You know those really cool server rooms in the movies where they are
surrounded by glass and you can see all the neat stuff? I have only
ever seen one telco closet that I would put in a fishbowl like that,
mostly because there was nothing configurable in it and the wiring was
very tidy. I don't need people looking in on my equipment and seeing
that something is out of date or no longer supported. Let me take an
extreme example and assume that someone is still running a Cisco 2500
series router (long past end-of-life) as their core router. If my rack
were in a fishbowl and an attacker posing as a repairman saw that, they
would immediately know that a DoS attack would bring down my network in
no time, or they could pick an exploit that targets that exact platform,
because they now know precisely where to start. A glass wall turns the
model numbers, port counts and blinking status lights on your gear into
free reconnaissance for anyone who walks past. Don't get me wrong; I love
seeing those sweet setups in movies, but come on, they are not realistic.
The physical setup of your equipment is important for a variety of
reasons. I run Cisco gear at home, and one day my son came with me into
my workshop. That little guy loves to push buttons, and can you guess
which button he pushed right away? Yep. The one on my main Cisco router.
The physical security of my home equipment was breached by a 2-year-old.
It didn't help that the button was right at his eye level, but you get
the point. Buttons have a way of being pushed by people who don't know
what they are doing or don't realize how close they are to the
equipment. You could invite a friend from college to see the cool gear
you are working with, and the next thing you know they have accidentally
pulled a network cable out just far enough to lose connectivity but not
far enough to pop out of the port, which is the kind of fault that takes
far longer to find than a cable lying on the floor.
A general rule of thumb is that there should be three physical barriers
between the public and your important gear. The most obvious one is the
main entrance to your workplace. Depending on where you work it could be
a simple door to the business or an entrance protected by armed guards.
Either way, when someone walks into your business they should be met by
a person who greets them and checks why they are there. This is the
first step in making sure that people don't wander where they shouldn't.
I have worked in businesses of a variety of sizes, and in general the
company's servers are kept separate from the rest of the employees (as
they should be). This is the second level of defense in our little "push
random buttons" game. Even regular employees should not have access to
the IT department or computer lab areas; access should be limited to
the people who actually work on that equipment.
The third level of physical security is the locked server room door.
There are multiple ways to secure a server room, from a simple key lock
to a biometric scanner, but the end goal is the same: keep people out of
there! You wouldn't want someone on their last day of work walking by
and cutting the power to your servers or plugging network cables into
random ports. That would be no fun. Whatever lock you choose, make sure
you know who holds a key or credential and revoke it when they leave.
Last but not least, don't forget your motion sensors and cameras. Motion
sensors can trigger the cameras or simply send an alert to your phone
that someone has walked into the server room. Cameras are obvious, since
they give you a visual record of who was in there and when. The locked
door keeps people out; the sensors and cameras tell you when it failed.
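To make the "alert my phone" idea a little more concrete, here is an added example (my own illustration, not part of the original post and not tied to any particular sensor product) of the logic behind such an alert: a motion event in the server room is only worth an alert if nobody badged in shortly before it. The log format, the device names, the user names and the 5-minute grace window are all assumptions made up for the example, and the sample events are constructed.

```python
"""Added example: flag server-room motion that no granted badge swipe explains.

The log line format, device names and the grace window below are
assumptions for illustration; the sample events are constructed.
"""
from datetime import datetime, timedelta

# Constructed sample events, oldest first.
# Format: <ISO timestamp> <source> key=value ...
SAMPLE_EVENTS = [
    "2012-04-07T09:00:05 badge  door=server-room user=admin1 result=granted",
    "2012-04-07T09:00:40 motion zone=server-room",
    "2012-04-07T13:15:10 badge  door=server-room user=visitor result=denied",
    "2012-04-07T13:16:02 motion zone=server-room",
    "2012-04-07T22:41:30 motion zone=server-room",
]

# How long after a granted swipe we consider motion "expected" (assumed value).
GRACE = timedelta(minutes=5)


def parse_event(line):
    """Split one log line into a dict with a datetime timestamp."""
    ts, source, *fields = line.split()
    attrs = dict(f.split("=", 1) for f in fields)
    return {"ts": datetime.fromisoformat(ts), "source": source, **attrs}


def find_unbadged_motion(lines, grace=GRACE):
    """Return ISO timestamps of motion events with no granted badge swipe
    within `grace` before them. A denied swipe does not count: motion right
    after a denied swipe is exactly the tailgating case we want to see."""
    alerts = []
    last_granted = None
    for ev in map(parse_event, lines):
        if ev["source"] == "badge" and ev.get("result") == "granted":
            last_granted = ev["ts"]
        elif ev["source"] == "motion":
            if last_granted is None or ev["ts"] - last_granted > grace:
                alerts.append(ev["ts"].isoformat())
    return alerts


def format_alert(ts):
    """Text you would push to a phone; delivery transport is out of scope here."""
    return f"Server room motion at {ts} with no badge entry in the last {GRACE}"


if __name__ == "__main__":
    for ts in find_unbadged_motion(SAMPLE_EVENTS):
        print(format_alert(ts))
```

The point of the correlation is alert fatigue: if every motion event pages you, you will stop reading the pages, and the one at 22:41 that matters gets ignored along with the ones caused by your own staff doing their jobs.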
-- Joe McShinsky
Saturday, April 7, 2012