Slashdot Mirror


Ask Slashdot: Could A 'Smart Firewall' Protect IoT Devices?

To protect our home networks from IoT cracking, Ceaus wants to see a smart firewall: It's a small box (the size of a Raspberry Pi) with two ethernet ports you put in front of your ISP router. This firewall is capable of detecting your IoT devices and blocking their access to the internet, only and exclusively allowing traffic for the associated mobile app (if there is one). All other outgoing IoT traffic is blocked... Once you've plugged in your new IoT toaster, you press the "Scan" button on the firewall and it does the rest for you.
This would also block "snooping" from outside your home network, and of course, keep your devices off botnets. The original submission asks "Does such a firewall exist? Is this a possible Kickstarter project?" So leave your best answers in the comments. Could a smart firewall protect IoT devices?

11 of 230 comments

  1. some rules by drinkypoo · · Score: 5, Insightful

    All you really need is... some rules.

    If you have an openwrt, dd-wrt or similar router, you can definitely block whatever traffic you want without new hardware.

    You can whitelist devices by IP or MAC and not permit anything else to generate egress traffic, which won't protect against devices smart enough to spoof your IP and MAC sending data but which will defeat the casual attacks.

    --
    "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
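
Added example (not part of the comment above or of any router firmware): a Python generator for an nftables ruleset that implements the MAC-based egress allowlist the comment describes, extended with per-device destinations as the submission asks for. The interface names `br-lan` and `wan`, the table name `iot_egress` and all sample addresses are assumptions.

```python
import ipaddress
import re

MAC_RE = re.compile(r"^[0-9a-f]{2}(:[0-9a-f]{2}){5}$")

# Constructed sample data. MACs are made up; addresses are RFC 5737 documentation ranges.
TRUSTED = ["02:00:00:00:00:10"]  # e.g. a laptop: unrestricted egress
IOT = {                          # device MAC -> the only flows it may open
    "02:00:00:AA:BB:01": [("203.0.113.10", "tcp", 443)],
    "02:00:00:aa:bb:02": [("198.51.100.0/24", "tcp", 8883), ("192.0.2.53", "udp", 123)],
}

def _mac(value):
    """Lower-case and validate a MAC so nothing else can reach the rule text."""
    mac = value.lower()
    if not MAC_RE.match(mac):
        raise ValueError(f"bad MAC address: {value!r}")
    return mac

def build_ruleset(trusted, iot, lan_if="br-lan", wan_if="wan"):
    """Return nftables text: listed flows pass LAN->WAN, every other flow is dropped."""
    match = f'iifname "{lan_if}" oifname "{wan_if}"'
    rules = ["ct state established,related accept"]
    for mac in sorted(map(_mac, trusted)):
        rules.append(f"{match} ether saddr {mac} accept")
    for mac, flows in sorted((_mac(m), f) for m, f in iot.items()):
        for dest, proto, port in flows:
            net = ipaddress.ip_network(dest)  # raises ValueError on malformed input
            if net.version != 4 or proto not in ("tcp", "udp") or not 0 < port < 65536:
                raise ValueError(f"unsupported flow for {mac}: {dest} {proto}/{port}")
            rules.append(f"{match} ether saddr {mac} ip daddr {net} {proto} dport {port} accept")
    # Default deny for everything else leaving the LAN: unlisted devices and all IPv6.
    # A device that spoofs an allowed MAC still matches, as the comment above notes.
    rules.append(f"{match} drop")
    body = "\n".join(f"    {r}" for r in rules)
    return ("table inet iot_egress {\n  chain forward {\n"
            "    type filter hook forward priority 0; policy accept;\n"
            f"{body}\n  }}\n}}\n")

if __name__ == "__main__":
    print(build_ruleset(TRUSTED, IOT))
```

The output can be checked with `nft -c -f <file>` before it is loaded on the router.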
    1. Re:some rules by grahamsz · · Score: 5, Insightful

      I've corralled mine into a dhcp space, but it might be safer just to set up a whole separate wifi network for them, would make it easier to monitor.

      Still it's trickier for things like the chromecast or airplay-type devices, because they both interact with phones and laptops on the local network and need to connect directly to streaming sources on the internet.

  2. How is this different from any firewall by Paul+Carver · · Score: 5, Insightful

    I'm pretty sure that this "smart firewall" is more commonly known as a "firewall". Any firewall that can't block traffic can't legitimately be called a firewall at all.

  3. mssp by jbmartin6 · · Score: 3, Insightful

    Sounds like you want to spin up a managed security provider for home users, to manage their gateways. It's been tried before, but not enough people want to pay for it. Much easier and more economical to just get large ISPs to do it. All we need is the right leverage. As Bruce Schneier observed, it is in part a problem because the device manufacturers and the home users really don't have a strong motivation (yet) to do anything.

    --
    This posting is provided 'AS IS' without warranty of any kind, implied or otherwise.
  4. Why yes! There is. It's called by RightwingNutjob · · Score: 3, Insightful

    not plugging your fucking toaster into the internet so it can tweet out whenever your toast is done.

  5. Re:Ideally a manifest/profile from IoT makers... by MobyDisk · · Score: 5, Insightful

    I love that idea! It's like FDA labeling laws, but for electronics. It would be totally cheap for the manufacturer to do, and it would make it totally transparent as to which devices are total crap. And if they lie, they could be liable for it at LEAST under false advertising laws. Now that you say this -- why the heck haven't we done this before? It seems so simple and obvious.

    This device communicates on the following protocols:
    IP address | Protocol | Destination
    .
    .
    .

  6. There may be a problem here... by Eezy+Bordone · · Score: 3, Insightful

    Wait a minute. You want someone to make a device that will identify random IoT devices when we can't even get current home/soho router/firewall device makers to update THEIR firmware?

    --

    -EB

    Do you ever walk alone like a drifter in the dark?

  7. Re:Ideally a manifest/profile from IoT makers... by Bing+Tsher+E · · Score: 4, Insightful

    The IoT device is installed in a home, and writes the 'manifest' to the firewall device at installation. If it ever changes, the firewall would immediately know.
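
Added example (not code from any commenter or product): how a firewall could pin the manifest recorded at installation, as proposed in the two manifest comments above, and report a later change without applying it. The field names, the `port` column, the class name and the `.example` hostnames are assumptions.

```python
import hashlib
import json

def _normalize(manifest):
    """Reduce a manifest to a set of (protocol, destination, port) tuples."""
    return {(e["protocol"].lower(), e["destination"].lower(), int(e["port"]))
            for e in manifest}

class PinnedManifest:
    """Manifest recorded at installation; later announcements never overwrite it."""

    def __init__(self, device, manifest):
        self.device = device
        self.entries = _normalize(manifest)
        self.digest = self._digest(self.entries)

    @staticmethod
    def _digest(entries):
        # Hash a sorted, canonical encoding so entry order cannot change the digest.
        blob = json.dumps(sorted(entries), separators=(",", ":")).encode()
        return hashlib.sha256(blob).hexdigest()

    def allows(self, protocol, destination, port):
        """Enforcement decision: only flows in the pinned manifest pass."""
        return (protocol.lower(), destination.lower(), int(port)) in self.entries

    def review(self, announced):
        """Diff a re-announced manifest against the pin without applying it."""
        new = _normalize(announced)
        return {
            "device": self.device,
            "changed": self._digest(new) != self.digest,
            "added": sorted(new - self.entries),
            "removed": sorted(self.entries - new),
        }

# Constructed sample data (hypothetical device and hostnames under .example).
INSTALLED = [{"protocol": "TCP", "destination": "api.switch.example", "port": 443},
             {"protocol": "udp", "destination": "ntp.switch.example", "port": 123}]
LATER = INSTALLED[::-1] + [
    {"protocol": "tcp", "destination": "upload.unknown.example", "port": 8080}]

if __name__ == "__main__":
    pin = PinnedManifest("lightswitch-01", INSTALLED)
    print(pin.review(LATER))                                   # change is reported
    print(pin.allows("tcp", "upload.unknown.example", 8080))   # and still blocked
```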

  8. Re:Ideally a manifest/profile from IoT makers... by grahamsz · · Score: 3, Insightful

    At which point the consumer would see "Hey, your lightswitch wants permission to send a whole bunch of traffic to a random server" and they'd approve the change like they always do.

  9. Re:Ideally a manifest/profile from IoT makers... by CountBrass · · Score: 3, Insightful

    So your solution to securing incredibly insecure IoT devices is to allow those incredibly insecure IoT devices privileged access to the security device that polices access to your network.

    This is why you don't let novices come up with security solutions.

    --
    Bad analogies are like waxing a monkey with a rainbow.
  10. Re:Ideally a manifest/profile from IoT makers... by cheetah_spottycat · · Score: 3, Insightful

    This is called UPnP, and is exactly the problem why so many devices are reachable through the internet while their owners don't suspect a thing.