Protect 100BaseTX from malicious actions

Hi,

What can I do to protect a 100BaseTX circuit from hostile acts PROPAGATING BEYOND THE CONNECTION?

I.e., I want a box that looks like:

| | outside >--[]---> inside | |

such that deliberate/hostile actions taken at "outside" are isolated from "inside" -- even if the box [] is sacrificed in the process (i.e., treat the box as a fuse).

As the connection is transformer coupled, DC won't be a problem (you'll cook the transformer as if a fusible link). I'm guessing that a careful layout ensuring an earth ground ring/plane around the transformer so that the PCB dielectric/air gap breaks down before the transformer would protect from impressed high voltages (?).

Thx!

Reply to
Don Y

Can you define "hostile" a bit better?

--

Rick
Reply to
rickman

What 'hostile action'? Are you trying to thwart hard "phone tap" type line intrusion?

Reply to
DecadentLinuxUserNumeroUno

Wireless transponders?

Jamie

Reply to
Maynard A. Philbrook Jr.

Instead of this 100Mb hard line connection, he could use a wifi print server device perhaps, or an actual hard wifi router at that other end, and his regular home wifi within the house.

Without knowing what is piped to at the other end, it is difficult to speak about intrusion event vulnerabilities or solutions.

I have often wondered if a "home made" version of a "wave guide" would work.

Bury a foil wrapped 2" PVC pipe, and see if you can pass a wifi link through it, yet have it segregated from being seen outside.

Might as well run the hard link through it at that point.

Cheers... :-) No... Faraday cages all around...

Reply to
DecadentLinuxUserNumeroUno

Use optical fiber.

Reply to
Oregonian Haruspex

convert to fiber and back

-Lasse

Reply to
Lasse Langwadt Christensen

If you're talking about things like people trying to send 240 V AC down your Ethernet line, then...

First choice: use fiber, as has already been said. Even if you have to present copper to the "outside", you can get a 1-port media converter that runs on a few watts of low voltage DC. This supply comes from "inside", but it's probably easier to do DIY protection of the low voltage DC supply than it is to do DIY protection of the data lines.

Second choice: if you have to be copper all the way through, things like

formatting link
(which uses diodes and is all packaged up) or
formatting link
(which uses gas tubes and mounts in a chassis) exist.

If you're worried about higher protocol levels, like IP, then the first thing on the "inside" needs to be a router or computer that can check the evil bit on incoming packets.

formatting link

Matt Roberds

Reply to
mroberds

Yeah, any kind of 'media converter' will accomplish this, or an inexpensive Ethernet hub or switch. If you want to protect against lightning strikes, use a fiber optic media converter. If you want to protect against flooding, maybe pack a lot of dry rice in a conduit pipe so it'll swell on getting moist. It'll be different if you want also to protect from bombs, locusts, neurotoxins, or the Missouri Lutheran synod.

Reply to
whit3rd

At nearly $1000 per transceiver, I'd say then that we consumers need to come up with a cheap fiber link 'fabric' using the old stuff they do not use any more. It would be fun to have like a 256Mb/s full duplex thingy going. The Linux folks would love it too.

Straight black pipes and IR works between buildings when the weather is clear.

Reply to
DecadentLinuxUserNumeroUno

formatting link

-Lasse

Reply to
Lasse Langwadt Christensen

Exactly. Or worse. Imagine someone has access to your equipment closet (but not the *interior* of any equipment). Poking at "exposed ports" (e.g., on a switch), I want to ensure *only* the attacked port fails. The other ports (and the fabric) remain intact until/unless they are, also, individually attacked.

Imagine someone wandering into a random cubicle during lunch hour and "zapping" (whatever that means) the network connection to the corporate switch. You have no idea how much wire lies between the attack and the actual hardware (hence my "access to your equipment closet" condition). So, you can't count on the cable absorbing the attack, etc.

Regardless, you don't want the connection to the corporate *server* to be fried as a consequence (because it happened to be on an adjacent port).

[Instead of thinking about this as how it "can't happen", think of how you *would* attack a fabric if sufficiently motivated to do so!]

I've already designed this -- as it also has to protect the "traffic". What I need to know is how to ensure any hostility on the "outside" end is isolated from the "inside" end. AS IF the box was a fuse ("protection device").

Yeah, ain't gonna fly at $100 per! :> I need 70 of them.

Likewise. Note that I have an extra degree of freedom that those devices aren't exploiting: namely, I can let the device get *toasted* in such an attack. I wouldn't be happy with that happening but, if it limited the consequences to that device, then that's the best I could hope for.

(e.g., I'm sure one could toast one of these $100 gizmos just as well!)

Yes, I've addressed that. The hardware protection is the harder issue.

Reply to
Don Y

Sedatives for the paranoia ?>:-} ...Jim Thompson

--
| James E.Thompson                                 |    mens     | 
| Analog Innovations                               |     et      | 
| Analog/Mixed-Signal ASIC's and Discrete Systems  |    manus    | 
| San Tan Valley, AZ 85142     Skype: skypeanalog  |             | 
| Voice:(480)460-2350  Fax: Available upon request |  Brass Rat  | 
| E-mail Icon at http://www.analog-innovations.com |    1962     | 
              
I love to cook with wine.     Sometimes I even put it in the food.
Reply to
Jim Thompson

snip

TFC-110MSC/dp/B00007IFE8

Note that the device transceiver module has a 2km limit, but that fiber is only 2m (6 feet).

The fiber links are not cheap either, but wow... nice find... I did not know they were doing what I said already. Only stands to reason that they would be though.

The price is amazing compared to what I have seen in the pro telecomm industry.

I guess consumers are lucky.

Reply to
DecadentLinuxUserNumeroUno

15km and 30km

formatting link

-Lasse

Reply to
Lasse Langwadt Christensen

Maybe put a cheap ass switch in the path, only using two ports, for every port in the main switch. I've seen decent switches go for $15 at Fry's. Dlink.

The alternative would be to hire employees who aren't douche bags.

Reply to
miso

Ah, the wily etherkiller.

formatting link

                      +---> +5 V
                      |
                  +-------+
                  |protect|
                  +-------+
                      |                 +---> +5 V
                      |                 |
                   +-----+           +-----+
bad guy---copper---] MC1 [---fiber---] MC2 [---copper---good guy
                   +-----+           +-----+

The "outside" media converter - MC1 - is the fuse. You don't care if MC1 pops if the bad guy does something bad. Also, whatever you put in the "protect" box (an actual fuse, gas tube, varistor, tranzorb, whatever) might also pop. The fiber should stay good, as should MC2.

A simple media converter goes for $70, per a quick Google. This is better than $100. :) You can probably get a discount since you'll need 140 of them.

At some point it might be cheaper to buy a fiber switch and run fiber to the PCs, printers, etc. You'll need a couple of media converters for things like printers that can't take a fiber Ethernet card. At that point, all you have to worry about is if the bad guy has a really good laser that he could fire into the fiber.

I think the telecom guys are willing to let protectors like that get toasted as well. That's why you can get that common chassis with slots for protectors - easy to remove and replace one if it fails. (This design goes all the way back to POTS and maybe to telegraph.) If I had to guess, I'd say those protectors are designed to live through a power cross to 120 V or 240 V AC, but to die (open circuit) with a power cross to anything higher, or a nearby lightning strike.

Um... OK.

It would be interesting to know what kind of environment you are deploying this into, if you have to worry about people shooting 240 V AC up your Ethernet ports.

Matt Roberds

Reply to
mroberds

Sigh. You've just described the problem faced by all skool networks. How to stop worms, viruses, malware, port scans, defective hardware, etc from trashing the network. You can see it in action at any RESNET equipped college campus.

Ingredients to secure a campus LAN:

  1. Managed switch with port isolation. User facing ports do not see each other. Admin can turn on/off any port as required.
  2. RADIUS server for wireless and Kerberos based single sign on. Extra credit for 802.1x port based authentication.
  3. Logging and monitoring software to alert the admins that something is wrong. I like Nagios with SNMP.
  4. ARPwatch to alert admin when a new device appears. This is generally useless because MAC addresses are easily spoofed. However it does amazingly well at detecting clueless and casual hackers.
  5. Registering the MAC addresses of user owned routers, which are to be setup as wireless access points, not wireless routers (which hide the connected MAC addresses).
  6. Inspection policy of connected hardware.
  7. Some kind of IDS (intrusion detection system) sniffing the gateway traffic.

On the other foot, if you just want to make life miserable for intruders, wire your network using USB, RJ11, or other 4 pin connectors, instead of RJ45. If someone tries to plug something in, the connector won't fit.

If you just want entertainment value, a small piece of spring steel can be inserted in the RJ45 jack, so that the plug goes in, but doesn't come out. That won't stop anyone from attacking your network, but does provide a souvenir of the attempt.

--
Jeff Liebermann     jeffl@cruzio.com 
150 Felker St #D    http://www.LearnByDestroying.com 
Santa Cruz CA 95060 http://802.11junk.com 
Skype: JeffLiebermann     AE6KS    831-336-2558
Reply to
Jeff Liebermann
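Item 4 in the list above describes what ARPwatch does: remember which MAC each IP last answered from and alert when an IP appears for the first time or starts answering from a different MAC. The following is an added example (not code from the thread, and not ARPwatch's own source) that implements that bookkeeping over constructed tcpdump-style ARP reply lines; the line format, the `ArpWatch` class and the `watch_lines` helper are assumptions for illustration. It reproduces ARPwatch's three well-known events, "new station", "changed ethernet address" and "flip flop" (an IP reverting to a MAC it was bound to earlier), and it also shows the limit the post points out: a spoofed MAC that copies the current binding produces no event at all.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Matches the ARP reply form tcpdump prints, e.g.
#   "ARP, Reply 10.0.0.5 is-at 00:11:22:33:44:55, length 28"
# Requests ("who-has ... tell ...") carry no IP/MAC binding and are ignored.
REPLY_RE = re.compile(
    r"Reply\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+is-at\s+"
    r"(?P<mac>(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2})"
)


@dataclass
class ArpEvent:
    kind: str                  # "new station", "changed ethernet address", "flip flop"
    ip: str
    mac: str
    old_mac: Optional[str] = None


@dataclass
class ArpWatch:
    """Assumed helper: arpwatch-style IP -> MAC table with event reporting."""
    current: Dict[str, str] = field(default_factory=dict)     # ip -> mac seen last
    seen: Dict[str, Set[str]] = field(default_factory=dict)   # ip -> every mac ever seen

    def observe(self, ip: str, mac: str) -> Optional[ArpEvent]:
        mac = mac.lower()
        prev = self.current.get(ip)
        history = self.seen.setdefault(ip, set())
        if prev is None:
            # First time this IP has answered at all.
            self.current[ip] = mac
            history.add(mac)
            return ArpEvent("new station", ip, mac)
        if prev == mac:
            # Same binding as before: nothing to report. This is also what a
            # spoofed MAC copying the legitimate host looks like.
            return None
        # The IP now answers from a different MAC. If that MAC was bound to this
        # IP earlier, arpwatch calls it a "flip flop" (two hosts fighting over one
        # address); otherwise the binding simply changed.
        kind = "flip flop" if mac in history else "changed ethernet address"
        self.current[ip] = mac
        history.add(mac)
        return ArpEvent(kind, ip, mac, old_mac=prev)


def watch_lines(lines: List[str]) -> List[ArpEvent]:
    """Feed tcpdump-style ARP lines through one ArpWatch and collect the events."""
    watcher = ArpWatch()
    events: List[ArpEvent] = []
    for line in lines:
        m = REPLY_RE.search(line)
        if not m:
            continue
        event = watcher.observe(m.group("ip"), m.group("mac"))
        if event is not None:
            events.append(event)
    return events


# Constructed sample capture (not from a real network): a host appears, a second
# host appears, a request is ignored, the first host repeats its binding, then
# its IP is answered by a new MAC, and finally the original MAC comes back.
SAMPLE_LINES = [
    "12:00:01.000 ARP, Reply 10.0.0.5 is-at 00:11:22:33:44:55, length 28",
    "12:00:02.000 ARP, Reply 10.0.0.7 is-at aa:bb:cc:dd:ee:01, length 28",
    "12:00:03.000 ARP, Request who-has 10.0.0.1 tell 10.0.0.5, length 28",
    "12:00:04.000 ARP, Reply 10.0.0.5 is-at 00:11:22:33:44:55, length 28",
    "12:00:05.000 ARP, Reply 10.0.0.5 is-at DE:AD:BE:EF:00:01, length 28",
    "12:00:06.000 ARP, Reply 10.0.0.5 is-at 00:11:22:33:44:55, length 28",
]

if __name__ == "__main__":
    for ev in watch_lines(SAMPLE_LINES):
        print(f"{ev.kind:25} {ev.ip:12} {ev.mac}"
              + (f" (was {ev.old_mac})" if ev.old_mac else ""))
```

In a real deployment the lines would come from a sniffer on the user-facing VLAN and the events would go to the monitoring system (Nagios via SNMP traps or syslog, as the post suggests). The "changed ethernet address" and "flip flop" events are hints to go look, not proof of anything: a DHCP lease moving to another machine triggers them just as well as an attacker, and an attacker who clones the expected MAC never triggers them.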

There are several PCI Express network cards with a connector for a SFP module. There are SFP modules for practically any wavelength and for single or multimode fibers. Just plug in the appropriate SFP.

Of course, there is still the possibility that the SFP is removed and 230 Vac is connected to the connector on the network card. If you have such fear in your company, I guess that there are more serious problems that first need to be dealt with :-)
Reply to
upsidedown

only 42 bux, and for another $13 you can have gigabit.

formatting link

--
umop apisdn
Reply to
Jasen Betts
