Locking Down Network Connections
Author: Ethan Ace, Published on May 02, 2012
Cameras and access control panels are gateways for hackers. Locating these devices throughout a building gives attackers multiple points of entry, many without any form of physical or network security. However, physical connections to the network may be secured with RJ45 locks. In this note, we look at these products, differing styles, and what sort of protection they may provide to a security network installation.
RJ45 locks are available for both patch cables and empty ports, operating on the same principle, but with some differences:
- Patch cable locks slide over the cable and connector, extending beneath the modular plug's release tab. When engaged, the tab cannot be pushed down to remove the cable without first disengaging the lock. Some locks completely obscure the entire tab to prevent potential tampering or breakage. Others leave it exposed, but attempting to break it typically leaves most of the tab engaged in the port, so the cable still cannot be removed.
- Locking plugs fit into unused RJ45 ports, whether on a wall plate, patch panel, or switch. When engaged, a small tab extends to lock the plug into place. Plugs are typically low-profile, to deter potential attackers from gripping the plug with tools, such as pliers or vise-grips, to remove it.
Multiple manufacturers provide patch cable and port locks, of varying styles, including Panduit, Black Box, AMP, and RJ Lockdown. Pre-terminated patch cables equipped with locking connectors are also available. Both plug and port locks sell for about $3-5 USD online, typically sold in bags of 10 or 25.
This zoomed image illustrates typical cable locks and locking plugs (Black Box shown), and their individual parts:
Locks which require proprietary tools are preferred if security is a concern. Some locks use standard allen or Torx bits, or even small flat blade screwdrivers, all of which are easy to come by, and thus provide only a nominal level of security. These may still be of use when security is not the main concern, but accidental removal is still a worry.
Proprietary removal tools are potentially a downside to using these locks. All technicians who may install or service a system must carry a tool with them, or have no way of removing the locks. A tool may be left with someone on site, as well, as a precaution, but this opens up the system to tampering. Over time, however, techs see the tool as another part of their toolbag, and this becomes less of an issue. Replacement tools are inexpensive or free, and normally ship with the locks at no additional charge.
This image shows one type of proprietary lock installation/removal tool, in this case Panduit:
Should You Use This?
Given their low cost, RJ45 locks are a reasonable investment in most applications. Even if security is not a concern, they may be used to prevent accidental disconnection of cameras, servers, and other devices. In installations which share a network with other services, this may be especially useful, as users may simply unplug a critical cable, mistaking it for another device.
A truly determined attacker will find a way to defeat these locks, though they provide a level of deterrence against less sophisticated vandals or accidental removal. If the lock doesn't use proprietary tools, it is simple enough to figure out what is needed to unlock it. Even if it does use proprietary means, breaking, cutting away, or drilling may still remove the lock relatively quickly, though this will require more noticeable motions and less concealable tools. If all else fails, those truly seeking to gain access to a given cable may find a way to simply cut it and re-terminate it, which will go undetected on most networks. For these reasons, cable locks and plugs are recommended as only one layer of security to provide a modicum of deterrence and delay.