Subject: Re: Re: Predictive failures
From: blockedofcourse (at) *nospam* foo.invalid (Don Y)
Groups: sci.electronics.design
Date: 17. Apr 2024, 05:17:12
Organization: A noiseless patient Spider
Message-ID: <uvnf00$1cu2a$1@dont-email.me>
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:102.0) Gecko/20100101 Thunderbird/102.2.2
On 4/16/2024 6:38 PM, Edward Rawde wrote:
>> Simple solution: router has no radio! Even if the appliances wanted
>> to connect (ignoring their "disable WiFi access" setting), there's
>> nothing they can connect *to*.
>
> I'd have trouble here with no WiFi access.
> I can restrict outbound with a firewall as necessary.
I have 25 general purpose drops, here. So, you can be in any room,
front/back porch -- even the ROOF -- and get connected.
When I *need* wifi, I have to turn on one of the radios in
the ceiling, temporarily. (they are there as convenience
features for visiting guests; they are blocked from all of
the wired connections in the house)
>> But IP and MAC masquerading are trivial exercises. And, don't require
>> a human participant to interact with the target (i.e., they can be
>> automated).
>
> That's why most Tor exit nodes and home user VPN services are blocked.
> I don't allow unauthenticated access to anything (except web sites).
> I prefer to keep authentication simple and drop packets from countries and
> places who have no business connecting.
> Granted a multinational bank may need a different approach since their
> customers could be anywhere.
> If I were a multinational bank I'd be employing people to watch where the
> packets come from and decide which ones the firewall should drop.
The internal network isn't routed. So, the only machines to worry about are
this one (used only for email/news/web) and a laptop that is only used
for ecommerce.
I have an out-facing server that operates in stealth mode and won't appear
on probes (only used to source my work to colleagues). The goal is not to
look "interesting".
The structure of the house's fabric allows me to treat any individual
node as being directly connected to the ISP while isolating the
rest of the nodes. I.e., if you bring a laptop loaded with malware into
the house, you can't infect anything (or even know that there are other
hosts, here); it's as if you had a dedicated connection to the Internet
with no other devices "nearby".
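The per-node isolation described above (every wired drop sees only the ISP uplink, guest radios are cut off from the wired side) can be enforced on a Linux router with an nftables forward policy. This is an added example, not a ruleset from the poster; the interface names (wan, drop1..drop3, ap-ceiling1, ap-ceiling2) are assumptions standing in for one router port per drop or radio.

```nft
# Assumed layout: each wired drop and each ceiling radio is its own
# router interface; "wan" is the ISP uplink. Nothing below is the poster's own config.
table inet house {
    set wired { type ifname; elements = { "drop1", "drop2", "drop3" } }
    set guest { type ifname; elements = { "ap-ceiling1", "ap-ceiling2" } }

    chain forward {
        # Default deny: only the rules below may let a packet cross the router.
        type filter hook forward priority 0; policy drop;

        # Replies to connections a node opened toward the Internet come back in.
        ct state established,related accept

        # Every node, wired or guest, may reach the uplink and nothing else.
        iifname @wired oifname "wan" accept
        iifname @guest oifname "wan" accept

        # Node-to-node traffic is never forwarded, so a compromised laptop
        # on one drop cannot reach (or even discover) hosts on another.
        # The policy already drops it; these rules count and log attempts
        # so isolation violations show up in the router log.
        iifname @wired oifname @wired counter log prefix "drop-to-drop: " drop
        iifname @guest oifname @wired counter log prefix "guest-to-wired: " drop
    }
}
```

Load with `nft -f` and confirm with `nft list ruleset`; a new connection from drop1 to drop2 never matches an accept rule, so it is dropped and logged rather than forwarded.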