Wow, I would argue that having your 3D printers on your Ethernet is not by default “fine”. You never know what’s in the firmware. Any device could have rogue code in it and be used as a base for attacking other devices on your network. Theoretically, at least. Sorry, this is what I do for my day job.
That same paranoia could extend to absolutely any USB device, since it is trivial to embed an extra USB chip in the plug casing alone, and have that serve up malicious code.
At the end of the day, you have to trust your vendors, or run virtual machines and packet sniffers on absolutely everything.
Actually, that’s why many hospitals disable the USB port, perhaps allowing only specific devices…
Truly, the IoT explosion has created a completely different attack front.
I never thought a fridge, smart bulb, baby cam, security system and/or even a wifi firewall router would need to be monitored, because manufacturers had not thought that uninvited “guests” would ever try to do something with their product.
It is nice that those things can be isolated, but when companies hardcode access passwords or use developers who create internal shortcuts on their products, which then get incorporated into a vast variety of networked home products, it just makes your head drop and makes you want to cry in your drink.
Ease of use versus risk exposure is always a nasty balancing act. That is why I get to do what I do.
Pour yourself a cold one, raise your glass and “Cheers” to you.
Sigh. I do this too for a living. I am the chief information architect and worry about this stuff too for my job. It’s “fine” in the sense that they generally don’t complain when my group and I hook Ethernet-based devices to our network (we are one of the software dev teams after all), since they know what/where/who based on physical location and can shut the port off if they are suspicious. Also we are on a VLAN away from other systems and connect to the rest of the network via the core switch after undergoing deep packet inspection (I actually requested that, since we occasionally need to test deep segmentation events, so I wanted to be able to screw up our network in an isolated fashion).
We actually disable all USB on all the hospital machines (now folks’ machines in their offices are open) but at least we know who/where.
With the latest two USB port attacks, “Snagging creds from locked machines” and PoisonTap, I am amazed that hospitals and businesses have not hot glued all USB ports closed.
In part, I like the lack of cable connectivity to the GF to at least allow network control and isolation from a security focused platform. Also, not having to deal with USB (Universal pain in the b*tt … I mean Universal Serial Bus) idiosyncrasies that occur because of 1.0, 1.1, 2.0, 3.0 and 3.1 implementations and manufacturing variations, limits what could possibly be wrong when issues arise.
Many have. In my company I’ve deployed two different methods of controlling USB devices. One completely disables USB; the other allows specific approved devices, specified by any combination of things (brand, model, even serial number if I just wanted to allow one specific device).
There are excellent Ethernet-focused port isolation techniques, and we use them. It is easier in some ways to isolate ports (you can physically shut them off), while simple DDoS-style attacks (i.e. jamming) are trivial with wifi. Also the performance difference is so great (I realize for the GF that is irrelevant), plus the whole protocol/login creds/etc. insanity. We have a fairly rapid password change policy, and of course if you forget some wifi-enabled device, it tries to log in when the DHCP lease expires and then, after 3 retries, causes your account to lock. Ugh…
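A way to tell the lockouts described in this post (one forgotten device retrying to the lockout limit at each lease renewal) apart from lockouts with many sources, as an added example that is not from this thread; the log format and the MAC-keyed `src` field are constructed for illustration:

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample: alice's stale device retries 3 times each hour;
# bob's failures come from three different clients within seconds.
SAMPLE_LOG = """\
2024-03-01T08:00:00 auth-fail user=alice src=aa:bb:cc:00:00:01
2024-03-01T08:00:05 auth-fail user=alice src=aa:bb:cc:00:00:01
2024-03-01T08:00:10 auth-fail user=alice src=aa:bb:cc:00:00:01
2024-03-01T09:00:00 auth-fail user=alice src=aa:bb:cc:00:00:01
2024-03-01T09:00:05 auth-fail user=alice src=aa:bb:cc:00:00:01
2024-03-01T09:00:10 auth-fail user=alice src=aa:bb:cc:00:00:01
2024-03-01T08:01:00 auth-fail user=bob src=aa:bb:cc:00:00:10
2024-03-01T08:01:02 auth-fail user=bob src=aa:bb:cc:00:00:11
2024-03-01T08:01:04 auth-fail user=bob src=aa:bb:cc:00:00:12
"""
LOCKOUT_THRESHOLD = 3  # failed tries before the account locks (as in the post)

def parse(log):
    """Group (timestamp, source) pairs per user from the constructed format."""
    events = defaultdict(list)
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[1] != "auth-fail":
            continue
        ts = datetime.fromisoformat(parts[0])
        user, src = parts[2].split("=", 1)[1], parts[3].split("=", 1)[1]
        events[user].append((ts, src))
    return events

def bursts(times, gap_seconds=60):
    """Split sorted timestamps into runs of failures closer than gap_seconds."""
    runs = []
    for t in times:
        if runs and (t - runs[-1][-1]).total_seconds() <= gap_seconds:
            runs[-1].append(t)
        else:
            runs.append([t])
    return runs

def classify(log, threshold=LOCKOUT_THRESHOLD):
    """Label each user who reached the lockout limit by the shape of the failures."""
    verdicts = {}
    for user, evs in parse(log).items():
        evs.sort()
        if len(evs) < threshold:
            continue  # never reached a lockout
        if len({src for _, src in evs}) > 1:
            verdicts[user] = "multi-source"  # several clients: investigate, not a stale device
            continue
        runs = bursts([t for t, _ in evs])
        # one client, repeatedly retrying exactly to the limit: the forgotten-device pattern
        stale = len(runs) >= 2 and all(len(r) == threshold for r in runs)
        verdicts[user] = "stale-device" if stale else "single-source"
    return verdicts
```

The `stale-device` verdict points at the client to fix (or unenroll) rather than at the account holder; `multi-source` is the one worth escalating.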
AAAUUUGGHHH… I hate account lock policies that get tripped by automated processes or devices that are just trying to connect and trip the security lockdowns. Even worse when you have multiple devices that start a round robin lockout because you can’t get them all changed at the same time.
Worse yet, the quick series of multiple lockouts causes an elevation of security response that requires senior security administrator resolution.
This, even for non-automated devices. The same “convenience” that lets you share stuff seamlessly among phones, tablets, desktops and whatever else means that if you ever forget/lose a credential, you’d better have all your devices in the same place when you do the recovery. (Or else rely on some not-so-safe out-of-band transport mechanism.)
Which is a product of compression. What happens when you lift the boot? Deprinting?