Economy Informatics, 1-4/2004 69

Physical Considerations for Designing Secure Networks

Senior Lecturer Răzvan Daniel ZOTA, Ph.D. E-mail: [email protected]

During the past ten years or so networks’ vulnerabilities has increased continuously; the need for designing more and more secure networks it is a must in the present. One common secu- rity truism is that if you have physical access to a box, „all bets are off”. If an attacker has physical access to any networking device, like a computer, switch, router, firewall and so on, the security options are considerably reduced. The purpose of this article is to present design considerations for secure networks at the physical level. Keywords: Networking, Security, Security design, Physical Access, Distributed systems, Net- work security.

Introduction ƒ Lock-and-key access 1 It is well known that if an attacker gain ƒ Key card access physical access to a networking device, this ƒ Key card access with turnstile fact may compromise dramatically the secu- Lock-and-Key Access rity options. Networking devices, with few The most common physical security control, exceptions, can have their passwords reset by particularly in smaller organizations, is tradi- attaching to their console port. Hosts can be tional lock-and-key access. For this method, booted with a special floppy disk or CD- individuals who need access to certain rooms ROM designed to circumvent most host se- or buildings are given keys for access. This curity on the device. The article do not cover option has the following benefits: physical security in detail and topics like site ƒ Generally, this is the cheapest option for selection or disaster recovery are not dis- small organizations. cussed. A network designer, however, must ƒ No technical experience is required. know where to rely on physical security to ƒ Special keys are available to thwart key support overall network security. There are duplication. some general rules to follow in order to suc- However, there are also several drawbacks: cessfully manage the network security: ƒ If employees leave the company on less ƒ Physical access control to facilities; than amicable terms, they might "lose" their ƒ Control physical access to data centers; keys or might simply stop showing up for ƒ Separate identity mechanisms for insecure work. In such cases, it can be very costly to locations; rekey the locks and redistribute keys to the ƒ Prevent password-recovery mechanisms in valid employees. insecure locations; ƒ Unless coupled with an alarm system that ƒ Electromagnetic radiation; augments the lock-and-key access, there is no ƒ Physical PC security threats; mechanism to determine when employees ƒ Cable plant issues. with keys access a given physical location. ƒ Most keys can be easily duplicated at the 2. Physical access control to facilities local hardware store. Effectively controlling physical access to the ƒ Key authentication is single-factor, mean- organization's facilities must be the single top ing the key is all a person needs to access concern for both physical security staff and locked areas. the network designer. Most organizations Key Card Access utilize one of three mechanisms to implement More common in larger organizations, key physical security (presented in increasing or- card access can alleviate some of the man- der of security): agement problems associated with lock-and-

