G+_John Mink, posted September 27, 2014:
Fr. Robert Ballecer, SJ, when you talked about your home network you said everything starts on its own vlan with only itself & the internet & only merges when necessary. How would that work for something like a NAS, which I really don't EVER want talking to the internet? I'm thinking specifically about a NAS, where the only thing my NAS does is host files for other machines. Every request comes from another machine on the network. So actually "if this machine (the NAS) ever attempts to connect to any external device - block it" would actually be an EXCELLENT rule...but I don't see how it fits in with your model (though I'm sure there's a way).
G+_Travis Hershberger, posted September 27, 2014:
Keep in mind that his "home" network is probably set up this way to protect the network from virus/malware getting in. It'd be interesting to have a walkthrough on setting something like that up! On any sort of normal home network I'd just give the NAS a dedicated IP address and add a block for that IP address at the router.
G+_Jonathan Schober, posted September 27, 2014:
A VERY simple way would be to set the "Default Gateway"/"Router" to null/nothing/empty.
G+_Timothy Waters, posted September 27, 2014:
Use a pfSense box and set up some vlans. Specify that said NAS is on a vlan with all ports blocked to the net.
G+_John Mink (Author), posted September 27, 2014:
Travis Hershberger I assure you, Padre doesn't have "any sort of normal home network" :p Also, he said one of the major benefits of his setup is that his devices are isolated when they get pwned. Or devices he lets onto his network (cause really, how can you NOT let grammy onto your WiFi, even if she doesn't have the best network security practices).
Jonathan Schober maybe, but would that interfere in some way with it merging vlans? Also, what happens when it merges with a vlan which DOES have an exit/whatnot?
Timothy Waters yup, I was just wondering how Padre was doing it with his crazy setup!
G+_Travis Hershberger, posted September 28, 2014:
John Mink Yeah, most corporate networks aren't set up like that. Of course they have a lot more control over what gets used within the network, makes for a big difference in security models.
G+_John Mink (Author), posted September 29, 2014:
Travis Hershberger not sure about the internals of corporate networks but I expect they are set up like this at some point. After all, this equipment isn't designed for home users. So certainly corporations don't have it between each computer, but maybe between divisions/sectors (or physical buildings)...or maybe just internal vs external? But also, even without the BYOD movement...people have NEVER been good at following IT instructions of "don't use your personal devices". And most importantly, I'm still not understanding how a device which should never leave the network works on a network where the ONLY thing this device sees is the exit >_>
G+_Bob Buell, posted October 2, 2014:
The description of this network in show 112 is pretty amazing. I wish I could afford this type of equipment.... and figure out how to DO it.
G+_John Mink (Author), posted October 4, 2014:
Bob Buell and the tech is only getting better!