Re: Security of devices other than the Gateway (was Re: simple security)
On Sun, 28 Mar 2010 19:06:32 +0200
Mark Townsley <townsley@cisco.com> wrote:
> On 3/28/10 6:41 PM, Konrad Rosenbaum wrote:
> > On Wednesday 24 March 2010, Mohacsi Janos wrote:
> >
> >>> Your NAS should run link-local or ULA if you don't want it to reach the
> >>> outside world.
> >>>
> >> How to configure the NAS for such a setup?
> >> - If I use SLAAC? Do I have to prevent RAs with a global prefix from
> >> arriving at the NAS? Do I have to filter on the NAS? But what about the
> >> ULA? Do I get a ULA via SLAAC? This requires a pretty complex setup.
> >>
> > If I were to build the NAS I would let it operate as usual, but add a few
> > simple packet filter rules to the rudimentary firewall inside the device:
> > allow absolutely everything out; allow everything in that targets me at
> > fe80::/10; allow everything in that targets me at fc00::/7 if it comes from
> > a locally advertised network, do not allow anything else in. I would also
> > give the user an option to disable the packet dropping code (if I felt too
> > lazy to implement a proper configuration). I wouldn't expect the router or
> > any other device to protect or fool my NAS device.
> >
> > Maybe someone needs to define a few more simple-security rules for devices
> > other than CPE gateways?
> >
> Not a bad idea at all. Security certainly doesn't start or stop at the
> gateway.
>
> > I don't really see an incentive for device engineers to put proper security
> > into "dumb" devices if there is no spec - they are used to letting
> > the "magic of NAT" take care of this.
> >
> Agreed. If the applications (or devices built for a specific
> application) were a bit more aware of the scoping of an IPv6 address,
> perhaps they could use this for better security, not to mention ease of
> use.
>

As much as I think using ULAs for this is a good simple solution, one
model I've thought could be better is the "association" model used by
Bluetooth or DECT handsets and base stations. If you set up a
trusted association between devices, via some sort of enrolment
process (e.g. press a button on both devices at once, then acknowledge
the relationship), probably with an expiry period (to allow short
term trust e.g. temporary access to your printer for a day), the access
to devices could then be addressing independent. Following that model,
you could access your home NAS, fridge etc. from any location, ULA or
global.

Regards,
Mark.

> These problems aren't easy, and probably require peeking into APIs and
> such to be done properly, but perhaps this is where our efforts should
> be directed.
>
> - Mark
>
> >
> > Konrad
> >
>
>
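
Added example, not part of the original thread and not code from any of its participants: the inbound rules quoted above (accept anything addressed to fe80::/10, accept traffic addressed to fc00::/7 only from a locally advertised network, drop the rest, with a user switch to disable filtering) written as a stateless decision function. The function name, the sample prefixes and the reading of "locally advertised network" as the prefixes learned from Router Advertisements on the link are assumptions; multicast and reply tracking for outbound connections are outside the quoted rules and are not modelled.

```python
import ipaddress

LINK_LOCAL = ipaddress.ip_network("fe80::/10")
ULA = ipaddress.ip_network("fc00::/7")


def inbound_verdict(src, dst, advertised_prefixes, filtering_enabled=True):
    """Return "accept" or "drop" for one inbound packet addressed to the device.

    advertised_prefixes: prefixes the device learned from RAs on its own link
    (assumed interpretation of "locally advertised network").
    """
    if not filtering_enabled:
        # The user option from the thread: packet dropping switched off.
        return "accept"

    src_ip = ipaddress.ip_address(src)
    dst_ip = ipaddress.ip_address(dst)
    if src_ip.version != 6 or dst_ip.version != 6:
        return "drop"  # the rules only describe IPv6 traffic

    # Rule: allow everything in that targets me at fe80::/10.
    if dst_ip in LINK_LOCAL:
        return "accept"

    # Rule: allow traffic targeting me at fc00::/7 only when the source
    # lies inside a prefix advertised on the local link.
    if dst_ip in ULA:
        local_nets = [ipaddress.ip_network(p) for p in advertised_prefixes]
        if any(src_ip in net for net in local_nets):
            return "accept"

    # Rule: do not allow anything else in (global destinations included).
    return "drop"


# Constructed sample prefixes: one ULA /64 and one documentation-range /64.
SAMPLE_PREFIXES = ["fd12:3456:789a:1::/64", "2001:db8:1::/64"]

if __name__ == "__main__":
    for src, dst in [
        ("fe80::1", "fe80::2"),
        ("fd12:3456:789a:1::10", "fd12:3456:789a:1::20"),
        ("fd99::1", "fd12:3456:789a:1::20"),
        ("2001:db8:1::5", "2001:db8:1::20"),
    ]:
        print(src, "->", dst, inbound_verdict(src, dst, SAMPLE_PREFIXES))
```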