Ideas to secure network from network music player
-
@bmeeks Thanks for your comments.
Since I need to control the player with my or my wife's smartphone and it also needs to access my local DLNA server I probably cannot put it in a separate VLAN.
For other measures I guess I could check the DNS requests and block some if I feel they do not make sense.
-
@bmeeks said in Ideas to secure network from network music player:
One problem you will have when putting the device on its own separate VLAN or subnet is that devices on your regular LAN will most likely be unable to see the music player or connect with it.
He could block the player's IP from accessing the Internet. Static map the IP, so it won't change.
-
@JKnott said in Ideas to secure network from network music player:
He could block the player's IP from accessing the Internet.
Yes, but my gut feeling is that the device is going to need to phone home in some manner or otherwise get to the web for its basic functionality to work. If nothing else, maybe for firmware updates or some authentication mechanism.
It seems just about everything these days just automatically assumes it can see and communicate with the web at will. Heck, even pfSense itself can't operate smoothly without a ready Internet connection. Try running it in an air-gapped situation and you will immediately see how unpleasant that can be. I would not be surprised for the OP's music device to be similarly inclined.
I managed both air-gapped and data diode protected digital assets in nuclear power plants for a few years. It provides great cyber security, but man oh man is it a royal pain to do software updates, activate software licenses, and perform similar tasks. And more and more vendors these days just assume the Internet is there and a connection available, and they make their software dependent on that always-on connection. They look at you like you've lost your mind when you ask them how to do tasks with no Internet connection present.
-
@bmeeks said in Ideas to secure network from network music player:
@JKnott said in Ideas to secure network from network music player:
He could block the player's IP from accessing the Internet.
Yes, but my gut feeling is that the device is going to need to phone home in some manner or otherwise get to the web for its basic functionality to work.
I definitely need Internet access on the device; besides general functionality, I am listening to internet radio on it.
I will monitor DNS requests with Pi-hole; there is at least a chance to pick up something that might not be right.
-
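Added example (not from the thread, and not part of Pi-hole): one way to do the DNS monitoring described in the post above. Pi-hole writes queries in dnsmasq's log format, so the script below parses lines of that shape, keeps only queries from the player's (assumed static) IP, and counts every name that is not under an allowlist of domains the player is expected to need. The log lines, the player IP 192.168.1.50 and the allowlist are all constructed for the example.

```python
import re
from collections import Counter

# Constructed sample lines in the dnsmasq/Pi-hole log format (not real captures).
SAMPLE_LOG = """\
Mar  3 10:11:12 dnsmasq[1234]: query[A] radio.example.com from 192.168.1.50
Mar  3 10:11:12 dnsmasq[1234]: forwarded radio.example.com to 127.0.0.1
Mar  3 10:11:13 dnsmasq[1234]: query[AAAA] radio.example.com from 192.168.1.50
Mar  3 10:11:20 dnsmasq[1234]: query[A] telemetry.vendor-example.net from 192.168.1.50
Mar  3 10:11:21 dnsmasq[1234]: query[A] www.example.org from 192.168.1.21
Mar  3 10:11:25 dnsmasq[1234]: query[A] telemetry.vendor-example.net from 192.168.1.50
Mar  3 10:11:30 dnsmasq[1234]: query[A] time.example.com from 192.168.1.50
"""

# Assumed values: the player's static DHCP mapping and the domains it legitimately needs.
PLAYER_IP = "192.168.1.50"
ALLOWED_SUFFIXES = ("example.com",)

# Matches the "query[TYPE] name from client" lines; other dnsmasq lines are ignored.
QUERY_RE = re.compile(
    r"dnsmasq\[\d+\]: query\[(?P<qtype>[A-Z0-9]+)\] (?P<name>\S+) from (?P<src>\S+)"
)


def parse_queries(log_text):
    """Yield (query type, lower-cased name, client IP) for every query line."""
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if m:
            yield m.group("qtype"), m.group("name").lower().rstrip("."), m.group("src")


def is_allowed(name, suffixes):
    """True if name equals an allowlisted domain or is a subdomain of one."""
    return any(name == s or name.endswith("." + s) for s in suffixes)


def unexpected_queries(log_text, client_ip=PLAYER_IP, suffixes=ALLOWED_SUFFIXES):
    """Names queried by client_ip that fall outside the allowlist, most frequent first."""
    counts = Counter()
    for _qtype, name, src in parse_queries(log_text):
        if src == client_ip and not is_allowed(name, suffixes):
            counts[name] += 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    for name, n in unexpected_queries(SAMPLE_LOG):
        print(f"{n:4d}  {name}")
```

Run against the real log (`/var/log/pihole.log` on a default install) by reading the file into `unexpected_queries`; anything that shows up repeatedly and is not needed for radio streaming is a candidate for a Pi-hole blocklist entry, while the allowlist keeps the names the device genuinely needs from cluttering the output.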
You might be able to make it work across subnets using pimd but it can be very variable between devices, protocols etc.
-
If you would like to experiment with data diodes, I created a beginners' workshop.
There is a simple example streaming audio/video via RTSP using VLC. From there you could create your own more advanced setup.
https://github.com/vrolijk/osdd
-
@Rene-0 Thanks for the idea. I will take a look into that topic.
-
@stephenw10
I'm curious why the recommendation for pimd and not also avahi?
-
Avahi does nothing for DLNA as far as I know. That's what most of these services are trying to use.
-
@stephenw10 Yeah, avahi, per their own website:
"Avahi is a system which facilitates service discovery on a local network via the mDNS/DNS-SD protocol suite"
I wouldn't have any use for DLNA discovery, which would be SSDP on port 1900, pretty sure.
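Added example (not from the thread): since DLNA discovery runs over SSDP on UDP port 1900, a small parser for those announcements is a cheap way to inventory what is advertising itself on the LAN. The code below groups SSDP NOTIFY messages and M-SEARCH responses by device UUID and flags any announcement whose LOCATION header points at a host other than the sender, which is worth a second look on a home network. The datagrams, sender addresses and UUIDs are constructed for the example; on a real network you would feed it packets received from a socket bound to the multicast group.

```python
from urllib.parse import urlsplit

# Constructed SSDP datagrams as (sender_ip, payload) pairs; not real captures.
SAMPLE_DATAGRAMS = [
    # The music player announcing itself as a MediaRenderer (constructed).
    ("192.168.1.50",
     b"NOTIFY * HTTP/1.1\r\n"
     b"HOST: 239.255.255.250:1900\r\n"
     b"CACHE-CONTROL: max-age=1800\r\n"
     b"LOCATION: http://192.168.1.50:49152/description.xml\r\n"
     b"NT: urn:schemas-upnp-org:device:MediaRenderer:1\r\n"
     b"NTS: ssdp:alive\r\n"
     b"SERVER: Linux/4.4 UPnP/1.0 ExamplePlayer/1.0\r\n"
     b"USN: uuid:11111111-1111-1111-1111-111111111111::urn:schemas-upnp-org:device:MediaRenderer:1\r\n"
     b"\r\n"),
    # The same player announcing one of its services (same UUID, different NT).
    ("192.168.1.50",
     b"NOTIFY * HTTP/1.1\r\n"
     b"HOST: 239.255.255.250:1900\r\n"
     b"LOCATION: http://192.168.1.50:49152/description.xml\r\n"
     b"NT: urn:schemas-upnp-org:service:AVTransport:1\r\n"
     b"NTS: ssdp:alive\r\n"
     b"USN: uuid:11111111-1111-1111-1111-111111111111::urn:schemas-upnp-org:service:AVTransport:1\r\n"
     b"\r\n"),
    # The local DLNA server (constructed).
    ("192.168.1.10",
     b"NOTIFY * HTTP/1.1\r\n"
     b"HOST: 239.255.255.250:1900\r\n"
     b"LOCATION: http://192.168.1.10:8200/rootDesc.xml\r\n"
     b"NT: urn:schemas-upnp-org:device:MediaServer:1\r\n"
     b"NTS: ssdp:alive\r\n"
     b"USN: uuid:22222222-2222-2222-2222-222222222222::urn:schemas-upnp-org:device:MediaServer:1\r\n"
     b"\r\n"),
    # An announcement whose LOCATION points somewhere other than the sender (constructed).
    ("192.168.1.77",
     b"NOTIFY * HTTP/1.1\r\n"
     b"HOST: 239.255.255.250:1900\r\n"
     b"LOCATION: http://203.0.113.9/description.xml\r\n"
     b"NT: upnp:rootdevice\r\n"
     b"NTS: ssdp:alive\r\n"
     b"USN: uuid:33333333-3333-3333-3333-333333333333::upnp:rootdevice\r\n"
     b"\r\n"),
]


def parse_ssdp(payload):
    """Split an SSDP datagram into its start line and an upper-cased header dict."""
    text = payload.decode("utf-8", errors="replace")
    head = text.partition("\r\n\r\n")[0]
    lines = head.split("\r\n")
    if not lines or not lines[0]:
        return None
    headers = {}
    for line in lines[1:]:
        key, sep, value = line.partition(":")
        if sep:
            headers[key.strip().upper()] = value.strip()
    return lines[0], headers


def inventory(datagrams):
    """Group announcements by device UUID and flag LOCATION headers that do not match the sender."""
    devices = {}
    findings = []
    for sender, payload in datagrams:
        parsed = parse_ssdp(payload)
        if parsed is None:
            continue
        start_line, h = parsed
        # Only NOTIFY announcements and M-SEARCH responses carry a USN/LOCATION pair.
        if not (start_line.startswith("NOTIFY") or start_line.startswith("HTTP/1.1 200")):
            continue
        usn = h.get("USN", "")
        if not usn.startswith("uuid:"):
            continue
        uuid = usn.split("::", 1)[0]
        location = h.get("LOCATION", "")
        loc_host = urlsplit(location).hostname
        entry = devices.setdefault(uuid, {"sender": sender, "location": location,
                                          "server": h.get("SERVER", ""), "types": set()})
        entry["types"].add(h.get("NT") or h.get("ST") or usn)
        if loc_host != sender:
            findings.append((sender, uuid, f"LOCATION host {loc_host!r} does not match sender"))
    return devices, findings


if __name__ == "__main__":
    devs, flags = inventory(SAMPLE_DATAGRAMS)
    for uuid, d in devs.items():
        print(uuid, d["sender"], d["server"], sorted(d["types"]))
    for f in flags:
        print("FLAG:", f)
```

The "types" set is what tells you whether a box is a renderer (something that plays), a server (something that serves media) or both, which is the distinction that matters when deciding what needs to reach what across subnets.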