[Cryptography] FBI: Don't trust IoT devices

Henry Baker hbaker1 at pipeline.com
Wed Dec 11 18:57:48 EST 2019


At 08:13 AM 12/11/2019, Jeremy Stanley wrote:
>On 2019-12-10 10:57:30 -0800 (-0800), Henry Baker wrote:
>[...]
>> To a first approximation, just consider isolating
>> each device in such a way that it can't "see" any
>> other device, but it can still talk to the internet.
>[...]
>
>For wired LANs, the most common solution is referred to as "port
>isolation" or "Private VLAN" but Cisco has a patent stranglehold on
>the concept laid out in IETF RFC 5517 and has litigated against
>perceived infringers who don't bow to their demands for license
>tithes:
>
>https://en.wikipedia.org/wiki/Private_VLAN
>
>https://www.essentialpatentblog.com/2016/07/itc-rejects-de-facto-standard-defense-337-ta-944-cisco-v-arista/
>
>For IEEE 802.11 wireless, many WAPs implement something called
>"wireless client isolation" or "AP isolation" to prevent client
>systems from communicating with anything besides the Internet
>gateway:
>
>https://openwrt.org/docs/guide-user/network/wifi/guestwifi/guest-wlan#step_2copy_the_existing_wireless_network
>
>https://wiki.dd-wrt.com/wiki/index.php/Advanced_wireless_settings#AP_Isolation
>
>So the options are there, but I agree, if I hadn't spent years as a
>network engineer I probably wouldn't begin to know what to look for.
>-- 
>Jeremy Stanley

Mucho thanks for the info & links!

What about achieving this isolation goal via encrypted tunnels/encrypted VPNs, etc.? Yes, I know, one could still do traffic analysis, but they could probably do that (with additional effort) even with Cisco's mechanisms.

I don't know if I would trust Cisco "port isolation" to devices that can run tcpdump/wireshark/snort/etc. 24x7, even if I had Cisco routers.
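As an added illustration of the "port isolation" / Private VLAN behaviour discussed above (this is example code written for this page, not code from either poster, from Cisco, or from the RFC), the following models the RFC 5517 forwarding rule for the three port roles it defines: a promiscuous port (the uplink/gateway) may exchange frames with every port, an isolated port only with promiscuous ports, and a community port with promiscuous ports plus other members of the same community. The port names and the two sample layouts are constructed for the example. Running it prints, for each port, which ports its frames can reach and, conversely, which sources a host running tcpdump on that port could ever capture, which is the check a practitioner would want before trusting the switch to keep IoT devices from "seeing" each other. The model says nothing about traffic analysis by whoever controls the promiscuous side; it only describes what the switch forwards.

```python
"""Model of RFC 5517 Private VLAN (port isolation) forwarding.

Port roles:
  promiscuous - may exchange frames with every other port (uplink/gateway)
  isolated    - may exchange frames only with promiscuous ports
  community   - may exchange frames with promiscuous ports and with
                other ports in the same community
Port names and layouts below are constructed sample data, not a real network.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

PROMISCUOUS, ISOLATED, COMMUNITY = "promiscuous", "isolated", "community"


@dataclass(frozen=True)
class Port:
    name: str
    role: str                       # one of PROMISCUOUS, ISOLATED, COMMUNITY
    community: Optional[str] = None  # only meaningful for COMMUNITY ports


def may_forward(src: Port, dst: Port) -> bool:
    """Would a PVLAN-aware switch deliver a frame from src's port to dst's port?"""
    if src.name == dst.name:
        return False                # a port never receives its own frames back
    if PROMISCUOUS in (src.role, dst.role):
        return True                 # the uplink talks to everyone, and vice versa
    if src.role == COMMUNITY and dst.role == COMMUNITY:
        return src.community == dst.community
    return False                    # isolated<->isolated and isolated<->community are blocked


def reachability(ports: List[Port]) -> Dict[str, List[str]]:
    """For each port, the list of ports its frames (unicast or flooded) can reach."""
    return {p.name: [q.name for q in ports if may_forward(p, q)] for p in ports}


def sniffable_by(listener: str, ports: List[Port]) -> List[str]:
    """Sources whose frames the switch will ever deliver to 'listener'.

    A host running tcpdump on that port can capture nothing else, however
    promiscuous its NIC is, because the frames never arrive on the wire.
    """
    dst = next(p for p in ports if p.name == listener)
    return [p.name for p in ports if may_forward(p, dst)]


def isolation_violations(ports: List[Port], uplink: str) -> List[Tuple[str, str]]:
    """Unordered pairs of non-uplink ports that can still exchange frames."""
    reach = reachability(ports)
    bad: List[Tuple[str, str]] = []
    for p in ports:
        if p.name == uplink:
            continue
        for q in reach[p.name]:
            if q != uplink and (q, p.name) not in bad:
                bad.append((p.name, q))
    return bad


# Constructed sample layouts (assumed names, not a real deployment).
HOME = [
    Port("uplink", PROMISCUOUS),
    Port("cam1", ISOLATED), Port("cam2", ISOLATED), Port("tv", ISOLATED),
    Port("nas", COMMUNITY, "trusted"), Port("laptop", COMMUNITY, "trusted"),
]
STRICT = [Port("uplink", PROMISCUOUS)] + [
    Port(n, ISOLATED) for n in ("cam1", "cam2", "tv", "nas", "laptop")
]

if __name__ == "__main__":
    for layout_name, layout in (("HOME", HOME), ("STRICT", STRICT)):
        print(f"== {layout_name} ==")
        for name, dests in reachability(layout).items():
            print(f"{name:7s} sends to {dests}; can sniff {sniffable_by(name, layout)}")
        print("device-to-device pairs still allowed:", isolation_violations(layout, "uplink"))
```

The "violations" list is the design check: with every IoT port isolated (STRICT) it is empty, while the HOME layout deliberately leaves the trusted community able to talk to itself and reports exactly that pair.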
