[Nut-upsuser] ISE review of I-D: deprecate command VER?
Harlan Stenn
harlan at pfcs.com
Sun Mar 20 23:51:33 GMT 2022
On 3/20/2022 2:15 PM, Manuel Wolfshant wrote:
> On 3/20/22 22:02, gene heskett wrote:
>> ...
>> Even better, hide your local network by getting a good router, reflashing
>> it to something like dd-wrt or its ilk, and using it to NAT your local
>> net somewhere in the 192.168.xxx.yyy address space but which is not
>> transmitted thru a router without coming under the control of the NAT in
>> the router. All your stuff behind such a router is invisible to the black
>> hats, making all your machines at least 1000 times more secure unless you
>> leave the router passwd at its default, in which case you'll be pwned by
>> 10 seconds after it's powered up and the modem cable plugged into it.
>
> That's not really feasible for enterprise locations. At home I used
> dd-wrt since 2013 until 2 months ago when I replaced my router but I
> will certainly not insert such a router in my work environment when I
> could simply configure the enterprise-grade switches to use dedicated
> VLANs for the various equipment. I have one VLAN for video cameras,
> another one for the management of the network equipment and so on. And
> yes, I know very well that VLAN's primary role is separating broadcast
> domains, not security. However coupled with proper firewall rules
> separating the VLANs, one can create a decent environment.
>
> And no home user will dedicate a separate router for a UPS. On top of
> that, separating the UPS from the other devices is possible but not easy
> because any and all home-grade routers by default will inject a single
> rule that NATs the single class defined behind it. Separating the UPS
> from the rest requires manual intervention, many times directly in the
> CLI. And please do not imagine for a single second that you will be safe
> simply because you NAT everything, as there are a myriad of scripts that
> rely on UPnP or client vulnerabilities to propagate inside user
> networks, behind any firewalls.
My UPSes are on a limited/restricted-access VLAN at my place...
H