Physical Considerations for Designing Secure Networks
Total Page:16
File Type:pdf, Size:1020Kb
Economy Informatics, 1-4/2004 69 Physical Considerations for Designing Secure Networks Senior Lecturer Răzvan Daniel ZOTA, Ph.D. E-mail: [email protected] During the past ten years or so networks’ vulnerabilities has increased continuously; the need for designing more and more secure networks it is a must in the present. One common secu- rity truism is that if you have physical access to a box, „all bets are off”. If an attacker has physical access to any networking device, like a computer, switch, router, firewall and so on, the security options are considerably reduced. The purpose of this article is to present design considerations for secure networks at the physical level. Keywords: Networking, Security, Security design, Physical Access, Distributed systems, Net- work security. Introduction Lock-and-key access 1 It is well known that if an attacker gain Key card access physical access to a networking device, this Key card access with turnstile fact may compromise dramatically the secu- Lock-and-Key Access rity options. Networking devices, with few The most common physical security control, exceptions, can have their passwords reset by particularly in smaller organizations, is tradi- attaching to their console port. Hosts can be tional lock-and-key access. For this method, booted with a special floppy disk or CD- individuals who need access to certain rooms ROM designed to circumvent most host se- or buildings are given keys for access. This curity on the device. The article do not cover option has the following benefits: physical security in detail and topics like site Generally, this is the cheapest option for selection or disaster recovery are not dis- small organizations. cussed. A network designer, however, must No technical experience is required. know where to rely on physical security to Special keys are available to thwart key support overall network security. There are duplication. some general rules to follow in order to suc- However, there are also several drawbacks: cessfully manage the network security: If employees leave the company on less Physical access control to facilities; than amicable terms, they might "lose" their Control physical access to data centers; keys or might simply stop showing up for Separate identity mechanisms for insecure work. In such cases, it can be very costly to locations; rekey the locks and redistribute keys to the Prevent password-recovery mechanisms in valid employees. insecure locations; Unless coupled with an alarm system that Electromagnetic radiation; augments the lock-and-key access, there is no Physical PC security threats; mechanism to determine when employees Cable plant issues. with keys access a given physical location. Most keys can be easily duplicated at the 2. Physical access control to facilities local hardware store. Effectively controlling physical access to the Key authentication is single-factor, mean- organization's facilities must be the single top ing the key is all a person needs to access concern for both physical security staff and locked areas. the network designer. Most organizations Key Card Access utilize one of three mechanisms to implement More common in larger organizations, key physical security (presented in increasing or- card access can alleviate some of the man- der of security): agement problems associated with lock-and- 70 Economy Informatics, 1-4/2004 key access and can provide increased secu- plus more. rity measures. Key card access can take the Tailgating is greatly diminished because form of a magnetic card reader or a smart only one person can enter per card. card. All of these systems have the same ba- Access to multiple locations can be con- sic pros and cons once you eliminate the trolled with a single card. technical differences of the technology. In the event that an employee leaves the These are the benefits of a key card system: company, the employee's card can be quickly Access to multiple locations can be con- disabled whether or not it is physically re- trolled with a single card. turned. In the event that an employee leaves the Locks should never need to be "re-keyed." company, the employee's card can be quickly Reports can be run to show when individu- disabled whether or not it is physically re- als enter specific locations. turned. The drawbacks of a system such as this are as Locks should never need to be "re-keyed." follows: Facilities with multiple entrances are easily Like the previous two systems, key card supported. access with turnstile is a single-factor iden- Reports can be run to show when individu- tity system. Any individual with a valid card als entered specific locations. could gain access to the building. The drawbacks to a key card system are as This doesn't work well for facilities with follows: multiple buildings and multiple entrances. Like lock-and-key access, key cards are This method generally requires a security single-factor security. Any individual with a guard to verify that individuals are not hop- valid key card could access the location. ping over the turnstile or tailgating through Key card systems can be expensive, and in an entrance designed for persons with physi- the event of a failure in the central authenti- cal disabilities that bypasses the turnstile. cation system, all users can be denied access Turnstiles are not aesthetically pleasing. to a facility. Turnstile access can be inconvenient for The principal problem with key card access employees, escorted guests, or individuals is tailgating. Tailgating is gaining unauthor- using dollies for equipment. ized access to a building by following an in- This method is more expensive than simple dividual with valid access. Oftentimes, if at- key card access and also has the same issues tackers are dressed in the appropriate cloth- in the event of a failure in the key card au- ing, they can simply follow legitimate indi- thentication system. viduals into a building without having to pre- Solving the Single-Factor Identity Problem sent a key card. Even if someone requests to A second factor can be added to either of the see a card, an attacker can show an invalid previous key card authentication processes. card because it might not actually be scanned The first option is to put a personal identifi- by the card reader. cation number (PIN) code reader at every lo- Key Card Access with Turnstile cation where there is a card reader. After us- Although most often associated with ball- ing their key card, employees must enter a parks and stadiums, turnstile access with a PIN to unlock the door. Another option is to key card can be one of the most secure meth- use some form of biometric authentication. ods of controlling physical access to a build- Biometric authentication could be used as ei- ing. For this method, a key card is used to ac- ther the second factor in a key card system or tivate the turnstile and allow one person into the principal factor in a biometric system. In the building. These systems are most com- the second case, users would enter a PIN af- mon in large multi-floor buildings, where ac- ter successful biometric authentication. Both cess can be controlled at the ground floor. In of these alternatives add cost to the system the following list, you can see that this option and inconvenience for users. has all the benefits of the previous option Economy Informatics, 1-4/2004 71 3. Control Physical Access to Data Centers vice ideally. Data-center access can utilize any of the pre- ceding mechanisms in addition to PIN- 5. Prevent Password Recovery Mecha- reader-only access. The important difference nisms in Insecure Locations with data-center access is that you are often Some devices have controls to prevent the dealing with a smaller set of operators, so is- recovery of passwords in the event that an at- sues around key management are somewhat tacker has physical access to your system. reduced. In this context, data center refers to For example, on some newer Cisco routers any location where centralized network re- and switches, we enter the following com- sources are stored. This could include tradi- mand: tional data centers, wiring closets, coat clos- Router(config)# no service password- ets, or someone's desk. It all depends on the recovery size of the facility and the way it is organ- When the above command is entered on a ized. Exceptionally secure data centers utilize router or a switch, interrupting the boot proc- sets of cameras, key card access, biometrics, ess only allows the user to reset the system to and "man-traps" to catch anyone illegally try- its factory default configuration. Without this ing to gain access to the room. command, the attacker could clear the pass- word and have access to the original configu- 4. Separate Identity Mechanisms for Inse- ration. This is important because the original cure Locations configuration might contain common pass- From the physical security perspective it is words or community strings that would allow important to ensure that passwords in physi- the attacker to go after other systems. This cally insecure locations are not the same as would be particularly useful in insecure those used in secure locations. Often an or- branch offices or other locations where the ganization will utilize common authentica- physical security of a network device cannot tion mechanisms for the various systems that be assured. must access network resources. For example, SNMP community strings or Telnet / SSH 6. Electromagnetic Radiation passwords might be set the same on all de- In 1985, the concerns of the paranoid among vices. From a pure security perspective, it is the security community were confirmed.