
The only difference between an outbound and an inbound connection, and most particularly from an Internet of Shit untrusted, incompetently designed, compromised-on-sight device, is who commits the first SYN.

(Why does it always come back to the original SYN?)

Dan Kaminsky's demonstrated streaming video over DNS. There's NFS-over-SMTP. If there's a transport, you can tunnel over it.

https://www.defcon.org/html/links/dc_press/archives/12/cbr_d...

Tools to limit specific internal hosts to specific external nodes might help. No need for any Internet of Shit device to talk randomly to anywhere on the Internet. But from past experience, vendor hosts are bad enough. Particularly if you can't tell from IP or hostname who owns it (datacenters, virtual hosting, AWS).
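Added example, not part of the original comment: one way to audit the "specific internal hosts to specific external nodes" idea is to check exported flow records against a per-device egress allowlist, denying by default. The device addresses, policy entries, flow records and the `min_prefix` threshold are constructed assumptions; the broad-rule check reflects the comment's caveat that a shared hosting or cloud range says little about who owns the destination.

```python
import ipaddress
from typing import NamedTuple

class Rule(NamedTuple):
    net: ipaddress.IPv4Network
    proto: str
    port: int

def rule(cidr, proto, port):
    return Rule(ipaddress.ip_network(cidr), proto, port)

# Constructed policy: internal device IP -> the only destinations it may reach.
POLICY = {
    "192.168.10.20": [rule("203.0.113.10/32", "tcp", 443)],   # camera -> single vendor host
    "192.168.10.21": [rule("198.51.100.0/24", "tcp", 8883)],  # sensor -> shared hosting range
}

# Constructed flow records (src, dst, proto, dport), as a firewall or flow export might give.
FLOWS = [
    ("192.168.10.20", "203.0.113.10", "tcp", 443),   # matches the camera's rule
    ("192.168.10.20", "192.0.2.53", "udp", 53),      # camera using an external resolver
    ("192.168.10.21", "198.51.100.77", "tcp", 8883), # inside the sensor's allowed range
    ("192.168.10.22", "192.0.2.80", "tcp", 80),      # device with no policy at all
]

def allowed(src, dst, proto, dport, policy=POLICY):
    """True only if the device has a rule matching destination, protocol and port."""
    dst_ip = ipaddress.ip_address(dst)
    # A device missing from the policy gets an empty rule list, so it is denied.
    return any(dst_ip in r.net and proto == r.proto and dport == r.port
               for r in policy.get(src, []))

def violations(flows, policy=POLICY):
    """Flows that fall outside the allowlist, in the order they were seen."""
    return [f for f in flows if not allowed(*f, policy=policy)]

def broad_rules(policy=POLICY, min_prefix=28):
    """Allowlist entries wider than min_prefix: the range, not the owner, is trusted."""
    return [(src, str(r.net)) for src, rules in policy.items()
            for r in rules if r.net.prefixlen < min_prefix]

if __name__ == "__main__":
    for flow in violations(FLOWS):
        print("outside allowlist:", flow)
    for src, net in broad_rules():
        print("broad allowlist entry:", src, "->", net)
```

An allowlist like this limits where a device can talk, not what it carries over a permitted destination.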



