On 03/02/2019 06.14, Toshi Esumi wrote:
On 2/2/19 8:47 PM, David T-G wrote:
...and then Toshi Esumi said...
%
% On 2/2/19 1:28 PM, Dave Howorth wrote:
% ...
% 2) Put your vendor ADSL router/modem in modem/bridge mode, so that
% the FW in 1) behind the vendor modem can handle NAT/VIP and all
% other firewalling needs.
But that puts a "good" server on the same network as all of those IoT devices. Shouldn't we want the fridge and the thermostat and so on to not even be able to see a computer we want to protect?
Ok, I guess I should have put 3).
3) Have a cheap VLAN-capable switch do the internal segmentation, and trunk all segments (either as VLANs or over multiple ports, if the FW chassis has them) to the FW without interconnecting them. The FW should be the gateway between segments.
But IoT devices never get hacked or virus-infected unless they're connected to the internet. And the FW is controlling both those IoT devices and your servers, etc.
Nope. They connect from inside to an outside server. Firewalls do not block those connections by default. And blocking them negates the utility of controlling the sitting-room intelligent lamp from the phone...

--
Cheers / Saludos,

Carlos E. R.
(from 15.0 x86_64 at Telcontar)
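As an added illustration of the layout discussed in this thread (not a ruleset posted by any of the participants), here is a minimal nftables configuration for a Linux firewall sitting behind a bridged ADSL modem, with the IoT segment, the trusted segment and the phones each on their own VLAN trunked to the firewall. The interface names, VLAN IDs and address ranges are assumptions chosen for the example. It encodes the two points made above: the IoT segment may initiate connections only towards the internet (the vendor cloud the devices call home to), never towards the trusted or phone segments, while the phone segment may still open connections to the lamp or thermostat, so remote control keeps working and only the reverse direction is blocked.

```nftables
#!/usr/sbin/nft -f
# Assumed topology (example values, not from the original thread):
#   ppp0   - PPPoE session over the modem in bridge mode (the WAN)
#   vlan10 - 192.168.10.0/24  trusted: PCs and the "good" server
#   vlan20 - 192.168.20.0/24  IoT: fridge, thermostat, intelligent lamp
#   vlan30 - 192.168.30.0/24  phones / Wi-Fi clients
flush ruleset

define WAN     = "ppp0"
define TRUSTED = "vlan10"
define IOT     = "vlan20"
define PHONES  = "vlan30"

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        iif "lo" accept
        # Every segment may use the firewall for DHCP and DNS, nothing more.
        iifname { $TRUSTED, $IOT, $PHONES } udp dport { 53, 67 } accept
        iifname { $TRUSTED, $IOT, $PHONES } tcp dport 53 accept
        # Administration of the firewall only from the trusted segment.
        iifname $TRUSTED tcp dport 22 accept
        icmp type echo-request accept
        icmpv6 type { echo-request, nd-neighbor-solicit, nd-neighbor-advert, nd-router-solicit } accept
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop

        # IoT devices call home: allow them out to the internet only.
        iifname $IOT oifname $WAN accept
        # Spelled out although the policy is drop: IoT never initiates
        # towards the other segments. Only replies to connections opened
        # from those segments come back, via the established/related rule.
        iifname $IOT oifname { $TRUSTED, $PHONES } drop

        # Phones may open connections to the lamp/thermostat and to the internet.
        iifname $PHONES oifname { $IOT, $WAN } accept

        # The trusted segment may reach the IoT devices and the internet,
        # but nothing else is allowed to open a connection into it.
        iifname $TRUSTED oifname { $IOT, $WAN } accept

        # Anything that reaches the end is dropped by policy; log a sample of it
        # so a misbehaving device on the IoT VLAN shows up in the journal.
        limit rate 10/minute log prefix "fw-forward-drop "
    }
}

table ip nat {
    chain postrouting {
        type nat hook postrouting priority 100; policy accept;
        oifname $WAN masquerade
    }
}
```

Load it with `nft -f /etc/nftables.conf` and check the result with `nft list ruleset`. The trusted server and the IoT devices never share a broadcast domain, so an infected thermostat cannot even ARP for the server; everything it sends towards vlan10 arrives at the firewall and is dropped and logged. If a device needs to be reachable from the internet (a camera, say), add a specific dnat rule for it rather than relaxing the forward chain.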