[aprssig] Turn-key IGate

Scott Miller scott at opentrac.org
Sun Mar 27 14:18:50 CDT 2016


>> it doesn't even need to respond to pings.
> *sigh*
>
> obscurity != security
>
> MAYBE this could be considered part of defense in depth, but IMO you're just shooting yourself in the foot by removing a useful troubleshooting tool and slowing down only the slowest of the script kiddies.
I'm not saying ignoring pings is a security measure - I'm saying that 
it's hard to hack a device when it doesn't respond to any incoming 
traffic at all.  The very first thing you should do when securing any 
network-connected system is to disable all unused services.

> Yeah but if you know about port knocking you also know that stuff has to be patched regularly and my warning wasn't for you. :)
Only the things that are running need to be patched.  For an IGate 
appliance that can be a very small list.  Anyone with the technical 
proficiency to manage a Linux device via SSH should also be able to 
manage some basic firewall settings.  If not, they can use a 
pre-configured system that's completely firewalled except for outbound 
APRS IS traffic.

> In my limited-but-more-than-many-folks experience with embedded devices, attacks (or even scans) that have any effect tend to knock them offline, being a DoS even if unintentional. Connection handling has to be pretty robust.
>
> I recently put a couple of <name of embedded device censored> online to see if they have any problems. They're exposed to the world with minimal filtering.
>
> The Internet is an unfriendly place. It's certainly no place for appliances.
Plenty of Internet-connected devices are absolute crap.  The designers 
don't know or don't care about security.  That doesn't mean you can't 
make a secure appliance, particularly when it has a very limited set of 
things it needs to do.  I spent years working on network security for a 
military base with more than 130,000 IP addresses that made a very large 
target for all manner of attacks. I have much more confidence in my 
ability to construct a secure single-purpose embedded appliance than in 
a PC running any general-purpose desktop operating system no matter how 
well patched and behind an off-the-shelf firewall.

Scott
N1VG


More information about the aprssig mailing list