[Nut-upsuser] ISE review of I-D: deprecate command VER?

Harlan Stenn harlan at pfcs.com
Sun Mar 20 23:51:33 GMT 2022

On 3/20/2022 2:15 PM, Manuel Wolfshant wrote:
> On 3/20/22 22:02, gene heskett wrote:
>> ...
>> Even better, hide your local network by getting a good router, reflashing
>> it to something like dd-wrt or its ilk, and using it to NAT your local
>> net somewhere in the 192.168.xxx.yyy address space but which is not
>> transmitted thru a router without coming under the control of the NAT in
>> the router. All your stuff behind such a router is invisible to the black
>> hats, making all your machines at least 1000 times more secure unless you
>> leave the router passwd at its default, in which case you'll be powned by
>> 10 seconds after its powered up and the modem cable plugged into it.
> That's not really feasible for enterprise locations. At home I used 
> dd-wrt since 2013 until 2 months ago when I replaced my router but I 
> will certainly not insert such a router in my work environment when I 
> could simply configure the enterprise-grade switches to use dedicated 
> VLANs for the various equipment. I have one VLAN  for video cameras, 
> another one for the management of the network equipment and so on . And 
> yes, I know very well that VLAN's primary role is separating broadcast 
> domains, not security. However coupled with proper firewall rules 
> separating the VLANs, one can create a decent environment.
> And no home user will dedicate a separate router for an UPS. On top of 
> that, separating the UPS from the other devices is possible but not easy 
> because any and all home-grade routers by default will inject a single 
> rule that NATs the single class defined behind it. Separating the UPS 
> from the rest requires manual intervention, many times directly in the 
> CLI. And please do not imagine for a single second that you will be safe 
> simply because you NAT everything,  as there are miriad of scripts that 
> rely on UPNP or client vulnerabilities to propagate inside user 
> networks, behind any firewalls.

My UPSes are on a limited/restricted-access VLAN at my place...


More information about the Nut-upsuser mailing list