Protecting physical interface?

[Budgeter]

Hi all,

So a friend asked me to setup a network system for his workplace. As of now, I'm intending to go with a pfSense box as a router. Not talking about the network design yet, the real problem is a server room. His business office is in a shared building. There are other companies in that building too. Certainly each company will has their own office, but a server room is completely shared. Basically that server room is available to the public as it contains the endpoints of ethernet cables going to each room.

Technically, we can have something like an electrical box to cover all of our devices, but the cables still need to go out and connect to an ethernet endpoint on the wall which everyone can access. I'm aware that this is bizarre in term of security, but does anyone have a tip on how to mitigate this? Either physically or on pfSense? Well, he has been going on with a simple ISP modem/router combination without any protection since forever, so at worst we can only hope no one will mess with the system.

 

[L&LD]

Locate a switch and other equipment as needed on the secure side of the shared room.

Don't just hope. Make it as physically impossible as you can (that no one can be malicious on their site).

 

[Budgeter]

Locate a switch and other equipment as needed on the secure side of the shared room.

Don't just hope. Make it as physically impossible as you can (that no one can be malicious on their site).

There is no way to do so since a shared room is so small, around 12x4 feet. The only option is locked our equipment into some sort of boxes. I guess that's enough to protect the equipment in this specific scenario. However, the main issue is ethernet endpoint on a wall. Just think of ethernet plate you usually have in your own room, but in this case there are 64 of them I think. Anyway, we will use a portion of them for our office room, but the outsiders can easily unplug a cable and connect whatever they have to that.

I think this resembles a scenario of security cameras. Camera are put outside of house and outsiders can access them physically. However, we can separate the cameras into its own VLAN to mitigate the risk. In our scenario, the internet port are used to connect with internal devices (landline phone, PC, etc), it would be illogical to completely isolate them.

 

[Tech9]

Here is your solution - no one will touch your cables more than once:

 

[L&LD]

The secure side of the shared room is outside that room.

 

[follower]

Hi all,

So a friend asked me to setup a network system for his workplace. As of now, I'm intending to go with a pfSense box as a router. Not talking about the network design yet, the real problem is a server room. His business office is in a shared building. There are other companies in that building too. Certainly each company will has their own office, but a server room is completely shared. Basically that server room is available to the public as it contains the endpoints of ethernet cables going to each room.

Technically, we can have something like an electrical box to cover all of our devices, but the cables still need to go out and connect to an ethernet endpoint on the wall which everyone can access. I'm aware that this is bizarre in term of security, but does anyone have a tip on how to mitigate this? Either physically or on pfSense? Well, he has been going on with a simple ISP modem/router combination without any protection since forever, so at worst we can only hope no one will mess with the system.

There is only one way to do so. Hire a security for 24hours. Maybe two or more? Or moving to the other building?

 

[coxhaus]

You can buy a server rack with locks on the doors. Hopefully it will so heavy that no can carry it out after you put all your equipment in there.

Maybe add a no DHCP network segment so someone cannot plug into the open ethernet plugs and gain access. Use manual IP addresses as that would require them to understand you network structure. Use a L3 switch in your office area for DHCP. Let the servers be static IPs.

 

[follower]

You can buy a server rack with locks on the doors. Hopefully it will so heavy that no can carry it out after you put all your equipment in there.

Maybe add a no DHCP network segment so someone cannot plug into the open ethernet plugs and gain access. Use manual IP addresses as that would require them to understand you network structure. Use a L3 switch in your office area for DHCP. Let the servers be static IPs.

"but the cables still need to go out and connect to an ethernet endpoint on the wall which everyone can access".
He's worrying about wiretapping I think. It's possible so easily. He needs a security for 24hours.

 

[coxhaus]

"but the cables still need to go out and connect to an ethernet endpoint on the wall which everyone can access".
He's worrying about wiretapping I think. It's possible so easily. He needs a security for 24hours.

That is why I said use a no DHCP network segment for the open wall. At least the spy cannot plug in and be handed an IP address. The spy will need to figure out the network structure before he can tap in.

If the open wall can be setup with a point-to-point connection, then it will be hard to monitor the network because there are no available IP addresses to assign to monitor.

 

[sfx2000]

His business office is in a shared building. There are other companies in that building too. Certainly each company will has their own office, but a server room is completely shared

It's not unusual actually...

I'm in a similar situation - and there we have the fiber drop come into the "network room", and we have a single ethernet run over to our suite where we have our edge router and firewall...

The network room/demarc is a shared access room - it is locked, and only the IT folks from the tenant companies have card access to that room, so every access is logged in.

 

[Budgeter]

There is only one way to do so. Hire a security for 24hours. Maybe two or more? Or moving to the other building?

I will ask him about this, I don't think his budget will allow that though. To be honest, I also think these are the only options.

"but the cables still need to go out and connect to an ethernet endpoint on the wall which everyone can access".
He's worrying about wiretapping I think. It's possible so easily. He needs a security for 24hours.

Indeed, the problem is mainly wiretapping. I mean, I'm aware how bad the situation is, but it is what it is. There is a reason why back-end related position tends to have strict security clearance requirement.

It's not unusual actually...

I'm in a similar situation - and there we have the fiber drop come into the "network room", and we have a single ethernet run over to our suite where we have our edge router and firewall...

The network room/demarc is a shared access room - it is locked, and only the IT folks from the tenant companies have card access to that room, so every access is logged in.