70 Economy Informatics, 1-4/2004 key access and can provide increased secu- plus more. rity measures. Key card access can take the ƒ Tailgating is greatly diminished because form of a magnetic card reader or a smart only one person can enter per card. card. All of these systems have the same ba- ƒ Access to multiple locations can be con- sic pros and cons once you eliminate the trolled with a single card. technical differences of the technology. ƒ In the event that an employee leaves the These are the benefits of a key card system: company, the employee's card can be quickly ƒ Access to multiple locations can be con- disabled whether or not it is physically re- trolled with a single card. turned. ƒ In the event that an employee leaves the ƒ Locks should never need to be "re-keyed." company, the employee's card can be quickly ƒ Reports can be run to show when individu- disabled whether or not it is physically re- als enter specific locations. turned. The drawbacks of a system such as this are as ƒ Locks should never need to be "re-keyed." follows: ƒ Facilities with multiple entrances are easily ƒ Like the previous two systems, key card supported. access with turnstile is a single-factor iden- ƒ Reports can be run to show when individu- tity system. Any individual with a valid card als entered specific locations. could gain access to the building. The drawbacks to a key card system are as ƒ This doesn't work well for facilities with follows: multiple buildings and multiple entrances. ƒ Like lock-and-key access, key cards are ƒ This method generally requires a security single-factor security. Any individual with a guard to verify that individuals are not hop- valid key card could access the location. ping over the turnstile or tailgating through ƒ Key card systems can be expensive, and in an entrance designed for persons with physi- the event of a failure in the central authenti- cal disabilities that bypasses the turnstile. cation system, all users can be denied access ƒ Turnstiles are not aesthetically pleasing. to a facility. ƒ Turnstile access can be inconvenient for ƒ The principal problem with key card access employees, escorted guests, or individuals is tailgating. Tailgating is gaining unauthor- using dollies for equipment. ized access to a building by following an in- ƒ This method is more expensive than simple dividual with valid access. Oftentimes, if at- key card access and also has the same issues tackers are dressed in the appropriate cloth- in the event of a failure in the key card au- ing, they can simply follow legitimate indi- thentication system. viduals into a building without having to pre- Solving the Single-Factor Identity Problem sent a key card. Even if someone requests to A second factor can be added to either of the see a card, an attacker can show an invalid previous key card authentication processes. card because it might not actually be scanned The first option is to put a personal identifi- by the card reader. cation number (PIN) code reader at every lo- Key Card Access with Turnstile cation where there is a card reader. After us- Although most often associated with ball- ing their key card, employees must enter a parks and stadiums, turnstile access with a PIN to unlock the door. Another option is to key card can be one of the most secure meth- use some form of biometric authentication. ods of controlling physical access to a build- Biometric authentication could be used as ei- ing. For this method, a key card is used to ac- ther the second factor in a key card system or tivate the turnstile and allow one person into the principal factor in a biometric system. In the building. These systems are most com- the second case, users would enter a PIN af- mon in large multi-floor buildings, where ac- ter successful biometric authentication. Both cess can be controlled at the ground floor. In of these alternatives add cost to the system the following list, you can see that this option and inconvenience for users. has all the benefits of the previous option

Economy Informatics, 1-4/2004 71

3. Control Physical Access to Data Centers vice ideally. Data-center access can utilize any of the pre- ceding mechanisms in addition to PIN- 5. Prevent Password Recovery Mecha- reader-only access. The important difference nisms in Insecure Locations with data-center access is that you are often Some devices have controls to prevent the dealing with a smaller set of operators, so is- recovery of passwords in the event that an at- sues around key management are somewhat tacker has physical access to your system. reduced. In this context, data center refers to For example, on some newer Cisco routers any location where centralized network re- and switches, we enter the following com- sources are stored. This could include tradi- mand: tional data centers, wiring closets, coat clos- Router(config)# no service password- ets, or someone's desk. It all depends on the recovery size of the facility and the way it is organ- When the above command is entered on a ized. Exceptionally secure data centers utilize router or a switch, interrupting the boot proc- sets of cameras, key card access, biometrics, ess only allows the user to reset the system to and "man-traps" to catch anyone illegally try- its factory default configuration. Without this ing to gain access to the room. command, the attacker could clear the pass- word and have access to the original configu- 4. Separate Identity Mechanisms for Inse- ration. This is important because the original cure Locations configuration might contain common pass- From the physical security perspective it is words or community strings that would allow important to ensure that passwords in physi- the attacker to go after other systems. This cally insecure locations are not the same as would be particularly useful in insecure those used in secure locations. Often an or- branch offices or other locations where the ganization will utilize common authentica- physical security of a network device cannot tion mechanisms for the various systems that be assured. must access network resources. For example, SNMP community strings or Telnet / SSH 6. Electromagnetic Radiation passwords might be set the same on all de- In 1985, the concerns of the paranoid among vices. From a pure security perspective, it is the security community were confirmed. preferable to use two-factor authentication, Wim van Eck released a paper confirming when available, for each user who accesses that a well-resourced attacker can read the the network device. output of a cathode-ray tube (CRT) computer Although this might be possible for users, it monitor by measuring the electromagnetic is often impossible for software management radiation (EMR) produced by the device. systems, which need to run scripts to make This isn't particularly easy to do, but it is by changes on several machines at once. For op- no means impossible. Wim van Eck's paper timal security, different passwords should be can be found here: used on each device, but this is often opera- http://www.shmoo.com/tempest/emr.pdf tionally impossible for large networks. This form of attack is now commonly called Therefore, at a minimum, organize your van Eck phreaking. Additionally, in 2002, common passwords so that they are never Markus Kuhn at the University of Cambridge used on systems in physically insecure loca- published a similar method of reading data tions. For example, assume you have 3 main off of a CRT, this time by measuring the locations (with data centers) to your organi- changes in the amount of light in a room. zation and 10 remote sites (considered inse- Markus Kuhn’s paper can be found here: cure). In this case, only use your shared http://www.cl.cam.ac.uk/~mgk25/ieee02- passwords on the main sites and ensure that optical.pdf and an easy-to-read FAQ on the the passwords for each of the remote systems topic can be found here: are unique per site at a minimum and per de- http://www.cl.cam.ac.uk/~mgk25/emsec/opti

72 Economy Informatics, 1-4/2004 cal-faq.html category 5 (or higher) and fiber optic. The A simple way to mitigate van Eck phreaking risk of an attacker accessing your physical might just be to change the type of font you cabling is important to consider because that are using. Ross Anderson and Markus Kuhn level of access often can bypass other secu- did some excellent research on the topic: rity controls and provide the attacker with http://www.cl.cam.ac.uk/~mgk25/ih98- easy access to information (provided encryp- tempest.pdf tion is not used). UTP cable is very easy to Of course it is not recommended that all sys- tap, but it was thought years ago that fiber tems must address these sorts of security was immune to cable taps. We now know considerations, but it is good to know that that this is not the case. The National Secu- such attacks are possible. rity Association (NSA) is rumored to have al- ready tapped intercontinental network links 7. Physical PC Security Threats by splicing into the cable; one may read Often, inexperienced network designers be- about it at the following URL: gin with an unacknowledged assumption that http://zdnet.com.com/2100-11-529826.html. all the sensitive data within an organization It is also theorized that fiber cable could be is contained on servers. In reality, there is bent far enough so that some light would es- sensitive information about the company on cape if the outer layer of the cable is re- the employees’ laptops, as well as on the moved. With the right types of equipment, servers. Like most employees at my com- this information could then be read. pany, server resources are used when neces- Additionally, if an attacker gains physical ac- sary, but often interesting information is cess to a wiring closet or the fiber cable as it stored locally. runs in a cable tray above a drop ceiling, tap- Several physical security issues manifest ping the cable by installing couplers is an- when you operate under the preceding as- other possibility. sumption: All this being said, fiber is more secure than ƒ The first is that portable computer theft is a copper because the means to tap the signal big problem, not just in the cost of replacing are more expensive, difficult to execute, and the computer but in the proprietary informa- often require interrupting the original flow of tion that is stored on it. The best protection data to install. On the other hand, the means against having a lost portable computer turn to tap a UTP signal can easily be purchased into lost trade secrets is some type of file sys- off of the Internet. tem encryption (some are built into modern operating systems). References: ƒ The second is that by compromising the 1. Preston Gralla - Next-Gen Nets Need Next-Gen Se- data coming into and out of a PC, you can curity, networkingpipeline.bitpipe.com, 12 November 2004 learn passwords, sensitive data, and so on. 2. Convery Sean – General Design Considerations for An attacker can achieve this through network Secure Networks – Cisco Press, January 2004 sniffing, EMR emissions (discussed previ- 3. Tanya Baccam - Security Assessments: Reducing ously), remote control software (Back Orifice the Security Risk to Your Enterprise: What Different 2000), or novel devices that attach between Types of Security Assessments Provide – iQ Magazine, 2004 the keyboard and the PC and record to flash 4. Physical Security - What It's All About - memory every key typed. For more informa- http://www.infosyssec.org/infosyssec/physical_securit tion, one may see this URL: y.htm http://www.thinkgeek.com/stuff/gadgets/5a0 5. Robert L. Boque - Lock IT Down: Don't overlook 5.shtml physical security on your network, http://techrepublic.com.com/5100-6329_11-5054057- 2.html 8. Cable Plant Issues 6. E.J. McGowan - Security White Paper - Intra- In today's networks, there are two primary nets.com cable types: unshielded twisted pair (UTP) ABOUT,http://www.infosyssec.org/infosyssec/physic al_security.htm