Transcript Network Management - Department of Computer Science, Hong

Chapter 6
Physical Security
COMP4690, HKBU
1
Introduction


The goal of physical security is to provide a safe
environment for all assets and interests of the
organization.
Physical security provides protection for the building,
other building structures, or a vehicle housing the
system, and/or other network components.




Static systems: installed in structures at fixed location
Mobile systems: installed in vehicles or vessels
Portable systems: can be operated in buildings, vehicles,
or in the open
A very basic component of an organization’s total
security plan.
COMP4690, HKBU
2
Threats to Physical
Environment




Natural/environmental
 Earthquakes, floods, storms, tornadoes, hurricanes, volcanic
eruptions, natural fires, extreme temperatures, high humidity,
building collapse
Supply systems
 Communication outage, power distribution, burst pipes
Man-made
 Explosions, disgruntled employees, unauthorized access,
employee errors, sabotage, hazardous spills, chemical
contamination, malicious code, vandalism and theft, intruders,
unintentional acts
Political events
 Bombings, terrorist attacks, espionage, civil disturbances, strikes
COMP4690, HKBU
3
Information Protection
Environment

A layered defense model
Perimeter
Building Grounds
Building Entrance
Building Floors/Office Suites
Offices/Data Centers
Equipment/Supplies, Media
COMP4690, HKBU
4
Crime Prevention through
Environmental Design (CPTED)




CPTED as a concept began during the 1960s.
It states that the physical environment of a building
can be changed or managed to produce behavioral
effects that will reduce the incidence and fear of
crime.
It contains elements that make legitimate users of a
space feel safe and make illegal users feel unsafe in
pursuing undesirable behavior.
It is a psychological and sociological method of
looking at security.
COMP4690, HKBU
5
CPTED strategies

Territoriality



Surveillance




People protect territory that they feel is their own and people have a certain
respect for the territory of others.
CPTED encourages the use of physical attributes that express ownership,
such as fences, pavement treatments, art, signs, good maintenance, and
landscaping.
Surveillance is a principal tool in the protection of a space.
Landscaping and lighting can be planned to promote natural surveillance
from inside and from the outside.
Closed-circuit television (CCTV) is often used as an additional deterrent.
Access control

Properly located entrances, exits, fencing, and landscaping can control the
flow or limit access to both foot and automobile traffic in ways that
discourage crime.
COMP4690, HKBU
6
Site Location


Physical security should begin with a detailed site
selection process.
Where and how a building should be built?







Does our business have specific physical security concerns
regarding the facility location?
Is it vulnerable to crime, riots, or terrorism attacks?
Is it vulnerable to natural disasters?
Where is it located in relationship to adjacent buildings
and/or other businesses?
How far away is it to other types of threats?
What are neighborhood crime rates and types?
What type of emergency support response is provided to
the area?
COMP4690, HKBU
7
Construction Impacts

Construction controls involve designing walls,
windows, doors, and infrastructure support elements,
such as water or gas lines, in a secure fashion.




Constructing walls that are fire-rated
Penetration resistant
Windowless or have non-opening windows
Questions to consider



Could the structure withstand relevant natural threats?
Is it earthquake resistant?
Does the business require specific building enhancements?
COMP4690, HKBU
8
Facility Impacts






Entry points
Infrastructure support systems
Electrical power
Heating, ventilation, air conditioning (and
refrigeration)
Internal sensitive or compartmentalized areas
Portable computing
COMP4690, HKBU
9
Entry points

External entry points


Doors, windows, roof access, service or delivery
doors, fire-escape entries, other secondary
entrances
Internal entry points

Elevators, stairs, door to internal offices
COMP4690, HKBU
10
Infrastructure support systems



Include power, water/plumbing, heating, ventilation,
and air conditioning
The failure or substandard performance of the
support systems may interrupt operation of the
system and may cause physical damage to system
hardware or stored data.
Physical security for the infrastructure support
systems involves not only the area, but also
locations of wiring used to connect elements of the
system, such as cabling, plugs, sockets, loose wires,
exposed cabling.
COMP4690, HKBU
11
Electrical power