1. The room is not locked, anyone can access it. There is not even a security cam.
2. Unfortunately, he has many office rooms in that building, on different floors (e.g: Employee room, Front desk room, guest room, etc). I don't think it is possible to wire from 1 central room to another as he's just a renter there. Hence the need of ethernet endpoints in server room so the wire can go to other places.

That is why I said use a no DHCP network segment for the open wall. At least the spy cannot plug in and be handed an IP address. The spy will need to figure out the network structure before he can tap in.

If the open wall can be setup with a point-to-point connection, then it will be hard to monitor the network because there are no available IP addresses to assign to monitor.

You can buy a server rack with locks on the doors. Hopefully it will so heavy that no can carry it out after you put all your equipment in there.

Maybe add a no DHCP network segment so someone cannot plug into the open ethernet plugs and gain access. Use manual IP addresses as that would require them to understand you network structure. Use a L3 switch in your office area for DHCP. Let the servers be static IPs.

Yes, a server rack, or an electrical box for smaller equipment. I also think that's enough to protect the equipment.
So what you mean is security via obscurity? Let say in case a threat actor connect his equipment to the wall, and a company PC is on the other end, isn't a simple IP scan enough to get into that PC?

Here is a visualization of the current situation if it helps.

 

[ColinTaylor]

TBH this doesn't sound like a server room, it sounds more like a comm's room. In other words, it contains networking equipment not servers. Either way at a bear minimum the room should be lockable.

If as you say the network connections go to sockets on the wall there's nothing to stop anyone putting a device between that and the switch. Fancy racks or boxes won't help at all.

I don't think @coxhaus' solution would work because it was assuming the client devices were all in one location and the managed switch could be put there as well. As there are multiple rooms that won't work.

At the end of the day, unless your friend's business is a high value target for clandestine espionage a MITM attack is a just a fantasy scenario. What's more likely is unqualified people wandering into the room a randomly unplugging/re-plugging cables because "the internet's down". Again, the room should be lockable with only "trusted people" allowed access. So save the money you would spend on a rack and use it to install a door lock.

 

[sfx2000]

Again, the room should be lockable with only "trusted people" allowed access. So save the money you would spend on a rack and use it to install a door lock.

Exactly - that is how we resolved the issue with the comms room.

 

[dosborne]

Remington, Browning, Mossberg and others all make great devices for physically securing your network.

Unfortunately, unless you get a secured location for a private drop, you will be at the mercy of your neighbours, intentionally or otherwise.

 

[follower]

That is why I said use a no DHCP network segment for the open wall. At least the spy cannot plug in and be handed an IP address. The spy will need to figure out the network structure before he can tap in.

If the open wall can be setup with a point-to-point connection, then it will be hard to monitor the network because there are no available IP addresses to assign to monitor.

It doesn't matter. We don't need to plug anything. We can connect some devices to the cable directly. And then? Packet sniffing.

 

[follower]

I will ask him about this, I don't think his budget will allow that though. To be honest, I also think these are the only options.


Indeed, the problem is mainly wiretapping. I mean, I'm aware how bad the situation is, but it is what it is. There is a reason why back-end related position tends to have strict security clearance requirement.


1. The room is not locked, anyone can access it. There is not even a security cam.
2. Unfortunately, he has many office rooms in that building, on different floors (e.g: Employee room, Front desk room, guest room, etc). I don't think it is possible to wire from 1 central room to another as he's just a renter there. Hence the need of ethernet endpoints in server room so the wire can go to other places.



Yes, a server rack, or an electrical box for smaller equipment. I also think that's enough to protect the equipment.
So what you mean is security via obscurity? Let say in case a threat actor connect his equipment to the wall, and a company PC is on the other end, isn't a simple IP scan enough to get into that PC?

Here is a visualization of the current situation if it helps.
View attachment 34889

Yes. Anyone can wiretap(MITM, packet sniffing) so easily. IP Scan is not a big problem. But Packet Sniffing is the problem. We can get IP Address with packet sniffing too. So what is possible?

MITM
Sniffing
SNI sniffing
Packet Injection
Session Hijacking
SSL stripping
...

HTTPS and SSL are nothing under that situation. SSL Certificate is no longer safe.

 

[fsardone]

Couple of considerations:
1. Without physical security there cannot be any data security
2. Hardening needs to go with threat assessment
3. Absolute security is an illusion

So what are you protecting and how much is it worth? How much are you willing to invest in security? What is your risk tolerance?

If you do not answer these questions you cannot solve this issue.
In your configuration you could go with a (secured in a locked cabinet) switch with port security (single MAC address allowed on each port) which would (reasonably) prevent rogue equipment to access your network but you are still exposed to sniffing (you just need a hub not a switch and a computer wih Ethernet interface in promiscuous mode and wireshark installed).

or
you could rewire in you assigned space the switching equipment and the router in the comm room. Using a decent switch only traffic directed to the Internet would hit the router and therefore at risk of being sniffed. Alternative 1 add double nat and an additional router in your space option two also add a VPN provider so all the traffic goes out to you VPN provider encrypted

or
you could rewire in your assigned space and ask TELCo to terminate in that space and (possibly) also use the VPN provider.

No Pain No Gain .... and no silver bullet.

Cheers

Fabio

 

[coxhaus]

I don't think @coxhaus' solution would work because it was assuming the client devices were all in one location and the managed switch could be put there as well. As there are multiple rooms that won't work.

This would handle it fine. It just needs to follow the cabling and fiber for switch placement. I am not making any assumptions but I am not being definite as I have don't really know the layout. I did this for many years. I know how to do it.