
jcbonifacio1 (macrumors newbie, original poster), May 10, 2012
At work we have two types of network connections:
1) Ethernet Port 1 connects to my office's secure network.
2) Ethernet Port 2 connects to a cable modem. (We need it because the office's secure network is rather restrictive for my department's type of work). You can also tell Parallels Desktop to use Ethernet Port 2. That's very handy because Parallels needs ports that my office network has blocked.

Question is, from a security standpoint, is it safe to have both ethernet ports active simultaneously?

Currently, I am making one port inactive before turning on the other port. It gets really annoying over time!

Thanks very much! I appreciate your tips.
 
Having both ports active simultaneously should be fine, unless you're doing top-secret FBI if-you-tell-anyone-about-this-you-will-be-castrated kind of work. :D
 
Question is, from a security standpoint, is it safe to have both ethernet ports active simultaneously?

So editorial first: you're very likely breaking your IT rules by dual-homing your Mac, and I'll bet it's a fire-able offense. You might want to check with any documentation, employee handbooks, or whatever. Any IT security person worth his or her salt would fry you in an instant if they found out what you were doing.

/editorial

You've created a potential jump point between the outside world (your cable modem) and the internal office network. IF someone was able to trick you into downloading some crud that gave them access to your Mac, they'd also have open access to your internal network.

Is it likely to happen? Probably not. But, you asked if it's safe from a security standpoint to have them both active. The answer is: no.

jas
 
Thanks very much. Both good replies. For the moment, until I can officially clear this with IT security, I'll keep switching ports instead of having both open simultaneously. Annoying, but if that's the price I pay for allowing me to use a Mac on the office network, then I will pay it!

Now, I wonder if it's possible to write a script that easily toggles back and forth between the two connections...
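The toggle script wondered about above, as an added example that is not code from the thread or from any of its posters: it uses the macOS `networksetup` command (assumed to be present) to disable one network service before enabling the other, refuses to enable the second service if the first one is still reported as enabled, and warns with a non-zero exit status whenever both are on at the same time. The service names `Ethernet 1` (office) and `Ethernet 2` (cable modem) and the file name `nettoggle.sh` are assumptions; adjust the two variables at the top to match the names shown in System Preferences.

```shell
#!/bin/sh
# Added example, not code from the thread: switch a Mac between two network
# services so that at most one of them is enabled at any moment, and report
# when both are enabled (the dual-homed state the replies warn about).
# Assumptions: macOS `networksetup` is available and the services are named
# "Ethernet 1" (office) and "Ethernet 2" (cable modem); override the names
# with OFFICE_SERVICE / CABLE_SERVICE. Changing a service needs admin rights.
set -eu

OFFICE_SERVICE="${OFFICE_SERVICE:-Ethernet 1}"
CABLE_SERVICE="${CABLE_SERVICE:-Ethernet 2}"

# Print "on" or "off" for a service, normalising networksetup's
# "Enabled"/"Disabled" wording.
service_state() {
    case "$(networksetup -getnetworkserviceenabled "$1")" in
        Enabled)  echo on ;;
        Disabled) echo off ;;
        *) echo "unknown service: $1" >&2; return 1 ;;
    esac
}

# Show both services. Returns 3 (and warns) when both are enabled, so the
# function doubles as a check that can be run from cron or a login hook.
report() {
    o=$(service_state "$OFFICE_SERVICE")
    c=$(service_state "$CABLE_SERVICE")
    echo "$OFFICE_SERVICE: $o"
    echo "$CABLE_SERVICE: $c"
    if [ "$o" = on ] && [ "$c" = on ]; then
        echo "WARNING: both services are enabled; this host is dual-homed" >&2
        return 3
    fi
    return 0
}

# Switch to one side ("office" or "cable"). The other side is disabled first
# and its state re-read before the target is enabled, so the script never
# leaves both services up, not even between the two networksetup calls.
switch_to() {
    case "$1" in
        office) disable="$CABLE_SERVICE";  enable="$OFFICE_SERVICE" ;;
        cable)  disable="$OFFICE_SERVICE"; enable="$CABLE_SERVICE" ;;
        *) echo "usage: $0 office|cable|status" >&2; return 2 ;;
    esac
    networksetup -setnetworkserviceenabled "$disable" off
    if [ "$(service_state "$disable")" != off ]; then
        echo "refusing to enable '$enable': '$disable' is still enabled" >&2
        return 1
    fi
    networksetup -setnetworkserviceenabled "$enable" on
    report
}

# Only act when invoked with an argument, e.g. `sudo sh nettoggle.sh office`.
if [ $# -gt 0 ]; then
    case "$1" in
        status) report ;;
        *)      switch_to "$1" ;;
    esac
fi
```

Run it as `sudo sh nettoggle.sh office`, `sudo sh nettoggle.sh cable`, or `sh nettoggle.sh status`. The order of operations is the point: the script only ever enables a service after it has confirmed the other one is down, and `status` gives a quick, scriptable way to verify the host is not dual-homed. It only controls the configured state; software already running on the Mac can re-enable a service, which is the limitation the thread goes on to discuss.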
 
Thanks very much. Both good replies. For the moment, until I can officially clear this with IT security, I'll keep switching ports instead of having both open simultaneously. Annoying, but if that's the price I pay for allowing me to use a Mac on the office network, then I will pay it!

Now, I wonder if it's possible to write a script that easily toggles back and forth between the two connections...

Actually, I would avoid using the "open" way at all until you have cleared it with IT. As Jasonvp points out, you can even get fired for being a bit careless about these things. I know I would have been :)
 
This is generally forbidden by IT departments, so be aware that by doing so you are risking your job (see comments above).

The worry is that if your Mac somehow got a virus over the unsecured port and was remote controlled over the unsecured port, your secured port will be wide open.
 
I concur with the comments above regarding the serious breach of network security and user conduct this configuration opens up.

However, if you are determined to continue with this, you may be a bit safer to connect the cable modem to a router/firewall and configure this to open only the ports that are necessary. I know you can do this with the mac but the configuration may be easier and the protection more robust with a router.

Cable modems are typically bombarded with port scans and other unwanted traffic looking for open vulnerabilities. My router's log of these rejected packets is pages long per day.

Is it feasible to request a pinhole for the open port(s), obviating the need for such a setup? After all, if you're doing legit work you have a good case for this request.
 
How are you "making one port inactive"? If it's just turning it off in software that's only marginally more secure. If someone at my company was doing this, even disabling the ports temporarily, I would not be happy. If someone pops your host while it's on the cable network and opens a tunnel back to themselves that tunnel might still be active when you reconnect to the office network.
 
Thanks for the tips! I'll bring up the suggestion of using a router/firewall. So far (crossing my fingers), I have the blessing of the IT department to toggle back and forth between Ethernet 1 and Ethernet 2.
 
How are you "making one port inactive"? If it's just turning it off in software that's only marginally more secure. If someone at my company was doing this, even disabling the ports temporarily, I would not be happy. If someone pops your host while it's on the cable network and opens a tunnel back to themselves that tunnel might still be active when you reconnect to the office network.

Yeah. This isn't really secure because if you had a trojan it could just flip the port back on for you.

Again, this is all theoretical, but the policies are usually based on theoretical as well.
 
Question is, from a security standpoint, is it safe to have both ethernet ports active simultaneously?

This can be done with a "bare metal" hypervisor that can directly assign Ethernet ports and has virtual I/O support (Intel calls it VT-d).

Basically one VM is assigned Ethernet 1 and another VM is assigned Ethernet 2. As long as neither one can see the other's port they are pretty well separated. Even better if the hypervisor can be instructed to ignore Ethernet 2 for admin connection requests.

Put a decent small stateful firewall between Ethernet 2 (and have it also block the ports for hypervisor admin connections) and the cable modem and this is a reasonably secure setup to run concurrently. It is what most "cloud" vendors are doing to co-host multiple tenants at the same time.

The only problem now is that the graphics are now virtualized too. :)
It is hard not to leave some gap when the OS that is hosting Parallels is not also exposed to the unsecured network.

There are likely some security holes in that the apps not in Parallels that were running on the internal network may burp requests, info, etc. out on the cable modem network. [Similar problem when folks let employees run VPN from home and it isn't configured to disallow bridging on the client side and/or doesn't block ports heading out once the tunnel inside is established.]
 