A disruption in the electrical power supply can have a serious business
impact.
Complete power loss



Blackout: complete loss of commercial power
Fault: momentary power outage
Power degradation






Brownout: an intentional reduction of voltage by a utility company
Sag/dip: a short period of low voltage
Surge: a sudden rise in voltage in the power supply
Transient: line noise or disturbance is superimposed on the supply circuit
and can cause fluctuations in electrical power
In-rush current: the initial surge of current required by a load before it
reaches normal operation
Electrostatic discharge: another type of electrical surge can occur when two
non-conducting materials rub together, causing electrons to transfer from
one material to another
COMP4690, HKBU
12
Interference


Interference is a random disturbance interfering with
device operation.
Electromagnetic interference (EMI)


The interference in a circuit. Common-mode noise occurs
between hot and ground wires; traverse-mode noise
occurs between hot and neutral wires.
Radio frequency interference (RFI)



The reception of radio signals.
Small electrical discharges generate RFI, and can be
generated by components of electrical systems,
transmitting devices, or lightning.
Other sources of interference: radio stations, cellular
phones, fluorescent lights, defective power plugs
COMP4690, HKBU
13
Water/Plumbing

Common sources of water problems


Broken pipes, fire-suppression systems, improper
installation of air conditioners, evaporative coolers
Water damage can lead to problems with
mold and mildew that may affect the proper
functioning of the computer resources
COMP4690, HKBU
14
HVAC

Heating, ventilation, and air conditioning



A system that provides the processes of comfort heating,
ventilation, and/or air conditioning within a space
HVAC&R: include refrigeration
Questions:




Where and how the system is installed?
Whether the location of these areas could allow for
unauthorized access or some type of sabotage?
How to remote control, monitor and maintain the system?
Risk of chemical and biological agents entering a building
through the system
COMP4690, HKBU
15
Internal sensitive or
compartmentalized area

Several areas need additional physical
protection





Data center
Server room
Communication center
Switching center
End-user areas where highly sensitive information
is processed and stored
COMP4690, HKBU
16
Portable computing

Because the organization’s data is being
accessed and processed outside the normal
physical protections of the office, the risk of
loss, theft, data exposure, and data
destruction can be significantly greater.
COMP4690, HKBU
17
Security technology and Tools

Layered defense






A fence protects the perimeter
The building entry points are protected with a card access
control system
Inside the building, a card access control system protects
the elevators and door locks secure the stairwells.
The office doors are also secured with locks.
Inside the office, the employee has locked all sensitive
information in an office safe.
Using multiple types of security controls within each
of the layers.
COMP4690, HKBU
18
Perimeter and building
grounds boundary protection

Protective barriers:





Landscaping: can be designed to provide a
measure of security, e.g., shrubs or trees
Fences: to designate a property boundary
Gates: portion of a wall or fence system that
controls entrance and/or egress
Bollards: vehicle barriers
Lighting: an essential element in an integrated
physical security system, be used with other
controls
COMP4690, HKBU
19
Perimeter Intrusion Detection
Systems

Closed-Circuit television (CCTV)


CCTV levels




A television transmission system that uses video cameras
to transmit pictures by a transmission medium (wired or
wireless) to connected monitors.
Detection: the ability to detect the presence of an object
Recognition: the ability to determine the type of object
Identification: the ability to determine object details
Three main components:

Camera, transmission media, and monitor
COMP4690, HKBU
20
CCTV

Camera and lens







To capture an optical image and convert the image into a
video signal that is then transmitted to a remote monitor
display
Tube cameras: use a cathode ray tube (CRT)
CCD cameras: use charge-coupled discharge (CCD)
Infrared cameras: provide night-vision capability
Fixed lens vs. zoom lens
Depth-of-field: the area between the nearest and farthest
points that appear to be in focus
Field-of-view: the entire area that can be captured by the
lens
COMP4690, HKBU
21
CCTV (Cont.)



