I guess I'm not really sure what you're advocating.
These measures sound good for you, but what percentage of HN readers can do that? How many threats does it eliminate in practice beyond what you'd get from basic VPN + firewall?
There's always additional security measures you can take, but the costs go up and the marginal benefits go down.
It's a bit like saying it's not sufficient for other HN users to deadbolt their doors because it's weaker than the armed guards that patrol your property 24/7.
Well what are you advocating? It seems like you are suggesting that device security isn't important because it is hard to do and a firewall will solve most problems.
But at the same time we are looking at a vulnerability that works through a firewall.
I am just suggesting that even in the presence of a firewall we should expect appliances to be secure on a hostile network. That is the standard we should hold vendors to. Much like Android, iOS, Windows and macOS hold themselves to this standard.
I'm also not saying that you should test this standard, defence in depth is very valuable. But I don't think saying "it is hard and a firewall solves many issues" is a good reason to forgive these vendors for shit security.
>Well what are you advocating? It seems like you are suggesting that device security isn't important because it is hard to do and a firewall will solve most problems.
I'm advocating firewall with no inbound traffic + VPN for remote access. It mitigates most of the risk of devices on your network having security vulnerabilities.
My original comment in this thread was that it's more important to firewall + VPN your network than it is to pick a network appliance with a good security record.
I agree that there certainly are additional precautions you can take, but I think firewall + VPN defends against most practical attacks the average HN user would encounter.
Firewall + VPN is something a large proportion of HN (40%?) is capable of doing with about an hour of effort. I think it's a pretty small segment of HN that's even capable of the precautions you're talking about (separate VLANs, custom certificates, hardening every host), and it would take person-days of effort to replicate.
>But I don't think saying "it is hard and a firewall solves many issues" is a good reason to forgive these vendors for shit security.
I don't forgive vendors for shit security. I agree with you that we should hold vendors accountable. RCE on an unauthenticated GET request is absurdly incompetent and irresponsible, and D-Link deserves punishment. That said, I'm not in a position to influence D-Link, but I am in a position to help users protect themselves if appliances on their network have mistakes like this.
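As a concrete illustration of the "no inbound traffic + VPN for remote access" posture argued for above, here is an added nftables ruleset; it is an example written for this discussion, not code from the thread, and it assumes a WAN interface named eth0, a LAN interface named eth1, and a WireGuard endpoint on udp/51820 with tunnel interface wg0.

```nft
#!/usr/sbin/nft -f
# Added example ruleset (not from the thread). Assumed interface names:
# eth0 = WAN, eth1 = LAN, wg0 = WireGuard tunnel; assumed VPN port udp/51820.
# NAT (masquerade) for LAN/VPN clients is configured separately and is out of scope here.

flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;

        # Always allow loopback and replies to connections this host initiated.
        iif "lo" accept
        ct state established,related accept
        ct state invalid drop

        # ICMP/ICMPv6 are needed for path MTU discovery and IPv6 neighbour discovery.
        ip protocol icmp accept
        ip6 nexthdr icmpv6 accept

        # The only service exposed to the internet: the WireGuard endpoint.
        iif "eth0" udp dport 51820 accept

        # Management of this box (SSH) only from the LAN or over the VPN tunnel.
        iif { "eth1", "wg0" } tcp dport 22 accept

        # Everything else is dropped; the counter makes unsolicited inbound hits visible.
        counter drop
    }

    chain forward {
        type filter hook forward priority 0; policy drop;

        ct state established,related accept
        ct state invalid drop

        # LAN and VPN clients may reach each other and the internet.
        iif { "eth1", "wg0" } accept

        # Nothing unsolicited from the WAN is forwarded to appliances on the LAN,
        # so an unauthenticated request to a device's web interface never
        # arrives from outside; it can only come from the LAN or the VPN.
    }
}
```

Load it with `nft -f <file>` and check `nft list ruleset`; the `counter` on the final input rule shows how much unsolicited inbound traffic the default-drop policy is absorbing.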