IBM in the Quantum game

Ya’akov

Joined Jan 27, 2019
10,244
The difference in my cloistered LAN case is that the isolation was complete. There was no way outside the lab from the cloistered network. There was no router—only a switch. The devices all used fixed IPs and there was port security based on MAC address. So if your device wasn’t registered on the switch, then as soon as you plugged in, that port would be blocked.

Since the instruments were all assigned fixed IPs in a network I was guaranteed by our OIT (Office of Information Technology) would never be routed (172.16.16.0/24)*, plugging an instrument into a campus jack wouldn’t make it work on the Internet.

*Each lab had this network in it. While given my druthers I’d rather have had a bit or two more just in case (who knows? Massive array of RPis? Something I can’t even think of?) in practice, while I was there, we never ran out of addresses on a lab LAN.
I should add, the methods I used were based on what was available; they were by no means watertight in the face of a concerted effort to bypass them. But they were rate-limiting, and monitoring (SNMP from the switches) would likely have detected shenanigans, eliciting a reaction before too much damage could be done; and in terms of the casual user they would be effectively watertight against the meager pressure they’d be able to apply.
 

nsaspook

Joined Aug 27, 2009
16,330
The difference in my cloistered LAN case is that the isolation was complete. There was no way outside the lab from the cloistered network. There was no router—only a switch. The devices all used fixed IPs and there was port security based on MAC address. So if your device wasn’t registered on the switch, then as soon as you plugged in, that port would be blocked.

Since the instruments were all assigned fixed IPs in a network I was guaranteed by our OIT (Office of Information Technology) would never be routed (172.16.16.0/24)*, plugging an instrument into a campus jack wouldn’t make it work on the Internet.

*Each lab had this network in it. While given my druthers I’d rather have had a bit or two more just in case (who knows? Massive array of RPis? Something I can’t even think of?) in practice, while I was there, we never ran out of addresses on a lab LAN.
Basically the same. The DMZ DHCP server only gives out fixed IP addresses to the selected MAC addresses for the isolated, non-routed network machines. No packets are routed between networks at the networking level. Secure proxy client/server applications are used with user-level authentication for DMZ host sandbox logins for users.

Is it hackable? Sure, everything is when using hammers and blow torches on people, but it will stop generic Windows-targeted attacks from crossing the DMZ unless the attack is directly hacking the Linux server. The Linux server has its own protection for those sorts of attacks.
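The two posts above describe the same pair of controls: a switch that admits only the one MAC registered on each port, and a DHCP server that hands a fixed address to registered MACs only, inside a private range that is never routed off the lab. The following Python is an added illustration of that model, not code from either poster or from any switch or DHCP vendor. The port table, lease table, link-up events and the port names are all constructed; the subnet 172.16.16.0/24 is the one Ya’akov mentions. It also adds the consistency checks an admin would run over the two tables, and a per-port block count of the kind that SNMP polling of the switch would surface.

```python
"""Model of the cloistered lab LAN controls discussed in the thread:
MAC-based port security on the switch, fixed DHCP leases keyed by MAC,
and a check that the lab subnet is private (non-routed) address space.
All tables, port names and events below are constructed for illustration."""
from collections import Counter
from ipaddress import IPv4Address, IPv4Network
from typing import Optional

# The thread's lab network: RFC 1918 private space, never routed off campus.
LAB_NET = IPv4Network("172.16.16.0/24")

# Constructed port-security table: one registered MAC per switch port.
PORT_REGISTRY = {
    "Gi1/0/1": "00:11:22:33:44:01",
    "Gi1/0/2": "00:11:22:33:44:02",
    "Gi1/0/3": "00:11:22:33:44:03",
}

# Constructed fixed-lease table (MAC -> address), as on the DMZ DHCP server.
FIXED_LEASES = {
    "00:11:22:33:44:01": IPv4Address("172.16.16.11"),
    "00:11:22:33:44:02": IPv4Address("172.16.16.12"),
    "00:11:22:33:44:03": IPv4Address("172.16.16.13"),
}


def normalize_mac(mac: str) -> str:
    """Accept 00-11-22-33-44-01, 0011.2233.4401 or 00:11:22:33:44:01 and
    return the colon-separated lowercase form used by the tables."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def port_security_decision(port: str, mac: str) -> tuple:
    """Switch behaviour from the thread: a port admits only the MAC registered
    on it and is blocked for anything else (including unregistered ports)."""
    registered = PORT_REGISTRY.get(port)
    seen = normalize_mac(mac)
    if registered is None:
        return "block", f"{port}: no MAC registered on this port"
    if seen != registered:
        return "block", f"{port}: {seen} is not the registered MAC {registered}"
    return "allow", f"{port}: {seen} matches registration"


def dhcp_offer(mac: str) -> Optional[IPv4Address]:
    """DMZ DHCP behaviour from the thread: a fixed address for a registered
    MAC, and no offer at all (there is no dynamic pool) for anything else."""
    return FIXED_LEASES.get(normalize_mac(mac))


def audit_tables() -> list:
    """Consistency checks an admin would run over the two tables; returns a
    list of findings, empty when the tables are clean."""
    findings = []
    if not LAB_NET.is_private:
        findings.append(f"{LAB_NET} is not RFC 1918 private space")
    for mac, ip in FIXED_LEASES.items():
        if ip not in LAB_NET:
            findings.append(f"lease {mac} -> {ip} lies outside {LAB_NET}")
    for ip, n in Counter(FIXED_LEASES.values()).items():
        if n > 1:
            findings.append(f"address {ip} assigned to more than one MAC")
    for port, mac in PORT_REGISTRY.items():
        if mac not in FIXED_LEASES:
            findings.append(f"{port}: registered MAC {mac} has no fixed lease")
    return findings


def process_link_events(events) -> tuple:
    """Run (port, mac) link-up events through port security; return the
    decisions plus a per-port count of blocks, the kind of figure SNMP
    polling of the switch would surface to whoever watches the lab."""
    decisions = [port_security_decision(p, m) for p, m in events]
    blocks = Counter(p for (p, _), (d, _) in zip(events, decisions) if d == "block")
    return decisions, blocks


# Constructed link-up events: two registered instruments, a stray laptop
# plugged twice into a registered port, and a registered MAC on a port
# that has no registration at all.
EVENTS = [
    ("Gi1/0/1", "00-11-22-33-44-01"),
    ("Gi1/0/2", "0011.2233.4402"),
    ("Gi1/0/3", "aa:bb:cc:dd:ee:ff"),
    ("Gi1/0/3", "aa:bb:cc:dd:ee:ff"),
    ("Gi1/0/9", "00:11:22:33:44:01"),
]

if __name__ == "__main__":
    decisions, blocks = process_link_events(EVENTS)
    for decision, why in decisions:
        print(decision.upper(), why)
    print("blocks per port:", dict(blocks))
    print("audit:", audit_tables() or "clean")
```

The point the model makes explicit is that the two controls fail closed independently: a device on the wrong port never gets link, and a device that somehow gets link but is not in the lease table never gets an address in the lab range, so a misplugged instrument on a campus jack is simply unreachable rather than exposed.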
 