The bigger concern is that infections can spread. Even if the printer isn’t accessible via WAN, something on the network will be. So if something else gets infected, it will be able to spread to the printer via LAN. Unless it’s the only thing on the network, LAN-only won’t fully protect it from infection.
And once it’s infected, you have a rogue device on your network. It can use things like UPnP to access the WAN, turning it into a node for someone’s botnet.
Set some firewall rules. The printer doesn’t need to be able to make any outbound connections. It only needs inbound connections on a few ports to work.
I feel like you glossed over the “you have a rogue device on your network” side of things. Even if it can’t reach the internet directly, it will still quietly sit there and try to infect every other device on your network.
If you’re not in the habit of updating your firmware, (and in this case, you’re actively defeating firmware updates), that infection can quickly snowball.
Isn’t the concern that if you infect a printer locally, you can use that to “pivot” to another device on that network that IS connected to the internet?
I don’t really understand your snippet. But yeah i think the issue with IoT devices having connection to any other network device at all is that if they have a security hole that can be exploited through a malicious USB drive or BT or any other compromised device it can connect to, that it can act maliciously in a number of ways. The only true security for devices that can’t get patched is a complete air gap for any connected devices.
Printers only need a LAN connection. There is no need to give them internet access.
The bigger concern is that infections can spread. Even if the printer isn’t accessible via WAN, something on the network will be. So if something else gets infected, it will be able to spread to the printer via LAN. Unless it’s the only thing on the network, LAN-only won’t fully protect it from infection.
And once it’s infected, you have a rogue device on your network. It can use things like UPnP to access the WAN, turning it into a node for someone’s botnet.
Set some firewall rules. The printer doesn’t need to be able to make any outbound connections. It only needs inbound connections on a few ports to work.
I feel like you glossed over the “you have a rogue device on your network” side of things. Even if it can’t reach the internet directly, it will still quietly sit there and try to infect every other device on your network.
If you’re not in the habit of updating your firmware, (and in this case, you’re actively defeating firmware updates), that infection can quickly snowball.
Isn’t the concern that if you infect a printer locally, you can use that to “pivot” to another device on that network that IS connected to the internet?
I see your point, I hadn’t thought about it this way. I think what you’re suggesting is this:
I don’t really understand your snippet. But yeah i think the issue with IoT devices having connection to any other network device at all is that if they have a security hole that can be exploited through a malicious USB drive or BT or any other compromised device it can connect to, that it can act maliciously in a number of ways. The only true security for devices that can’t get patched is a complete air gap for any connected devices.