The right way to do a home network: a three-router network # Hardware - Computer Hardware
g*t
1
Big-name professors hire postdocs for three reasons:
1. The postdocs a big name hires are themselves outstanding second-generation disciples of other schools, out wandering to exchange ideas:
Wudang sends them to Shaolin, Shaolin sends them to Emei, building relationships along the way (and who knows, this humble Taoist might end up competing with the bald donkeys for the abbess),
so that later they can roam the jianghu together.
2. Any student about to graduate is holding back a trump card or two they haven't played yet.
Push them hard and you can often squeeze out a few top-journal corresponding-author papers.
Pay 45K and get two CNS papers for free; a bargain.
3. The big name may not be an expert in everything, but their standing in the jianghu is what it is.
It keeps the junior riffraff in line; even Zhang Wuji, with all his kung fu, wouldn't dare beat up Miejue, would he? It's backup.
Seniority is respected, and later, when the school needs it, there is one more disciple who can guard the house.
------------------------------------------------------------------------
A junior AP, even a star one, who hires someone like this is asking for trouble.
Chances are they will steal every scrap of the secret sauce you planned to build your shop on, and humiliate you daily with a pile of formulas you can't follow.
And every so often they will quietly take the junior AP's lifeline money to tend their own private garden.
------------------------------------------------------------------------
When starting out for the first time, don't be greedy for the best and most complete.
Honestly hire a cheap one at the lab-technician level; an auntie will do.
Ideally someone whose home is local and who won't change jobs easily.
Their goal is just to earn wages and get immigration status.
Authorship conflicts on papers are easy to handle too.
Get papers out fast.
Once the operation is up and running, then recruit your own students.
Well-honed lab technique is impressive too; companies compete to hire it at high salaries.
But remember: less money means a higher title, more money means a lower title.
p*m
2
Steve Gibson's Three Router Solution to IOT Insecurity
Author: Nicolae Crisan
Date: August 15, 2016
Subject: General Tech
Manufacturer: Various
Tagged: networking, network, iot
Introduction
Even before the formulation of the term "Internet of things", Steve Gibson
proposed home networking topology changes designed to deal with this new
looming security threat. Unfortunately, little or no thought is given to the
security aspects of the devices in this rapidly growing market.
One of Steve's proposed network topology adjustments involved daisy-chaining
two routers together. The WAN port of an IOT-purposed router would be
attached to the LAN port of the Border/root router.
In this arrangement, only IOT/Smart devices are connected to the internal
(or IOT-purposed) router. The idea was to isolate insecure or poorly
implemented devices from the more valuable personal local data devices such
as a NAS with important files and/or backups. Unfortunately, this clever
arrangement leaves any device directly connected to the “border” router
open to attack by infected devices running on the internal/IOT router. Said
devices could perform a simple trace-route and identify that an intermediate
network exists between it and the public Internet. Any device running under
the border router with known (or worse - unknown!) vulnerabilities can be
immediately exploited.
Gibson's alternative formula reversed the positioning of the IOT and border
router. Unfortunately, this solution also came with a nasty side-effect. The
border router (now used as the "secure" or internal router) became subject
to all manner of man-in-the-middle attacks. Since the local Ethernet network
basically trusts all traffic within its domain, an infected device on the
IOT router (now between the internal router and the public Internet) can
manipulate or eavesdrop on any traffic emerging from the internal router.
The potential consequences of this flaw are obvious.
The third time really is the charm for Steve! On February 2nd of this year (
Episode #545 of Security Now!) Gibson presented us with his third (and
hopefully final) foray into the magical land of theory-crafting as it
related to securing our home networks against the Internet of Things.
With this iteration Steve moved us from a two-router solution to a
three-router solution. The new arrangement involves three fundamental elements to
the network – an “external” or “border” router that has one purpose and
one purpose ONLY: to move traffic back and forth between the public
Internet and the two internal subnets underneath it. The second is an
IOT-purposed router which houses all “Smart” / “Internet of Things” /
“Internet-Enabled” devices, whose uplink port is connected to an open LAN
port of our border router. Devices such as PCs, laptops, phones and network
storage devices have NO place inside this segment of the network. The third
and last element is the “Secure” or internal router which, in similar
fashion to the IOT router, has its uplink port connected to an open LAN port
of the border router. Any valuable device (high value targets to hackers)
such as desktops, laptops and network storage devices (a NAS or similar
network appliance) are all clustered together inside this subnet.
Maintaining three separate purpose-driven subnets affords our network some
key protective features unavailable to us with both of our previous
configurations.
1. Separation of Ethernet Segments: Compromised devices and/or malicious
payloads no longer have the luxury of unfettered access to devices (either
upstream or downstream) by exploiting the trusting Ethernet protocol.
2. Damage control: Compromised devices and/or malicious payloads are
separated from higher value targets such as PC workstations and network
attached storage devices. In the event of a breach, the damage an
“expendable” IOT device can cause on the network will be contained and
compartmentalized to the local subnet.
Although our proposed variation so far seems very bullet-proof (it is for
the most part), we cannot neglect to briefly discuss one outstanding caveat.
Even though corralling all of our less secure devices into a single subnet
will dramatically improve our overall security, the threat of an already
infected device hijacking or exploiting the vulnerabilities of an adjacent
device in the same IOT subnet is still a very real possibility. For this
reason, I would propose an additional modification to this blueprint (which
Steve also slightly alluded to). Whether built in software or (preferably)
hardware, a per-IP “virtual LAN pipe” should be constructed on the fly
with each new IOT device connection that would allow IP-based communication
to only one endpoint – the publicly facing Internet. It’s important to
note that a VLAN does not provide the form of security we desire on a
wireless interface. Our goal is to draw on the concepts of how a VLAN works
while the implementation will most likely utilize some other method/protocol.
In other words, a device would ONLY have the capability to transmit and
receive as if it were the only device behind the protection of the NAT. The
idea here isn’t to over-engineer a solution (even though it feels very much
that way). This is about advancing our networking technology to address the
very real threat IOT devices carry with them.
Router Configuration Walk-Through
The IT veterans among us are most likely already well acquainted with the
concepts at work in this type of router configuration. In fact, I would
wager that most of you also could easily purchase and configure a system
like this blindfolded. Even though most of us might already understand the
concepts and steps involved, there are several benefits all of us can take
advantage of. Less experienced readers can get a grasp on some basic
networking concepts while the IT veterans among us can fill-in some
knowledge gaps (we all have them). As a community we can all fine-tune
various aspects of this alternative approach to IOT security and begin
implementing this network configuration at home or in the office.
Whether you're a beginner or a Cisco-certified professional, we will all
learn nuances of this alternative router configuration that we wouldn't have
had we not walked through it together.
So, let’s assume we’re sold on the idea that Gibson’s router
configuration will answer all of our IOT security woes. We’re going to
unbox and configure three identical routers so they adhere to this alternative
way of handling “insecure” and “secure” traffic. You can, of course,
use three completely different router models. To keep things in the realm of
sanity, and because it’s much more efficient and easy to manage one unified
interface, we will be using the same router model for all three.
For this setup we’ll be using three ASUS RT-N12 “3-In-1” Wireless Routers.
I have to pause a moment and chuckle at the advertising ASUS has come up
with on this line of routers. The word “FAST” wasn’t good enough
apparently – ASUS had to make an acronym out of it to really drive home the
point that “this router be FAST, yo!”
This isn’t a Warranty Notice insert that I should just throw away. People,
this is a “VIP Member” warranty notice! I am SO important to ASUS they had
to include that specific verbiage just for me!
After unpacking all three units, lay everything out so it emulates the
network topology we are creating – as shown below. I would HIGHLY recommend
labeling each router to eliminate any confusion as to what that router’s
purpose is in your network. Ten months from now when you hobble back into
your server closet or re-approach the tangled rat's nest of wires we all know
you have near your cable modem, you won’t remember why you have three
identical routers or what each of them does!
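As an added example (not part of the original post or of the article it quotes), the claims made about the three layouts can be checked with a small reachability model built on two rules: NAT lets a host open connections only toward its upstream side, and a shared Ethernet segment lets a host see its neighbours' traffic. The third layout also carries the per-client isolation the editorial proposes; the segment and host names (borderLAN, iotLAN, secureLAN, nas, bulb, camera, cloud) are constructed.

```python
from dataclasses import dataclass
INTERNET = "internet"

@dataclass(frozen=True)
class Router:
    name: str
    wan: str                # segment its uplink port sits on
    lan: str                # segment it serves; NAT hides it from the WAN side
    isolated: bool = False  # the per-client "virtual LAN pipe": no LAN-to-LAN traffic

def upstream_path(segment, routers):
    """Segments a packet crosses from `segment` up to the Internet, inclusive."""
    path = [segment]
    while path[-1] != INTERNET:
        hop = next((r for r in routers if r.lan == path[-1]), None)
        if hop is None:      # no router serves this segment: dead end
            break
        path.append(hop.wan)
    return path

def lateral_allowed(segment, routers):
    """Can two hosts on the same segment talk to each other directly?"""
    owner = next((r for r in routers if r.lan == segment), None)
    return owner is None or not owner.isolated

def can_initiate(src, dst, hosts, routers):
    """NAT rule: a host may open connections only toward its upstream side."""
    s, d = hosts[src], hosts[dst]
    if s == d:
        return src != dst and lateral_allowed(s, routers)
    return d in upstream_path(s, routers)

def can_observe(src, dst, hosts, routers):
    """Ethernet trusts its segment: src sees dst's traffic if dst's upstream path crosses it."""
    s, d = hosts[src], hosts[dst]
    if src == dst or s == INTERNET:
        return False
    return lateral_allowed(s, routers) if s == d else s in upstream_path(d, routers)

def evaluate(routers, hosts):
    return {"iot_can_attack_nas": can_initiate("bulb", "nas", hosts, routers),
            "iot_can_snoop_nas": can_observe("bulb", "nas", hosts, routers),
            "iot_lateral_move": can_initiate("bulb", "camera", hosts, routers),
            "nas_reaches_internet": can_initiate("nas", "cloud", hosts, routers)}
# Constructed hosts: a NAS, two IoT gadgets, and a server out on the Internet.
HOSTS_IOT_INSIDE = {"nas": "borderLAN", "bulb": "iotLAN", "camera": "iotLAN", "cloud": INTERNET}
HOSTS_NAS_INSIDE = {"nas": "secureLAN", "bulb": "iotLAN", "camera": "iotLAN", "cloud": INTERNET}
TOPO1 = ([Router("border", INTERNET, "borderLAN"), Router("iot", "borderLAN", "iotLAN")], HOSTS_IOT_INSIDE)
TOPO2 = ([Router("iot", INTERNET, "iotLAN"), Router("secure", "iotLAN", "secureLAN")], HOSTS_NAS_INSIDE)
TOPO3 = ([Router("border", INTERNET, "borderLAN"), Router("iot", "borderLAN", "iotLAN", isolated=True),
          Router("secure", "borderLAN", "secureLAN")], HOSTS_NAS_INSIDE)
```

Running `evaluate(*TOPO1)`, `evaluate(*TOPO2)` and `evaluate(*TOPO3)` reproduces the article's verdicts: the first layout exposes the NAS to connections from the IoT segment, the second exposes the secure router's uplink traffic to snooping, and the third blocks both while the NAS still reaches the Internet.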
a*e
3
This thread actually has quite a lot of technical substance.
M*6
5
Bookmarked, thanks to the original poster.
m*i
6
That makes a lot of sense.