this post was submitted on 24 Jul 2024
11 points (92.3% liked)

networking


If you have an outdoor Ethernet port—in my case with a WiFi AP connected—how can you go about protecting your network from somebody jacking in?

Is there a way to bind that port to only an approved device? I figured a firewall rule to only allow traffic to and from the WiFi AP IP address, but would that also prevent traffic from reaching any wireless clients connected to the AP?

Edit: For more context, my router is a Ubiquiti UDM and the AP is also a UniFi AP.

top 12 comments
[–] [email protected] 12 points 4 months ago (1 children)

MAC filtering, but if the MAC address is visible from the outside AP it's pretty much useless. RADIUS would help.

[–] [email protected] 5 points 4 months ago

Yeah since the unit is easily accessible I imagine they could just read the MAC address off the sticker and spoof it.

[–] [email protected] 11 points 4 months ago (1 children)

https://en.m.wikipedia.org/wiki/IEEE_802.1X

The standard directly addresses an attack technique called Hardware Addition, where an attacker posing as a guest, customer or staff smuggles a hacking device into the building that they then plug into the network, giving them full access.

[–] sugar_in_your_tea 2 points 3 months ago

Yup, I had to implement this for a customer once, and while it was a paid, it does require authentication before getting access to the network.

[–] [email protected] 8 points 4 months ago

You could probably do an automation with Home Assistant to disable the port if the device gets unplugged, notify you about it, then require you to approve / re-enable the port.

This of course would require the service to be running, but combined with MAC filtering and placing it on an untrusted VLAN that's probably the best you could do.
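The disable-on-unplug workflow described in this comment, as an added example written for this thread (not a commenter's code and not a UniFi or Home Assistant API). It assumes a hypothetical event feed of `link_down` / `link_up` / `mac_learned` events per switch port and models the decision logic only: shut the port on a link drop or an unexpected MAC, record an alert, and keep it shut until a human approves after a physical check.

```python
"""Port watchdog for an outdoor AP uplink (constructed example, hypothetical event feed)."""
from dataclasses import dataclass, field


@dataclass
class PortWatchdog:
    port: str                 # switch port the outdoor AP hangs off, e.g. "eth8"
    approved_mac: str         # MAC printed on the AP; spoofable, so never trusted on its own
    enabled: bool = True
    pending_approval: bool = False
    alerts: list = field(default_factory=list)

    def handle(self, event: dict) -> str:
        """Process one event and return the action taken: ok, ignore, disable or hold."""
        if event.get("port") != self.port:
            return "ignore"                      # events from other ports are not our concern
        kind = event["kind"]
        if kind == "link_down":
            # Cable pulled or AP powered off: shut the port until someone checks it in person.
            self.enabled, self.pending_approval = False, True
            self.alerts.append(f"{self.port}: link down, port disabled pending approval")
            return "disable"
        if kind == "link_up":
            if self.pending_approval:
                self.alerts.append(f"{self.port}: link up while disabled, awaiting approval")
                return "hold"                    # port stays down; link-up alone proves nothing
            return "ok"
        if kind == "mac_learned":
            if event["mac"].lower() != self.approved_mac.lower():
                self.enabled, self.pending_approval = False, True
                self.alerts.append(f"{self.port}: unexpected MAC {event['mac']}, port disabled")
                return "disable"
            return "ok"
        return "ignore"

    def approve(self) -> None:
        """Manual re-enable after the admin has physically inspected the AP and cable."""
        self.enabled, self.pending_approval = True, False


# Constructed event stream: AP running normally, an unrelated port flapping, then the AP
# port dropping and coming back with a different MAC behind it.
SAMPLE_EVENTS = [
    {"port": "eth8", "kind": "mac_learned", "mac": "AA:BB:CC:00:00:01"},
    {"port": "eth1", "kind": "link_down"},
    {"port": "eth8", "kind": "link_down"},
    {"port": "eth8", "kind": "link_up"},
    {"port": "eth8", "kind": "mac_learned", "mac": "DE:AD:BE:EF:00:02"},
]


def run(events=SAMPLE_EVENTS, approved_mac="aa:bb:cc:00:00:01"):
    """Feed the events through a watchdog for eth8 and return it with the actions taken."""
    wd = PortWatchdog(port="eth8", approved_mac=approved_mac)
    return wd, [wd.handle(e) for e in events]
```

The MAC check only catches a careless swap; as the thread notes, the real value is that every link drop forces a human to look before the port comes back.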

[–] [email protected] 8 points 4 months ago (2 children)
[–] [email protected] 3 points 4 months ago

Low tech and cheap, best option unless you can MAC bind on your switch natively.

[–] [email protected] 3 points 3 months ago (1 children)

But can't that be defeated with a $5.00 wrench? [https://xkcd.com/538/]

[–] [email protected] 2 points 3 months ago

If people are breaking into your stuff, don't put it outside at all.

[–] [email protected] 3 points 4 months ago* (last edited 4 months ago) (1 children)

There are ways to try to identify the device connecting to the network. But that doesn't prevent a third party from spoofing an appropriately authenticated device and monitoring and collecting traffic as well as injecting traffic. It just raises the difficulty.

Over networks, or access points, that are intrinsically unsafe, the current gold standard is to require clients transiting those networks to then use a VPN. So internal Wi-Fi, with access only to a WireGuard server, and your wireless clients connect to the WireGuard server.

Even if a malicious actor takes over the access point, or compromises the ethernet cable itself, the traffic will be encrypted, and only authenticated clients will be able to actually access your infrastructure.

So you would enforce a VLAN onto the port that the access point has access to, and then that VLAN can only access the UDM WireGuard server.

[–] [email protected] 2 points 4 months ago

Some devices will let you specify a list of allowed MAC addresses per port. I believe Ubiquiti does allow this.

Some devices will have a whole port security protocol: if they see a MAC address that hasn't been authenticated, the port is put into violation, requiring an admin to physically validate it after visiting the port to make sure nothing nefarious happened. I do not believe Ubiquiti has this.

[–] [email protected] 2 points 3 months ago

Lock the MAC with port security.