On Sat, 2 Feb 2019 21:14:33 -0800
Toshi Esumi
On 2/2/19 8:47 PM, David T-G wrote:
...and then Toshi Esumi said...
%
% On 2/2/19 1:28 PM, Dave Howorth wrote:
% ...
% 2) Put your vendor ADSL router/modem in modem/bridge mode, so that
% the FW in 1) behind the vendor modem can handle NAT/VIP and all
% other firewalling needs.
But that puts a "good" server on the same network as all of those IoT devices. Shouldn't we want the fridge and the thermostat and so on to not even be able to see a computer we want to protect?
Ok, I guess I should have put 3).
3) have a cheap VLAN capable switch to do internal segmentation and trunk all segments (either with VLANs or multiple ports if the FW chassis has them) pulled to the FW without interconnecting them together. The FW should be the gateway between segments.
But IoT devices never get hacked or virus infected unless they're connected to the internet. And the FW is controlling both those IoT devices and your servers, etc. I don't mind putting them together at my home as long as those are behind a solid FW, which I have a hardware-based+subscription-based one. Of course, if something has another way to connect to the internet, like 4G/5G phones/tablets, etc. (I don't connect them to LAN, other than WiFi, which is connected to the same FW), you need to take care of that side separately. Because that's another "Point of Entry from the Internet". You need FWs on those too, probably at device level.
Toshi
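
The segmentation described in 3) above, sketched as an added example that is not part of the original thread: a forward policy for a Linux firewall using nftables, where the firewall is the only gateway between segments. The firewall platform, interface names, VLAN IDs and the choice of which segment may reach which are all assumptions.

```nftables
#!/usr/sbin/nft -f
# Added example. All interface names and VLAN IDs below are assumed.
flush ruleset

define WAN  = "wan0"       # link to the vendor modem in bridge mode
define SRV  = "trunk0.10"  # VLAN 10: servers / trusted machines
define IOT  = "trunk0.20"  # VLAN 20: fridge, thermostat, other IoT
define WIFI = "trunk0.30"  # VLAN 30: phones and tablets on WiFi

table inet fw {
    chain input {
        type filter hook input priority filter; policy drop;
        ct state established,related accept
        ct state invalid drop
        iifname "lo" accept
        # Assumes the firewall itself serves DNS and DHCP to the segments.
        iifname { $SRV, $IOT, $WIFI } udp dport { 53, 67 } accept
        iifname { $SRV, $IOT, $WIFI } tcp dport 53 accept
        # Management access only from the server segment.
        iifname $SRV tcp dport 22 accept
    }

    chain forward {
        type filter hook forward priority filter; policy drop;
        ct state established,related accept
        ct state invalid drop
        # Every internal segment may open connections to the Internet.
        iifname { $SRV, $IOT, $WIFI } oifname $WAN accept
        # Trusted machines may reach IoT devices; replies return via conntrack.
        iifname $SRV oifname $IOT accept
        # IoT devices may not initiate anything toward the other segments.
        # Logged and counted so lateral attempts are visible.
        iifname $IOT oifname { $SRV, $WIFI } log prefix "iot-lateral " counter drop
        # Anything not matched above falls through to policy drop.
    }
}

table ip nat {
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        # NAT handled on the firewall, not on the bridged modem.
        oifname $WAN masquerade
    }
}
```

With the default-drop forward chain, a new segment added to the trunk is isolated until a rule explicitly permits its traffic.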
Thanks David and Toshi. Between you I think you've identified a good strategy for me. I'll start looking for a suitable device or devices. We don't let phones etc connect to the Internet except via our wi-fi, and my wife is aware not to click on links etc so hopefully they're reasonably safe.