Can an RJ45 port on the exterior of a building be used maliciously if DHCP is off, and MAC address filtering is on?
Here is some background on this peculiar question.
I'm researching Access Controls, and am very intrigued by the idea of using 100% PoE powered/connected badge readers, strikers, locks, motion sensors etc. The vibe I get from the access control community is these are probably fine to use indoors, but not on the exterior of the building, as someone "could just pry open the box" and then they'd have access to an RJ45 port or ethernet cable which they could use to launch attacks.
So I've been scratching my head over how to deal with this concern. My thinking was that if I turned off DHCP, and only permitted specific devices with known MAC addresses (managed switch/router) to communicate, and then only permitted them to communicate with the central server, this particular vector would be nullified. But then I started thinking there are other ways to send attacks on ethernet that don't involve IP, right? IPX/SPX, NULL, ARP, SYN? These are all different network communication protocols, right?
Firstly, I'd say that you not only have to be secure, but convince less knowledgeable superiors that you are.
An input is only a danger if anyone is listening to it. So if you
Run ifconfig ethX down on each interface, or
Physically disconnect such devices
They won't present a danger. Your worst case scenario would probably be some script kiddie with his laptop plugging in. You won't convince anyone that you're secure without enforcing one of the above in a foolproof fashion. I'd regard a live functional NIC as a large security hole. Why hand someone a stick to beat you with?
How would you handle this situation?
Pretty common situation.
Use DAI and wired dot1x where users that cannot auth are blocked (or placed into a special purpose vlan).
Note that some valid devices will be so old they will not be able to do any dot1x auth.
Yet, if you have special purpose devices for BMS traffic, IP cameras, etc., perhaps create VRFs if you can.
There is also another scenario where you can go with DAI and pvlans.
Haven't done this one but it should be feasible.
VLANs definitely, with only the devices. Then you connect them on a separate leg of a layer 2 firewall, with specific rules to only allow connections to the server. We do this for video/AV stuff and cameras as well as door locks. So the answer is don't put that network on your network, either physically or logically.
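To make the difference between the OP's plan and the last two replies concrete, here is an added example (not code from the thread or from any product mentioned in it) that parses raw Ethernet frames and runs them through two policies: a MAC-only allow-list, and a layer 2 firewall rule set of the kind reply 3 describes (known MAC, IPv4 or ARP only, and only toward the central server on its service port). The MAC addresses, IP addresses, port number and the sample frames are all constructed for the example; the frame layouts are standard Ethernet II, IPv4, TCP and ARP.

```python
import struct

# Constructed sample values (not from the thread): the door-controller VLAN,
# its badge reader, a second host on the same VLAN, and the central server.
READER_MAC = bytes.fromhex("0011223344aa")
SERVER_MAC = bytes.fromhex("00112233ff01")
OTHER_MAC = bytes.fromhex("00112233bb02")
READER_IP = bytes([10, 50, 0, 10])
SERVER_IP = bytes([10, 50, 0, 1])
OTHER_IP = bytes([10, 50, 0, 20])
ATTACKER_IP = bytes([10, 50, 0, 99])   # a static IP an intruder picks for himself
SERVER_PORT = 443                      # assumed service port of the access-control server

ETH_IPV4 = 0x0800
ETH_ARP = 0x0806
ETH_IPX = 0x8137   # one of the non-IP ethertypes the OP asks about


def parse_frame(frame):
    """Extract the fields a layer 2 policy needs from a raw Ethernet II frame."""
    if len(frame) < 14:
        return None
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    info = {"dst_mac": dst, "src_mac": src, "ethertype": ethertype,
            "dst_ip": None, "proto": None, "dst_port": None}
    payload = frame[14:]
    if ethertype == ETH_IPV4 and len(payload) >= 20:
        ihl = (payload[0] & 0x0F) * 4          # IPv4 header length in bytes
        info["proto"] = payload[9]             # 6 = TCP, 17 = UDP
        info["dst_ip"] = payload[16:20]
        if info["proto"] in (6, 17) and len(payload) >= ihl + 4:
            info["dst_port"] = struct.unpack("!H", payload[ihl + 2:ihl + 4])[0]
    elif ethertype == ETH_ARP and len(payload) >= 28:
        info["dst_ip"] = payload[24:28]        # ARP target protocol address
    return info


def mac_filter_only(info):
    """The OP's plan: a frame is accepted if its source MAC is on the allow-list."""
    return info is not None and info["src_mac"] == READER_MAC


def l2_firewall(info):
    """Reply 3's approach: known MAC, IPv4/ARP only, and only toward the server."""
    if info is None or info["src_mac"] != READER_MAC:
        return False
    if info["ethertype"] == ETH_ARP:
        return info["dst_ip"] == SERVER_IP        # reader may resolve the server only
    if info["ethertype"] == ETH_IPV4:
        return (info["dst_ip"] == SERVER_IP and info["proto"] == 6
                and info["dst_port"] == SERVER_PORT)
    return False                                  # IPX and every other non-IP frame


# Frame builders for the constructed samples (header checksums left at zero).
def build_ipv4_tcp(src_mac, dst_mac, src_ip, dst_ip, dst_port):
    eth = struct.pack("!6s6sH", dst_mac, src_mac, ETH_IPV4)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0, src_ip, dst_ip)
    tcp = struct.pack("!HHIIBBHHH", 40000, dst_port, 0, 0, 0x50, 0x02, 8192, 0, 0)
    return eth + ip + tcp


def build_arp_request(src_mac, src_ip, target_ip):
    eth = struct.pack("!6s6sH", b"\xff" * 6, src_mac, ETH_ARP)
    arp = struct.pack("!HHBBH6s4s6s4s", 1, ETH_IPV4, 6, 4, 1,
                      src_mac, src_ip, b"\x00" * 6, target_ip)
    return eth + arp


def build_raw(src_mac, dst_mac, ethertype):
    return struct.pack("!6s6sH", dst_mac, src_mac, ethertype) + b"\x00" * 46


SAMPLES = {
    "reader to server https": build_ipv4_tcp(READER_MAC, SERVER_MAC, READER_IP, SERVER_IP, SERVER_PORT),
    "spoofed mac, ssh to other host": build_ipv4_tcp(READER_MAC, OTHER_MAC, ATTACKER_IP, OTHER_IP, 22),
    "spoofed mac, arp probe of other host": build_arp_request(READER_MAC, ATTACKER_IP, OTHER_IP),
    "spoofed mac, ipx frame": build_raw(READER_MAC, b"\xff" * 6, ETH_IPX),
    "unknown mac to server": build_ipv4_tcp(OTHER_MAC, SERVER_MAC, OTHER_IP, SERVER_IP, SERVER_PORT),
}


def evaluate(frames=SAMPLES):
    """Return {sample name: (mac_filter verdict, l2_firewall verdict)}; True = pass."""
    return {name: (mac_filter_only(parse_frame(f)), l2_firewall(parse_frame(f)))
            for name, f in frames.items()}


if __name__ == "__main__":
    for name, (mac_ok, fw_ok) in evaluate().items():
        print(f"{name:38s} mac-filter={'pass' if mac_ok else 'drop'}  "
              f"l2-firewall={'pass' if fw_ok else 'drop'}")
```

Run as a script it prints one line per sample. The MAC-only filter passes every frame that carries the reader's MAC, including the SSH attempt, the ARP probe and the IPX frame, so once a MAC is copied off the pried-open device the filter buys nothing; the layer 2 rule set drops all of those because nothing but IPv4 to the server's port (and ARP for the server) is permitted from that port. A frame that spoofs the reader's MAC and targets the server's own port still passes both policies, which is the gap reply 2 closes with wired 802.1X: the switch then admits the port on a credential the intruder does not get by opening the box, rather than on a MAC address it can read off a label.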