What we fail to relate cybersecurity to, is the threat to autonomous computer networks, where a third party physically breaks into a system via its infrastructure devices.
Due to their nature, IP security and surveillance networks put physical network connections in both secure and unsecured locations. Vulnerable positioning provides ample opportunities for the would-be attacker, so due care and attention must be paid to equipment protection.
However, installers must also treat secure sites in exactly the same way. The point of attack could originate from a source fully entitled to be within an area. No chances can be taken.
An Ethernet network comprises both active (needs electrical power to operate) and passive (does not require power) equipment.
Active equipment includes Ethernet switches (we’re focusing on Layer 2 Ethernet switches based on MAC addresses, not Layer 3 devices that can switch on IP or MAC address) and media converters, and the passive, a combination of cables, connectors and management such as cabinets, which might also include additional active equipment, for example environmental conditioning and monitoring systems.
The security threat to the network at this level results from a third party physically connecting to the active network devices, or by removing an edge device from the network and attaching unauthorised equipment in its place.
The connection could be to an optical port, but that would require the third party to have the correct optical interface. So for opportunistic reasons, it tends to be a connection via an electrical interface.
Electrical Ethernet ports are based around an industry standard, so connecting to these is relatively simple and as every laptop today has such a connection, the probable weapon of attack is readily available.
Ethernet switches are available in managed or unmanaged forms, where the managed platform has many more features and allows the user to configure and remotely monitor the device. The unmanaged unit has no such facilities, it simply does the basic job based on its shipped configuration. Media converters tend to be in an unmanaged format only.
Where security is concerned, managed units offer a number of facilities to prevent unauthorised entry to the network, whereas unmanaged forms do not, thus managed Ethernet switches should be used throughout your network.
It tends to be the case that the simplest features offer the best security, and with Ethernet managed switches, that persists. The ability to disable a switch port that’s not being used in the current network configuration, through the management interface, might seem an obvious security feature but it is one that a lot of network operators fail to employ and may not even know exists on their devices.
If the port is not being used, then disable it, so no unwarranted party can plug directly in to your network
The rules, as you can imagine, are straightforward: if the port is not being used, then disable it, so no unwarranted party can plug directly in to your network. If the port needs to be used for legitimate traffic in the future, then simply open it via the management system.
And while we’re talking about the simplest features being the best, the default username and password that every managed Ethernet switch is shipped with, to enable you to gain access, should be changed to a username and password, commensurate with your security policy.
There is no point in applying all this security, if it could be changed by our attacker connecting to the comms port of the switch (serial data comms port that allows local access to management configuration once a correct username and password are entered) and gaining access simply by reading the manual!
Once a link has been established between two active units in the network, a LINK acknowledgement (normally an LED indication) is generated and dropped immediately the link is broken. This simple Layer 1 hardware-based trigger has been utilised by Comnet in their unique Port Guardian feature and can be used to shut a port down on the basis that a loss of link is a potential attack.
The feature can be further expanded to shut down ports in the event that power is lost to the active device – just in case our attacker has the smart idea of switching connections once the switch is powered down. If any units are deployed in unsecured locations, then the port receiving communications from that site should be activated with this feature to counter link breaks in these areas.
Security should be applied to the passive components of the network as well as the active ones. How many times have you walked along the pavement and observed the door of a utilities company street cabinet hanging off, or even the access flap open on a lamppost?
If any part of the network is housed within an enclosure, some form of sensor must be on the door to tell you if it is open or closed
The reason is, that for most cases, the system owner or operator has no idea that the door of their cabinet is open and their system is not secure! If any part of the network is housed within an enclosure, some form of sensor must be on the door to tell you if it is open or closed.
If the door is open and you are not aware of it you provide an easy target for any attacker and, at the same time, allow the elements to damage your enclosed equipment. And remember, it doesn’t just need to be active equipment. If the enclosure simply houses cable management that could be an opportunity to break in to the network. This requirement is an absolute must in unsecured locations!
To guard against attacks, managed Ethernet switches should always be used as the active building blocks of the network as they offer the maximum level of security when configured correctly. Managed units will also provide users with the ability to remotely control and monitor network devices, and will generate automatic warning signals if an issue arises.
Any managed, Ethernet switch must be configured based on the security levels and operational requirements of the site to ensure correct operation.
Those who ignore the basics of network security and opt instead for cheaper, unmanaged devices, are exposing their networks to the risk of hackers. Hackers who can very quickly turn a sophisticated security network to their own advantage.
And with the safety and protection of critical infrastructure, data and communications at stake, are you prepared to take that risk? It seems an irresponsible risk to take.
Enjoy the latest fire and security news, updates and expert opinions sent straight to your inbox with IFSEC Insider's essential weekly newsletters. Subscribe today to make sure you're never left behind by the fast-evolving industry landscape.
Sign up now!
