From: Nathan Eisenberg <nathan () atlasnetworks us>
>> Subject: RE: Synology Disk DS211J
>> Date: Thu, 29 Sep 2011 21:58:23 +0000
>>
>>>> And this is why the prudent home admin runs a firewall device he 
>>>> or she can trust, and has a "default deny" rule in place even for 
>>>> outgoing connections.
>>>>
>>>> - Matt
>>>
>>> The prudent home admin has a default deny rule for outgoing HTTP to 
>>> port 80?  I doubt it.
>>
>> No, the prudent and knowledgeable home admin does not have a 
>> default deny rule just for outgoing HTTP to port 80.
>>
>> He has a default deny rule for _everything_.  Every internal source 
>> address, and every destination port.  Then he pokes holes in that 'deny everything'
>> for specific machines to make the kinds of external connections that 
>> _they_ need to make.
>
> Tell me how that flies with the customers in your household...

Perfectly fine.  My users know not to go plugging random devices in, and I properly configure the firewall to account 
for all legitimate traffic before the device is commissioned.

- Matt
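The "default deny for everything, then poke holes per machine" policy Robert describes, laid over the VLAN split Blake sketches (end-user devices as an open DMZ, wireless separate, production servers and storage locked down, a management network), written as an nftables forward policy. This is an added example, not a configuration anyone in the thread posted; the interface names, VLAN numbers, addresses and host roles are assumptions, and NAT for the upstream link is omitted.

```nftables
# Added example (not from the thread): nftables forward policy for a home
# router. Interfaces, VLAN numbers, addresses and host roles are assumed:
#   vlan10 = end-user devices, treated as an open DMZ
#   vlan20 = wireless clients
#   vlan30 = production: internal servers and storage (the Synology lives here)
#   vlan99 = management
#   eth0   = upstream/internet
define USERS      = 192.168.10.0/24
define WIFI       = 192.168.20.0/24
define SERVERS    = 192.168.30.0/24
define MGMT       = 192.168.99.0/24
define FILESERVER = 192.168.30.10   # internal server offering file sharing
define ADMIN_PC   = 192.168.20.5    # the one machine allowed into MGMT

table inet home {
    chain forward {
        # Default deny for everything crossing VLANs or leaving the house:
        # every internal source address, every destination port.
        type filter hook forward priority 0; policy drop;

        ct state established,related accept
        ct state invalid drop

        # Open DMZ: user and wireless VLANs may browse and resolve names
        # outbound, nothing else.
        ip saddr { $USERS, $WIFI } oifname "eth0" tcp dport { 80, 443 } accept
        ip saddr { $USERS, $WIFI } oifname "eth0" udp dport 53 accept

        # Hole into production, per host and per service: file sharing
        # from the internal server only. Nothing reaches MGMT from here.
        ip saddr { $USERS, $WIFI } ip daddr $FILESERVER tcp dport 445 accept

        # A single admin workstation may manage the management VLAN.
        ip saddr $ADMIN_PC ip daddr $MGMT tcp dport { 22, 443 } accept

        # No outbound hole exists for the storage/server VLAN, so a device
        # that opens connections to the internet on its own is dropped and
        # logged instead of quietly getting out.
        ip saddr $SERVERS oifname "eth0" log prefix "egress-denied " drop

        # Anything else falls through to the policy drop; log it so the
        # legitimate traffic of a new device can be accounted for before
        # the device is commissioned.
        log prefix "fwd-denied " drop
    }
}
```

Load with `nft -f` on a router whose VLAN sub-interfaces match the names above; the two `log` rules are what tell you which hole a new device actually needs before you open it.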



