Would two simultaneously open ethernet ports pose a security risk?

Discussion in 'Mac Pro' started by jcbonifacio1, Jun 18, 2012.

  1. jcbonifacio1 macrumors newbie

    Joined:
    May 10, 2012
    #1
    At work we have two types of network connections:
    1) Ethernet Port 1 connects to my office's secure network.
    2) Ethernet Port 2 connects to a cable modem. (We need it because the office's secure network is rather restrictive for my department's type of work). You can also tell Parallels Desktop to use Ethernet Port 2. That's very handy because Parallels needs ports that my office network has blocked.

    Question is, from a security standpoint, is it safe to have both ethernet ports active simultaneously?

    Currently, I am making one port inactive before turning on the other port. It gets really annoying over time!

    Thanks very much! I appreciate your tips.
     
  2. barredfreak macrumors 6502

    Joined:
    Jan 9, 2012
    #2
    Having both ports active simultaneously should be fine, unless you're doing top-secret FBI if-you-tell-anyone-about-this-you-will-be-castrated kind of work. :D
     
  3. jasonvp macrumors 6502a

    jasonvp

    Joined:
    Jun 29, 2007
    Location:
    Northern VA
    #3
    So editorial first: you're very likely breaking your IT rules by dual-homing your Mac, and I'll bet it's a fire-able offense. You might want to check with any documentation, employee handbooks, or whatever. Any IT security person worth his or her salt would fry you in an instant if they found out what you were doing.

    /editorial

    You've created a potential jump point between the outside world (your cable modem) and the internal office network. IF someone was able to trick you into downloading some crud that gave them access to your Mac, they'd also have open access to your internal network.

    Is it likely to happen? Probably not. But, you asked if it's safe from a security standpoint to have them both active. The answer is: no.

    jas
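Added example, not code from any poster in this thread: a POSIX shell check that reports when a Mac carries a default route on more than one interface, which is the dual-homed state described above. The sample routing table, interface names and addresses are constructed for the example and do not describe anyone's real network.

```shell
#!/bin/sh
# Added example: flag a dual-homed host by finding more than one interface
# that carries a default route in `netstat -rn` style output.
# SAMPLE_ROUTES is a constructed macOS-style routing table; the interface
# names and addresses are assumptions for this example.

SAMPLE_ROUTES='Routing tables

Internet:
Destination        Gateway            Flags        Refs      Use   Netif Expire
default            10.20.0.1          UGSc           12        0     en0
default            192.168.100.1      UGScI           0        0     en1
10.20/16           link#4             UCS             2        0     en0
127                127.0.0.1          UCS             0        0     lo0
192.168.100/24     link#5             UCS             1        0     en1'

# Print each interface that has a default route, deduplicated, one per line.
# The Netif column is picked by shape (letters then digits, e.g. en0) rather
# than by position, so the check survives column layout differences.
default_route_ifaces() {
    printf '%s\n' "$1" | awk '
        $1 == "default" {
            for (i = 2; i <= NF; i++)
                if ($i ~ /^[a-z]+[0-9]+$/) { print $i; break }
        }' | sort -u
}

# Exit status 0 when two or more interfaces carry a default route.
is_dual_homed() {
    n=$(default_route_ifaces "$1" | wc -l | tr -d ' ')
    [ "$n" -ge 2 ]
}

# Same logic against the live table, for a login-time or cron check.
check_live() {
    is_dual_homed "$(netstat -rn 2>/dev/null)"
}

if is_dual_homed "$SAMPLE_ROUTES"; then
    echo "WARNING: default route on several interfaces:" \
        "$(default_route_ifaces "$SAMPLE_ROUTES" | tr '\n' ' ')"
else
    echo "OK: single default route"
fi
```

Running it on the constructed table prints the warning naming en0 and en1; `check_live` applies the same test to the machine it runs on.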
     
  4. jcbonifacio1 thread starter macrumors newbie

    Joined:
    May 10, 2012
    #4
    Thanks very much. Both good replies. For the moment, until I can officially clear this with IT security, I'll keep switching ports instead of having both open simultaneously. Annoying, but if that's the price I pay for allowing me to use a Mac on the office network, then I will pay it!

    Now, I wonder if it's possible to write a script that easily toggles back and forth between the two connections...
     
  5. Boomhowler macrumors 6502

    Joined:
    Feb 23, 2008
    #5
    Actually, I would avoid using the "open" way until you have cleared it with IT at all. As Jasonvp points out, you can even get fired for being a bit careless about these things. I know I would have been :)
     
  6. goMac macrumors 603

    Joined:
    Apr 15, 2004
    #6
    This is generally forbidden by IT departments, so be aware that by doing so you are risking your job (see comments above).

    The worry is that if your Mac somehow got a virus over the unsecured port and was remote controlled over the unsecured port, your secured port will be wide open.
     
  7. cutterman macrumors regular

    Joined:
    Apr 27, 2010
    #7
    I concur with the comments above regarding the serious breach of network security and user conduct this configuration opens up.

    However, if you are determined to continue with this, you may be a bit safer to connect the cable modem to a router/firewall and configure this to open only the ports that are necessary. I know you can do this with the Mac but the configuration may be easier and the protection more robust with a router.

    Cable modems are typically bombarded with port scans and other unwanted traffic looking for open vulnerabilities. My router's log of these rejected packets is pages long per day.

    Is it feasible to request a pinhole for the open port(s), obviating the need for such a setup? After all, if you're doing legit work you have a good case for this request.
     
  8. ratfink macrumors member

    Joined:
    Feb 11, 2012
    #8
    How are you "making one port inactive"? If it's just turning it off in software that's only marginally more secure. If someone at my company was doing this, even disabling the ports temporarily, I would not be happy. If someone pops your host while it's on the cable network and opens a tunnel back to themselves that tunnel might still be active when you reconnect to the office network.
     
  9. jcbonifacio1 thread starter macrumors newbie

    Joined:
    May 10, 2012
    #9
    Thanks for the tips! I'll bring up the suggestion of using a router/firewall. So far (crossing my fingers), I have the blessing of the IT department to toggle back and forth between Ethernet 1 and Ethernet 2.
     
  10. goMac macrumors 603

    Joined:
    Apr 15, 2004
    #10
    Yeah. This isn't really secure because if you had a trojan it could just flip the port back on for you.

    Again, this is all theoretical, but the policies are usually based on theoretical as well.
     
  11. deconstruct60 macrumors 604

    Joined:
    Mar 10, 2009
    #11
    This can be done with a "bare metal" hypervisor that can directly assign Ethernet ports and has virtual I/O support (Intel calls it VT-d).

    Basically one VM is assigned Ethernet 1 and another VM is assigned Ethernet 2. As long as neither one can see the other's port they are pretty well separated. Even better if the hypervisor can be instructed to ignore Ethernet 2 for admin connection requests.

    Put a decent small stateful firewall between Ethernet 2 (and have it also block the ports for hypervisor admin connections) and the cable modem and this is a reasonably secure setup to run concurrently. It is what most "cloud" vendors are doing to co-host multiple tenants at the same time.

    The only problem now is that the graphics are now virtualized too. :)
    It is hard not to leave some gap when the OS that is hosting Parallels is not also exposed to the unsecured network.

    There are likely some security holes in that the apps not in Parallels that were running on the internal network may burp requests, info, etc out on the cable modem network. [ Similar problem when folks let employees run VPN from home and it isn't configured to disallow bridging on the client side and/or doesn't block ports heading out once tunneled inside is established. ]
     
