Lesson 1: Physical Security

When studying the more esoteric aspects of network security, it is sometimes easy to neglect the more obvious forms of protection. Installing bulletproof applications and protecting your data with sophisticated encryption algorithms is no help if an intruder can open the door to your computer center and walk off with your server. The physical security of your network is a given that is too often ignored by security specialists who are more interested in the technical aspects of protection.


After this lesson, you will be able to

  • Understand the need for physical protection of network equipment

  • List the most commonly used biometric technologies

  • Understand how intruders use social engineering to penetrate network security measures

  • Describe how wireless networks present greater security risks than cabled networks

  • Understand how offsite backup storage and a secure recovery area can reduce down time in the event of a disaster

Estimated lesson time: 40 minutes


Access Control

In most cases, the term access control is used when referring to the mechanisms that regulate network access to computers, software, or other resources. However, security professionals must understand that the term applies equally to the physical access to computers and other equipment that users are granted. Protection against theft is certainly an important consideration; important servers and other equipment should always be kept under lock and key. However, there are other potential dangers that physical access control can protect against as well, including fire, natural disasters, and even simple accidents.

In one small office, the primary server was kept in the lobby so that the receptionist could conveniently change the backup tape every day. Not only did this arrangement expose the server to possible theft, but it also made the server into a piece of furniture that was promptly covered with potted plants. The receptionist diligently changed the backup tape each day, right after watering the plants. One day a planter overflowed and the entire business ground to a halt for several days until a new server could be purchased and installed.

Servers containing important data, routers, and other crucial networking components should always be kept in locked server closets or a secured computer center to protect against theft and even overwatering of plants. However, all too often, the so-called computer center in an office consists simply of the rooms occupied by the IT department, perhaps with an extra air conditioning unit and a combination lock on the door. Servers might be scattered amidst workers' desks and the "secured" door left open during business hours, for the sake of convenience. Server closets can be an equally inappropriate term, when computers have to share unheated storage space with cleaning supplies and other odds and ends.

Closing the combination-locked door of the computer center at night and leaving the air conditioning on can provide a relatively secure environment that defeats the casual thief, but IT workers are no less liable to spill their cups of coffee than anyone else, and having the servers out in the open during working hours is an inherently dangerous practice. In the same way, a closet that is regularly accessed by maintenance workers and other personnel affords little or no protection for your servers.

A properly designed computer center or server closet is one in which physical barriers prevent access by anyone but authorized personnel when they have specific reason to access that equipment. Even authorized IT workers should not have to be in the same room as sensitive networking equipment because their desks are nearby or because they need to get a ream of printer paper or other supplies. In fact, servers and other components should require very little physical access at all, because most maintenance and configuration tasks can be performed remotely.

An installation with proper physical security should use concentric rings of increasingly strong physical barriers, with the most sensitive resources stored in the central ring. The combination lock on the computer center door is still a good idea, protecting the entire IT department from casual intruders. The door should be kept closed and locked at all times, however, perhaps with a buzzer to enable screened outsiders to come in.

Inside the computer center, the actual location of the servers and other critical components should be protected by still another locked door with monitored access. At its simplest, this monitoring could take the form of a paper log in which users sign in and out of the locked room. If more security is required, magnetic key cards, video cameras, or even security guards could be substituted. The point is that no one should be entering the secured area without a specific purpose, and without their presence being logged for later reference.

Physical Barriers

The actual nature of the physical barriers used to secure networking equipment is also an important consideration. Typical office construction standards, such as hollow-core doors, flimsy drywall, and drop ceilings, might defeat the casual intruder, but they are easily penetrated by the determined interloper. A state-of-the-art electronic combination lock is of little value when someone can easily put a fist through the wall or crawl over the doorway through a drop ceiling into the secured area.

The inner rings of your security area should provide protection on all six sides of the room, meaning that doors should be solid and walls should be reinforced and run vertically from slab to slab, through drop ceilings and raised floors. In some cases, even these precautions might be insufficient against intruders with heavy tools; an alarm system or security cameras can provide additional protection.

Biometrics

For installations requiring extreme security, the standard mechanisms used to control access to the secured area, such as metal keys, magnetic key cards, combinations, and passwords, might be insufficient. Keys and key cards can be lost or stolen, and passwords and combinations can be written down, shared, or otherwise compromised. As you saw in Chapter 7, one alternative that has made its way from James Bond fiction to the real world is biometrics.

Biometric technologies can be used for two different purposes: verification and identification. Biometric verification essentially asks the system to indicate whether individuals actually are who they claim to be. Biometric identification is the process of establishing an individual's identity based on biometric information, essentially asking the system to indicate who the person is. Although both functions have their own complexities, most biometric security systems are designed to verify individuals because the process is inherently simpler.

The complexities involved in biometric identification depend largely on the size of the system's user base. When there are a relatively small number of individuals to be identified, the biometric scan can immediately isolate specific minutiae in the individual's physiology and compare them with a database of known records. When the system must authenticate any one of thousands of individuals, the scanned biometric data is typically categorized first, so that the sampling of the database to which it must be compared is reduced. Biometric verification, on the other hand, does not have to compare a sampling to all of the records in an entire database, only to the one specific record belonging to whomever the individual being scanned claims to be.
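To make the verification/identification distinction concrete, here is an added example (not code from the training kit) that simulates both on constructed bit-string templates. The template size, scan noise, match threshold and per-comparison false-match rate are all assumptions chosen for illustration, and Hamming distance is used as the comparison score in the way iris-code matchers do. The last function shows why identification gets harder as the user base grows: the chance that an impostor matches someone is compounded over every record searched, which is the reason a 1:1 check is inherently simpler.

```python
"""Toy biometric matcher: 1:1 verification versus 1:N identification.

Added example, not code from the Security+ kit. Templates are constructed
random bit strings standing in for real feature codes; a fresh scan of the
same person is simulated by flipping a fraction of bits. All numeric
parameters below are assumptions for illustration.
"""
import random

TEMPLATE_BITS = 256
MATCH_THRESHOLD = 0.30   # max fraction of differing bits still counted as a match (assumed)
SCAN_NOISE = 0.10        # per-bit flip probability between enrollment and a new scan (assumed)


def hamming_fraction(a: int, b: int) -> float:
    """Comparison score: fraction of template bits that differ (0.0 = identical)."""
    return bin(a ^ b).count("1") / TEMPLATE_BITS


def enroll(rng: random.Random) -> int:
    """Enrollment produces a stored template (here: a random bit string)."""
    return rng.getrandbits(TEMPLATE_BITS)


def fresh_scan(template: int, rng: random.Random) -> int:
    """Simulate re-scanning the enrolled person: each bit flips with SCAN_NOISE."""
    flips = 0
    for bit in range(TEMPLATE_BITS):
        if rng.random() < SCAN_NOISE:
            flips |= 1 << bit
    return template ^ flips


def verify(db: dict, claimed_id: str, sample: int) -> bool:
    """1:1 verification: compare only against the record the subject claims to be.
    Cost is a single comparison regardless of database size."""
    return hamming_fraction(db[claimed_id], sample) <= MATCH_THRESHOLD


def identify(db: dict, sample: int):
    """1:N identification: search every record, return the best match or None.
    Cost grows with the database, and so does the chance of a false match."""
    best_id, best_score = None, 1.0
    for user_id, template in db.items():
        score = hamming_fraction(template, sample)
        if score < best_score:
            best_id, best_score = user_id, score
    return best_id if best_score <= MATCH_THRESHOLD else None


def false_match_probability(per_comparison_fmr: float, n_records: int) -> float:
    """Chance that an unenrolled impostor matches *some* record in a 1:N search,
    given the matcher's single-comparison false-match rate."""
    return 1.0 - (1.0 - per_comparison_fmr) ** n_records


def build_demo(seed: int = 7, size: int = 1000):
    """Constructed population: `size` enrolled users, a fresh scan of user42,
    and a template of someone who was never enrolled."""
    rng = random.Random(seed)
    db = {f"user{i}": enroll(rng) for i in range(size)}
    probe = fresh_scan(db["user42"], rng)
    stranger = enroll(rng)
    return db, probe, stranger


if __name__ == "__main__":
    db, probe, stranger = build_demo()
    print("verify as user42:", verify(db, "user42", probe))   # True
    print("verify as user43:", verify(db, "user43", probe))   # False
    print("identify probe:", identify(db, probe))             # user42
    print("identify stranger:", identify(db, stranger))       # None
    for n in (1, 100, 10_000, 100_000):
        print(f"FMR 1e-6 per comparison, {n:>7} records searched: "
              f"P(false match) = {false_match_probability(1e-6, n):.4f}")
```

Production identification systems do not search the whole database linearly as `identify` does; as the text says, they first categorize the sample (fingerprint pattern class, for instance) and search only the matching category, which shortens the search and lowers the compounded false-match probability. The toy omits that step to keep the two operations side by side.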

Biometric authentication devices can use a number of different characteristics to identify individuals. Some of the biometric technologies in use today include the following:

  • Fingerprint matching.

    The fingerprint scan is the oldest biometric technology and still one of the most popular. Because every individual's fingerprints are unique, fingerprint scans can be used for identification or verification. The image enhancement technologies developed over the years have helped to eliminate many of the problems that resulted from inadequate scanning or variances in finger pressure and position during the scan.

  • Hand geometry.

    Hand geometry is a verification technique based on a scan of an individual's hand shape, taking into account various characteristics, such as length, thickness, and curvature of fingers. An individual's hand geometry is not unique, however, as fingerprints are, so this technique cannot be used for identification, only for verification. However, hand geometry scans are much faster, cleaner, and less invasive than fingerprint scans, making them a much more convenient mechanism.

  • Iris scans.

    A scan of the eyeball's iris pattern is usable for both verification and identification. The iris is the colored part of the eye surrounding the pupil. Iris scans are based on a high-resolution photograph of the eye taken from a distance of less than three feet. The pattern of the iris is stable over a person's adult life and is unaffected by eyeglasses or contact lenses, making it a very reliable form of verification and identification that is difficult to mask or imitate.

  • Retinal scans.

    The retina is found at the rear of the eyeball, and it contains a pattern of blood vessels that is unique to each individual; even identical twins have different retinal patterns. Retinal scans are more accurate than virtually any other biometric technology, including iris scanning, but they are also more invasive: the individual must look directly into a low-intensity infrared light that shines through the pupil and illuminates the retina at the back of the eye.

  • Voice (speaker) recognition.

    Voice pattern matching, more precisely called speaker recognition because it establishes who is talking rather than what is said, is one of the more complex biometric functions, and it is also easier to spoof (with recordings) than the other technologies listed here. The process of matching voice patterns involves the creation of a voice model for the individual to be authenticated. The voice model is a baseline pattern that accounts for the variations in utterances spoken by the same person at different times.

  • Face recognition and facial thermograms.

    Facial recognition systems and thermograms are not yet as accurate as fingerprints and other unique human attributes, but they have the potential to become a fast and noninvasive biometric verification system.

Some of the biometric systems on the market use a combination of physiological factors for various reasons. For example, a system that can perform both hand geometry and fingerprint scans can use the former for rapid identity verifications and the latter for the identification of individuals. Other systems combine two or more biometric technologies to create a combined accuracy rate and performance time that exceeds those of the technologies working individually.

Social Engineering

All of the security mechanisms that you use on your network are essentially a compromise between the need to protect valuable resources and the need to provide people access to those resources with a minimum of inconvenience. It would not be difficult to assign complex 20-character passwords to all your user accounts, run all your network cables through heavy steel conduits, and seal your servers inside a bank vault. The result would almost certainly be greater security than you have now. However, the expense of the installation and the revolt of the users faced with the inconvenience of remembering the passwords and unlocking the vault makes extreme measures like these impractical.

Even though security policies are typically implemented and enforced by the management of an organization, security actually rests in the hands of the people that use the protected systems every day. The object of all your security procedures is to make people understand the importance of protecting sensitive resources and to urge them to work with you in providing that protection. No matter how stringent your password policies, for example, there's nothing you can do to stop users from writing down their passwords in inappropriate places or sharing them with the wrong people, except educate them about the dangers of these practices.

Social engineering is a term used to describe the process of circumventing security barriers by persuading authorized users to provide passwords or other sensitive information. In most cases users are duped into giving an intruder access to a protected system through a phone call in which the intruder claims to be an employee in another department, a customer, or a hardware vendor. A user might give out a seemingly innocent piece of information, which the intruder then uses to elicit more information from someone else.

For example, in the first phone call, an innocent user might supply the information that Terry Adams, manager of the IT department, is out on vacation for the week, and that Mark Lee is the acting manager. In the next call, to Mark Lee, the intruder might identify himself or herself as the IT manager of one of the company's other offices, saying that Terry Adams had promised to fax the details of the office's firewall configuration and asking for the information to be faxed to 212-555-1234. The intruder might identify himself or herself as a salesperson for a router manufacturer. By getting a network administrator to chat about current router needs, the intruder might get the information needed to penetrate the company's defenses.

Attitude is everything when it comes to social engineering. It is surprising how often these seemingly obvious and transparent techniques are effective at eliciting confidential information when the intruder is adept at sounding confused, hurried, confident, or imperious. Kevin Mitnick, probably the best known of the so-called computer hackers since his conviction for breaking into telephone company computers, stealing data, and abusing electronic communication systems, obtained confidential information using his social engineering skills as much as his technical expertise.

You can't protect your network against social engineers with locked doors, passwords, or firewalls. The only true protection is educating your users about the techniques used by social engineers and the need to verify people's identities before disclosing any information to them. However, a telephone system that is capable of recording calls for later examination (along with the standard "your call may be recorded for quality control purposes" disclaimer) can act as a deterrent.

Environment

The environment in which your network must operate is an important consideration in the design and construction of the network and the technologies that you select. The typical office environment is usually augmented with additional air conditioning, air filtration, humidity control, or power conditioning in places where high concentrations of sensitive equipment are located, such as data centers and server closets. This type of environmental planning is as important to the continued operation of your network as securing your resources against theft, destruction, and data loss.

Fire Suppression

Protecting sensitive equipment from theft and maintaining proper operating conditions is important, but fire is a major threat to the continued operation of network equipment. The damage caused by fire, and by standard firefighting techniques, can cause not only data and equipment loss, but also damage to the facilities themselves that can take a long time to repair before replacement equipment can even be installed.

For large installations, a fire suppression system should be mandatory in the data center or server room. In the event of a fire, these systems flood the room with a gaseous agent instead of water. Inert-gas systems (nitrogen or argon blends) lower the oxygen concentration below the level the fire needs to burn; halocarbon "clean agents," including halon and its replacements, work mainly by absorbing heat and interrupting the combustion reaction. Either type puts the fire out quickly and prevents firefighters from destroying electronic equipment with water or foam. Unfortunately, a room flooded with any of these agents is not a safe place for people, so evacuation alarms, a pre-discharge delay, and emergency air supplies are also a necessary part of the system.

Halon compounds were the fire suppression gases of choice for many years, until they were found to damage the ozone layer; their production has been banned under the Montreal Protocol, and existing systems are being phased out in most countries around the world. Today, DuPont markets a line of replacement products, such as FE-13 and FE-36, that are safer for the environment and less toxic to humans. These types of chemical fire suppressants are well suited for electrical fires because they leave no residue and do not conduct electricity.

Wireless Networking

Operating environments other than the standard office, such as factory floors and laboratories, might require special networking equipment, such as fiber optic cables for resistance to electromagnetic interference or wireless technologies to support roaming users or bypass obstacles that inhibit the installation of standard network cables. Recent developments in wireless networking technology, and particularly the 802.11b standard published by the Institute of Electrical and Electronics Engineers (IEEE), have led to explosive growth in the use of wireless networks, and the security hazards that accompany this growth should not be underestimated.

Location

Because the signals that most wireless networking technologies use today can penetrate walls and other barriers, it is entirely possible for clandestine users outside the building to access the network using their own equipment. When selecting and installing wireless networking components, and particularly access points that provide access to a cabled network, you should test carefully to ascertain the operational range of the devices and select locations for the antennae that are near the center of the building, as far away from the outside walls as possible. In cases where sensitive data might be transmitted over the wireless network, it is best to keep the transmission power of all the wireless devices to the minimum needed for effective operation, so that any intruders outside the building have a harder time connecting to the network.
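An added example (not from the training kit) that puts numbers on the advice above, using the standard log-distance path-loss model with assumed exponents. The transmit power, receiver sensitivity, wall attenuation and distances are illustrative assumptions, antenna gains and fading margins are ignored, and the "outdoor reach" model (indoor loss up to the wall, a fixed wall penalty, then propagation continuing outward) is a simplification of my own. It shows how much a 6 dB power cut shrinks the usable range, and how moving the access point farther from the outer wall shrinks the distance at which an outsider can still receive the signal.

```python
"""Rough 802.11b coverage arithmetic with the log-distance path-loss model.

Added example, not code from the Security+ kit. Model (standard, but every
numeric input below is an assumption for illustration):
    PL(d) = PL(d0) + 10 * n * log10(d / d0)      with d0 = 1 m
PL(d0) is free-space loss at 2.4 GHz (about 40 dB); n is the path-loss
exponent (2 = free space, roughly 3 to 4 = obstructed indoor).
"""
import math

FREQ_HZ = 2.437e9              # 802.11b channel 6 (assumed)
SPEED_OF_LIGHT = 299_792_458.0
D0_M = 1.0                     # reference distance for the model


def free_space_loss_db(distance_m: float, freq_hz: float = FREQ_HZ) -> float:
    """Friis free-space path loss in dB."""
    return 20 * math.log10(4 * math.pi * distance_m * freq_hz / SPEED_OF_LIGHT)


def path_loss_db(distance_m: float, n: float) -> float:
    """Log-distance loss at distance_m for exponent n, referenced to 1 m."""
    return free_space_loss_db(D0_M) + 10 * n * math.log10(distance_m / D0_M)


def max_range_m(tx_dbm: float, rx_sensitivity_dbm: float, n: float) -> float:
    """Farthest distance at which received power still meets the receiver's sensitivity."""
    budget_db = tx_dbm - rx_sensitivity_dbm - free_space_loss_db(D0_M)
    if budget_db <= 0:
        return 0.0
    return D0_M * 10 ** (budget_db / (10 * n))


def min_power_dbm(target_range_m: float, rx_sensitivity_dbm: float, n: float) -> float:
    """Lowest transmit power that still reaches target_range_m: the 'minimum
    needed for effective operation' that the text recommends."""
    return rx_sensitivity_dbm + path_loss_db(target_range_m, n)


def outdoor_reach_m(tx_dbm: float, rx_sensitivity_dbm: float, n_indoor: float,
                    wall_distance_m: float, wall_loss_db: float, n_outdoor: float = 2.0) -> float:
    """Distance *beyond the outer wall* at which an outsider's receiver still
    meets sensitivity: indoor loss up to the wall, a fixed wall penalty, then
    log-distance propagation continuing outward from the wall."""
    margin_db = (tx_dbm - rx_sensitivity_dbm
                 - path_loss_db(wall_distance_m, n_indoor) - wall_loss_db)
    if margin_db <= 0:
        return 0.0   # already below sensitivity at the wall
    total_m = wall_distance_m * 10 ** (margin_db / (10 * n_outdoor))
    return total_m - wall_distance_m


if __name__ == "__main__":
    TX, SENS = 20.0, -85.0   # 100 mW radio, typical 802.11b 11 Mb/s sensitivity (assumed)
    for n in (2.0, 3.5):
        full, halved = max_range_m(TX, SENS, n), max_range_m(TX - 6, SENS, n)
        print(f"n={n}: {full:7.1f} m at {TX:.0f} dBm, {halved:7.1f} m at {TX - 6:.0f} dBm")
    for wall in (10.0, 30.0):
        reach = outdoor_reach_m(TX, SENS, 3.5, wall, 10.0)
        print(f"AP {wall:4.0f} m inside the outer wall: receivable {reach:5.1f} m past it")
```

With these assumptions a 6 dB cut halves the free-space range but shrinks an obstructed indoor range by only about a third, so in practice the power setting and the access point's distance from the outer wall both have to be checked with a real receiver outside the building, as the text advises.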

Shielding

Another way of protecting a wireless network from unauthorized connections is to shield the operational area. This can also protect the wireless network from denial of service (DoS) attacks. Implementing a DoS attack on a wireless network is alarmingly easy. Because microwave ovens operate in the same 2.4 GHz band as IEEE 802.11b transceivers, simply bypassing the door switch on an oven so that it can operate with the door open enables you to generate up to 1000 watts of interference.

Depending on the transmission power of the wireless networking equipment and the materials used to construct the building, the walls themselves might function as an effective shield. In the future, buildings could be constructed with integrated shielding, enabling wireless networks to operate inside without fear of a security breach. The problem with using shielding to protect a wireless network is that the signals of other devices, such as cell phones and pagers, could be blocked as well.

Wireless Cells

Wireless technologies such as IEEE 802.11b are well suited to local area networking applications because their operational ranges are sufficient for a typical network installation and a potential intruder has to be relatively close to a transceiver to connect to the network. However, cellular technology has virtually unlimited range, and there are now many products available that enable portable computers to connect to a network located almost anywhere in the world. In addition, the Bluetooth short-range wireless products that are now coming to market will make it even simpler (and cheaper) for users to connect a laptop to a remote network using the cell phones in their pockets.

Although cellular networking is slower than IEEE 802.11b and its ilk, the potential security danger of this technology is far greater, because the intruder need not be anywhere close to the network installation to gain access to its resources. Before implementing any cellular-based wireless network, you should consider carefully how you are going to protect the network against outside intrusion.

Disaster Recovery

In a security context, a disaster is any occurrence that can prevent your network from operating normally or prevent your company from doing business. Disasters can be as simple as a hard disk failure or as catastrophic as a hurricane, and a properly designed network has a plan in place that covers both these extremes and everything in between.

Backups

Backing up your data should be the first thing that comes to mind when you think of disaster recovery. Making regular backups and testing them by performing regular restores is basic, but it is only the beginning of a good disaster recovery plan.

In most cases, network administrators use backups to recover files that were accidentally deleted. This is a straightforward task, because you use the same software that created the backup in the first place. Beyond that, however, everyone understands that backups are also protection against disk failures, computer thefts, or disasters in which a computer is damaged or destroyed. Restoring from a backup in these events is more complicated, because you must first install the operating system and the backup software before you can even access the data stored on your backup tapes or other media.

Many network backup products have a disaster recovery feature (often available as an add-on product at an additional cost) that simplifies the process of performing a complete restore. These products enable you to boot a computer from a CD-ROM that contains only the operating system and backup software components needed to perform a simple restore job. Completing the job restores the entire operating system and the full backup software product, so the system performs normally after that. For a business in which server down time means lost money, these products are a good investment against further damage resulting from the original disaster.
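A worked version of the backup-and-test-restore routine the text calls for, as an added example that is not the training kit's own code. It backs up a constructed directory tree, records a checksum to travel with the offsite copy, proves the archive restores by extracting into scratch space and comparing against the source, and exercises two failure cases a practitioner should expect: a damaged copy that no longer matches its checksum, and an archive whose member paths would escape the restore directory. Paths, file contents and the hostile member name are all constructed for the example.

```python
"""Nightly backup job with an integrity record for the offsite copy and a
test restore compared back against the source.

Added example, not code from the Security+ kit. It builds a small constructed
directory tree to back up, so it runs offline; the restore step refuses
archive members whose paths would land outside the restore directory.
"""
import filecmp
import hashlib
import io
import tarfile
import tempfile
from pathlib import Path


class UnsafeArchiveError(ValueError):
    """Raised when an archive member would write outside the restore directory."""


def make_sample_tree(root: Path) -> None:
    """Constructed stand-in for a server's files."""
    (root / "etc").mkdir(parents=True)
    (root / "etc" / "app.conf").write_text("listen=127.0.0.1:8080\n")
    (root / "data").mkdir()
    (root / "data" / "orders.csv").write_bytes(b"id,amount\n1,9.99\n2,4.50\n")


def sha256_file(path: Path) -> str:
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def backup(src: Path, archive: Path) -> str:
    """Write a gzip tar of src; record its SHA-256 beside it to travel with the offsite copy."""
    with tarfile.open(str(archive), "w:gz") as tar:
        tar.add(str(src), arcname=".")
    digest = sha256_file(archive)
    Path(str(archive) + ".sha256").write_text(f"{digest}  {archive.name}\n")
    return digest


def verify_archive(archive: Path) -> bool:
    """Recompute the hash of a copy that has been in storage and compare it with the record."""
    recorded = Path(str(archive) + ".sha256").read_text().split()[0]
    return recorded == sha256_file(archive)


def safe_extract(tar: tarfile.TarFile, dest: Path) -> None:
    """Extract only if every member lands inside dest (no '../' names, no links)."""
    dest = dest.resolve()
    for member in tar.getmembers():
        target = (dest / member.name).resolve()
        if target != dest and dest not in target.parents:
            raise UnsafeArchiveError(member.name)
        if member.issym() or member.islnk():
            raise UnsafeArchiveError(member.name)
    if hasattr(tarfile, "data_filter"):   # Python 3.12+ and backports: second line of defence
        tar.extractall(str(dest), filter="data")
    else:
        tar.extractall(str(dest))


def trees_identical(a: Path, b: Path) -> bool:
    """Recursive content comparison of two directory trees."""
    cmp = filecmp.dircmp(str(a), str(b))
    if cmp.left_only or cmp.right_only or cmp.diff_files or cmp.funny_files:
        return False
    return all(trees_identical(a / d, b / d) for d in cmp.common_dirs)


def trial_restore(archive: Path, src: Path) -> bool:
    """The 'regular restore' test: restore into scratch space and compare with the source."""
    with tempfile.TemporaryDirectory() as scratch, tarfile.open(str(archive), "r:gz") as tar:
        safe_extract(tar, Path(scratch))
        return trees_identical(src, Path(scratch))


def build_traversal_archive(archive: Path) -> None:
    """Constructed hostile archive: one member named so as to escape the restore directory."""
    payload = b"owned\n"
    info = tarfile.TarInfo(name="../evil.conf")
    info.size = len(payload)
    with tarfile.open(str(archive), "w:gz") as tar:
        tar.addfile(info, io.BytesIO(payload))


def run_drill() -> dict:
    """Full cycle on the constructed tree; returns what a nightly job would log."""
    with tempfile.TemporaryDirectory() as tmp:
        src, archive = Path(tmp) / "server", Path(tmp) / "server.tar.gz"
        make_sample_tree(src)
        result = {"digest": backup(src, archive)}
        result["verified"] = verify_archive(archive)
        result["restore_ok"] = trial_restore(archive, src)
        damaged = bytearray(archive.read_bytes())   # simulate a copy damaged in storage
        damaged[-1] ^= 0x01
        archive.write_bytes(damaged)
        result["damaged_copy_verifies"] = verify_archive(archive)
        hostile = Path(tmp) / "hostile.tar.gz"
        build_traversal_archive(hostile)
        try:
            trial_restore(hostile, src)
            result["traversal_rejected"] = False
        except UnsafeArchiveError:
            result["traversal_rejected"] = True
        return result


if __name__ == "__main__":
    for key, value in run_drill().items():
        print(f"{key}: {value}")
```

The checksum file is what you store with the offsite copy; a backup that cannot be verified and restored on a schedule is not a backup, which is the point of running the restore half of this job as routinely as the backup half.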

Offsite Storage

A recent backup can be a lifesaver in the event of a drive failure or computer theft, but you must also plan for disasters that might result in the complete destruction of your computer center, your building, or even your city. Fires, floods, tornadoes, and other catastrophes can destroy your backup media as easily as they can destroy your computers, so keeping copies of your backups offsite is an essential part of any disaster recovery plan.

In addition to the backups of your data, your offsite cache should also include copies of your company's disaster recovery plans and all emergency policies and procedures. The time and money you spend to devise a comprehensive disaster recovery plan would only be wasted if your building burns down, destroying all copies of the plan.

Depending on how much protection you think you need, an offsite storage solution could be as simple as making an extra copy of your backup tapes and taking it home every night. If a fire should destroy the building, you would still have a copy of your data to restore from. You might also consider storing the offsite copies in a bank's safe deposit vault or in a fireproof safe or storage facility.

Secure Recovery

Making backups on a regular basis and storing copies offsite, even with a disaster recovery disk, protects your data, but that doesn't necessarily mean that you can be up and running in a matter of hours if a disaster should strike. Depending on the nature of the disaster, you might have to replace a drive, a server, or even the entire office where the server was located. This could mean days or even weeks of down time before you can even begin restoring your data.

However, there are solutions that can reduce your down time to a matter of hours, even in the event of a catastrophic disaster. Secure recovery refers to an alternate site that contains a replica of all or part of your network. Depending on your budget and the nature of your business, solutions can range from a mirror server running at a site in another city to a complete secure recovery area containing everything you need to keep your business going until you can replace your original equipment.

Alternate Sites

A number of companies specialize in business recovery services. Some are simply hosting services that run mirror servers for you in a protected environment in another city. Under normal conditions, the servers can take on some of your normal traffic load, but when disaster strikes and your primary server goes down, the mirror server takes over immediately. Other services can provide you with everything from computers to office space to temporary workers, and anything else you might need to keep your business operating during a crisis.

One of the additional benefits of these services is that they provide you with a test platform for your emergency procedures and a convenient means of staging emergency drills to test the efficacy of your plans and the readiness of your people.

It isn't always necessary to use a professional service to have an alternate site for your network, however. If your company has branch offices in other cities, you can arrange for each office to have a mirror server at another location. You can even enter into a mutual agreement with another company to host servers for each other in the event of an emergency.

All of these solutions are known as hot sites, or alternative sites where you have servers running all the time, for immediate use in the event of an emergency. For businesses with limited budgets where continuous operation is not as critical, a cold site might be sufficient. A cold site means you keep duplicate equipment in offsite storage, ready for use if disaster strikes. For example, if there is a fire in your office and you have offsite copies of your backups and an extra server in storage, you can rent some temporary office space, or even a hotel room, and be up and running in a matter of hours.

Disaster Recovery Plan

The most important tool to have when disaster strikes your network or your business is a well-organized and well-maintained recovery plan. It is critical for everyone in your company to know what has to be done to keep your business going in the event of an emergency, and who is going to be responsible for which tasks. Disasters are, by definition, unpredictable, and you have no way of knowing what hardware, software, and even human resources will be lost. If recent events have taught us anything, it is that disaster can strike without warning at any time, so planning for the worst is the prudent thing to do in any business.

Lesson Review

The following questions are intended to reinforce key information presented in this lesson. If you are unable to answer a question, review the lesson and then try the question again. Answers to the questions can be found in Appendix A, "Questions and Answers."

  1. Why is a biometric device based on hand geometry suitable only for verifying users and not identifying them?

  2. Which of the following attributes of cellular networking products make them a greater security risk than IEEE 802.11b wireless products?

    1. Lower cost

    2. Greater transmission range

    3. Less susceptibility to interference from walls and barriers

    4. Use of higher frequencies

  3. What is the difference between a mirrored server stored at a hot site and one stored at a cold site?

Lesson Summary

  • Network resources must be protected physically as well as technically.

  • Proper physical security uses concentric rings of increasingly strong barriers as you approach the central ring.

  • Biometric technologies provide an additional method for identifying and verifying users.

  • Social engineering is the process of circumventing security barriers by persuading authorized users to provide passwords or other sensitive information.

  • Fire suppression systems using inert gas minimize the damage caused by fire and firefighting techniques.

  • Wireless networking presents additional security problems that can be minimized by judicious selection of power settings and careful antenna placement.

  • Regular backups with offsite storage are an essential element of any disaster recovery plan.

  • Maintaining mirror servers at distant sites provides an immediate failover capability.



Security+ Certification Training Kit (Pro-Certification)
ISBN: 0735618224
Year: 2002
Pages: 55
