Firewall Wizards mailing list archives

Previous By Date Next
Previous By Thread Next

Network cables as security devices

From: "Bruce K. Marshall" <bkmarsh () feist com>
Date: Wed, 19 Aug 1998 16:16:27 -0500
I'm not sure that it has been mentioned on this list, but on several
occasions I have followed discussions where secure logging systems, IDS,
services, etc. needed additional security.  One piece of advice often
appears to be cutting the "transmit" wires in the network cable.

    At first glance it sounds logical and like a decent idea, especially if
your system doesn't need to respond to the data that is being sent to it. 
However, upon actually trying this I met with utter failure.

    When dealing with normal twisted pair Ethernet cable you can usually
refer to EIA/TIA 568B as the wiring guide.  This standard states that you
utilize pairs 2 & 3 (the orange and green pairs) with pair 2 using RJ45
plug pins 1&2 and pair 3 using RJ45 plug pins 3&6.  Here is a rough ASCII
diagram (which probably won't show up correctly for half of you):

          1 2 3 4 5 6 7 8
        [ | | | | | | | | ]
        | T R T R T R T R |
         |               |
          ------___------

    The "T"'s and "R"'s represent tip and ring -- or transmit and receive
-- on the cable, so you could assume that by disconnecting pins 1 and 3 you
would only eliminate any unwanted transmissions by your system.

    In practice, this terminates all network traffic and not just
transmissions.  Disconnecting any one of the four wires results in no
connection at all to the machine.

    I assume that this is because of the link integrity check used for
Ethernet connections.  But my real question is whether anyone has actually
been able to get around this requirement.

    As a by-product of this exercise I believe I managed to create the
cheapest hardware based firewall in the industry.  For approximately $8 US
I purchased a toggle switch, two RJ45 jacks and a small project box that
allows you to turn on and off the network connection to a device of
segment.  Anyone who can't afford such luxuries will have to keep plugging
and unplugging cables. :)

    Thanks for the feedback.

-- 
Bruce K. Marshall, CISSP - bkmarsh () feist com - Feist Communications
      2424 S. St. Francis - Wichita, KS 67216 - 316-264-2248

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature

Previous By Date Next
Previous By Thread Next

Current thread: