With all the noise on the news today about the latest organization to be hacked into, the threat of cyberterrorism, and the never-ending war with computer viruses, it might seem that some of the rules of physical security no longer apply. Nothing is further from the truth. When it comes right down to it, it doesn’t matter how many service packs you put on your operating system. If the server is sitting right in the middle of your office where anyone can get to it, you might as well not have any security at all.
What is physical security?
Physical security refers to the sometimes dreary task of ensuring that only authorized people have physical access to your systems. This is not nearly as exciting as the war being waged on the Internet, but it can be more important in protecting your corporate assets.
Computers are unavoidably vulnerable to physical attack. Routers allow their passwords to be reset, server software-based security can be easily bypassed, and user passwords can be cracked and stolen. All of this is possible with a reasonable amount of physical access to the system.
Sometimes those who are gaining access to a system are not cyberterrorists; instead, they're just curious employees who want to learn more about the systems or perhaps play with some settings to see if they can allow themselves a greater ability to control their PCs.
The importance of physical security
Physical security is an important component to the protection of corporate information. The ability to gain physical access to servers and network equipment not only can allow all the information to be downloaded, but it can create an opening that hackers can continue to use for years to come.
Gaining physical access to a server provides direct access to the server’s hard drives and the ability to reboot the server. Remember that all the security set up on your servers is software-level security. That is, the operating system software protects the files based on the security settings you've established. If someone rebooted the server and installed a new copy of the operating system, that person could establish new rules for access. Intruders can use this fact to install a new version of the operating system and grant themselves access to every file on the server.
Once an intruder has access to the file system, he or she can extract a special file, called a password file, that contains the usernames and passwords of every user on the system. This file typically contains encrypted passwords for users; however, there are a variety of tools that will break the encryption on these files to reveal the password of every user on the system.
This is dangerous because users typically use the same password for every system. Once the security of one system has been compromised, it is possible for an intruder to use that information to gain access to other systems. Additionally, most networks contain several special-purpose system accounts that are used so that automated tools can manage the network and perform administrative functions, such as backing up the network. These passwords are typically never changed and never expire. Furthermore, because some of them are likely to access every file on the network repeatedly, they are rarely audited.
The end result of a password-cracking activity might be to allow an intruder an account that is not audited, whose password never changes, and one that is not often thought of when looking for potential security breaches. This is all possible despite the fact that the account may contain administrative access.
Locking the door
Physical security is all about who has access to the equipment. In the past, it was clear that only authorized people would have access to the systems. Computers lived in big “glass houses” where only IT people were allowed to go. The systems were always kept under lock and key.
Locks have been around forever and have the benefit of being simple in their design. However, keys can be lost, stolen, or duplicated, which presents a problem when you're trying to manage user access to the servers. One lost key or disgruntled person, and the potential physical security is gone.
In addition, keys do not generate audit trails. It is impossible to determine, from just a lock, who has unlocked the door and gained access. The key-and-lock combination prevents anyone except the determined from gaining access but does not offer the extended ability to keep records.
In more recent times, most computer rooms and many businesses have shifted to a card access (or token access) system. Under such a system, each user has a unique card that authenticates the user. Once the card access system knows who the person is, it determines whether the person is authorized for entry. Once properly authorized, the person can be allowed entry and the person’s access can be logged.
There are several benefits to the card access system. First, it allows each user to be identified individually. Where a lock-and-key environment has the same key for every authorized user, card access systems can uniquely identify a user. This is important because it allows for the ability to audit who gained or requested access to the room.
In addition, the separation of authorization from authentication is important because it allows for a single card to be used for access to a configurable array of doors and resources. In the lock-and-key world, you were required to carry a key for each different lock or group of locks that you wanted to open. In an electronic card access system, this is no longer a necessity.
Whether you use a standard lock-and-key or card access system, it is important to maintain control of who has access to the computers by controlling access to the rooms they are in.
With the increasing density of computers and the number of servers being used at smaller and smaller offices, it is no longer safe to assume that all the critical servers in an organization are behind lock and key in one big room. Today branch offices are receiving servers, which run some of the operations such as file and print services, that demand larger communications bandwidth. While a line of business applications may still be present on a central server, more operations are moving local to the user to improve responsiveness.
The unfortunate part of this is that suddenly servers must share their space with other equipment and potentially with a much wider array of employees. A server may be squirreled away in the corner of a janitor’s closet or in the break room, or any number of other locations where controlling physical access to the room may not be practical.
