
EETE DEC 2014

INTERCONNECTS

Enhancing network security with physical layer management

By Rudy Musschebroeck

Infrastructure and network security systems are fine as far as they go, but they don't provide visibility into the state of the physical network. For complete security, network administrators need to know who is connecting to the network at any given time, where they are connecting, and how they are connecting. Physical layer management (PLM) systems enhance network security and allow administrators to know how, where and when there have been changes or modifications to the physical network.

Physical network security challenges

The physical layer of the network (cables and patch panels) is often ignored when it comes to documenting and managing the network. But without knowledge of where cables are and what they connect, network administrators are at a loss to prevent physical network attacks, or even to know if and where they occur. Someone can simply unplug a patch cord, insert a rogue monitoring and collection device, and then plug in a new patch cord connecting that device to the patch panel. The network management system shows that the network is down for a few seconds, but it comes back up, operating normally, so the event is ignored.

Photo: Quaero CPID chip embedded in a patch cord.

These internal network attacks are more worrisome than some might think. While external, Internet-based attacks by third parties get all the press, it is estimated that 63 percent of network attacks are carried out by the victim's own employees, and that 30 percent of those attacks are physical access attacks.

PLM systems and network security

PLM systems are Cyber Physical Systems (CPS) and address physical security problems by electronically documenting the physical layer of the network and maintaining real-time knowledge of the state of the network. CPS standards are developed by the National Institute of Standards and Technology to bring traditionally passive equipment and standalone PLM systems to a common standard for intercommunication and features. In a PLM network, the ports of the patch panels and the endpoints of patch cords are continually monitored.

PLM systems and their approaches have evolved, keeping pace with advances in technology, network architecture and operational needs. Each approach and technology advancement has improved the security posture of the physical layer network. Some of the more established approaches to PLM are:

Inference (presence detection): in this approach, the ports on a patch panel detect the insertion (or removal) of a device and report that something has been inserted (or removed). The system relies on an inferred process: you connect port A first and port B second, then port C first and port D second, and it assumes you will do it in that order, one patch cord at a time. If that process is not followed, the data becomes inaccurate. In the event of a man-in-the-middle attack, there is no way for the system to tell whether the patch has been restored with the same cable, or even to the same position, because the system does not know the origin or destination of any of the cables. Also, because the system does not physically monitor the patches, it would not detect any changes that happened during a power-down period.

Ninth wire: a ninth wire runs along the length of a patch cord like a security loop. It tells the network administrator that point A is connected to point B, but offers no detail about what is making that connection from A to B. If anyone breaks the connection, an alarm goes off. In the event of a man-in-the-middle attack, where someone inserts themselves within the circuit to monitor traffic such as financial transactions, capturing passwords or credentials to access critical information, there is no way to verify that the patch cord has been restored with the same cable. If the patch has been moved to another port in an attempt to steal data, however, the system can tell you exactly which port the patch has been moved to.

Connection point identification (CPID): this approach uses a chip in the end of each connector with a serial number that identifies the connector and the patch cord it belongs to. The two chips on the ends of a patch cord have the same base serial number, but they also carry a designator that tells one end of the patch cord from the other. When the cord is plugged in, the patch panel knows where the cord is and where its two connection points are. With CPID, the system always knows exactly which connector is where, and whether anything changes in that circuit path, including a different connector being inserted. The user knows immediately when circuit changes take place.

Rudy Musschebroeck is business development manager at TE Connectivity, www.te.com. You can contact him at rudy.musschebroeck@te.com

Electronic Engineering Times Europe, December 2014, www.electronics-eetimes.com
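The three approaches above differ in what the monitoring system can actually observe, which decides what it can alarm on. The following toy model, added here as an illustration and not code from the article or from TE Connectivity, reduces one panel state to the view each approach has of it (presence only, port-to-port links only, or per-connector serial plus end designator) and replays two tampering events against a documented baseline. The port names, the SN-nnnn serial numbers, the Panel class and the two events are constructed for the example; a real panel reports through its own firmware and the inference approach additionally depends on event ordering, which this snapshot model does not attempt to reproduce.

```python
# Added example, not code from the article or from TE Connectivity: a toy
# model of what each PLM approach can observe when a patch cord is tampered
# with. Port names, serial numbers and the Panel class are constructed.
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Connector:
    """One end of a CPID cord: both ends share base_serial, end ('A'/'B') tells them apart."""
    base_serial: str
    end: str


@dataclass
class Panel:
    """Physical state of a patch panel: port name -> connector seated in it (None = empty)."""
    ports: Dict[str, Optional[Connector]] = field(default_factory=dict)

    def plug_cord(self, base_serial: str, port_a: str, port_b: str) -> None:
        self.ports[port_a] = Connector(base_serial, "A")
        self.ports[port_b] = Connector(base_serial, "B")

    def unplug(self, port: str) -> None:
        self.ports[port] = None


# What each PLM technology can see of the same physical state.
def inference_view(panel: Panel) -> Dict[str, bool]:
    """Presence detection: a port reports only occupied / empty."""
    return {p: c is not None for p, c in panel.ports.items()}


def ninth_wire_view(panel: Panel) -> Set[FrozenSet[str]]:
    """Ninth wire: reports which two ports a cord joins, nothing about which cord it is."""
    ends: Dict[str, Set[str]] = {}
    for port, c in panel.ports.items():
        if c is not None:
            ends.setdefault(c.base_serial, set()).add(port)
    return {frozenset(ps) for ps in ends.values() if len(ps) == 2}


def cpid_view(panel: Panel) -> Dict[str, Optional[Tuple[str, str]]]:
    """CPID: each port reports the serial number and end designator of the seated connector."""
    return {p: (c.base_serial, c.end) if c is not None else None for p, c in panel.ports.items()}


def changes(baseline, current) -> List[str]:
    """Alarms a monitor would raise by comparing its documented baseline with a fresh reading."""
    if isinstance(baseline, set):  # ninth-wire link view
        return sorted(
            f"link {'-'.join(sorted(link))} {'added' if link in current else 'removed'}"
            for link in baseline ^ current
        )
    return [f"{p}: {baseline[p]} -> {current[p]}" for p in sorted(baseline) if baseline[p] != current[p]]


VIEWS = {"inference": inference_view, "ninth_wire": ninth_wire_view, "cpid": cpid_view}


def documented_panel() -> Panel:
    """Documented state (constructed): SN-1001 joins P1-P2, SN-1002 joins P3-P4, P5 is empty."""
    panel = Panel({p: None for p in ("P1", "P2", "P3", "P4", "P5")})
    panel.plug_cord("SN-1001", "P1", "P2")
    panel.plug_cord("SN-1002", "P3", "P4")
    return panel


def run_scenarios() -> Dict[str, Dict[str, List[str]]]:
    """Replay two tampering events and return, per approach, the alarms it can raise."""
    baseline = {name: view(documented_panel()) for name, view in VIEWS.items()}
    results: Dict[str, Dict[str, List[str]]] = {}

    # Event 1: cord SN-1001 is pulled and a different cord, SN-9999, is seated in
    # the same two ports (a tap re-patched with a fresh cord looks like this).
    panel = documented_panel()
    panel.unplug("P1")
    panel.unplug("P2")
    panel.plug_cord("SN-9999", "P1", "P2")
    results["cord_replaced_same_ports"] = {n: changes(baseline[n], v(panel)) for n, v in VIEWS.items()}

    # Event 2: the B end of SN-1001 is moved from P2 to the empty port P5.
    panel = documented_panel()
    panel.unplug("P2")
    panel.ports["P5"] = Connector("SN-1001", "B")
    results["cord_end_moved"] = {n: changes(baseline[n], v(panel)) for n, v in VIEWS.items()}
    return results


if __name__ == "__main__":
    for event, per_approach in run_scenarios().items():
        print(event)
        for approach, alarms in per_approach.items():
            print(f"  {approach:<10} {alarms or 'nothing to report'}")
```

Running it shows the point the article makes: when a cord is swapped for a different one in the same two ports, both the presence view and the link view read identically before and after, so neither raises an alarm, while the CPID view reports a new base serial at both ports. When a cord end is moved, presence detection sees only that one port emptied and another filled, the ninth wire names the old and new port pair, and CPID names the pair together with which connector moved.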