Transmission media
 Coaxial cable
 Fiber-optic cables
 Wireless transmission
Display monitors
 NTSC, PAL
 HDTV
Other equipments
 Pan and tilt units: designed for remote control positioning of
cameras in both the horizontal (pan) and vertical (tilt) planes.
 Multiplexers or switches: combine several cameras onto a single
line or allow selected viewing of multiple cameras
 Videotape recorders
 Digital recorders
COMP4690, HKBU
22
Building Entry Points

Doors


Windows


Key locks, combination locks, smart locks
Guard Stations


Shatter-resistant, installed in fixed frames, can be locked
from the inside
Locks


Hollow-core versus solid-core
To monitor the security of the facility through TV monitors,
alarm systems, intercoms, etc
Card Access Control or Biometric Systems

card & card reader
COMP4690, HKBU
23
Inside the Buildings

Supply system controls







Electric power controls
Surge suppressors
Controlling interference
Uninterruptible power supply (UPS)
HVAC controls
Water controls
Gas lines
COMP4690, HKBU
24
Fire Protection

Fire prevention




Fire detection




Materials used in construction should be as fireproof as possible
Backup tapes and software should be stored in fireproof containers (they will
produce poisonous gases when they burn)
File-prevention training, includes fire drills
Smoke detectors
Photoelectric detectors
Heat detectors
Fire suppression



Fire-extinguishing systems
For computer equipment, type ABC extinguishers are appropriate
Automatic sprinkler systems: unpure water may compound the problem
instead of help!


If possible, equipment should be shut off before discharging the sprinkler
system.
Once a computer is wet, it should not be turned on until it is thoroughly dry.
COMP4690, HKBU
25
Fire Classes
Class
Type
Suppression
A
Common combustibles
(i.e., wood products)
Water, soda acid
B
Liquid (i.e., petroleum
products, coolants)
Gas, CO2, soda acid
C
Electrical (i.e., electrical
equipment, wires)
Gas, CO2
D
Combustible metals
Dry powder
COMP4690, HKBU
26
Penetration Detection Systems

Basic types of physical intrusion detection
systems include:






Breaking or making an electrical circuit
Interrupting a light beam
Detecting sound or changes in sound levels
Detecting vibration
Detecting changes in heat level through passive
infrared detectors
Detecting a disturbance in an electrostatic,
microwave, ultrasonic, or other type field
COMP4690, HKBU
27
Good Security Practices for
Data Center Security

Access control





Electronic access control: badge/smart cards/biometric
devices
Post an access control list on the outside of the door,
indicating who is allowed unescorted access
Have access control policies for daytime use, after-hour
use, or during an emergency
CCTV to view visitors
Site location



Location within the building should not be easily accessible
to visitors or to the general public
Away from external windows or walls
Away from water pipes or other support system facilities
COMP4690, HKBU
28
Good Security Practices for
Data Center Security

Walls




Construct the room as a single unit
Walls should not form part of an external wall of the
building
If using glass as an external wall barrier, use shatterresistant glass to limit damage from breakage
Doors




Should be solid core
Should not open out
Door frame should be permanently fixed to the adjoining
wall studs
Door hinges should be fixed to the frames with a minimum
of three hinges per door
COMP4690, HKBU
29
Good Security Practices for
Data Center Security

HVAC




Power supply





Should be on a separate system from the rest of the building
The size of the ducts and vents should ensure that they cannot be breached
by an intruder
Positive pressures should be maintained
A backup power supply (UPS or generator) should exist for a minimum
amount of time as required by the organization’s needs
Backup power supply needs to be tested on a regular basis
Electrical facilities that support the data center should be separate from the
main building
Electrical closets, cables, and wiring should be properly secured
Fire




Deploy portable extinguishers at exits and near equipments
Install fire sensors/detection equipment
Have documented and tested emergency plans
Install water sensors under the raised floor
COMP4690, HKBU
30