Reply to post: Re: NOT the solution for internet of infected things

Ubuntu Core Snaps door shut on Linux's new Dirty COWs

bombastic bob Silver badge
Devil

Re: NOT the solution for internet of infected things

the real solution is a lot more obvious: don't expose them to the public intarwebs without a secure shell of some kind that uses an actual LOGIN...

best way to handle that is an ssh tunnel capability in your firewall. that would mean running sshd on every firewall system out there (quite possibly on a fixed IPv4 address, or an IPv6 address), with PROPER security even, and allowing ONLY properly credentialed users to secure-tunnel into your network to access the devices (say 'phone application with an assigned ssh cert'). THEN all of the IOT devices won't use UPnP to tunnel past the firewall and listen on the intarwebs, or even use publically viewable IPv6 addresses for the same purpose, but would INSTEAD listen on a private LAN IP [and/or non-public IPv6]. The sshd login would then become the 'single point of failure' so the firewall makers would have to goad people into setting it up PROPERLY, then SHUT! OFF! THAT! HIDEOUS! SECURITY! CRATER! known as 'UPnP support on the router'.

/me notes my FreeBSD computer serves as firewall, router, IPv6 tunnel, web server, and sshd for remote access, on a fixed IP, with a 'godaddy registered' name server running, and a few other things. Ok most people don't want this, but if EVERYBODY HAD TO DO THIS to get IoT to work right, it would be a HELL of a lot more secure!

the alternative would be a cloud-based "solution" involving a) a 3rd party sshd-based cloudy server, b) connect to it from your network directly using a daemon/service/whatever to connect your LAN to the service, and c) tunnel through that connection from the 3rd party sshd, through that daemon/service/whatever [which could JUST be ssh invoked with the proper parameters], so that the connection works on both ends.

Anyway, IoT devices using such a service would be as secure as the ssh config. But at least it would become a stumbling block to scanning the ENTIRE address space looking for poorly configured TELNET on IoT devices...

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019