[Tfug] "Opening" a physical ethernet connection

Bexley Hall bexley401 at yahoo.com
Wed May 1 21:05:32 MST 2013


Hi Christopher,

On 5/1/2013 8:20 PM, Christopher Robbins wrote:
>>> Ideally, I want to be able to "unplug" a "physical ethernet
>>> connection" (i.e., a *cable*).  This prevents the service(s)
>>> available on that connection from being accessed *and*
>>> protects the fabric from "assault" (e.g., someone taking a
>>> line cord and connecting it to the pins of the connector
>>> thereby frying a port in an *expensive* switch).
>>
>> What about routing your connection through a cheap switch[1], and
>> power it via a wall switch.  Turn off the wall switch, the cheap
>> switch loses power and cannot talk to the rest of the network.
>> This only partially protects against your physical assault.  If
>> someone did plug mains power into the RJ45, then you'd be out a $20
>> switch, but not your fancier many-port managed switch on the other side.
>
> I may be a little late to the party... This sounds like an ideal solution.

Yes, I was just hoping for a "two port switch" (bridge) designed
basically for this purpose.  I.e., if it is implemented robustly
(read:  bug free) it could remain powered *on* but simply refuse
to pass packets while a control input is "off", etc.  I.e., like
a "managed 2 port switch" that can be commanded to pass/inhibit
based on a signal supplied on a "pin"/control connector (so you
don't have to send a packet to it to get it to "inhibit")

I suggested "yank the power" as this is relatively easy to control
*and* the switch is supposed to be well-behaved in that unpowered state.

> Use cheap switches as an access layer, and shut the switches off as
> necessary.  Do ports have to be unplugged via an on/off switch, or
> is it okay if the connection is actually unplugged?

If unplugging is an option, then you (i.e., I) could just unplug the
cable from the main switch and not need any such mechanism  :-/
The means by which the port is isolated needs to be "securable".
If an adversary can simply plug/unplug the cable/device/"protector"
in and subvert its function then you haven't gained anything.

Ideally, you would locate the(se) device(s) someplace secure so
the user/adversary is forced to deal with the interface that it
wants to expose (while hiding the interface that it wants to
*protect*!).

I'll have to see if I can reduce the cost of my "port module"
on the switch (actually a very large router) and fabricate it
in such a way that these are "disposable"... that way there are
no outboard devices to maintain, cable, configure, etc.  It also
means every port gets this same capability "for free".
