Slashdot Mirror

← Back to Stories (view on slashdot.org)

Ask Slashdot: Could A 'Smart Firewall' Protect IoT Devices?

Posted by EditorDavid on from the home-network-of-things dept.

To protect our home networks from IoT cracking, Ceaus wants to see a smart firewall: It's a small box (the size of a Raspberry Pi) with two ethernet ports you put in front of your ISP router. This firewall is capable of detecting your IoT devices and blocking their access to the internet, only and exclusively allowing traffic for the associated mobile app (if there is one). All other outgoing IoT traffic is blocked... Once you've plugged in your new IoT toaster, you press the "Scan" button on the firewall and it does the rest for you.
This would also block "snooping" from outside your home network, and of course, keep your devices off botnets. The original submission asks "Does such a firewall exist? Is this a possible Kickstarter project?" So leave your best answers in the comments. Could a smart firewall protect IoT devices?

5 of 230 comments (clear)

  1. Ideally a manifest/profile from IoT makers... by mlts · · Score: 5, Informative

    Ideally, there should be a profile/manifest IoT makers have as standard with their devices. This shows what incoming/outgoing ports and hosts the IoT device communicates with. Everything else should be blocked as default from the router. This should be in some central registry or a standardized URL system, so a home firewall could, once it recognizes a certain IoT device, grab a profile and run with it.

    Of course, a lot of IoT makers would just put in that the device takes incoming/outgoing traffic from anything and everything, but hopefully there might be come makers who give a shit enough about security to put in limits of what their devices can and do not try communicating with.

    This way, a firewall, once it registers a device can automatically apply a profile and call it done. Of course, there are security issues, but this is a giant step forward, compared to letting the device have unfettered access in and out.

    1. Re:Ideally a manifest/profile from IoT makers... by MobyDisk · · Score: 5, Insightful

      I love that idea! It's like FDA labeling laws, but for electronics. It would be totally cheap for the manufacturer to do, and it would make it totally transparent as to which devices are total crap. And if they lie, they could be liable for it at LEAST under false advertising laws. Now that you say this -- why the heck haven't we done this before? It seems so simple and obvious.

      This device communicates on the following protocols:
      IP address | Protocol | Destination
      .
      .
      .

  2. some rules by drinkypoo · · Score: 5, Insightful

    All you really need is... some rules.

    If you have an openwrt, dd-wrt or similar router, you can definitely block whatever traffic you want without new hardware.

    You can whitelist devices by IP or MAC and not permit anything else to generate egress traffic, which won't prevent against devices smart enough to spoof your IP and MAC sending data but which will defeat the casual attacks.

    --
    "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    1. Re:some rules by grahamsz · · Score: 5, Insightful

      I've corralled mine into a dhcp space, but it might be safer just to set up a whole separate wifi network for them, would make it easier to monitor.

      Still it's trickier for things like the chromecast or airplay-type devices, because they both interact with phones and laptops on the local network and need to connect directly to streaming sources on the internet.

  3. How is this different from any firewall by Paul+Carver · · Score: 5, Insightful

    I'm pretty sure that this "smart firewall" is more commonly known as a "firewall". Any firewall that can't block traffic can't legitimately be called a firewall at all.