December 15th, 2006 02:26 PM
Don't forget physical security
So, you've patched all your servers, you're using 802.1x on every switchport, you have incredibly convoluted access rules for your data, and your firewalls and IDS/IPS are top notch. So you're pretty secure, right? In my experience, probably not. Almost nobody does physical security well.
I run a small (okay, very small) infrastructure company. I rarely concern myself above layer 3 and almost never above layer 4. But along with all the switching and routing, I also do Outside Plant Engineering, Inside Plant Engineering, Power and HVAC assessment, and physical security. Like I said....almost nobody gets the last part right.
What follows is a very abridged tutorial on taking proactive steps to physically protect your assets, what we used to call in the Army "leaning forward in the foxhole." It will not cover every possible physical attack vector, but I will try to hit the most common mistakes that I see. Any product mentioned is an example, not an endorsement.
For my customers, I distill physical security into three relatively straightforward parts:
Control physical access
Monitor that access
Train personnel and have clear policies in place
First: Controlling access. All the high speed software and hardware based security in the world doesn't do a bit of good if I can walk into your server room or data center and walk out with a piece of equipment. Once you lose physical control of a piece of equipment, the bad guys can dissect it at their leisure (pull the disks, read the configs and stored credentials) without ever worrying about tripping an IDS. I'm amazed at the number of data centers, server rooms, and telecommunications rooms (TRs) that have no lock at all, or a piece of junk for one.
At a minimum, anyplace that houses your electronics should have metal doors in metal door frames. Get rid of the standard lock immediately. A padlock and hasp is better than the lock that comes in most door knobs. I've gotten into countless TRs with nothing more than a credit card. (Actually, I usually use my MCSE card because I don't want to screw up my AMEX.) To increase security even more, you can use a cipher lock (you know... one of those push button things) or an RFID badge. Just make sure that you aren't using 1,2,3,4,5 as your combo (people do it, I've seen it!!), that you change the combo when someone who knows it leaves, and that you control who gets a badge and who has the combo. Even better is to use both for two-factor access control: the badge is something you have and the combo is something you know, so a lost badge or a leaked combo on its own gets nobody in.
For really good access control, biometric systems are available. The best I've seen yet was at a Tier 1 carrier's co-lo site where I had to submit my palm for scanning while punching in a very long PIN and standing on a scale in a very tiny locked room. If I weighed too much or too little, I was locked in the room until the guard let me out (sucked for carrying equipment in, but prevents someone from getting into the mantrap with you). Once I was authenticated, the door to the interior would open up and let me in. Otherwise I wasn't getting anywhere. Of course, this kind of heavy duty security comes with a hefty price tag.
Next: All the physical access control is useless if there isn't a way to monitor it. Given enough unobserved time, any lock can be defeated. The old tried and true method is to have guards, or at the very least attentive employees. Ingress points to your sensitive areas should be in places that receive foot traffic. You want people to see who is going in and out of your data center. You do not want to give someone with the intent to do your organization harm the luxury of having time to work on breaking your locks unobserved.
Relying on the human factor, however, means you're susceptible to human failure. Automation is important and far less likely to fail on a regular basis. There are plenty of CCTV systems out there, some better than others. Some still use old VHS tapes and some run on IP and will store the data indefinitely in your SAN. There are also 'all in one' systems out there like NetBotz that can provide environmental as well as physical monitoring. Get the best you can afford.
Again, all of the high speed video cameras, motion detectors, RFID authentication, et cetera, et cetera are completely useless if no one pays attention to what's going on with them. Policies need to be in place to control who has access and when. And then... someone needs to make sure that it's working like it's supposed to be: review the logs, reconcile the badge list against the people who are still employed, and check that the cameras actually recorded. Remember, your biggest threats are often from the inside. Someone with legitimate access can easily rob you blind, and if you aren't logging who accessed your data center and when, your list of suspects is everyone who had access to it, which in a large organization can be a pretty big list.
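The two points above (controlled badge/combo access, and logs that turn "everyone with access" into a short list of people who were actually in the room) are easy to demonstrate on a badge-reader log. The following is an added example, not code from the original post or from any access-control product: the log format, the badge IDs, the door name and the access-hours policy are all constructed for illustration. It narrows the occupant list to a time window and flags the things a reviewer should look at: repeated denials at one door (someone guessing the combo or trying badges), a second entry with no exit in between (a tailgated exit, or a cloned badge), and entries outside the badge holder's permitted hours.

```python
"""Badge-reader log triage: who was in the data center when, and which
events look wrong.  Added example; the log format, badge IDs and the
access policy below are constructed for illustration and do not come
from any real access-control system."""
from collections import defaultdict
from datetime import datetime, time

# Constructed sample log: ISO timestamp, door, badge ID, direction, result.
SAMPLE_LOG = """\
2006-12-14T08:02:11 DC-EAST B1042 IN  GRANTED
2006-12-14T08:03:40 DC-EAST B2210 IN  GRANTED
2006-12-14T09:15:02 DC-EAST B1042 OUT GRANTED
2006-12-14T12:30:05 DC-EAST B2210 OUT GRANTED
2006-12-14T13:01:17 DC-EAST B3355 IN  DENIED
2006-12-14T13:01:29 DC-EAST B3355 IN  DENIED
2006-12-14T13:01:44 DC-EAST B3355 IN  DENIED
2006-12-14T14:10:00 DC-EAST B1042 IN  GRANTED
2006-12-14T14:12:30 DC-EAST B1042 IN  GRANTED
2006-12-14T23:47:09 DC-EAST B2210 IN  GRANTED
2006-12-15T00:20:51 DC-EAST B2210 OUT GRANTED
"""

# Hypothetical policy: badge -> (earliest, latest) time of day it may enter.
POLICY = {
    "B1042": (time(7, 0), time(19, 0)),   # day-shift admin
    "B2210": (time(7, 0), time(19, 0)),   # day-shift admin
}
DENIAL_THRESHOLD = 3   # this many denials in a row by one badge = someone probing the door


def parse_log(text):
    """Turn raw lines into (timestamp, door, badge, direction, result), oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, door, badge, direction, result = line.split()
        events.append((datetime.fromisoformat(ts), door, badge, direction, result))
    return sorted(events)


def occupants_during(events, start_iso, end_iso):
    """Badges that were inside at any point in [start, end].
    This is the suspect list the log gives you; without the log it is everyone."""
    start, end = datetime.fromisoformat(start_iso), datetime.fromisoformat(end_iso)
    inside = {}       # badge -> entry time of the current visit
    present = set()
    for ts, _door, badge, direction, result in events:
        if result != "GRANTED":
            continue
        if direction == "IN":
            inside[badge] = ts
        elif badge in inside:
            entered = inside.pop(badge)
            if entered <= end and ts >= start:    # visit overlaps the window
                present.add(badge)
    # anyone still inside (no OUT yet) who entered before the window closed
    for badge, entered in inside.items():
        if entered <= end:
            present.add(badge)
    return present


def find_anomalies(events, policy=POLICY, threshold=DENIAL_THRESHOLD):
    """Return (kind, badge, timestamp) findings a human should review."""
    findings = []
    inside = set()
    denials = defaultdict(int)
    for ts, _door, badge, direction, result in events:
        if result == "DENIED":
            denials[badge] += 1
            if denials[badge] == threshold:
                findings.append(("repeated-denials", badge, ts))
            continue
        denials[badge] = 0
        if direction == "IN":
            if badge in inside:
                # second IN with no OUT: tailgated out earlier, or a cloned badge
                findings.append(("double-entry", badge, ts))
            inside.add(badge)
            window = policy.get(badge)
            if window is None:
                findings.append(("badge-not-in-policy", badge, ts))
            elif not (window[0] <= ts.time() <= window[1]):
                findings.append(("after-hours", badge, ts))
        else:
            inside.discard(badge)
    return findings


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    print("in the room 14:00-15:00:", occupants_during(evts, "2006-12-14T14:00:00", "2006-12-14T15:00:00"))
    for kind, badge, ts in find_anomalies(evts):
        print(f"{ts}  {kind:20s} {badge}")
```

The occupant query is the whole point of logging: if a box goes missing between 14:00 and 15:00, the log says exactly which badges to talk to. The anomaly pass is what "someone paying attention" looks like when automated; every finding still needs a human to decide whether it is a tired admin who propped the door or something worse.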
Finally: Trained personnel and policies. Not only do people need to be doing their job when it comes to monitoring, you need to train them to recognize social engineering. True story: I was on a military installation (for legitimate reasons) on the day of the London terrorist bombings. The installation was supposed to be on a heightened security alert that day. By simply strapping a butt set and a cable splicer's kit to my belt and carrying a clipboard with me, I walked into almost a dozen different buildings and was escorted into the TR without anyone challenging me as to what I was doing. Once there, I proceeded to take notes and draw diagrams of everything in the room. I was shocked at how easy it was. In only two places did anyone even stay with me once they had shown me where it was, and neither of them bothered to ask me why I was taking notes. I could have just as easily been photographing everything, stealing equipment, or inserting logging devices.
Now, I did have a legitimate reason for doing what I was doing, and the props were there so people wouldn't ask questions. And they didn't. It was that easy. Training people to challenge strangers would have prevented this, as would clearly defined and widely disseminated access control policies.
Also make sure you have a shred (or, even better, burn) policy for all your paperwork. An elderly woman was recently robbed at gunpoint on her front porch by a junkie who was after her OxyContin prescription. How did he know she had the prescription? He dumpster-dived at a local drug store and found improperly disposed-of patient records. Shredding or incinerating would have prevented it.
Those are some starting points for creating a comprehensive physical security plan. Defense in depth is just as important for the physical layer as it is for the data. Without it, you're just asking for trouble.