Is it safe?
November 13, 2012 9:45 AM Subscribe
Yesterday I added a network print server device to my home network. How can I know that it is secure? Can I firewall it to prevent it from sending anything out to the internet? A few more details inside.
I bought this no-brand print server device and hooked it up yesterday. It's working fine. I have no particular reason to distrust it, but OTOH, I'm not sure I should blindly trust it either. I think it can see all the activity on my home network if it chose to do so (router experts can correct me here if I'm wrong). If so, it could be potentially be harvesting passwords or cookies, etc. and sending them out somewhere on the internet.
I'm on a DSL connection and have a fairly crappy old westell modem/router with a custom UI added by my ISP. I don't think the modem has detailed controls that would allow me to firewall off this device from the internet. If it was doing something evil, it could probably forge packets anyway that would get past the firewall.
This is all most likely just excess paranoia and it's probably fine. But are there any steps I could take to be sure? Perhaps in the future I should think twice about buying no-name IP devices. Thanks in advance.
I bought this no-brand print server device and hooked it up yesterday. It's working fine. I have no particular reason to distrust it, but OTOH, I'm not sure I should blindly trust it either. I think it can see all the activity on my home network if it chose to do so (router experts can correct me here if I'm wrong). If so, it could be potentially be harvesting passwords or cookies, etc. and sending them out somewhere on the internet.
I'm on a DSL connection and have a fairly crappy old westell modem/router with a custom UI added by my ISP. I don't think the modem has detailed controls that would allow me to firewall off this device from the internet. If it was doing something evil, it could probably forge packets anyway that would get past the firewall.
This is all most likely just excess paranoia and it's probably fine. But are there any steps I could take to be sure? Perhaps in the future I should think twice about buying no-name IP devices. Thanks in advance.
There's a greater than 99% probability that your print server is not spying on you.
However, you have a few options. You can monitor its network usage with a packet sniffer like Wireshark. The second thing is to buy a smart switch that lets you make sure no internet-bound traffic from your computer flows past the printer server.
But—really—there's probably nothing to worry about.
posted by paulg at 10:04 AM on November 13, 2012
However, you have a few options. You can monitor its network usage with a packet sniffer like Wireshark. The second thing is to buy a smart switch that lets you make sure no internet-bound traffic from your computer flows past the printer server.
But—really—there's probably nothing to worry about.
posted by paulg at 10:04 AM on November 13, 2012
Response by poster: Thanks for your answers. I agree that is is almost certainly fine. I was a little disturbed when I looked at it and found that there is not a single bit of branding on the device or in its manual, which got me wondering about security. But don't worry, I'm not sweating bullets about it. I was just wondering if there was some step I could take that I had not thought of.
posted by DarkForest at 10:16 AM on November 13, 2012
posted by DarkForest at 10:16 AM on November 13, 2012
Best answer: Is this device connected to an ethernet switch? Switches intelligently direct traffic based on where it's going/coming from and severely limit the extent to which traffic can be "seen", i.e. the print server, by virtue of it just being connected to your LAN, doesn't automatically get to see all the traffic traveling across your LAN. It's not like the days of ethernet hubs when the entire network was effectively a party line that anyone could listen in on.
That being said, to further segregate your LAN, you could set up a Virtual LAN with a different IP subnet to completely partition off untrusted devices. I've done this with OpenWRT and a cast off Linksys WRT54g. I have two VLANs each with a different IP subnet and a few firewall rules to govern how traffic can pass from one part of the network to the other.
posted by RonButNotStupid at 10:26 AM on November 13, 2012
That being said, to further segregate your LAN, you could set up a Virtual LAN with a different IP subnet to completely partition off untrusted devices. I've done this with OpenWRT and a cast off Linksys WRT54g. I have two VLANs each with a different IP subnet and a few firewall rules to govern how traffic can pass from one part of the network to the other.
posted by RonButNotStupid at 10:26 AM on November 13, 2012
Response by poster: You're right. I was thinking of it more like a hub than a switch. I can check to see if traffic is not being sent on all links. If not, then there's no problem. Thanks!
posted by DarkForest at 11:03 AM on November 13, 2012
posted by DarkForest at 11:03 AM on November 13, 2012
« Older How can I make excel break multiple rows into new... | US bank recommendation for Canadians recently... Newer »
This thread is closed to new comments.
If it was truly something evil, then you can't do much to stop it. But if you're so paranoid, why is it even on your network? You could set up seperate vlans and segregate it from the rest of the network, but then you will need to upgrade your network hardware.
Also, you could set up a packet sniffer or transparent proxy between it and the internet, and monitor the traffic coming from the device.
posted by defcom1 at 10:00 AM on November 13, 2012