
> Sure. but this is a Network Attached Storage product, and the user explicitly chose to use network functions (domains, http), it's not the same category of issue.

Is it fair to say that you're saying that it should be considered normal to expect that network-attached devices (designed and sold by reliable, aboveboard companies) connected to (V)LANs with no Internet access will be configured to use computers that use their management interfaces (whether GUI, CLI, or API) as "jumpboxes" to attempt to phone home with information about their configuration and other such "telemetry"?

Do carefully note what I'm asking: whether it should be considered normal to do this, rather than considering it to be somewhat outrageous. It's obviously possible to do this in the same way that it's obviously possible to do things like scratch the paint on a line of cars parked on the street, or adulterate food and medicine.



Yes, correct.

If you are using a storage device with a Layer 3 interface, you have already signed off that you aren't too concerned with the connection being airgapped. Otherwise you would have used a Layer 1 protocol, or hell, even a layer 2.

You are giving the thing an IP address and IP capabilities? It's like signing one of those lengthy disclaimers that you might die and won't sue anyone for side effects.

Not saying it needs to happen, but you can't be surprised if it does.


> If you are using a storage device with a Layer 3 interface, you have already signed off that you aren't too concerned with the connection being airgapped.

I'll proceed as if you're ignorant, rather than looking for a (pretty weak-ass) fight. (I'm always (unjustifiably) surprised that folks are unaware of the capabilities of Mikrotik kit.)

There's a world of difference between a bottom-of-the-barrel SOHO LAN where your only host isolation mechanism is to pray that the host in question never bypasses your firewall rules by changing their IP or MAC address, and a just slightly better one where your switch ports mark host traffic [0] and the edge router uses those infrastructure-controlled marks (rather than IP and MAC address, which are controlled by the host you're trying to isolate) to know what networks that host's traffic is permitted to travel across.

This marking technique is called VLAN tagging and has been around since at least 1998. Routers and switches that are capable of using VLAN tagging are inexpensive; from Newegg you can get a Mikrotik RB2060GSP six-port switch for ~65USD and a Mikrotik hEX router (which is also a four-port switch) for ~70USD.

This notion that you have about IP network security has been out of date for more than a quarter century. Now that you're aware of what's possible, hopefully you'll go have some fun with the kit that Mikrotik is producing; it's good stuff.

[0] ...and, to prevent forgeries, drop traffic that the host already marked...
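The port-marking scheme described in this comment, as an added example that is not part of the thread and not Mikrotik code: a minimal model of an 802.1Q access port that tags every untagged ingress frame with the port's PVID, drops frames the host tagged itself, and an edge-router check that consults only the switch-applied VLAN id. The MAC addresses, VLAN numbers and WAN policy are constructed for the demo.

```python
import struct
from typing import Optional, Tuple

TPID_8021Q = 0x8100      # EtherType value that announces an 802.1Q tag
ETHERTYPE_IPV4 = 0x0800


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes,
                vid: Optional[int] = None) -> bytes:
    """Assemble an Ethernet frame, optionally with a host-inserted 802.1Q tag."""
    hdr = dst + src
    if vid is not None:
        hdr += struct.pack("!HH", TPID_8021Q, vid & 0x0FFF)   # PCP=0, DEI=0
    return hdr + struct.pack("!H", ethertype) + payload


def parse_frame(frame: bytes) -> Tuple[bytes, bytes, Optional[int], int, bytes]:
    """Return (dst, src, vlan_id or None, ethertype, payload)."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype == TPID_8021Q:
        tci, inner = struct.unpack("!HH", frame[14:18])
        return dst, src, tci & 0x0FFF, inner, frame[18:]
    return dst, src, None, ethertype, frame[14:]


def access_port_ingress(frame: bytes, pvid: int) -> Optional[bytes]:
    """Switch-port rule from the thread: the infrastructure picks the VLAN.
    Untagged frames get the port's PVID; frames the host already tagged are
    dropped (None), so a host cannot forge its way into another VLAN."""
    dst, src, vid, ethertype, payload = parse_frame(frame)
    if vid is not None:
        return None
    return dst + src + struct.pack("!HHH", TPID_8021Q, pvid & 0x0FFF, ethertype) + payload


def wan_allowed(tagged_frame: bytes, policy: dict) -> bool:
    """Edge-router decision keyed on the switch-applied VLAN id only; the
    source MAC and IP in the frame are host-controlled and deliberately ignored."""
    _, _, vid, _, _ = parse_frame(tagged_frame)
    return vid is not None and bool(policy.get(vid, False))


def demo() -> Tuple[bool, bool]:
    """Constructed scenario: NAS sits on a port with PVID 20 (no WAN); a
    workstation VLAN 10 may reach the WAN. Returns (spoof_reaches_wan, forged_dropped)."""
    policy = {10: True, 20: False}
    gw, ws_mac, nas_mac = (bytes.fromhex(h) for h in ("020000000001", "020000000010", "020000000020"))
    spoofed = build_frame(gw, ws_mac, ETHERTYPE_IPV4, b"\x45")          # NAS borrows the workstation MAC
    forged = build_frame(gw, nas_mac, ETHERTYPE_IPV4, b"\x45", vid=10)  # NAS pre-tags itself into VLAN 10
    tagged = access_port_ingress(spoofed, pvid=20)                       # still lands in VLAN 20
    return wan_allowed(tagged, policy), access_port_ingress(forged, pvid=20) is None
```

Running `demo()` returns `(False, True)`: the MAC spoof changes nothing because the switch, not the host, chose the VLAN, and the pre-tagged frame never leaves the port.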

