I have mentioned before that using Ethernet cables instead of Wi-Fi can make your network more secure. However, there are still some things to consider to make sure you do not accidentally undo the benefits of a wired network.

Consider live, publicly-accessible RJ-45 jacks. If the public is supposed to access them, like in a hotel, then you already have them isolated on a guest network, right? But if you need occasional access to your internal networks from public areas, you should put locking covers on the jacks. An example for indoors is the Pass & Seymour WP26L:

For more security, you might add tamper-proof screws, like the Leviton 84000-T:

For outdoors, you might use the Pass & Seymour 4600/460026P:

If you have floor Ethernet jacks, you could use the Leviton 41652:

This is not really a locking cover, since it can be opened with a large coin, but it forces anyone who is going to use it to open it, which makes it harder for anyone to connect unnoticed. It also keeps dirt and crud out of your RJ-45 jack, which is a plus.

I should add that I mention specific brands and models not to promote them, but to better show you what I am talking about.

There are some alternatives to these locking covers that I do not consider as good.

The first is an Ethernet switch, like the Electro Standards Laboratories Model 8086 RJ-45 Cat6 Manual A/B Switch, to disconnect the line to the jack when it is not in use.

There are two problems with this approach. First, these switches are very expensive, especially for Cat6 cables. More importantly, when the switch is in another room, how do you make sure the jack is turned off once it is no longer needed? With a locking cover, it is clearly visible when it is unlocked, so you are less likely to forget.

Another approach is plugs that fill the RJ-45 jack and lock in place. The Azco RJ45 Lock Jack, model AZRJ45JLP, uses a proprietary key:

The RJLOCKDOWN RJ45JLB Jack Lock uses an Allen wrench:

The problem with these is that they are separate pieces that are easy to misplace, and staff might be tempted to leave them out if they will be using the jack again soon.

By the way, none of the locks on these devices are high-security. In fact, for any given device (wall plate, etc.) they are generally all keyed alike. But that is not the point. It is sort of like the old joke about the purpose of locks being to keep honest people honest. If you have exposed RJ-45 jacks, someone can bend over like they are tying their shoe and casually plug in a Raspberry Pi box loaded with hacking software. If the jack is behind a chair, you might not even notice it for a while. But if the person has to unlock the jack with a key, it takes longer, is more visible, and is more likely to be noticed, not just by security, but by passersby, who might notify security that something seems amiss. And the fact that the intruder is carrying the special key makes it harder to profess innocence.

(Addendum 2023-12-30: There is at least one locking outlet box that has a professional-grade lock, the L6000E High Security Electrical Outlet Vault from Selective Security Services:

However, unless you are OK with it sticking several inches out from the wall, you will have a lot of rework to recess it into the wall.)

As an additional detective control, you can run the cables from the jacks into a managed Ethernet switch, and have it send an SNMP “link up” trap to your security department when one of the jacks becomes active.
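One way to act on those traps, as an added example that is not from the original post: a handler that reads a trap in the text form Net-SNMP's snmptrapd passes to a traphandle script (assumed here with numeric OIDs) and alerts only when linkUp arrives for a jack that should be locked. The switch address, ifIndex values and jack names are constructed.

```python
import re

SNMP_TRAP_OID = ".1.3.6.1.6.3.1.1.4.1.0"   # snmpTrapOID.0
LINK_UP = ".1.3.6.1.6.3.1.1.5.4"           # IF-MIB linkUp notification
IF_INDEX_PREFIX = ".1.3.6.1.2.1.2.2.1.1."  # ifIndex.<n> varbind

# Hypothetical inventory: (switch IP, ifIndex) -> jack that is normally locked.
WATCHED_JACKS = {
    ("192.0.2.10", 7): "Lobby wall plate, behind seating",
    ("192.0.2.10", 12): "Conference room floor box",
}

# Constructed sample of what snmptrapd hands a traphandle script on stdin.
SAMPLE_LINK_UP = """switch-lobby.example.net
UDP: [192.0.2.10]:161->[192.0.2.1]:162
.1.3.6.1.2.1.1.3.0 0:1:02:03.00
.1.3.6.1.6.3.1.1.4.1.0 .1.3.6.1.6.3.1.1.5.4
.1.3.6.1.2.1.2.2.1.1.7 7
.1.3.6.1.2.1.2.2.1.8.7 1
"""

def parse_trap(text):
    """Return (source IP, {oid: value}) from hostname/transport/varbind lines."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if len(lines) < 3:
        raise ValueError("truncated trap")
    match = re.search(r"\[(\d+\.\d+\.\d+\.\d+)\]:\d+", lines[1])
    source = match.group(1) if match else lines[0]
    varbinds = {}
    for line in lines[2:]:
        oid, _, value = line.partition(" ")
        # Keep the last token so "INTEGER: 7" and bare "7" both work.
        varbinds[oid] = value.split()[-1] if value.split() else ""
    return source, varbinds

def check_trap(text, watched=WATCHED_JACKS):
    """Return an alert string for linkUp on a watched jack, else None."""
    source, varbinds = parse_trap(text)
    if varbinds.get(SNMP_TRAP_OID) != LINK_UP:
        return None  # linkDown, coldStart, etc. are not this control's concern
    for oid, value in varbinds.items():
        if oid.startswith(IF_INDEX_PREFIX) and value.isdigit():
            jack = watched.get((source, int(value)))
            if jack:
                return f"ALERT: link up on {jack} ({source} ifIndex {value})"
    return None

if __name__ == "__main__":
    print(check_trap(SAMPLE_LINK_UP))
```

Keeping the watch list to jacks that are normally covered means ordinary desk ports coming up each morning do not bury the alert that matters.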

Something else to consider is permanently connected devices that are publicly accessible, like point-of-sale printers. An RJ-45 plug lock-in device, like the Panduit PSL-DCPLE, will keep anyone from unplugging the cable and inserting a hacking device while no one is looking.

In addition to data security, you must consider lightning protection if your cables run outside, either buried or aerial. The damage that the power from a nearby lightning strike can do if it gets into your network is amazing. You need a lightning arrestor like the L-Com AL-CAT6AHPJW on one or both ends of the outdoor span, depending on its length.

Once you have your data safely confined to your cables, you need to make sure your cables are secure. One place I worked leased the 7th and 8th floors of an office building. The Cat6 cables to the cubicles on the 8th floor ran through holes in the concrete floor, then through the drop ceiling of the 7th floor. Later, they consolidated everyone on the 8th floor and sub-let the 7th, leaving the cables exposed to another company.

How much of a problem this is may depend on how valuable your data is. I am not really comfortable with it, because it would not be all that hard for someone to go up in the ceiling on a weekend and tap into a Cat6 cable. A device like the Hak5 Plunder Bug would make this easy.

(If they were tapping mid-span, they would have to cut the cable and crimp on RJ-45 connectors, so they could plug into the Plunder Bug. An experienced installer could do this quickly.) If your cables have to go through space that you do not control, I would be a lot more comfortable with conduit and junction boxes with locking covers.

