Saturday, April 7, 2012

Security+ Topic - Physical

You know those really cool server rooms in the movies where they are surrounded by glass and you can see all the neat stuff? I have only ever seen one telco closet that I would put in a fishbowl like that, mostly because there was nothing configurable in it and the wiring was very tidy. I don't need people looking in on my equipment and seeing that something is out of date or not supported anymore. I will take an extreme example here, but let's assume that someone is still using a Cisco 2500 series router for their core system. If my rack was in a fishbowl and some attacker posing as a repairman saw that, they would immediately know that a DoS attack would bring down my network in no time. Or they could use a specific exploit on my router, as they now have more specific knowledge of where to start. Don't get me wrong; I love seeing those sweet setups in movies, but come on, they are not realistic.


The physical setup of your equipment is important for a variety of reasons. I run Cisco gear at home, and one day my son came with me into my workshop. That little guy loves to push buttons, and can you guess what button he pushed right away? Yep. The power button on my main Cisco router. The physical security of my home equipment was breached by a 2-year-old. It didn't help that the button was right at his eye level, but you get the point. Buttons have a way of being pushed by people who don't know what they are doing or don't realize how close they are to equipment. You could invite your friend from college to see the cool gear you are working with, and the next thing you know they have accidentally pulled a network cable out just enough to lose connectivity but not pop out of the port.


A general rule of thumb is that there need to be three physical barriers to keep people away from your important gear. The most obvious one is the main entrance to your workplace. Depending on where you work, it could be a simple door to the business or an entrance protected by armed guards. Either way, when someone walks into your business they should see someone there to greet them. This is the first step in making sure that people don't wander where they shouldn't.


I have worked in a variety of business sizes, and in general the company's servers are kept separate from the rest of the employees (as they should be). This would be the second level of defense in our little “push random buttons” game. Even regular employees should not have access to the IT department or computer lab areas.


The third level of physical security would be the locked server room door. There are multiple ways to secure a server room, ranging from a simple key lock to a biometric scanner, but the end goal is the same. Keep people out of there! You wouldn't want someone on their last day of work walking by and turning off all the power to your servers or plugging network cables into random spots. That would be no fun.


Last but not least, don't forget your motion sensors and cameras. Motion sensors can activate the cameras or simply send an alert to your phone that someone has walked into the server room. Cameras are obvious, as they give you a visual of who was in there.

-- Joe McShinsky