It’s an ethernet wire that’s going to be exiting my house and running to a camera in a publicly accessible space. An attacker could disconnect the camera, connect a laptop and access my network. How could I protect against that (other than a physical lock)? I basically want to lock down that cable to the point where nothing works on it unless it’s the intended camera. If this was wireless, I’d just use MAC filtering, but I don’t see an equivalent for wired connections.

  • ZeroCooler@sh.itjust.works · 11 months ago

    Is this connecting to a managed switch? If so, you need to see if it supports port security. That way you can lock the port to the MAC of the camera.

  • echoskope@alien.top · 11 months ago

    As others have suggested, you can do port-based MAC filtering on some switches. There are also physical cable locks that I’ve played around with from Panduit (and other vendors); they won’t prevent someone determined from disconnecting it, but they’re a good deterrent. Some switches also have security settings where if a port status goes down it will keep the port offline, so if someone disconnected the camera they would be plugging into a dead wire.

    • LMF5000@alien.top (OP) · 10 months ago

      Yes, but no good replies so I figured I’d simplify the question greatly, and now we’re getting somewhere 😁

  • Yukanojo@alien.top · 11 months ago

    Tap or SPAN off the switch into a packet analyzer like SiLK; you only really need the header info. Take a sample of the traffic the camera will be pushing: ports, amount of data, destination MAC/IP.

    Find a SOAR or automation platform that works for you. Set it up to search the SPAN/TAP data off the switch in the analyzer, and the moment that camera starts sending something that ISN’T baseline traffic, shut the port down on the switch and send you an email about it.

  • BlimBaro2141@alien.top · 11 months ago

    Most extreme way I can think of… Using a good router like pfSense or OPNsense, you make a VLAN for the camera only. Create a firewall rule allowing only that camera to access the other network via the specific needed ports only. Even if they spoofed the MAC they would also need to route traffic through the associated ports as well, and it would take a while for anyone other than an expert to figure out wtf is going on.

    • LMF5000@alien.top (OP) · 10 months ago

      That would require me to know which ports and IPs the camera system uses. I couldn’t find that in the documentation, is there any way I can find out myself? Packet sniffing for instance?

  • who_you_are@alien.top · 11 months ago

    VLAN (assuming the camera is plugged into your LAN infrastructure) + a firewall (to block the MAC + every kind of traffic except the one expected from the camera, down to the IP + port + protocol)

  • jkool702@alien.top · 11 months ago

    You might need a router running OpenWrt (and using DSA) for this, but put that Ethernet port on its own VLAN, isolate it, and lock it down with firewall rules.

  • WankelWanka@alien.top · 11 months ago

    Well, what is the risk here exactly?

    Are you worried about them accessing your network resources? If so, why are they open slather anyway? You really should be using strong authentication methods on networked equipment.

    If you’re worried about them sniffing your network - just how long do you think someone is going to spend sitting outside your house with a laptop to do so?

    You could set up some sort of monitoring device so that if the camera goes offline you get notified.

    Doesn’t your camera give motion alerts?

    • LMF5000@alien.top (OP) · 10 months ago

      It’s actually a DVR connected to 6 cameras, but the DVR physically resides in a neighbor’s garage (long story). I’m concerned someone in the neighbor’s garage could potentially disconnect the cable, plug in an unmanaged switch and put the DVR in the switch, then use my internet connection for potentially illegal activity, so I want to make sure that only the DVR can actually access my network from the wire and absolutely nothing else.

      • pLeThOrAx@alien.top · 10 months ago

        Whitelist against the MAC ID? Sounds like a lot of work though, adding new devices etc.

      • WankelWanka@alien.top · 10 months ago

        Right. That’s different, it originally read as if the port was hanging off the side of your house.

        What you need is a managed switch, firewall and VLANs. Segregate the NVR and cameras to a separate network; the port to the camera in the garage on the switch gets configured to the secured VLAN. Even if an unmanaged switch connects, it’ll be stuck in that VLAN. A good switch will also detect that switch connection and shut it down.

        And then only allow specific devices on your “internet” VLAN to contact the NVR. This will stop anyone connecting to that port and accessing other parts of the network.

        • LMF5000@alien.top (OP) · 10 months ago

          Thanks, I think I understand now. Any idea of the cheapest kind of switch that will do this?

          • WankelWanka@alien.top · 10 months ago

            Switch: look at a second-hand Cisco 3560E or 3560X. You could even go with one of the C3560CG-8PC 8-port switches if you can’t go with a full rack-mount option.

            Router / firewall: you could use a second-hand MikroTik 750 or 951.
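            Added example (not from any commenter in this thread): what the garage port looks like on a Cisco IOS switch of the kind named above, assuming the cable lands on GigabitEthernet0/8 and the camera/DVR VLAN is 40. It learns the DVR’s MAC once and saves it, trips on a second MAC (the unmanaged-switch case) or on a BPDU, and does not auto-recover, so a tripped port stays dead until you re-enable it by hand. The firewall policy for what VLAN 40 may reach belongs on the router, not here.

```cisco
! Camera / DVR VLAN (assumed id 40)
vlan 40
 name CAMERAS
!
! Port the cable to the neighbour's garage terminates on (assumed Gi0/8)
interface GigabitEthernet0/8
 description DVR uplink (garage) - locked down
 switchport mode access
 switchport access vlan 40
 switchport nonegotiate
 ! Exactly one MAC allowed; learned once and written into the config
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address sticky
 switchport port-security violation shutdown
 ! Edge port: a switch that sends a BPDU here err-disables the port
 spanning-tree portfast
 spanning-tree bpduguard enable
 no cdp enable
!
! No automatic recovery: a tripped port stays down until "shutdown" /
! "no shutdown" is issued by you, per the "dead wire" behaviour above
no errdisable recovery cause psecure-violation
no errdisable recovery cause bpduguard
```

            After the DVR has been seen once, `show port-security interface GigabitEthernet0/8` shows the sticky MAC and whether the port has tripped.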

      • niteofknee@alien.top · 10 months ago

        Maybe look into a lockable network cabinet that you could put the DVR in. This would add a layer of physical security instead of diving into network security. For added security, run the network cable in conduit to prevent someone from cutting the cable outside the cabinet.

  • Wdrussell1@alien.top · 11 months ago

    MAC address filtering works on wired too. If the switch supports it, this is the easiest thing to do. But you may have to set a VLAN and then only allow that MAC on that VLAN. Disable DHCP too if you can.

    • LMF5000@alien.top (OP) · 10 months ago

      How would devices connect if DHCP is disabled? Sorry, still new to this.

  • Chaz042@alien.top · 10 months ago

    1.) Ensure the camera is securely installed and the Ethernet port is not exposed. Use tamper/security screws.

    2A.) Enable MAC address filtering on your switch… but if someone is doing all this work they’re going to know to spoof the camera’s MAC address.

    2B.) Set up 802.1X authentication if your camera(s) support it; this is more work but more work.

    3.) Segment external cameras to their own VLAN and use ACLs to restrict access.

    4.) Monitor your network! Set up monitoring to see when new devices join, or when a switchport/camera goes offline randomly. Then ensure all of these events go somewhere of your choice.

    5.) Monitor your camera! You should definitely be getting alerts for motion if someone is close enough to disconnect the camera(s). Also you should have cameras watching each other’s back in terms of coverage.

  • proa_p@alien.top · 10 months ago

    MAC filtering is not real security. It is so easy to bypass that filtering MACs is almost as secure as not doing it. Your best options are:

    • placing the connection port in a hard-to-reach location
    • placing that port in an isolated VLAN coupled with some firewall rules so that all the outgoing connections are dropped
    • if your switch can, playing with ACLs to further lock it down
    • if you really want to get serious about port security, you will need a RADIUS server. But most IP cameras won’t be compatible…

  • SicnarfRaxifras@alien.top · 10 months ago

    You want to get an IP camera and a switch/router/firewall that supports 802.1X port authentication, along with a VLAN for segregation and MAC filtering, because more is better.

    With 802.1X the camera has to authenticate / re-authenticate using EAP for the port to remain active. If someone rips off the camera and figures out its MAC address to spoof, it’s still not going to pass the EAP challenge.
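    Added example, not from the thread: the garage port with 802.1X as described above, assuming an IOS 15 switch, GigabitEthernet0/8, camera VLAN 40, and a RADIUS server at the placeholder address 192.0.2.10. Nothing passes until the DVR completes EAP, and the port re-authenticates every hour; there is deliberately no MAC-bypass fallback, so a spoofed MAC, a laptop, or a DVR that cannot do 802.1X simply never gets authorized.

```cisco
! Global AAA: 802.1X requests go to RADIUS (address and key are placeholders)
aaa new-model
aaa authentication dot1x default group radius
dot1x system-auth-control
!
radius server HOME-RADIUS
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
 key REPLACE-WITH-SHARED-SECRET
!
! Garage port (assumed Gi0/8): closed until the DVR passes EAP
interface GigabitEthernet0/8
 description DVR uplink (garage) - 802.1X
 switchport mode access
 switchport access vlan 40
 ! Switch acts as authenticator; only one authenticated host allowed
 dot1x pae authenticator
 authentication port-control auto
 authentication host-mode single-host
 ! A second MAC behind the port (e.g. an added switch) shuts it down
 authentication violation shutdown
 ! Re-run EAP every 3600 s so a swapped device loses the port quickly
 authentication periodic
 authentication timer reauthenticate 3600
 dot1x timeout tx-period 10
 spanning-tree portfast
 spanning-tree bpduguard enable
```

    `show authentication sessions interface GigabitEthernet0/8` shows whether the DVR is currently authorized and which RADIUS result it got.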