[colug-432] Centos7, firewalld, Arduino ide to support over the air updates on esp8266

Rick Hornsby richardjhornsby at gmail.com
Sat Feb 4 16:08:23 EST 2017


On February 4, 2017 at 13:08:58, Vince Herried (vherried at gmail.com) wrote:

> Is this a mistake opening up all the ports on all my LAN?

That sort of depends. There's obviously a valid school of thought that says
to lock down your network, including the LAN, and only allow that traffic
which is necessary. I think that probably for the most part makes the most
sense in a datacenter, or other commercial space like if you're running a
"public" wifi network.

In a datacenter, you want to isolate different functions (HR,
customer-facing EC site), different tiers (web, database), and different
applications from each other. It significantly reduces the risk of a
compromise in one area spreading easily to another.

At home, put a solid firewall like pfSense on the edge and you should be
fine. There are a few who might say that I'm completely naive or that I
just hate Microsoft because they're so awesome, or that I'm stupid -- but
if you're running a bunch of Windows systems in your house, I might lean
more toward the possibility of a LAN firewall. With macOS and Linux
systems, I'm not as worried about it. They are not perfect, but are
inherently more secure by design than Windows.

When I run Windows VMs on my Macs, I turn off as much of the shared desktop
crap in VMWare/Parallels as I can get away with - including all the file
sharing. I don't trust Windows enough to allow it access to my host files.
I also don't leave Windows VMs running.

To get back to your question: if people on my LAN are running Windows
systems, I'm going to think much harder about ensuring that the other
systems on my network have firewalls enabled. Sometimes I'm playing around
with mysql or redis, or am developing a webapp that I haven't secured yet,
or running other things that listen for traffic on the LAN. There's just
too much drive-by garbage that can happen on a Windows system without the
user even knowing, and that makes me wary of risking it.

Sidenote: I've also used host-based firewall rules to stop stuff like
Rubymine from broadcasting onto the LAN that it's running. If I happen to
have RM open on another host, it complains that I'm breaking the license
and must shut the application down.
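Added example, not code from this thread or any of its participants: a POSIX shell script for firewalld on CentOS 7 that takes the defensive route to the quoted question, accepting one listener's port only from the LAN subnet instead of opening every port, and (for the Rubymine sidenote) dropping an outbound UDP broadcast with a direct rule. The subnet 192.168.1.0/24 and the ports 8266 and 6942 are assumed placeholders; by default the script prints the firewall-cmd commands for review and only executes them with APPLY=1.

```shell
#!/bin/sh
# Added example (not from the thread): scope a LAN listener to one port from
# one subnet with firewalld on CentOS 7, instead of opening every port, and
# drop a chatty outbound broadcast. 192.168.1.0/24, 8266 and 6942 are
# constructed placeholders, not values taken from the thread.
LAN_CIDR="${LAN_CIDR:-192.168.1.0/24}"
OTA_PORT="${OTA_PORT:-8266}"
BCAST_PORT="${BCAST_PORT:-6942}"

# Print each firewall-cmd call, quoted so it can be pasted back; with APPLY=1
# (root, firewalld running) the commands are executed instead.
fw() {
  if [ "${APPLY:-0}" = "1" ]; then
    firewall-cmd "$@"
  else
    printf 'firewall-cmd'
    for a in "$@"; do printf " '%s'" "$a"; done
    printf '\n'
  fi
}

# A TCP/UDP port must be an integer in 1..65535.
validate_port() {
  case "$1" in ''|*[!0-9]*) return 1 ;; esac
  [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Accept OTA_PORT only from LAN_CIDR; hosts outside the subnet still see it
# closed. Dev listeners (mysql, redis) get no --add-port, so they stay hidden.
lan_only_port_rules() {
  cidr="$1"; port="$2"
  validate_port "$port" || { echo "bad port: $port" >&2; return 1; }
  fw --permanent --add-rich-rule="rule family=\"ipv4\" source address=\"$cidr\" port port=\"$port\" protocol=\"tcp\" accept"
}

# Stop a local application from announcing itself to the whole LAN: drop UDP
# to the limited broadcast address on its port (firewalld direct rule, OUTPUT).
block_outbound_broadcast() {
  port="$1"
  validate_port "$port" || return 1
  fw --permanent --direct --add-rule ipv4 filter OUTPUT 0 \
     -d 255.255.255.255 -p udp --dport "$port" -j DROP
}

lan_only_port_rules "$LAN_CIDR" "$OTA_PORT"
block_outbound_broadcast "$BCAST_PORT"
fw --reload   # --permanent rules only take effect after a reload
```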