9

In some environments it can be helpful to have the ability to turn off an Ethernet port remotely. One case of this is in a public building where you might have a computer kiosk using the port once a week, but the rest of the time it is open for anyone to plug into and you don't want the port to be active to them. I can also see times in a corporate environment where you might want to be able to easily shut off a port if someone gets a virus.

I can handle all of the remote access parts of the project, but what can I do to actually disconnect the Ethernet port? Using relays on all of the lines seems like it would take up a lot of space and cost a good amount of money. Could I use a simple resistor and MOSFET or transistor to pull the lines low? I want to make sure that I won't hurt the devices on either side.

Kellenjb
David Sabalesky
  • (4) One simple and inexpensive method to block the signal is to unplug the cable. – JonnyBoats Oct 30 '11 at 22:49
  • (1) What is wrong with a relay? – Kellenjb Oct 30 '11 at 23:51
  • hook any of the lines straight into the mains. That should get rid of that pesky ethernet router – Earlz Oct 31 '11 at 20:09
  • (1) He said "remote" and "relay is out of my budget", didn't he? – abdullah kahraman Dec 21 '11 at 14:49
  • How about an ethernet enabled uC with a servo, which connects or removes a connector (you will have to remove the latching tab). – 0x6d64 Dec 21 '11 at 14:58
  • @abdullahkahraman I have just been going through trying to get some of our unanswered questions updated to be able to get answers. This may not be exactly what he originally intended, but since he never came back we won't know exactly what he wanted. Either way, this question is still an interesting one that can help people in the future. As far as what he originally said, you can look at the edits to see this. – Kellenjb Dec 21 '11 at 15:21
  • @Kellenjb, ah sorry then. Good job, lol :) – abdullah kahraman Dec 21 '11 at 15:30
  • ...to pull the lines now?... typo here? – abdullah kahraman Dec 21 '11 at 15:32
  • @abdullahkahraman yes, typo. thanks for catching that. – Kellenjb Dec 21 '11 at 15:38
  • Out of curiosity, how would one "reconnect" the port? I assume you are sending it the command to "disconnect" via ethernet, once it is disconnected how would you reconnect it? Are you controlling it remotely via another means of communication? Or do you mean to control the port from the local machine? I feel that there is a better solution at the software level instead... – Jon L Dec 21 '11 at 17:20
  • Bring down the router port when not required. No special electronics is required for this. However, one might have to modify the router software, if the router does not have this facility already. On linux, I would put ethx up/down in crontab. – Indraneel Apr 15 '21 at 09:17

7 Answers

6

It may be quite some trouble to find a relay formally rated with the needed bandwidth, and design the system to maintain characteristic impedance throughout, though in practice you may find that an ordinary one and not worrying about that works. With some thought, you could probably make it work by interrupting only one or two lines rather than all of them.

A lot of professional-grade network equipment does have the capability to enable/disable ports on remote command, often used precisely for the case of isolating infected machines which you mentioned. Even a consumer grade device such as a wifi router running customized firmware could probably do so at least on the scale of all of its downstream ports; though you'll have the added headache of making sure its wifi is disabled. Atmel used to offer an embedded linux evaluation platform for their AVR32 chip with dual ethernet configured as a gateway - one of those would do the job if you can still get one.

And there's always putting a locking cover on the box. This has some advantages in that securing it becomes part of deploying/removing the kiosk, and also that there's a chance staff would notice if the cover were left open.

Finally, realize that securing the physical network should be only the first line of defense.

Chris Stratton
  • (7) The correct answer is to use SNMP on a managed Ethernet switch to remotely enable/disable ports on the switch (as Chris S. mentioned). A relay is also possible, especially with 100Base-T (the signaling requirements are not that critical). I personally would use a simple 4-port switch as a repeater and then put an appliance timer on it. – Dec 21 '11 at 23:15
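
The managed-switch approach from the answer and comment above (enabling or disabling a port by SNMP), as an added example that is not part of the original thread: a POSIX shell script that sets IF-MIB ifAdminStatus for one port according to a weekly kiosk window. The switch address, SNMPv3 user name, ifIndex and the Wednesday 09:00-16:59 window are assumptions; it only prints the command unless DRY_RUN=0.

```shell
#!/bin/sh
# Added example (not from the thread). Toggles a switch port's administrative
# state through IF-MIB::ifAdminStatus (OID 1.3.6.1.2.1.2.2.1.7; 1 = up, 2 = down).
# Assumed placeholders: switch address, SNMPv3 user, ifIndex, kiosk window.
SWITCH="${SWITCH:-192.0.2.10}"        # documentation address (constructed)
SNMP_USER="${SNMP_USER:-portadmin}"   # hypothetical SNMPv3 user
DRY_RUN="${DRY_RUN:-1}"               # 1 = only print the command

# desired_state DOW HOUR -> "up" inside the kiosk window, otherwise "down".
# Window assumed here: Wednesday (date +%u = 3), 09:00-16:59.
desired_state() {
    dow=$1; hour=${2#0}; hour=${hour:-0}   # strip one leading zero ("09" -> 9)
    if [ "$dow" -eq 3 ] && [ "$hour" -ge 9 ] && [ "$hour" -lt 17 ]; then
        echo up
    else
        echo down
    fi
}

# port_cmd IFINDEX STATE -> prints the snmpset command line; rejects bad input
# so nothing but digits ever reaches the OID suffix.
port_cmd() {
    case $1 in ''|*[!0-9]*) echo "bad ifIndex: $1" >&2; return 1 ;; esac
    case $2 in
        up)   val=1 ;;
        down) val=2 ;;
        *)    echo "bad state: $2" >&2; return 1 ;;
    esac
    # Auth/priv protocol and passphrases are read by snmpset from snmp.conf
    # (defAuthPassphrase / defPrivPassphrase), so they never appear in argv.
    echo "snmpset -v3 -l authPriv -u $SNMP_USER $SWITCH 1.3.6.1.2.1.2.2.1.7.$1 i $val"
}

# apply_port IFINDEX: compute the state for "now" and set it (or print it).
apply_port() {
    state=$(desired_state "$(date +%u)" "$(date +%H)")
    cmd=$(port_cmd "$1" "$state") || return 1
    if [ "$DRY_RUN" = 1 ]; then echo "$cmd"; else $cmd; fi
}
```

Run `apply_port <ifIndex>` from cron once an hour; because the default outside the window is "down", a missed run leaves the port disabled rather than open.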
5

I'd get a managed switch and configure the port for 802.1x authentication, then install the necessary credentials on the kiosk computer.

This uses a standardized and fairly secure authentication method that was designed for exactly this use case, gives you the best possible user experience (nothing required except plugging in the kiosk) and avoids configuration changes at runtime.

Simon Richter
5

The solution that I would use is decidedly low-tech but eliminates most of the technical hurdles. Purchase the lowest-cost Ethernet switch that you can find, connect one port to the computer and another port to the outside cable. Then simply switch the power to the Ethernet switch OFF and ON as required.

This has the advantage of not needing to worry about maintaining the impedance of the line pairs. It's also not particularly expensive - I am able to purchase 10/100 switches for very little money locally. Even less if I purchase from eBay.

Switching the power going into the switch is left as an exercise for the student (grin).

Dwayne Reid
4

If it's ok to turn on/off a whole group of ports together you can turn on/off the power of the ethernet switch the ports are connected to.

Curd
1

Copper ethernet uses twisted pairs of wires that have a nominal impedance of 100 ohms and interface with small radio frequency transformers, usually located in the connector housing. The logic side of the connector is similar to the cable side, but DC-biased. Use of relays or analog switches in this environment is not the most reliable way to go, though it might work for you. Powering up and down a hub used to buffer the signal electronically is a great idea. The professional IS solution, as mentioned in other answers, is to use a managed switch or gateway.

Larry Cox
0

I am not sure, but would a simple analog switch IC work here? Something like this one may be suitable. It has a serial interface, so you can easily control it from any mcu, and a single one should let you switch all 8 conductors in a standard ethernet port.

From the datasheet, it can switch voltages from -15V to +15V, so ethernet is easily in that range. I just don't know if the electrical characteristics (100 ohm resistance) of the switches will degrade the ethernet signal somehow. Maybe somebody else can address that.

captncraig
0

Easiest way would be to use a router or a network switch and plug it in on a digital timer. Sometimes the simple way stumps the hacker.

David Mikeska