5

Our company is moving to another facility which has no LAN cabling; therefore, we are considering using Ethernet over power.

We would like to prevent our data from being transmitted outside this facility and also ensure that only authorized people can logically "join" the network.

  • Preventive Measure: How can I ensure the data transmission remains within the facility?
  • Control Measure: Which technology should I consider to prevent unauthorized people from joining the network?
Incnis Mrsi
Malo Polsky
  • 1
    possible duplicate of [Preventing Ethernet over power](http://security.stackexchange.com/questions/96534/preventing-ethernet-over-power) – Philipp Sep 09 '15 at 09:18
  • 1
    Thanks Philipp, I read it before and I don't want to prevent it. I actually want to use it :-) – Malo Polsky Sep 09 '15 at 09:20
  • 1
    possible duplicate of [Are powerline ethernet adapters inherently secure?](http://security.stackexchange.com/questions/9725/are-powerline-ethernet-adapters-inherently-secure) – WhiteWinterWolf Sep 09 '15 at 10:43
  • 3
    I suggest we keep this open as the "Are powerline ethernet adapters inherently secure" question doesn't have particularly good answers – paj28 Sep 09 '15 at 11:03
  • 5
    EoP behaves like wifi in that multiple users will be in contention. It won't be usable for more than a few simultaneous users. Also surge protectors dampen the signal. Expectation to use it for any more than a last resort point to point connection is pretty unrealistic. – JamesRyan Sep 09 '15 at 11:26
  • Really I suggest you don't do that. Instead find out your options for laying cables. False ceiling? plastic ducts? Just trailing the stuff around? – Ben Sep 09 '15 at 14:37
  • I agree with @WhiteWinterWolf. If the solutions on that question aren't good enough, why not try to improve them there rather than creating a more-or-less duplicate question? – glibdud Sep 09 '15 at 14:46

3 Answers

3

Good one. Ethernet over power has distance constraints and in practice, I've seen the ethernet connection die after 20-30 meters due to the quality of the cabling in the building. In an older building where we were using ethernet over power - it died after 10 meters....

Also the devices work in pairs - so a person who wants to tap into your LAN would have to have a paired device just like yours.

These constraints would make it difficult for someone outside the building to tap in - especially since another building would be on a separate circuit.

And - it's easy enough to test. Take an adapter outside the building and see if you can get Ethernet connectivity.

This may sound lame - but why not use secure WIFI?

Danny Lieberman
  • Yes. Good comment. FWIW - PLC can run at low bit rates for long distances - like reading meters etc... – Danny Lieberman Sep 09 '15 at 10:46
  • 2
    I don't disagree with any of this from a practical standpoint, but not being able to get a connection when naively trying to plug in from outside isn't exactly proof of security. (You're not claiming that it is... just wanted to clarify for other readers.) – glibdud Sep 09 '15 at 17:49
1

As mentioned in an answer to the older version of this question, HomePlug AV uses AES-128. This paper suggests the cipher is used in CBC mode with a key that is changed at least once an hour, so implementation flaws aside, the network can be as secure as a WPA2-PSK wireless network.

One concern is the pre-shared key. The key is stored in each adapter and can be broadcast from any of them by pressing the pairing button, so anyone with physical access to one of the adapters can permanently breach the network. (Of course, the admins can securely change the key by plugging a computer directly into each of the adapters, but I doubt anyone is willing to do this frequently.)

Another concern is the firmware. The adapters I own seem to allow arbitrary firmware updates from devices connected to their physical ports. So someone with one-time access to the network may be able to upload malicious firmware that defeats any security measure in the standard. (There are only a limited number of vendors who manufacture the chipsets, so it's reasonable to assume many devices have this feature/flaw.)

If you want to protect against these, you can consider running a VPN or IPSec tunnel, in which case you more or less treat the connection as the Internet.

billc.cn
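
An illustration of the VPN approach in the answer above, added here and not part of the original post: a WireGuard tunnel run across the powerline link, so that joining the powerline network alone grants no access. WireGuard is one possible choice; the file path, addresses, port and key placeholders are assumptions.

```ini
# ---- /etc/wireguard/wg0.conf on the gateway (wired side of the adapters) ----
# Constructed example: all addresses, the port and the keys are placeholders.
[Interface]
# Tunnel subnet, kept separate from the subnet used on the powerline segment.
Address = 10.99.0.1/24
ListenPort = 51820
PrivateKey = <GATEWAY_PRIVATE_KEY>

[Peer]
# One [Peer] block per authorized workstation. A device that only knows the
# powerline pairing key has no entry here and cannot establish a tunnel.
PublicKey = <WORKSTATION_1_PUBLIC_KEY>
# Pin each workstation to a single tunnel address.
AllowedIPs = 10.99.0.2/32

# ---- /etc/wireguard/wg0.conf on a workstation (far side of the adapters) ----
[Interface]
Address = 10.99.0.2/24
PrivateKey = <WORKSTATION_1_PRIVATE_KEY>

[Peer]
PublicKey = <GATEWAY_PUBLIC_KEY>
# The gateway's address on the powerline segment (assumed 192.168.50.0/24).
Endpoint = 192.168.50.1:51820
# Route everything through the tunnel, so nothing crosses the mains wiring
# without the tunnel's own encryption and peer authentication.
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 25
```

Access then depends on per-host keys that can be revoked individually at the gateway, not on the shared key stored in every adapter. For this to hold, the gateway should accept only the tunnel port on its powerline-facing interface.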
1

That really depends on your electrical infrastructure. In a usual household, your neighbours cannot be on the same electrical source so you are 'safe'. Powerline cannot extend beyond the cupboard. In reality however, it is very common that electricity is leaking to your neighbours. In each situation you want to encrypt your home powerline network.

We concluded that you really want security because if you have a cupboard for yourself, it will always leak. With company data, you want it secure.

There are a few ways to do that. A very simple way is to buy a set of powerline adapters with management software. In that case you can only add a new powerline adapter with a password.

Xander
Adam Sitemap