Sometimes it is necessary to connect a device on your security permiters edge to your network. Doing so without any protection can be don, but might not be wise.
So how do you secure your PoE Surveillance-Cam which covers the from of your office or your IP-based intercom which are accessible by the public?
802.1x would be a good solution. However – for that you would require a CA/PKI + machine-certificates for the devices, would have to rotate them on a regular base which might not be possible and could be wuite some effort.
Furthermore – not all devices support 802.1x – so how could we secure these devices?
Before we start, lets analyse the threat:
A devices such as a PoE-Surveillance cam, an IP-InterCom or similar devices are located outside of a “protected” perimeter where anybody might have easy access to the device. An attacker could easily unplug the network-cable, add a switch in between and get access to the network.
MAC based ACLs could be used to ensure that only “allowlisted” devices (so devices with the correct MAC address) are granted access.
However running tcpdump, getting the allowed devices MAC and “cloning” it via macchanger --mac=XX:XX:XX:XX:XX:XX isn’t really that hard.
So that doesn’t really work! Yes, the network should be segmented anyways to reduce the impact of such a security incident. But still – there might be some interesting piece of hardware/software in that network which could be exploited by an attacker to get a foothold in the network or at least gather some additional information about other devices which are used.
So the best approach is, to do not even let the attacker in.
With Cisco we could do so by utilizing the EEM (Embeded Event Manager).
That piece of software allows us to react on events that are registered by the switch.
So what we want to archive is:
- Given an (I)OT-device on the edge of your network perimeter
- when the device is unplugged
- then disable the port the device is attached to
Unplugging the network cable generates a port-down syslog entry on the switch, which can be utilized to execute a command/command set.
If we want to “secure” a device located on port 20 the following configuration could be used to manually shut down (disable) the port once a disconnect was detected.
event manager applet Interface_Down_PoE-CAM
event syslog pattern "Line protocol on Interface GigabitEthernet1/0/20, changed state to down"
action 1.0 cli command "enable"
action 1.5 cli command "config t"
action 2.0 cli command "interface GigabitEthernet1/0/20"
action 2.5 cli command "shutdown"
action 3.0 cli command "end"
action 3.5 cli command "who"
The above example will immediately set the port to shutdown, once the line protocol went down/device was unplugged from the network.
However – keep in mind, that a restart of the device (especially for devices which use external PowerSupplies might also cause a port-down event while restarting which will result in a disabled port.
Doing maintenance could also result in a port down event, if somebody shuts down/unplugs the device while doing the maintenance tasks!
So is using this method to secure the perimeter, it is very important to also have some monitoring in place which will notify about disabled ports.
If ports shall be automatically enabled again (e.g. when office hours start) the EEM + KRON can be used.
As it seemed that execution actions like with the EEM are not supported in the KRON-policies i used the workaround to generate another syslogevent via cron which does the “reset” (no shutdown) for the perimeter ports.
! define the cron-occurence - so when our job should be run.
kron occurrence Daily_8AM at 8:00 recurring
! list policies which shall be excuted
policy-list Policy_A
policy-list Policy_B
!
kron policy-list Policy_A
! send the following message to syslog:
cli send log 0 "set_port_Gi1/0/35_UP"
!
kron policy-list Policy_B
! send the following message to syslog:
cli send log 0 "set_port_Gi1/0/20_UP"
!
! DISABLE the port when a defined syslog message is detected
event manager applet EEM_01
event syslog pattern "Line protocol on Interface GigabitEthernet1/0/20, changed state to down"
action 1.0 cli command "enable"
action 1.5 cli command "config t"
action 2.0 cli command "interface GigabitEthernet1/0/20"
action 2.5 cli command "shutdown"
action 3.0 cli command "end"
action 3.5 cli command "who"
!
! DISABLE the port when a defined syslog message is detected
event manager applet EEM_02
event syslog pattern "Line protocol on Interface GigabitEthernet1/0/35, changed state to down"
action 1.0 cli command "enable"
action 1.5 cli command "config t"
action 2.0 cli command "interface GigabitEthernet1/0/35"
action 2.5 cli command "shutdown"
action 3.0 cli command "end"
action 3.5 cli command "who"
!
! enable the port when a defined syslog message is detected
event manager applet EEM_03
event syslog pattern "set_port_Gi1/0/35_UP"
action 1.0 cli command "enable"
action 1.5 cli command "config t"
action 2.0 cli command "interface GigabitEthernet1/0/35"
action 2.5 cli command "no shutdown"
action 3.0 cli command "end"
action 3.5 cli command "who"
!
! enable the port when a defined syslog message is detected
event manager applet EEM_04
event syslog pattern "set_port_Gi1/0/20_UP"
action 1.0 cli command "enable"
action 1.5 cli command "config t"
action 2.0 cli command "interface GigabitEthernet1/0/20"
action 2.5 cli command "no shutdown"
action 3.0 cli command "end"
action 3.5 cli command "who"
!
end
