On Wednesday 24 March 2010, Mohacsi Janos wrote:
> > Your NAS should run link-local or ULA if you don't want it to reach the
> > outside world.
>
> How to configure the NAS for such a setup?
> - If I use SLAAC? Do I have to prevent RAs with global prefix to be
> arrived to NAS? Do I have to filter on NAS? But what about the ULA? Do I
> get ULA via SLAAC?

This requires a pretty complex setup.

If I would build the NAS I would let it operate as usual, but add a few simple packet filter rules to the rudimentary firewall inside the device:

  allow absolutely everything out;
  allow everything in that targets me at fe80::/10;
  allow everything in that targets me at fc00::/7 if it comes from a locally advertised network;
  do not allow anything else in.

I would also give the user an option to disable the packet dropping code (if I felt too lazy to implement a proper configuration).

I wouldn't expect the router or any other device to protect or fool my NAS device.

Maybe someone needs to define a few more simple-security rules for devices other than CPE gateways? I don't really see an incentive for device engineers to put proper security into "dumb" devices if there is no spec - they are used to letting the "magic of NAT" take care of this.

Konrad
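The inbound rules proposed in the message above, modelled as a stateless decision function. This is an added example, not part of the original e-mail or any device's firmware; the function names, the sample prefixes and addresses are constructed, and it assumes "locally advertised network" means a prefix learned from Router Advertisements on the local link.

```python
import ipaddress

LINK_LOCAL = ipaddress.IPv6Network("fe80::/10")
ULA = ipaddress.IPv6Network("fc00::/7")


def inbound_verdict(src, dst, advertised_prefixes):
    """Apply the message's inbound rules to one packet: 'accept' or 'drop'.

    advertised_prefixes: prefixes learned from RAs on the local link (assumption).
    """
    src_ip = ipaddress.IPv6Address(src)
    dst_ip = ipaddress.IPv6Address(dst)
    # Anything addressed to our link-local address is allowed in.
    if dst_ip in LINK_LOCAL:
        return "accept"
    # Traffic to our ULA address is allowed only when the source lies
    # inside a prefix advertised on the local link.
    if dst_ip in ULA and any(
        src_ip in ipaddress.IPv6Network(p) for p in advertised_prefixes
    ):
        return "accept"
    # Nothing else comes in; this includes traffic to our global address.
    return "drop"


# Outbound traffic needs no function: the first rule allows everything out.

# Constructed sample data: prefixes a NAS might have learned from RAs.
ADVERTISED = ["fd12:3456:789a:1::/64", "2001:db8:1::/64"]
NAS_ULA = "fd12:3456:789a:1::20"
NAS_GLOBAL = "2001:db8:1::20"

# Constructed inbound packets as (source, destination) pairs.
SAMPLE_INBOUND = [
    ("fe80::1", "fe80::20"),             # neighbour via link-local
    ("fd12:3456:789a:1::10", NAS_ULA),   # host on the advertised ULA prefix
    ("2001:db8:1::10", NAS_ULA),         # host on the advertised global prefix
    ("fd99::1", NAS_ULA),                # ULA source, prefix not advertised
    ("2001:db8:ffff::1", NAS_ULA),       # remote global source
    ("2001:db8:ffff::1", NAS_GLOBAL),    # remote source to our global address
]


def evaluate(packets=SAMPLE_INBOUND, prefixes=ADVERTISED):
    """Return the verdict for each sample packet, in order."""
    return [inbound_verdict(s, d, prefixes) for s, d in packets]


if __name__ == "__main__":
    for pkt, verdict in zip(SAMPLE_INBOUND, evaluate()):
        print(pkt, "->", verdict)
```

Because the model is stateless, the last rule also drops packets addressed to the device's global address, whatever their source.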