I recently had my home wired for gigabit ethernet, which is awesome, but left me with a short ethernet run that is actually outside the walls of my house. How can I secure this link against someone splicing in? Ideally I'd like to attach something to each end of the cat6 run that encrypts traffic in a way that is transparent to the other devices on the network, but am interested in software solutions as well (as long as they perform well and aren't too onerous to set up).

Drew Shafer
  • Product recommendations are off topic here, unfortunately - they tend to go out of date very quickly. – Matthew Jun 06 '17 at 15:16
  • Even if not a product recommendation, I could use some help with the vocabulary I need to inquire about this effectively. I don't even know what to google for at this point. – Drew Shafer Jun 06 '17 at 15:19
  • I'll edit the question to avoid asking for product recommendations – Drew Shafer Jun 06 '17 at 15:19
  • Firstly, it might be cheaper to just box the cable in with something as secure as needed to mitigate the potential threat you feel you face... But failing that, how about a router at each end of the cable run with an IPsec tunnel set up? – ISMSDEV Jun 06 '17 at 16:17
  • @DrewShafer Thank you - that's much better. Questions of "how can I do x?" are generally more helpful for longer and to more people than ones of "what products let me do X?", so the edited question is more likely to get useful answers – Matthew Jun 06 '17 at 16:35

5 Answers

Once in a while, when entering or leaving the house, look to see if anyone has spliced into the cable. If the cable looks OK, you're good.

This has no set-up requirements at all, and zero impact on your network speed.

Simon B

There are two possible options to consider: Layer 2 (data-link) encryption and Layer 3 (network or IPsec) encryption. Unfortunately both are probably more expensive or complicated than you want to get into. However, the wire that runs between you and your internet service provider (or even further downstream) is just as susceptible to splicing, if not more so. What this means is that the only way to be really secure is to use strong end-to-end encryption whenever you need to do something sensitive, and that encrypting traffic over that one little link of your local network is probably not going to make you any safer. End-to-end encryption will encrypt the sensitive traffic on your device, and it's not decrypted until it reaches the destination device, thus preventing most practical packet sniffing attacks.

Remember that costly security only makes sense when it protects something of equal or greater value. I would suggest the following alternatives:

  1. Physical security, such as putting your external cable inside an armored conduit.
  2. Make sure you use HTTPS for anything sensitive on the web. Even if these packets are sniffed on your network they will already be encrypted. This encrypts data between your machine and the destination web server.
  3. Use end-to-end encryption whenever offered. In contrast to HTTPS, end-to-end encryption will keep data encrypted past the destination web server up to the point where the data is actually used.
  4. Use encrypted wifi with a strong password whenever you're dealing with something sensitive. This encrypts all data between your machine and your wifi access point.

A Layer 2 solution most closely resembles what you asked for in the question. These devices are sometimes called "bump in the wire" devices specifically because you attach them to either end of a physical cable and all encryption happens transparently and without the knowledge of any other device on the network. Unfortunately at this time these solutions are extremely expensive: they are "call for price" expensive. Some quick googling suggests that these devices start at a few thousand dollars and quickly go into the few tens of thousands of dollars range. They provide high security, authentication, and can operate at 10gig/100gig speeds.

Searching for "layer 2 encryption" or "bump in the wire encryption" or "MACsec" will get you more information about these devices.

Layer 3 encryption is network-based encryption typically using IPsec. Here, each host on your network authenticates and/or encrypts communications with each other host on your network. If you had an IPsec enabled router/switch and a sufficiently smart device on the other end you might be able to set up IPsec so that it only functions over that one wire. It would also be possible to encrypt all data on your local network (behind your router). Beware that IPsec in general generates a lot of processing and bandwidth overhead.

David
  • Why do you think those devices are so expensive? – flarn2006 Jul 17 '19 at 20:06
  • @flarn2006 My guess is because the market for such devices is very small. There are lots of easier and better alternatives, such as all those discussed in this thread. These kinds of devices are only useful when you can't move your wire someplace safer and you can't fix your networked security. Suppose you've got an old embedded system that doesn't support IPsec and you can't replace the system and you can't move the system. – David Jul 21 '19 at 18:53
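The answer above points at MACsec as the search term for Layer 2 "bump in the wire" encryption. As an added example (not code from the answer, and not any vendor's product), here is the low-cost version of such a device: two small Linux boxes, one at each end of the outdoor Cat6 run, each bridging its inside port with a MACsec (IEEE 802.1AE) device on its outdoor port, using a static key configured with `ip macsec`. Devices behind the boxes see a single plain Ethernet segment; only the outdoor cable carries GCM-AES-128 frames. The interface names (`lan0`, `eth1`), MAC addresses and the key are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the original answer: a DIY "bump in the wire" using
# the Linux kernel MACsec driver with a statically configured key.  Each box
# bridges its inside port with a macsec device on the outdoor port.
# Interface names, MACs and the key are assumptions for illustration.
#
# Usage on each end:
#   [APPLY=1] sh macsec-link.sh <lan-if> <wire-if> <peer-wire-mac> <sak-hex> a|b
# Without APPLY=1 nothing is changed; the commands are only printed for review.

# Check that the secure association key (SAK) is exactly 16 bytes of hex,
# the key size for the default GCM-AES-128 cipher suite.
valid_sak() {
    case "$1" in
        *[!0-9a-fA-F]*) return 1 ;;
    esac
    [ "${#1}" -eq 32 ]
}

# Print the ip(8) commands for one end.  Both ends share one SAK: each end
# transmits under its own key id and receives under the peer's.  The GCM nonce
# is the sender's SCI (MAC + port) followed by the packet number, so the same
# SAK in both directions does not reuse a nonce.  The 32-bit packet number is
# never reset by the kernel; with a static key you must re-run this with a
# fresh SAK well before 2^32 frames (MKA, e.g. via wpa_supplicant, would rekey
# automatically).  Replay protection with a 64-frame window drops re-injected
# frames.
macsec_commands() {
    wire_if=$1; peer_mac=$2; sak=$3; tx_keyid=$4; rx_keyid=$5
    valid_sak "$sak" || { echo "SAK must be 32 hex characters" >&2; return 1; }
    cat <<EOF
ip link add link $wire_if macsec0 type macsec encrypt on replay on window 64
ip macsec add macsec0 tx sa 0 pn 1 on key $tx_keyid $sak
ip macsec add macsec0 rx port 1 address $peer_mac
ip macsec add macsec0 rx port 1 address $peer_mac sa 0 pn 1 on key $rx_keyid $sak
ip link set $wire_if up
ip link set macsec0 up
EOF
}

# Bridge the inside port with the macsec device so the encryption is
# transparent: the bridge forwards frames and macsec0 encrypts them on the
# way out to the cable.  $1 = inside interface, $2 = macsec device.
bridge_commands() {
    lan_if=$1; sec_if=$2
    cat <<EOF
ip link add br0 type bridge
ip link set $lan_if master br0
ip link set $sec_if master br0
ip link set $lan_if up
ip link set br0 up
EOF
}

if [ $# -eq 5 ]; then
    # End "a" transmits under key id 01 and receives under 02; end "b" the reverse.
    if [ "$5" = a ]; then tx=01; rx=02; else tx=02; rx=01; fi
    plan=$(macsec_commands "$2" "$3" "$4" "$tx" "$rx"; bridge_commands "$1" macsec0)
    if [ "${APPLY:-0}" = 1 ]; then
        printf '%s\n' "$plan" | sh -e
    else
        printf '%s\n' "$plan"
    fi
fi
```

Generate the SAK once with something like `head -c 16 /dev/urandom | od -An -tx1 | tr -d ' \n'` and carry it to the other end by hand. MACsec adds 32 bytes to every frame, so either raise the MTU of the outdoor interface (`ip link set eth1 mtu 1532`, if the NIC allows it) or lower the MTU of the devices behind the bridge; otherwise full-size 1500-byte frames are dropped. This is a plain kernel feature, so it runs at gigabit speed on modest hardware, which is the part the commercial appliances charge for.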

What you basically set up is two disparate sites. Assuming you ran a cable from your house to a detached garage, it doesn't matter if your garage is 100 feet away or located in rural Guangzhou, for the sake of security you consider it as two separate sites.

To those ends, what you need is a site-to-site VPN setup, similar to any corporate LAN whose offices are spread across a geographic area or the globe. (Some SOHO routers will facilitate this for you, but that's venturing into product recommendation territory.)

Anything that leaves your house is encrypted, goes over the external wire, and is decrypted on the receiving end. Set up properly everything functions as a unified LAN and the fact that half the network is on the other side of the yard is transparent to all of your nodes.

Ivan
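As an added example of the site-to-site setup this answer describes (not code from the answer, and not a particular router product), here is an IPsec tunnel between two Linux routers running strongSwan, one in the house and one in the garage, expressed in strongSwan's `swanctl.conf` format. The outdoor cable then carries only ESP, and each side's LAN is routed through the tunnel. The addresses on the cable (192.0.2.1/2), the two LAN prefixes, the identities and the pre-shared key are all assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the original answer: generate the swanctl.conf for
# one side of a site-to-site IPsec tunnel over the outdoor cable.  Addresses,
# identities and the pre-shared key are assumptions for illustration.
#
# Usage:  sh ipsec-site.sh house|garage '<pre-shared-key>' > /etc/swanctl/conf.d/outdoor.conf
#         swanctl --load-all        (on both routers; the house side initiates)

# Constructed topology (assumption): the cable joins the two routers' "link"
# addresses; each router also has a LAN behind it.
HOUSE_LINK=192.0.2.1
GARAGE_LINK=192.0.2.2
HOUSE_LAN=10.0.1.0/24
GARAGE_LAN=10.0.2.0/24

# Print a swanctl.conf for one side.  $1 = house|garage, $2 = pre-shared key.
# The house side starts the tunnel at load time; the garage side installs a
# trap policy so the tunnel is also brought up if its LAN sends traffic first.
swanctl_config() {
    side=$1; psk=$2
    case "$side" in
        house)
            local_addr=$HOUSE_LINK;  remote_addr=$GARAGE_LINK
            local_ts=$HOUSE_LAN;     remote_ts=$GARAGE_LAN
            local_id=house.lan;      remote_id=garage.lan
            action=start ;;
        garage)
            local_addr=$GARAGE_LINK; remote_addr=$HOUSE_LINK
            local_ts=$GARAGE_LAN;    remote_ts=$HOUSE_LAN
            local_id=garage.lan;     remote_id=house.lan
            action=trap ;;
        *)
            echo "side must be house or garage" >&2; return 1 ;;
    esac
    cat <<EOF
connections {
    outdoor-link {
        version = 2
        local_addrs = $local_addr
        remote_addrs = $remote_addr
        # Only one AEAD IKE proposal is listed, so a peer that offers weaker
        # suites is refused rather than negotiated down.
        proposals = aes256gcm16-prfsha256-x25519
        local {
            auth = psk
            id = $local_id
        }
        remote {
            auth = psk
            id = $remote_id
        }
        children {
            outdoor-lan {
                local_ts = $local_ts
                remote_ts = $remote_ts
                esp_proposals = aes256gcm16-x25519
                start_action = $action
                dpd_action = restart
            }
        }
        dpd_delay = 30s
    }
}
secrets {
    ike-outdoor {
        id-1 = house.lan
        id-2 = garage.lan
        secret = "$psk"
    }
}
EOF
}

if [ $# -eq 2 ]; then
    swanctl_config "$1" "$2"
fi
```

Generate the pre-shared key once (`head -c 32 /dev/urandom | base64`) and put the same value on both routers. Both routers need IP forwarding enabled, and because this is Layer 3 the two LANs are separate subnets and broadcast domains, which is the trade-off the next answer points out: simpler to set up on ordinary routers, but not transparent to the devices the way a Layer 2 solution is. `swanctl --list-sas` on either side shows whether the tunnel is up and which traffic selectors it covers.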

Layer 2 bridging over a VPN would work. But it will be onerous:

https://docs.openvpn.net/how-to-tutorialsguides/virtual-platforms/site-to-site-layer-2-bridging-using-openvpn-access-server/

Working at layer 2 would be the most transparent to the machines on your network.

Prosumer class devices will likely do Layer 3 VPNs, which means dealing with different subnets, broadcast domains, etc. They'll be easier, but not as transparent.

I would be surprised if you found a cheap, simple, transparent solution which could provide gigabit speeds.

Installing a camera, replacing the external run with armored cable or fibre would be faster and probably less trouble.

In terms of risk, unless you're working in an embassy, or your ethernet cable straddles the streets of a Brazilian favela, I would be impressed if somebody was so interested to intercept your LAN traffic.

mgjk

This seems like overkill. What goes over this cable that is really sensitive enough for someone to physically access your ethernet cable? Sensitive internet traffic will go over https. Since you probably have a switch, it's only traffic between devices in the two areas that will go over that cable, not all traffic.

Are your computers, servers and devices secured so people can't browse file shares or access resources? Is everything fully patched? If not that's probably the first area to consider.

Practical efforts might include:

  • Put the cable inside a plastic or metal conduit, physically secure it
  • Use security cameras to monitor the area
  • Check the cable occasionally

Tim
  • Indeed, if they are so close they can splice your cable, they can also peek through your windows and listen by lifting the flap on your letter box... – djsmiley2kStaysInside Jun 07 '17 at 15:53