OT isolated subnet for talking to "foreign"/untrusted devices

I rescue a fair bit of kit. Much of it "(networked) appliances". As I've no idea of its past pedigree, I typically bring it up using a sacrificial laptop (one that I can wipe and rebuild in a matter of minutes) on a two node network (the laptop and the DUT).

I'm *tempted* (but wary) to serve up a small subnet off my main network via DHCP (most appliances seem to want dynamically assigned IPs -- if not "as is", then "when reset to factory defaults").

But, this opens up the hosts on the network to any malware on the device in question. If I introduce a firewall/filter between the particular router ports and the device, then I've got to deal with tweaking that "as appropriate" for the particular device -- and, hope I don't overlook something (like how it may have been configured for the previous device, days/weeks/months earlier).

I.e., it doesn't look like there's a "100% safe" way to do this. That I should stick to the sacrificial laptop approach?

How do others handle this? Or, just blissful ignorance? :>

Reply to
Don Y
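The setup the opening post is wary of (a DHCP-served quarantine subnet with a filter between it and the main network) and the connection-rate throttle mentioned later in the thread can both be expressed as one small nftables ruleset, plus an audit step that catches a rule left over from a previous device. The following is an added example, not code from the thread or from any of its participants. Everything in it is assumed: a Linux router running nftables, the LAN on eth0, the quarantine subnet 10.99.0.0/24 on eth1, the WAN on eth2, and a management host at 192.168.1.10 that is allowed to reach the device under test; the function and variable names are made up for the example.

```shell
#!/bin/sh
# Generates (does not apply) an nftables ruleset that quarantines an untrusted
# device on its own subnet. Constructed example: interface names, subnet and
# management host are placeholders passed in as arguments.
#
# Usage (applying the rules is left to the operator):
#   gen_quarantine_rules eth0 eth1 eth2 10.99.0.0/24 192.168.1.10 | nft -f -

gen_quarantine_rules() {
    lan_if="$1"; qt_if="$2"; wan_if="$3"; qt_net="$4"; mgmt_host="$5"
    cat <<EOF
table inet quarantine {
    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        # only the management host may open sessions toward the quarantined device
        iifname "$lan_if" oifname "$qt_if" ip saddr $mgmt_host ip daddr $qt_net accept
        # the device may reach the internet, but new sessions are rate-limited
        # in case its firmware is programmed to flood or scan
        iifname "$qt_if" oifname "$wan_if" ct state new limit rate over 20/second drop
        iifname "$qt_if" oifname "$wan_if" ip saddr $qt_net accept
        # anything the device initiates toward the main LAN is dropped
        iifname "$qt_if" oifname "$lan_if" drop
    }
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        iifname "lo" accept
        # the router only serves DHCP and DNS to the quarantine side
        iifname "$qt_if" udp dport { 67, 53 } accept
        iifname "$qt_if" tcp dport 53 accept
        iifname "$lan_if" accept
    }
    chain postrouting {
        type nat hook postrouting priority 100;
        oifname "$wan_if" masquerade
    }
}
EOF
}

# Reads a ruleset on stdin and fails if the forward chain does not default to
# drop, or if any rule lets the quarantine interface open sessions toward the
# LAN. Meant to be run before a new device is plugged in, so that a rule added
# for an earlier device is not overlooked.
audit_quarantine_rules() {
    qt_if="$1"; lan_if="$2"
    rules="$(cat)"
    if ! printf '%s\n' "$rules" | grep -q 'hook forward priority 0; policy drop'; then
        echo "audit: forward chain does not default to drop" >&2
        return 1
    fi
    if printf '%s\n' "$rules" | grep -Eq "iifname \"$qt_if\" oifname \"$lan_if\".*accept"; then
        echo "audit: rule permits $qt_if -> $lan_if traffic" >&2
        return 1
    fi
    return 0
}

# Stand-alone run: print the generated ruleset for the placeholder topology.
gen_quarantine_rules eth0 eth1 eth2 10.99.0.0/24 192.168.1.10
```

The audit is deliberately textual so it can be run against `nft list ruleset` output from a router that someone else configured months ago; it answers the "did I overlook something" question with a yes/no before the device goes on the wire.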

An analogy comes to mind. If you connect your main network and the DUT somehow, they're having sex.

As everyone who has had sex education knows, there's no such thing as "100% safe" sex. Only risk-reduction.

It's up to you to decide what level of risk is acceptable for the benefit gained from the network and DUT not remaining forever celibate.

Reply to
bitrex

No, there's only the *potential* for it. Just like having guys and gals in the same room doesn't necessarily imply that THEY are "having sex".

The firewall/packet filter is, effectively, the condom -- like putting the "newcomer" (boy/girl) outside a protective bubble.

The analogy falls down because a hole in the bubble can lead to others in the room being "infected" -- even if they'd not opted to "engage" with the newcomer. Like wearing a condom -- and someone ELSE in the room ending up catching an STD, instead!

There are other options between "promiscuity" and "celibacy".

Reply to
Don Y

You'd do this with two WAN addresses. One WAN address would be dedicated for a NAT+router for the IoT pool. Preferably, the router would have a connection rate throttle in case any of those devices are programmed for attacks.

Some SOHO routers can manage multiple NAT subnets from one WAN address. Unfortunately, SOHO routers are typically buggy, easily hacked, piles of garbage that will never be upgraded to working condition. They're worse than IoT junk because they offer hackers more power.

--
I will not see posts from astraweb, theremailer, dizum, or google 
because they host Usenet flooders.
Reply to
Kevin McMurtrie

Would it serve your purpose to simply put three NAT routers in a Y arrangement, so one connects to the internet and feeds the other two? Then you'd have two networks that could never talk to each other, but both can reach out.

Reply to
Tom Del Rosso

Any decent router can do that all-by-itself.

I have a separate guest WiFi network that works exactly like that. And I could add a hardware ethernet port to it when required.

Of course it is not possible to connect to the devices on that network from my normal network, and I think that is what he sort of suggests to be required (adapting the firewall to the situation, avoiding the laptop).

Reply to
Rob

He said he "rescues a fair bit of kit", meaning that he might have a lot of cheap routers that can't be set up to do that.

Reply to
Tom Del Rosso
