Liste des Groupes | Revenir à e design |
On 4/16/2024 10:39 PM, Edward Rawde wrote:"Don Y" <blockedofcourse@foo.invalid> wrote in message>
news:uvnlr6$1e3fi$1@dont-email.me...On 4/16/2024 9:21 PM, Edward Rawde wrote:>>The internal network isn't routed. So, the only machines to worry>
about
are
this one (used only for email/news/web) and a laptop that is only used
for ecommerce.
My LAN is more like a small/medium size business with all workstations,
servers and devices behind a firewall and able to communicate both with
each
other and online as necessary.
I have 72 drops in the office and 240 throughout the rest of the house
(though the vast majority of those are for dedicated "appliances")...
about 2.5 miles of CAT5.
Must be a big house.
The office is ~150 sq ft. Three sets of dual workstations each sharing a
set of monitors and a tablet (for music) -- 7 drops for each such set.
Eight drops for my "prototyping platform". Twelve UPSs. Four scanners
(two B size, one A-size w/ADF and a film scanner). An SB2000 and Voyager
(for cross development testing; I'm discarding a T5220 tomorrow).
Four "toy" NASs (for sharing files between myself and SWMBO, documents
dropped by the scanners, etc.). Four 12-bay NASs, two 16 bay. Four
8-bay ESXi servers. Two 1U servers. Two 2U servers. My DBMS server.
A "general services" appliance (DNS, NTP, PXE, FTP, TFTP, font, etc.
services). Three media front ends. One media tank. Two 12 bay
(and one 24 bay) iSCSI SAN devices.
....
>>>>I have an out-facing server that operates in stealth mode and won't>
appear
on probes (only used to source my work to colleagues). The goal is
not
to
look "interesting".
Not sure what you mean by that.
Given what gets thrown at my firewall I think you could maybe look more
interesting than you think.
Nothing on my side "answers" connection attempts. To the rest of the
world,
it looks like a cable dangling in air...
You could ping me if you knew my IP address.
You can't see me, at all. You have to know the right sequence of packets
(connection attempts) to throw at me before I will "wake up" and respond
to the *final*/correct one. And, while doing so, will continue to
ignore *other* attempts to contact me. So, even if you could see that
I had started to respond, you couldn't "get my attention".
>>>
I wouldn't bother. I'd just not connect it to wifi or wired if I
thought
there was a risk.
What I mean by that is I'd clean it without it being connected.
The Avira boot CD used to be useful but I forget how many years ago.
If you were to unplug any of the above mentioned ("house") drops,
you'd find nothing at the other end. Each physical link is an
encrypted tunnel that similarly "hides" until (and unless) properly
tickled. As a result, eavesdropping on the connection doesn't
"give" you anything (because it's immune from replay attacks and
it's content is opaque to you)
>>So, you'd have to *police* all such connections. What do you do with>
hundreds
of drops on a factory floor? Or, scattered throughout a business? Can
you prevent any "foreign" devices from being connected -- even if IN
PLACE
OF
a legitimate device? (after all, it is a trivial matter to unplug a
network
cable from one "approved" PC and plug it into a "foreign import")
Devices on a LAN should be secure just like Internet facing devices.
They should be secure from the threats they are LIKELY TO FACE.
If the only access to my devices is by gaining physical entry
to the premises, then why waste CPU cycles and man-hours protecting
against a threat that can't manifest? Each box has a password...
pasted on the outer skin of the box (for any intruder to read).
>
Do I *care* about the latest MS release? (ANS: No)
Do I care about the security patches for it? (No)
Can I still do MY work with MY tools? (Yes)
>
I have to activate an iPhone, tonight. So, drag out a laptop
(I have 7 of them), install the latest iTunes. Do the required
song and dance to get the phone running. Wipe the laptop's
disk and reinstall the image that was present, there, minutes
earlier (so, I don't care WHICH laptop I use!)
>
Les messages affichés proviennent d'usenet.