How to tie traffic from one ethernet port to another? (newbie security)

Hi everyone, I have basic networking knowledge, but this is stepping out of my knowledge base.

Am happy to educate myself through the wonders of youtube - I just need to know if its possible and what the terminology would be.

I have a server plugged into a managed switch (say eth:1). The server serves multiple clients on the same switch. I have ONE client plugged into another ethernet port (say eth:15) on the same switch. Is it possible to force eth:15 (the client) to only accept rx/tx data to/from eth:1 and block all access from all the other ports at a switch hardware level?

Essentially, I have some legacy hardware that only accepts pure TCP data using http: and not https: and it has ZERO authentication.

Obviously this is a real easy target for a 12 year old with a packet sniffer, so I want to mitigate as much as I can. I dont actually care if the packets themselves get sniffed as the data in the packets is not important, but by isolating one port (eth1 to eth15) at the switch hardware level it would appear like a hard cabled connection (server to client). I DONT want to use mac addresses of the server/client as a 14 year old would know how to spoof the mac address of the server. Using this idea would also mitigate a MiM attack.

As I said, Im happy to educate myself. I just dont know what I need to be researching

If the switch is managed you can create a VLAN and put those ports in that VLAN. You would also want to secure the other ports to make sure they are not allowed traffic from the VLAN those devices are on.

Aside from VLANs, many switches have something along the lines of “protected” ports. Some implement this the Cisco way - protected ports can’t talk to each other. This doesn’t exactly help you in your case, since you have just one port that needs isolation from almost all others, and all those other ports should be able to talk to each other. Other vendors, like HPE/Aruba, let you build a full list of what ports each port can send and receive traffic from. It is more work if you did want to implement the “Protected port” setup, but offers better flexibility for situations like yours.

So, which exact managed switch are you using for this? Or are you still in the research/shopping phase?

But also its probably easiest if you just make a VLAN for this client. The Client’s port would be set to access/untag for that VLAN, and the server’s port would be set to trunk/tagged. Then you’d add a VLAN subinterface on the server (details depend on the OS) and give both devices static IPs (the client doesn’t know its in a VLAN). Or, instead of adding the VLAN to the server, you could add the VLAN to your router, and use ACL/firewall to restrict the client VLAN to/from the server.

Edit: Looks like Cisco also has “port isolation” which does what you want - isolated ports can only talk to the designated uplink/promiscuous ports. That seems to be a “newer” feature - like in the past decade.

1 Like

I’m a bit confused about your setup. You mention both “a server” and “some legacy hardware” - are they the same thing? Also, when you say the legacy hardware doesn’t support HTTPS, it makes it sound like you’re referring to an appliance on which you don’t have control over the software. Is that the case?

Also you say “pure TCP data” and HTTP - which is it? Because if it’s HTTP, I would probably solve this using a reverse proxy (e.g. nginx, Traefik, HAProxy). Clients would connect to the reverse proxy via HTTPS with optional authentication and the reverse proxy would connect via HTTP to the actual service. All direct ways for clients to access the service must be prohibited so that using the reverse proxy to access the service is the only way. The easiest scenario would be to run the reverse proxy on the same hardware as the service itself. If the service runs on an appliance, that’s probably not possible. The next best thing would be to put the appliance in a separate network and run the reverse proxy on another machine which is connected to this network as well as the client network.

Thanks people for replying and getting me one step closer.

Tom - just to check. Is it possible a VLAN/MAC address could be spoofed, or by virtue that a VLAN adds something to the packet, makes it impossible to spoof a mac address?

@brwainer thanks for your suggestions I will look into those suggetions. At the moment Im using an edgeswitch but I am open to change to something different.

@paolo the environment is Node-Red to a Modbus TCP/485 hub. Modbus is completely insecure as a protocol from both the master and slave perspectives. It implementation is both a read and write scenario. Obvioulsy i want to protect the write side as it is an industrial situation.

If you lock a switch port to a specific VLAN and MAC physical access to those ports would be required to spoof it.

Thank you everyone for this - have implemented it