LinuxQuestions.org


wh33t 10-16-2022 11:30 AM

Can an RJ45 port on the exterior of a building be used maliciously if DHCP is off, and MAC address filtering is on?
 
Here is some background on this peculiar question.

I'm researching Access Controls, and very intrigued by the idea of using 100% PoE powered/connected badge readers, strikers, locks, motion sensors etc. The vibe I get from the access control community is these are probably fine to use indoors, but not on the exterior of the building as someone "could just pry open the box" and then they'd have access to an RJ45 port or ethernet cable which they could use to launch attacks.

So I've been scratching my head how to deal with this concern. My thinking was that if I turned off DHCP, and only permitted specific devices with known MAC addresses (managed switch/router) to communicate, and then only permitted them to communicate with the central server, this particular vector would be nullified. But then I started thinking there are other ways to send attacks on ethernet that don't involve IP right? IPX/SPX, NULL, ARP, SYN? These are all different network communication protocols right?

How would you handle this situation?

business_kid 10-16-2022 12:32 PM

Firstly, I'd say that you not only have to be secure, but convince less knowledgeable superiors that you are.

An input is only a danger if anyone is listening to it. So if you
  1. Run ifconfig ethX down on each interface, or
  2. Physically disconnect such devices
they won't present a danger. Your worst case scenario would probably be some script kiddie with his laptop plugging in. You won't convince anyone that you're secure without enforcing one of the above in a foolproof fashion. I'd regard a live functional NIC as a large security hole. Why hand someone a stick to beat you with?

yvesjv 10-16-2022 02:29 PM

Quote:

Originally Posted by wh33t (Post 6386711)
Here is some background on this peculiar question.
How would you handle this situation?

Pretty common situation.
Use DAI and wired dot1x where users that cannot auth are blocked (or placed into a special purpose vlan).
Note that some valid devices will be so old they will not be able to do any dot1x auth.
Yet, if you have special-purpose devices for BMS traffic, IP cameras, etc., perhaps create VRFs if you can.

There is also another scenario where you can go with DAI and pvlans.
Haven't done this one but it should be feasible.

elgrandeperro 10-17-2022 12:30 PM

VLANs definitely with only the devices. Then you connect them on a separate leg of a layer 2 firewall, with specific rules to only allow connections to the server. We do this for like video/AV stuff and cameras as well as door locks. So the answer is don't put that network on your network, either physically or logically.
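The "separate leg with specific rules" from the reply above, and the dedicated VLAN yvesjv suggests, written out as an nftables ruleset for a Linux firewall. This is an added example, not code from the thread or from any poster; it assumes a routed design (not a transparent bridge) with placeholder names: the door controllers have static addresses in 10.40.0.0/24 behind interface "vlan40", and the central access-control server is 10.10.0.5 behind "lan0", reachable on TCP 443 only.

```nft
# Added example (not from the thread). Load with: nft -f acs-isolation.nft
# Assumed placeholders: vlan40 = access-control VLAN (static IPs, no DHCP),
# lan0 = server segment, 10.10.0.5 = central access-control server.

table inet acs_isolation {
    # Each controller's static IP bound to its known MAC. The pairing is
    # defence in depth next to 802.1X on the switch: a MAC can be forged,
    # so on its own it is not what makes the exterior port safe.
    set door_controllers {
        type ipv4_addr . ether_addr
        elements = { 10.40.0.11 . 00:11:22:33:44:01,
                     10.40.0.12 . 00:11:22:33:44:02,
                     10.40.0.13 . 00:11:22:33:44:03 }
    }

    chain forward {
        type filter hook forward priority filter; policy drop;

        # Replies to sessions the controllers opened.
        ct state established,related accept

        # The only new session a controller may open: its own IP/MAC pair,
        # to the server, on the one service port it needs.
        iifname "vlan40" oifname "lan0" ip saddr . ether saddr @door_controllers ip daddr 10.10.0.5 tcp dport 443 ct state new accept

        # Nothing else leaves or enters the access-control VLAN; log the
        # drops (rate-limited) so a stray device on the outdoor port shows up.
        iifname "vlan40" limit rate 10/minute log prefix "acs-drop-out: " 
        iifname "vlan40" drop
        oifname "vlan40" limit rate 10/minute log prefix "acs-drop-in: "
        oifname "vlan40" drop
    }

    chain input {
        type filter hook input priority filter; policy drop;

        iifname "lo" accept
        ct state established,related accept

        # The firewall itself offers no service on the outdoor-facing VLAN;
        # management happens from the trusted side only.
        iifname "vlan40" limit rate 10/minute log prefix "acs-drop-local: "
        iifname "vlan40" drop
        iifname "lan0" accept
    }
}
```

Traffic between two controllers inside vlan40 never reaches this box, so it is not covered here; that lateral path is what the private VLAN / protected-port feature on the switch (the "pvlans" mentioned earlier) is for.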

