For the new house I’m commissioning I face a similar challenge - various 
automation devices which communicate using TCP/IP but which probably don’t have 
the best security hardening and don’t get regular patch updates from the 
manufacturers to fix security vulnerabilities. Some of these are doing 
sensitive roles like managing access control and interfacing with the intruder 
alarm system.

In line with Dave’s advice I’ve set up multiple VLANs and mapped those to 
separate Shorewall Zones with different sets of Policies and Rules at the Zone 
level. I also have multiple WiFi SSIDs which each map to separate VLANs so they 
can have different policies applied - so e.g. my own WiFi devices use 802.1X 
authentication (against a RADIUS server) on one SSID and are allowed to access 
the local wired networks whereas there’s a separate SSID for Visitors, and 
that’s only allowed to access the Internet and not the local wired networks.

The main requirement is a VLAN-capable network switch. I currently use a Unifi 
model from ubnt.com but companies like Netgear make small, VLAN-capable 
switches which are relatively inexpensive. On Bering-uClibc you set up a 
sub-NIC per VLAN (e.g. eth1.112) and map each sub-NIC to a Shorewall Zone.

A useful trick for devices which need NTP access and hard-code an FQDN for that 
is to use the “address” entry in dnsmasq.conf to tell a white lie and return a 
local NTP server address for that FQDN in place of a remote NTP server address. 
For example:
    address=/time.euro.apple.com/192.168.112.1

davidMbrooke
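Putting the three replies together as an added example (not configuration posted by Victor, Dave or David): first Victor's per-address rule with the log level Dave asked for, then the VLAN-per-zone layout David describes, in Shorewall 4 file format. Interface names, VLAN IDs (eth1.112 automation, eth1.113 visitors), zone names and the 192.168.112.1 firewall address are assumed.

```text
# /etc/shorewall/rules  --  Victor's rule plus a log level (ACTION:level).
# Each dropped packet is logged at "info", so a DVR that suddenly tries
# to reach the Internet shows up in syslog instead of failing silently.
#ACTION     SOURCE                         DEST   PROTO   DEST PORT(S)
DROP:info   loc:192.168.1.x,192.168.1.y    net    all

# ---- Zone-per-VLAN layout (assumed names and addresses) ----

# /etc/shorewall/zones
#ZONE   TYPE
fw      firewall
net     ipv4
# loc: trusted wired LAN and the 802.1X SSID
loc     ipv4
# iot: automation devices (access control, alarm interface) on tagged VLAN 112
iot     ipv4
# vis: visitor SSID on tagged VLAN 113
vis     ipv4

# /etc/shorewall/interfaces  --  one sub-NIC per VLAN, each its own zone
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect      dhcp
loc     eth1        detect
iot     eth1.112    detect      dhcp
vis     eth1.113    detect      dhcp

# /etc/shorewall/policy  --  first match wins; every DROP/REJECT is logged
#SOURCE   DEST   POLICY   LOG LEVEL
$FW       all    ACCEPT
loc       net    ACCEPT
# the controller on the trusted LAN may talk to the devices, not the reverse
loc       iot    ACCEPT
# iot gets no Internet and no LAN; the only exceptions are the rules below
iot       all    DROP     info
vis       net    ACCEPT
# visitors get Internet only
vis       all    DROP     info
net       all    DROP     info
all       all    REJECT   info

# /etc/shorewall/rules  --  all an iot device may reach: DNS and NTP on the firewall
#ACTION        SOURCE   DEST   PROTO   DEST PORT(S)
DNS(ACCEPT)    iot      $FW
NTP(ACCEPT)    iot      $FW

# /etc/dnsmasq.conf  --  answer the hard-coded NTP FQDN with the local server
address=/time.euro.apple.com/192.168.112.1
```

Because rules are evaluated before policies, the two macro rules are the only holes in the `iot all DROP` policy; a new device added to VLAN 112 is contained by default rather than having to be listed by address.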

> On 3 Nov 2016, at 19:07, Dillabough, Dave <dave.dillabo...@bcgeu.ca> wrote:
> 
> I would add logging so that you would know if anything was amiss.
> 
> To test you could temporarily install a PC at the blocked address and see 
> what happens.
> 
> For more complete control as IoT devices proliferate I would add a separate 
> zone and set up a VLAN for home automation etc.
> 
> -----Original Message-----
> From: Victor McAllister [mailto:victo...@sonic.net] 
> Sent: Thursday, November 03, 2016 11:53 AM
> To: Bering List
> Subject: [leaf-user] prevent Iot from the net
> 
> I have a couple devices, such as a DVR, on the local net (loc) that I do not 
> want to have access to the Internet. Remember the recent DDOS attacks that 
> originated with IoT devices! I added this to shorewall rules.
> 
> DROP loc:192.168.1.x,192.168.1.y net all
> 
> They get their time from the local time server so they have no reason to 
> access the net.
> 
> I have not tested this, but at least shorewall compiles and runs. Any 
> comments?
> 
> Victor
> 
> 
> ------------------------------------------------------------------------------
> Developer Access Program for Intel Xeon Phi Processors Access to Intel Xeon 
> Phi processor-based developer platforms.
> With one year of Intel Parallel Studio XE.
> Training and support from Colfax.
> Order your platform today. http://sdm.link/xeonphi
> ------------------------------------------------------------------------
> leaf-user mailing list: leaf-user@lists.sourceforge.net 
> https://lists.sourceforge.net/lists/listinfo/leaf-user
> Support Request -- http://leaf-project.org/
