Securing an outdoor LAN switch

Just looking for general comments on if/how this can be done. I don't need all the details yet because I don't know if this will ever be done...

If I have a LAN switch that is outdoors and connected to my indoor/home LAN, is there a way (other than physical security) to keep someone from accessing my LAN by plugging into the switch (or moving the LAN cable into the switch to their device)? The main purpose of the outdoor LAN switch is to provide access to wired/PoE security cameras, but I'm not ruling out other outdoor LAN devices.

Personally, I would have wires run to a centrally located patch panel and put the switch there. Otherwise, yes, you can enable security such that a port is disabled if not used, and the used ports are set to only allow a certain MAC address. Not many switches can do this. Of course, someone could fake a MAC address and connect that way. Or, there is usually a reset button on them that would probably defeat any such security.

2 Likes
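The two controls described in the post above (disable unused ports, pin each used port to one MAC address) can be checked with a small audit script. This is an added example, not part of the original thread; the port names, MAC addresses, the snapshot format and the `link_flaps` counter are constructed assumptions about what a managed switch can export.

```python
# Added example: audit a switch port snapshot against a per-port MAC allowlist.
# Port names, MAC addresses and the snapshot format are constructed assumptions.

ALLOWED = {  # port -> the single MAC expected on it
    "ge1": "00:11:22:aa:bb:01",  # gate camera 1
    "ge2": "00:11:22:aa:bb:02",  # gate camera 2
}

SNAPSHOT = [  # constructed sample of per-port state exported from a managed switch
    {"port": "ge1", "enabled": True, "macs": ["00:11:22:AA:BB:01"], "link_flaps": 0},
    {"port": "ge2", "enabled": True, "macs": ["00-11-22-aa-bb-02"], "link_flaps": 3},
    {"port": "ge3", "enabled": True, "macs": [], "link_flaps": 0},
    {"port": "ge4", "enabled": True, "macs": ["de:ad:be:ef:00:01"], "link_flaps": 1},
    {"port": "ge5", "enabled": False, "macs": [], "link_flaps": 0},
]


def norm(mac):
    """Normalise a MAC to lowercase colon form so different notations compare equal."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def audit(snapshot, allowed, max_flaps=0):
    """Return (port, issue) findings for one snapshot."""
    findings = []
    for row in snapshot:
        port = row["port"]
        if not row["enabled"]:
            continue  # an administratively disabled port is the desired state when unused
        seen = {norm(m) for m in row["macs"]}
        if port not in allowed:
            findings.append((port, "unused-port-enabled"))
            expected = set()
        else:
            expected = {norm(allowed[port])}
            # The MAC filter cannot tell a spoofed address from the real one, but
            # moving a cable drops the link, so flaps on a camera port merit review.
            if row["link_flaps"] > max_flaps:
                findings.append((port, "link-flap-review"))
        if seen - expected:
            findings.append((port, "unexpected-mac"))
    return findings


if __name__ == "__main__":
    for port, issue in audit(SNAPSHOT, ALLOWED):
        print(port, issue)
```

A link flap also happens when a camera reboots or loses power, so that finding is a prompt to check the port, not proof of tampering.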

I assume this could be done, making sure the Ethernet to that switch is on its own vlan from an upstream managed switch but regardless of the options, I would not do this without an external lock box.

What router do you have? I have my pfSense locked down; if I don't set a reservation, no device gets an address.

It can be done, but for the average consumer it's fairly difficult. Mostly issue certificates with an authentication system. You could, as noted above, do MAC authentication, which still would require a RADIUS server, and again, a MAC could be spoofed. (Though face it, unlikely anyone is gonna do that just to get into your house.) Unless you're super network savvy, this may not be the route you would want to embark on. Your better bet is to run a PoE switch in your attic and pull wire from each camera location if you are a one-story house, or basement and pull wire if you are multi-story. If SAF is involved, hire professional wire installers. Will run you about $50 a run. Small price for SAF.

If you insist on running external, you could get something like this. Placed up high you wouldn't really worry too much about a lock, though I'm sure a shackle could be added. You will also need to add power to wherever you mount it.

3 Likes

If you are using the outdoor LAN cables for video, connect them to a video recorder that establishes its own VLAN separate from your primary network so that if anyone hacks into the system, they will only be able to reach the video recorder, not your computers, etc.

1 Like

The LAN switch will be at a driveway gate location 1400' from the house. I'm looking into running fiber between the gate and the house, thus the need for the switch at the gate. I'm waiting on a cost estimate, so I have no idea yet if this is financially doable. I'm also looking at wireless (directional antennas, etc.), but I live 10 miles from the Gulf Coast (not very far from Galveston), so I would rather keep as much stuff near ground level or below as possible. Also, getting a line-of-sight between the antennas will be difficult.

I've done some more reading, and it looks like MAC spoofing is the vulnerability that is the hardest to guard against in this scenario.

@rlithgow1 what is SAF?

I experimented with VLANs at a different home years ago, but never implemented any. If the switch is on a VLAN, does that limit the damage someone could do if they plug into the switch with a spoofed MAC address? Does it make it such that they can only affect other devices on the VLAN? Can I still access the cameras from other devices that aren't on the VLAN? I need to read up on VLANs again.

Spousal Acceptance Factor

1 Like

....and in the shade.

2 Likes