Networking

The art of physical, outer perimeter security

The first barrier to physical intruders is the perimeter fence. In this post, Tom Olzak describes best practice for outer perimeter security, both preventive and detective.

When information security professionals think of perimeter security, firewalls, SSL VPN, RADIUS servers, and other technical controls immediately come to mind.  However, guarding the physical perimeter is just as important.

During the past weeks, I’ve written a series of articles that describe various components of an effective physical security strategy.  In this final article in the series, we’ll look closely at best practices for constructing the initial barrier to physical access to your information assets: the outer perimeter.

Components of a physical perimeter

Having served for several years in the military police, the concept of physical perimeter has two meanings.  However, we’ll skip the combat definition with its automatic weapons placement and final protective lines and focus on facility security.  (At least I hope your information asset physical security isn’t that strict, department of defense facilities excluded…)

The outer perimeter of a facility is its first line of defense.  It can consist of two types of barriers: natural and structural.  According to the United States Army’s Physical Security Field Manual, FM 3-19.30 (2001, p. 4-1):

  1. Natural protective barriers are mountains and deserts, cliffs and ditches, water obstacles, or other terrain features that are difficult to traverse.
  2. Structural protective barriers are man-made devices (such as fences, walls, floors, roofs, grills, bars, roadblocks, signs, or other construction) used to restrict, channel, or impede progress.

In other words, if you can use the terrain, do so.  Otherwise, you have to spend a little money and build your own obstructions.

The most common type of structural outer perimeter barrier is the venerable chain-link fence.  However, it isn’t good enough to simply throw up a fence and call it a day.  Instead, your fence, a preventive device, should be supported by one or more additional prevention and detection controls.  The number of controls you implement and to what extent are dependent upon the risks your organization faces.

Fence basics

A fence is both a psychological and a physical barrier.  The psychology comes into play when casual passers-by encounter it.  It tells them that the area on the other side is off-limits, and the owner would probably rather they didn’t walk across the property.  A fence or wall of three to four feet is good enough for this.

For those who are intent on getting to your data center or other collection of information assets, fence height should be about seven feet.  See Figure A.  For facilities with high risk concerns, a top guard is usually added.  The top guard consists of three to four strands of barbed wire spaced about six inches apart and extends outward at a 45 degree angle.  The total height, including fence and top guard, should reach eight feet. Figure A

Fence installation

Installing a perimeter fence requires some planning.  See Figure B.  Set the poles in concrete and ensure the links are pulled tight.  The links should form squares with sides of about two inches.  The fence should not leave more than a two inch gap between its lower edge and the ground. Figure B

Figure C depicts other considerations regarding fence placement.  First, identify any culverts, ditches, or objects that cause an opening beneath the fence.  Remember the two-inch rule above.  There should be no gaps greater than two inches below the edge of the fence. When any opening under the fence--whether enclosed as with the culvert in our example, or open--exceeds an area greater than 96 square inches, it should be blocked (FM 3-19.30, p. 4-5).  This is a good rule-of-thumb.  However, use common sense.  If you think a hole is big enough for a person to defeat your fence, block it.  Figures D and E (MIL-HDBK-1013/10, 1993, p. 15) show two methods. Figure C

Clear the area on both sides of the fence to provide a clear view of future intruders.  The recommended clearances, as shown in Figure C, are:
  • 50 feet between the fence and any internal natural or man-made obstructions.
  • 20 feet between the fence and any external natural or man-made obstructions.

Natural obstructions include trees and high weeds or grass.

Figure D

Figure E

Supporting controls

Vehicle Barriers

When vehicular intrusions are a concern, support the fence and gate opening with bollards or other obstructions, as depicted in Figure F (FM 3-19.30, p. 3-4). Figure F

Lighting

Lighting is a critical piece of perimeter security.  It works as a deterrent and assists human controls (roving guards, monitored cameras, first responders to alarms, etc.) detect intruders.  Lighting standards are pretty simple:

  • Provide sufficient light for the detection controls used
  • Position lighting to “blind” intruders and keep security personnel in shadows
  • Provide extra lighting for gates, areas of shadow, or probable ingress routes, as shown in Figure C.

A general rule to start with is to position lights with two-foot candle-power at a height of about eight feet.

Intrusion detection controls

As with our technical controls, we make the assumption that if someone wants to get through our perimeter, they will.  So we need to supplement our fence with intrusion detection technology, including:

Use of detection technology must be coupled with a documented and practiced response process.

The final word

The field of physical security is broad and is often a dedicated career path.  So the information here is not intended to make you an expert.  However, organizations are increasingly integrating computer and physical security under one manager.

The need for information security professionals to understand physical controls is great enough that the most popular certifications, such as CISSP, require some knowledge of the topic.  Don’t be left behind.

Finally, many of the controls discussed in this article are too extreme for many organizations.  However, It’s always better to understand all your options.

About

Tom is a security researcher for the InfoSec Institute and an IT professional with over 30 years of experience. He has written three books, Just Enough Security, Microsoft Virtualization, and Enterprise Security: A Practitioner's Guide (to be publish...

11 comments
elrico-fantastica
elrico-fantastica

i think we should bring back the moat... it kept the villagers at bay for hundreds of years and nothing sets of a drive way like a classic draw bridge. just sayin

Daniel Breslauer
Daniel Breslauer

In our small office (100 employees, mostly homeworkers - office has room for 20-30, usually around 10), I, as the IT person, am responsible for the access control system (access cards).

dawgit
dawgit

Inside the wire :) they make excellent watch dogs ?:| and keep the grass cut too. Serious though, good article, or for some of us a good refresher.

Neon Samurai
Neon Samurai

A nice comfy home and redilly available food may have been part of it. Mind you, put some momma bears and cubs inside the fense and you've got some protective behavior. Rather novel idea for the growers but I still can't see forest and rec having an issue tranking the bears on the way in with the police. Like dogs, even if they are good for detection, they are easily negated when you don't have to be stealthy.

robo_dev
robo_dev

then the bears would just hang out all day watching cartoons and playing X-box :)

santeewelding
santeewelding

A little kid or drunk falls in and drowns, you got problems.

Jellimonsta
Jellimonsta

Our street gets flooded on occasion, so we end up with a big wet ditch (foot deep) at the end of the driveway. Does that count? :p

robo_dev
robo_dev

Post 9/11 I spent a lot of time looking at hardening data centers. The coolest things are the bollard systems. There are specialty bollard systems(steel posts), with about five tons of steel and concrete structure underground, capable of stopping a 10,000 lb truck going 50mph..to a dead stop. I watched a crew install a set of these across the front of a data center. Even better are the hydraulic pop-up bollards to allow access to the property. These have a 'panic mode' that pops the bollard up from the pavement in about 1/3 of a second with enough force to launching a car several feet off the ground or punch through the floor of a truck and stop it. Cameras: CCTV and video surveillance is something I've worked with a lot....fun technology.

Neon Samurai
Neon Samurai

It's truly amazing how many laws where implemented due to insurance rather than any other motivation. Heck, firefighters and fire stations where an invention of the insurance industry. (if where not insured by the company that the fire station who showed up belonged to, they'd watch it burn)

santeewelding
santeewelding

I'd forgotten about that. Something like the institution of policing in San Francisco. Whatever. I'm sure the author did consider the aspect of litigation attendant to every physical attribute related to security. He did forgo the automatic weapons, and a drone permanently overhead loaded with Hellfires.