Wednesday, July 21, 2010

Physical Security

Unauthorized access to your servers can occur just as easily from the inside as the outside. Perhaps even more so since the internal organization is seen as less of a threat. While that may be (somewhat) true from a user perspective, the unauthorized use of the organization’s facilities and hardware is a very real threat.
To most people, physical security means locking up the server hardware and hubs/switches. However, it goes far beyond that. It involves the entire physical plant, the systems that connect to it, and the office space those systems are located in. It even extends to the notebooks carried by your company’s road warriors. Notebooks and PDAs get stolen all the time. And there’s no telling who has access to the computers of those who dial-in from home where users have a tendency to check the “Remember password” box on their dial-up connections.
I have seen countless instances of organizations that spend all kinds of money on fancy security systems surrounding the rooms that house servers and other IT equipment and at the same time have network jacks in locations that anyone can get to without breaking a sweat. Someone could hook up a pocket-sized packet sniffer and in less than a minute have all the IP address information and maybe even some IDs and passwords they need. With all of the foot traffic in large companies at quitting time, it wouldn’t take much for someone with a notebook to slip into a secluded office or cubicle and spend hours on your network with no one but the cleaning people to bother them.
Networks, by their very nature, mean you don’t need to be phsically at a server to administrate that server. While IT operations typically don’t have a lot of clout with a facility’s security people, there are some infrastructure-related steps you can take to try and lock things down. Unplugging unused or publically-accessible network jacks at the cross-connects is one measure. Restricting users to logging in only on certain systems, whether they be identified by MAC address or a hostname, and only during certain hours is a start. Security-minded organziations are also setting up VPNs on internal networks and requiring that all Intranet Web traffic be SSL to guard against unauthorized sniffing.
And how many users do you know have their passwords written down on Post-It Notes stuck to their monitor or on a piece of paper inside a desk drawer? Biometric devices have dropped dramatically in price in the last two years. You can buy a hardware device that reads a fingerprint in order to authenticate users for a little over $100 now (U.are.U Pro from Digital Persona). Setting up certificate servers helps ensure that only authorized systems have access to network resources. They’re not just for remote systems anymore.
That’s not to say physical security of the servers and wiring closets isn’t important. Just don’t overlook the obvious. One organization was so proud of their fire-proof file room for all of their personnel records until I pointed out the room had a wooden door. A chain is only as strong as its weakest link. Do the doors to your server room or wiring closets open out? If so, it’s probably just a matter of popping the hinge pins out and a door comes right off. Crawling over the top of a wall by popping out the panels in a suspended ceiling isn’t all that tough either.
There are many steps you can take to secure the physical environment. Some are electronic, some are mechanical, and others are procedural. But nothing substitutes for common sense.