When information security professionals think of perimeter security, firewalls, SSL VPN, RADIUS servers, and other technical controls immediately come to mind. However, guarding the physical perimeter is just as important.
During the past weeks, I've written a series of articles that describe various components of an effective physical security strategy. In this final article in the series, we'll look closely at best practices for constructing the initial barrier to physical access to your information assets: the outer perimeter.
Components of a physical perimeter
Having served for several years in the military police, the concept of physical perimeter has two meanings. However, we'll skip the combat definition with its automatic weapons placement and final protective lines and focus on facility security. (At least I hope your information asset physical security isn't that strict, department of defense facilities excluded…)
The outer perimeter of a facility is its first line of defense. It can consist of two types of barriers: natural and structural. According to the United States Army's Physical Security Field Manual, FM 3-19.30 (2001, p. 4-1):
- Natural protective barriers are mountains and deserts, cliffs and ditches, water obstacles, or other terrain features that are difficult to traverse.
- Structural protective barriers are man-made devices (such as fences, walls, floors, roofs, grills, bars, roadblocks, signs, or other construction) used to restrict, channel, or impede progress.
In other words, if you can use the terrain, do so. Otherwise, you have to spend a little money and build your own obstructions.
The most common type of structural outer perimeter barrier is the venerable chain-link fence. However, it isn't good enough to simply throw up a fence and call it a day. Instead, your fence, a preventive device, should be supported by one or more additional prevention and detection controls. The number of controls you implement and to what extent are dependent upon the risks your organization faces.
A fence is both a psychological and a physical barrier. The psychology comes into play when casual passers-by encounter it. It tells them that the area on the other side is off-limits, and the owner would probably rather they didn't walk across the property. A fence or wall of three to four feet is good enough for this.For those who are intent on getting to your data center or other collection of information assets, fence height should be about seven feet. See Figure A. For facilities with high risk concerns, a top guard is usually added. The top guard consists of three to four strands of barbed wire spaced about six inches apart and extends outward at a 45 degree angle. The total height, including fence and top guard, should reach eight feet. Figure A
Fence installationInstalling a perimeter fence requires some planning. See Figure B. Set the poles in concrete and ensure the links are pulled tight. The links should form squares with sides of about two inches. The fence should not leave more than a two inch gap between its lower edge and the ground. Figure B MIL-HDBK-1013/10, 1993, p. 15) show two methods. Figure C
- 50 feet between the fence and any internal natural or man-made obstructions.
- 20 feet between the fence and any external natural or man-made obstructions.
Natural obstructions include trees and high weeds or grass.Figure D
Vehicle BarriersWhen vehicular intrusions are a concern, support the fence and gate opening with bollards or other obstructions, as depicted in Figure F (FM 3-19.30, p. 3-4). Figure F
Lighting is a critical piece of perimeter security. It works as a deterrent and assists human controls (roving guards, monitored cameras, first responders to alarms, etc.) detect intruders. Lighting standards are pretty simple:
- Provide sufficient light for the detection controls used
- Position lighting to "blind" intruders and keep security personnel in shadows
- Provide extra lighting for gates, areas of shadow, or probable ingress routes, as shown in Figure C.
A general rule to start with is to position lights with two-foot candle-power at a height of about eight feet.
Intrusion detection controls
As with our technical controls, we make the assumption that if someone wants to get through our perimeter, they will. So we need to supplement our fence with intrusion detection technology, including:
- Motion detectors
- Photoelectric systems
- Passive infrared
- Surveillance cameras that are monitored in real time
- Acoustic-seismic detection
Use of detection technology must be coupled with a documented and practiced response process.
The final word
The field of physical security is broad and is often a dedicated career path. So the information here is not intended to make you an expert. However, organizations are increasingly integrating computer and physical security under one manager.
The need for information security professionals to understand physical controls is great enough that the most popular certifications, such as CISSP, require some knowledge of the topic. Don't be left behind.
Finally, many of the controls discussed in this article are too extreme for many organizations. However, It's always better to understand all your options.
Tom is a security researcher for the InfoSec Institute and an IT professional with over 30 years of experience. He has written three books, Just Enough Security, Microsoft Virtualization, and Enterprise Security: A Practitioner's Guide (to be published in Q1/2013). Before joining the private sector, he served 10 years in the United States Army Military Police with four years as a military police investigator. He has an MBA and CISSP certification. He is also an online instructor for the University of Phoenix.