[aprssig] Turn-key IGate

Jason KG4WSV kg4wsv at gmail.com
Fri Mar 25 19:15:44 CDT 2016



> On Mar 25, 2016, at 12:37 PM, Scott Miller via aprssig <aprssig at tapr.org> wrote:
> 
> With proper care in its setup, it's certainly possible to keep it secure.  

And that's key: proper care and feeding. There's no such thing as an Internet appliance that can be simply taken out of the box and plumbed to the inter-tubes with no configuration and maintenance. 

> it doesn't even need to respond to pings.

*sigh*

obscurity != security

MAYBE this could be considered part of defense in depth, but IMO you're just shooting yourself in the foot by removing a useful troubleshooting tool and slowing down only the slowest of the script kiddies. 


>  If you need SSH access you can lock it down to specific source IP addresses or you can use port knocking to only open the port on demand.

Yeah but if you know about port knocking you also know that stuff has to be patched regularly and my warning wasn't for you. :)

> 
> My next tracker/TNC will be an IGate, too,

In my limited-but-more-than-many-folks experience with embedded devices, attacks (or even scans) that have any effect tend to knock them offline, being a DoS even if unintentional. Connection handling has to be pretty robust. 

I recently put a couple of <name of embedded device censored> online to see if they have any problems. They're exposed to the world with minimal filtering. 

The Internet is an unfriendly place. It's certainly no place for appliances. 

-Jason
kg4wsv


