Locking Down Network Connections Guide

By John Scanlan, Published Apr 23, 2019, 10:35am EDT

Accidents and inside attacks are risks when network connections are not locked down. Security and video surveillance systems should be protected against such attacks, and this can be done with relatively low-cost means.


Inside this guide, IPVM explains how these locking devices work and what the tradeoffs are. To do so, IPVM bought and tested them.

We include 3 video demonstrations, review the methods, demonstrate how they are used, and give our recommendations.

Why **** ****

***** *** ******* ********** to ******* **** ******* on ************ ***********, *** example:

  • **** *** ******* ********* / ******* ********** *********** from ***** ******
  • ******* ***** / ********** devices **** ********** ** the ************ *******
  • **** *** **** ******** NVRs *** ******* ******** Ethernet *****, ** **** point ** ***** *** anyone **** ****** ** network *****
  • ****** ****** *** ** in ****** ********** *********, such ** ********** ** a "*******" **** ** a ******* ** **** simply ******* **** * bullet ** *** ****** cable ****, ********* ** tools *** *************

Summary / ********

***** *** *********** ***** common ***** ** **** and ***** ***** ********** to ** ***** *** security *******.

******* ***** ***** *** **** ** **** the ***** ***** ** the **** ****. **** slide **** *** ******* plug ** * ***** cable, ******** *** ******* tab, ** ** *** not ** ********* ** remove *** *****. **** locks ********** ******* *** entire *** ** ******* potential ********* ** ********, while ****** ***** ** exposed, *** ********** ** break ** ********* ****** most ** *** *** engaged ** *** ****, so *** ***** *** still *** ** *******.

**** **** ***** *** **** ** ******* access ** ***** *****. They *** **** ****** ports **** ** ******** or ***** ***** *****, extending * *** **** the **** ******* ** a ***** ***** *** locked ** ***** **** a *********** ***. **** are ********* *** *******, to ******* ********* **** gripping *** **** **** tools, **** ** ******, to ******* ** ****** it.

*** ****/***** *****: *** ***** ***** *** used ** **** **** USB ****** **** *** USB **** *.*. ******* a ***** **** ***** disconnected **** ** ***. They *** ********* ***** component ******* **** *** piece ******* **** *** 

*** **** ********* *** cable, **** ******* **** wraps *** ***** ******** both **** *****, *** USB *****, *** *** device. **** *** ****** use *** **** ** cut ** **** *** cable.


Manufacturer *******

******** ************* ******* ***** cable *** **** *****, of ******* ******, ********* *******,***** ***,** ********, **********.

***** ******* ***** ****** in *****, **** ~$* USD *** *** ****** cost ** ~$** *** serialized ******* ******.

***-********** ****** ******** **** locking ********** *** **** available [**** ** ****** available].

Securing ***** ******

******* ***** ***** ******* a ********* **** *********** being *********** ** ************ disconnected. ***** ***** ***** the ******* *** ** it *** *** ** depressed ** ******* *** cable **** *** ****/****.

***** *** **** ********* in ***** ***** ****** may *** ****:

  • ***** *****:***** ***** ***** ****** will *** **** **** most ****** ***** ***** if *** **** **** be ******* *******, ** the *****/****** ******** ** manufacturers ****** ****** *** the ******* ****** ****** it.
  • ****** ***** ******:****** **** ****** ****** boots *** ***** *** lock **** ***** ********, forcing *** **** ** be ******* ** ******* to **** *** *****.
  • ****** ****** ********:*******, ***** *** ****** not *** ****** ****, bullet, ** ***** ****** housings, *** ** ***** constraints. *** *** **** in **** ***** ***** a ****** ****** *** be ******* **** *** dome *** ********, *** this **** ********** ************ time.

** *** ***** ***** we *********** *** ************ and *** ** * patch ***** **** *** these ******.

Securing ****** *****

***** ***** ***** ***** secure ****** ** ***, unused ***** *** **** be *******. *** ***** below ***** ** ******* of ***** ***** ******* plugs, ***** *** **** to ****** ****** ******** ports, *.*., ****, ********, mispans, **** *****, ***** panels, ** *** ***** female **** **********.

************, ***** *** **** port ***** ***** *** single ***. *** *******, the ******* **** **** (developed ** ************ **** the ** ******** ******** Agency) ***** **** *** port *** **** ** destroyed ** ****** **. Additionally, **** **** *** a ******* ****** ******, which *** ** *******, making ** ******* ** a **** *** **** removed ** ********. ** tested *** ******* *** RJ45 **** ***** ***** below.

 PadJack SVE RJ45 Port Locks

** *** ***** ***** we *********** *** *** RJ45 **** ****, *** it ** *********, *** destroyed **** *******:

Securing *** ******

*******, ************ ****** *** also ** ******** ** connecting ******** ** * device *** *** *****. To ******** **** ****** USB **** ***** *** cable ***** *** ** used, ****** ** **** down ** ****** **** or ** ******* ** in-use ***** **** ***** removed.

** ******* * *** device **** ***** ******* or ***** ******* * USB **** *** ** used ** ****** *******, which *********** ******** ** a **** ***** ** plastic *** *********. ** the ***** ***** ** demonstrate ******** * ***** to ** *** ***** a******* *** ***** ****.

** ******** ** ********* devices **** ** ******** and ****, ****, *******, and ******* ******* **** likely **** * *** port ** ***** **** are *** ** ***. USB **** ***** ** port ******** *** ** used ** ******* ****** to *** **** *****, in * ******* *** that **** ******* ***** work.  ***** ***** ** a **** **** ** inserted **** * ****** USB ****, ****** ************ to ***** ******* *** key.  **** ***** ***** with ******** **** *** be **** ** ***** a **** ** *** ports **** *** ****.

USB Port Lock

Proprietary ******* *****: ****** ********, ***** ***********

***** ***** ******* *********** tools *** ********* ** security ** * *******. Some ***** *** ******** allen ** **** ****, or **** ***** **** blade ************, *** ** which *** **** ** come **, *** **** provide **** * ******* level ** ********. ***** may ***** ** ** use **** ********** ******* is * ****** ******* than ********.

*********** ******* ***** *** potentially * ******** ** using ***** *****. *** technicians *** *** ******* or ******* * ****** must ***** * **** with ****, ** **** will **** ** *** of ******** *** *****.

* **** *** ** left **** ******* ** site, ** ****, ** a **********, *** **** opens ** *** ****** to *********. *********** ***** are *********** ** **** and ******** **** **** the ***** ** ** additional ******.

No ***** *** ********** *********

* ***** ********** ******** will **** * *** to ****** ***** *****, though **** ******* * level ** ********** ******* less ************* ******* ** accidental *******. ** *** lock *****'* *** *********** tools, ** ** ****** enough ** ****** *** what ** ****** ** unlock **.

**** ** ** **** use *********** *****, ********, cutting ****, ** ******** may ***** ****** *** lock ********** *******, ****** will ******* **** ********** motions *** **** *********** tools. ** **** *** be ** **** ** ordering *** ******* ****. If *** **** *****, those ***** ******* ** gain ****** ** * given ***** *** **** a *** ** ****** cut ** *** **-********* it, ***** **** ** undetected ** **** ********.

*** ***** *******, ***** locks *** ***** *** recommended ** **** *** layer ** ******** ** provide * ******* ** deterrence *** *****.

******* Security *********

** ** ********* ** go ****** **** ******** security.  *** **** *********** on ******** ******** ****** check *** ***** ******* reports:

Comments (9)

Another good defense-in-depth approach is to set up SNMP monitoring on your managed switches to report any time a port comes up. This can help detect rogue devices plugged into the network, as well as devices that might be flapping. It obviously should be disabled for ports that are connected to devices like office PCs, or other equipment that is expected to power cycle a lot, but these are generally not the ports you are worried about for rogue devices, as they are already out in the open.

Agree: 1

set up SNMP monitoring on your managed switches to report any time a port comes up

On the other hand: ADI More Bad Advice: Network Switches


Well, if you're relying on ADI for any kind of general advice, you are probably far from the level of worrying about (or being aware of) things like advanced port security mechanisms.

BTW, great post on the ADI Advice.

Funny: 2

Thanks U1, and for those interested in more information on SNMP for Video Surveillance, we have a report here.


The USB cable lock would have been great years ago when some software platforms required a USB dongle. Hey it looks like a thumb drive so it must be a thumb drive. Doh!

Agree: 2, Informative: 1, Funny: 2

We just used these for the first time and they were fine for the intended use.

Platinum Tools Lockable Boot

Informative: 1

Physically securing unused switch ports is a good start, but locking the ports electronically is more likely to block access. Using a black hole VLAN or simply disabling ports is what we prefer to do. This system alone won’t prevent people from unplugging existing patches, but it will prevent access on unused ports.  

Agree: 2, Informative: 1
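
The two electronic controls raised in the comments above (reporting link-up events except on ports expected to power cycle, and disabling unused ports or parking them in a black hole VLAN) can be checked together. The following Python is an added example, not code from IPVM or the commenters; the port inventory, trap log, interface names, VLAN 999 and flap threshold are constructed assumptions.

```python
from collections import defaultdict

LINK_DOWN = "1.3.6.1.6.3.1.1.5.3"  # standard SNMPv2 linkDown notification OID
LINK_UP = "1.3.6.1.6.3.1.1.5.4"    # standard SNMPv2 linkUp notification OID
BLACKHOLE_VLAN = 999                # assumption: unrouted VLAN with no uplink
FLAP_COUNT, FLAP_WINDOW = 3, 300    # assumption: 3 link-ups within 300 s

# Constructed inventory: (switch, port) -> (role, admin_up, access_vlan).
# "fixed" = camera/NVR, "cycling" = office PC etc. (traps ignored), "unused".
PORTS = {
    ("sw1", "Gi1/0/1"): ("fixed", True, 20),
    ("sw1", "Gi1/0/2"): ("cycling", True, 10),
    ("sw1", "Gi1/0/3"): ("unused", False, 20),
    ("sw1", "Gi1/0/4"): ("unused", True, 999),
    ("sw1", "Gi1/0/5"): ("unused", True, 20),
}

# Constructed trap log: (epoch seconds, switch, port, notification OID).
EVENTS = [
    (1000, "sw1", "Gi1/0/2", LINK_UP),
    (1100, "sw1", "Gi1/0/4", LINK_UP),
    (2000, "sw1", "Gi1/0/1", LINK_DOWN), (2010, "sw1", "Gi1/0/1", LINK_UP),
    (2050, "sw1", "Gi1/0/1", LINK_DOWN), (2060, "sw1", "Gi1/0/1", LINK_UP),
    (2100, "sw1", "Gi1/0/1", LINK_DOWN), (2110, "sw1", "Gi1/0/1", LINK_UP),
]

def exposed_unused_ports(ports):
    """Unused ports that are neither disabled nor parked in the black hole VLAN."""
    return sorted(key for key, (role, admin_up, vlan) in ports.items()
                  if role == "unused" and admin_up and vlan != BLACKHOLE_VLAN)

def link_up_alerts(events, ports):
    """Report every link-up except on ports expected to power cycle."""
    alerts, ups = [], defaultdict(list)
    for ts, sw, port, oid in sorted(events):
        role = ports.get((sw, port), ("unknown",))[0]
        if oid != LINK_UP or role == "cycling":
            continue
        # Ports missing from the inventory are treated like unused ports.
        reason = "relink" if role == "fixed" else "unused-port-up"
        alerts.append((ts, port, reason))
        # Keep only link-ups inside the window to spot a flapping port.
        ups[sw, port] = [t for t in ups[sw, port] if ts - t <= FLAP_WINDOW] + [ts]
        if len(ups[sw, port]) == FLAP_COUNT:
            alerts.append((ts, port, "flapping"))
    return alerts

if __name__ == "__main__":
    print(exposed_unused_ports(PORTS))
    for alert in link_up_alerts(EVENTS, PORTS):
        print(alert)
```

A link-up on a port in the black hole VLAN is still reported: the VLAN blocks access, while the trap tells you someone plugged something in.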

Jon - good points and agreed, this should be part of a larger plan and why we added the 'Layered Security Important' section. In the networking course we review and demonstrate disabling unused switchports as well as PoE. I may have to add black hole VLANs.

Have you had any issues with techs struggling to complete add / move / change / work because of a null route?


No issues for us to date. Using UBNT Unifi switches makes this really easy. We can check switch configurations quickly with our iPhone. Make changes if needed too. 

Informative: 3