On 3/20/2022 2:15 PM, Manuel Wolfshant wrote:
On 3/20/22 22:02, gene heskett wrote:
...
Even better, hide your local network by getting a good router, reflashing
it to something like dd-wrt or its ilk, and using it to NAT your local
net somewhere in the 192.168.xxx.yyy address space but which is not
transmitted thru a router without coming under the control of the NAT in
the router. All your stuff behind such a router is invisible to the black
hats, making all your machines at least 1000 times more secure unless you
leave the router passwd at its default, in which case you'll be pwned within
10 seconds after it's powered up and the modem cable is plugged into it.

That's not really feasible for enterprise locations. At home I used dd-wrt from 2013 until 2 months ago, when I replaced my router, but I will certainly not insert such a router in my work environment when I could simply configure the enterprise-grade switches to use dedicated VLANs for the various equipment. I have one VLAN for video cameras, another one for the management of the network equipment, and so on. And yes, I know very well that a VLAN's primary role is separating broadcast domains, not security. However, coupled with proper firewall rules separating the VLANs, one can create a decent environment.

And no home user will dedicate a separate router for a UPS. On top of that, separating the UPS from the other devices is possible but not easy, because any and all home-grade routers by default will inject a single rule that NATs the single class defined behind it. Separating the UPS from the rest requires manual intervention, many times directly in the CLI. And please do not imagine for a single second that you will be safe simply because you NAT everything, as there are a myriad of scripts that rely on UPnP or client vulnerabilities to propagate inside user networks, behind any firewalls.

My UPSes are on a limited/restricted-access VLAN at my place...

H