Luckily, servers and equipment have been standardized to fit a standard 19-inch rack. Initially, racks were free-standing mounting hardware that allowed for a mechanism to stack equipment into tighter spaces, but the evolution of computer equipment has led to 19-inch rack mount cabinets that may or may not be fully enclosed. Enclosed racks offer the unique opportunity to create a physical barrier to accessing the servers without providing complete room security.
Once they are sufficiently loaded with computers or bolted to the floor, rack cabinets become substantially more difficult to move and therefore much more difficult to steal. Locked rack cabinets, although having the problems associated with having a lock and key, do provide a measurable level of additional physical security, particularly for environments where the room housing the servers cannot be practically secured.
What to secure
It is obvious that access to servers is critical and that servers should be protected, but there are other items whose physical access should be protected. Anything that has data on it should obviously have some physical security protecting it from being taken by someone who should not have it.
Perhaps the best example of this is your backups. You probably already know that you should rotate backup tapes off-site just in case there is a fire, flood, tornado, hurricane, or other disaster that destroys your location. However, do you encrypt the data that is on those tapes with a password? Without some sort of basic encryption, the tapes are as good as having access to the server itself. The data can be restored to another system and become a way for corporate spies to gain access to your information—and your passwords.
Although most off-site tape rotation companies are bonded and insured, there is often little thought given to leaving the tapes for those companies at a front desk, on a shipping dock, or in other places where it would be easy for someone to steal. Remembering to protect your backups with physical security is an important step.
In addition to backup tapes, special care should be given to any device that might allow a user to gain access to the network remotely. A good example of this type of device is firewalls that are installed in a branch office and configured to automatically establish a VPN to the main office. If the firewall were stolen, it would be relatively easy to create an environment that would establish the VPN to the home office without needing to know the password on the device or in any way modify the configuration.
The implication is that the person could gain access to your network from anywhere he or she wanted. This is particularly true when all branch offices are configured with the same VPN password—because changing the VPN password would require reconfiguring all of the devices.
Monitoring is an important consideration for servers as well. There is no foolproof way to ensure that a server is always physically protected. Breakdowns in security always happen. Monitoring is necessary to ensure that unauthorized actions do not occur with the server.
The most basic kind of monitoring is the kind that you may already have in place on your network. For intruders to attack the server, they will need to take it off the network, either by stealing it or just rebooting it to their operating systems. By monitoring for servers that go offline, you can identify connectivity and stability problems as well as machines that may be targets.
Obviously, monitoring when a server is present and when it is not present is a good start, but it does not tell you who took the server. That is what video monitoring can do for you. Video monitoring uses digital video cameras to snap pictures of the individuals entering a room or approaching a server. There are a variety of devices that can perform this function.
These devices wait for a contact to be broken or until they detect motion. They then begin to take still images at the rate of a few per second and forward them off to an e-mail account or an FTP server. The contacts they monitor are the same kind used in alarm systems. They can be any kind of a contact that can be broken; however, they are typically small magnetic door switches that indicate when the door is open.
These devices use motion detection that is image-based. They use a complex analysis of the video they receive to determine whether there is any motion. This works surprisingly well in office environments where there isn't a lot of changes in the image, but the motion detector can be fooled by shadows moving on the wall.
The most basic device is a simple camera like the Axis 2120 Camera. It supports all of the features I've discussed here and has a built-in Web site that can be used to see what the camera is looking at. On the higher end are devices such as the NetBotz WallBotz, which not only provides the features mentioned above but also does environmental monitoring and notification. WallBotz and its sibling RackBotz monitor temperature, humidity, airflow, and audio level in addition to the video monitoring. The airflow monitoring can indicate when fans are failing to move enough air across the computers to ensure that they stay cool. The audio monitoring can be used to listen for errors that are not connected to the system, such as an alarm from the air conditioner that it is about to fail.
NetBotz also offers a centralized monitoring and reporting option that allows you to see the results of the environmental monitoring over time. This is something that can really help to protect your computer systems from the stresses of poor environmental control.
Security goes beyond patches
Physical security is a critical component of your security plan, because a failure in physical security can quickly eliminate all the work done on the software side to secure the systems. Implementing a solid monitoring solution is essential in detecting problems with the physical access and in being able to create an audit log for those who have gained access to the server—rightfully or unrightfully.