3.2 Protecting Physical Assets

So how paranoid do you have to be to protect your company's information? That depends entirely on your company, the potential cost of losing data, and the security policies your company adopts. Typical American businesses might not need to worry about intruders tapping into their network cables, but many government organizations worry about precisely that. Most companies might not need to worry about someone reprogramming hubs and switches to eavesdrop on network traffic, although large financial institutions, with their increased liability for compromised information, take extra steps to protect their hubs and switches. Some organizations, such as companies in the health care industry, are required by law to provide security measures for certain types of data. Physical security can be expensive; the level of physical security you implement will depend upon your organization's needs and requirements.

As I mentioned earlier, simply knowing about your security vulnerabilities, even if you choose to do nothing about them, is half the battle. Once you know what your vulnerabilities are, you and your company's managers can look at the cost of fixing those vulnerabilities and decide what's right for your company.

As with all security implementations, the measures you take to mitigate vulnerabilities depend on your particular situation. There is no one-size-fits-all security strategy. For example, an airline may value its reservations database above all other assets, and any compromise of that database would cause irreparable harm to the company. On the other hand, a law firm may care little about its databases but place immense value on its file shares that contain client communications and legal research. These two companies will eventually need to assign values to the importance and expected cost of compromise of their assets and implement appropriate security based on these values. This type of analysis and cost factoring is discussed in Chapter 15.

In the next few sections, I'll give you some tips for securing specific vulnerabilities.

3.2.1 Securing the Office

Most companies use DHCP to make IP address management easier. Unfortunately, DHCP makes it easy for unauthorized users as well, allowing them to obtain a valid IP address on your network and the address of your name resolution server, and from there, the IP address of every important server on your network. You may as well pass out maps to everyone who comes into your office. Without DHCP, the intruder would have to spend more time figuring out this information.

DHCP can be controlled, and I talk about that more in Chapter 11. If you're concerned about unauthorized users accessing the network, configure your DHCP server with reservations. Those reservations would allow computers with known physical addresses (also known as MAC addresses) to obtain an IP address and other information via DHCP. Computers with unknown MAC addresses would be unable to obtain any addressing information, rendering your network useless to them. Although this method requires a significant amount of administration to implement and maintain, you will defeat all but the most determined network intruders. Using DHCP to secure your network in this fashion is often easier and more efficient than trying to maintain physical control over every network jack in your building. Essentially, you're not worrying so much about the network jacks because you're tightly controlling the IP addresses issued to the computers plugged into those jacks. And although those IP addresses can be spoofed by an attacker, it's a bit harder for them.

Several other solutions to this problem have been gaining attention lately. They mainly fall into two distinct approaches:

Routers as network filters

In this solution, the network must be heavily routed. Network segments must be small and often segregated by the type of data used or the classification of users on that segment. This solution identifies all legal MAC addresses and instructs the router to block traffic from any unauthorized MAC address. While this solution could work, it's mostly theoretical. The expense of implementing the solution is two-fold: the initial infrastructure is costly, as is the daily maintenance of the MAC address lists. For these reasons, this solution remains mostly unimplemented.

802.1x for wired clients

This solution has the administrator create a public key infrastructure (PKI) and issue certificates to all users. Routers are configured to require 802.1x authentication for all network clients. Although 802.1x is primarily a wireless security solution, it is an open standard and can be used to restrict network port access to authorized entities. This solution is similar to the other solution in that the routers do the security work, which can be considered a fundamental flaw in the theory. Also, the initial setup of client computers requires a complex enrollment process before they can communicate normally on the network.

If you want to prevent visitors from accessing your network resources but still allow them to use your network to reach the Internet, you can configure your DHCP server with a separate scope of IP addresses that don't overlap your existing IP addresses. Company users will still get a valid IP address through their reservation; visitors will receive an address from the other scope. The addresses used by the "visitor scope" should work with your routers and firewalls but not with your corporate servers. You can also segment your network so that visitor data ports are filtered on routers to allow only specific, untrusted network access.
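The reservation-only scheme above only works if nobody quietly gets a lease they shouldn't. The following added example (mine, not the book's) audits a Windows DHCP server audit log against a reservation table and a visitor scope; the reservation table, scope ranges and log lines are constructed for the example, and the column layout assumed is the DhcpSrvLog-*.log format (ID,Date,Time,Description,IP Address,Host Name,MAC Address, with ID 10 = new lease and 11 = renewal).

```python
import ipaddress
from typing import Dict, List, Tuple

# Constructed reservation table (MAC -> reserved IP); values are assumed for this example.
RESERVATIONS: Dict[str, str] = {
    "000C29A1B2C3": "10.0.1.10",
    "000C29D4E5F6": "10.0.1.11",
}
CORPORATE_SCOPE = ipaddress.ip_network("10.0.1.0/24")  # reservation-only scope
VISITOR_SCOPE = ipaddress.ip_network("10.0.9.0/24")    # Internet-only "visitor scope"

# Constructed sample in the Windows DHCP server audit-log layout (DhcpSrvLog-*.log):
# ID,Date,Time,Description,IP Address,Host Name,MAC Address
# ID 10 is a new lease, ID 11 a renewal; other IDs are server housekeeping records.
SAMPLE_LOG = """\
ID,Date,Time,Description,IP Address,Host Name,MAC Address
00,03/14/05,07:58:02,Started,,,
10,03/14/05,08:02:11,Assign,10.0.1.10,ws-finance-01,000C29A1B2C3
11,03/14/05,08:05:40,Renew,10.0.1.11,ws-legal-02,000C29D4E5F6
10,03/14/05,09:17:03,Assign,10.0.9.23,guest-laptop,001122334455
10,03/14/05,09:31:55,Assign,10.0.1.57,unknown-pc,00DEADBEEF01
11,03/14/05,10:02:19,Renew,10.0.1.99,ws-finance-01,000C29A1B2C3
"""

LEASE_EVENTS = {"10", "11"}


def audit_leases(log_text: str) -> List[Tuple[str, str, str]]:
    """Return (finding, ip, mac) for every lease that breaks the reservation policy."""
    findings = []
    for line in log_text.splitlines():
        fields = [f.strip() for f in line.split(",")]
        if len(fields) < 7 or fields[0] not in LEASE_EVENTS:
            continue  # header, housekeeping records, malformed lines
        ip, mac = fields[4], fields[6].upper()
        addr = ipaddress.ip_address(ip)
        reserved_ip = RESERVATIONS.get(mac)
        if reserved_ip is not None:
            if ip != reserved_ip:
                # A known MAC holding a different address: spoofed MAC or a broken reservation.
                findings.append(("reserved-mac-wrong-ip", ip, mac))
        elif addr in CORPORATE_SCOPE:
            # The corporate scope should hand out reservations only; a dynamic lease leaked.
            findings.append(("unknown-mac-in-corporate-scope", ip, mac))
        elif addr not in VISITOR_SCOPE:
            findings.append(("lease-outside-known-scopes", ip, mac))
    return findings
```

Run it over yesterday's log each morning; a clean run is the confirmation that the scope really is reservation-only, and every finding is either a misconfiguration to fix or a device to go and look at.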

Phone lines present a potential security vulnerability that is easily controlled. Have your local phone company provide you with a list of phone numbers that are supplied to your location. Cancel any phone numbers that aren't authorized and instruct the phone company to disregard requests for new lines unless they are approved by a specific group or individual within your company who is responsible for information security. Ensure that any computer attached to a phone line is secured in such a way that outsiders can't use the phone line to access your network. For example, computers with attached phone lines shouldn't run software like pcAnywhere, which would allow anyone with a phone line and relatively unsophisticated password-guessing software to gain full remote access to them. Phone lines also present a way for employees to transmit information off your network without using centrally controlled resources such as an email server. Organizations that need to tightly control the transmission of information should view phone lines as a major vulnerability.

Floppy drives (and other removable media drives, like CD-ROM and ZIP drives) on most office computers can be disabled or completely removed. Users who require access to removable media can use external floppy drives or other forms of removable media, connected to their computers via USB. In addition, you can enforce security on USB devices so only authorized users have access. By restricting the users with access to a removable media drive, you can significantly reduce the threat of computer virus incursions on your network. Organizations desiring an especially high level of security will prohibit the use of removable media drives on client computers, and instead require users to submit removable media to an administrator. The administrator can then scan the media for viruses and mount the media in a network-accessible drive for the user to access.

3.2.2 Securing Laptops

Chapter 4 has detailed descriptions of several technologies that help protect against data compromise on a stolen laptop. In addition, the prevention of physical theft of the laptop is important. Laptop locks should be distributed with all laptops, and the users should be educated on their proper use in theft prevention. Users should further be educated on how to prevent theft via awareness of their surroundings, proper storage of laptops when not in use, and so forth. An administrative policy that requires laptop owners to attend training before taking possession of their laptops is a great way to ensure this occurs.

3.2.3 Securing the Data Center

Use card key access systems instead of combination locks, because card keys are much more secure. Make sure you have a proactive system that detects when employees have lost a card key. For example, requiring employees to use their card keys to reach their offices will allow you to spot any missing cards first thing in the morning.

Make sure that the folks managing your card key system understand the need to keep the data center secure. If necessary, implement a separate card key system to protect the data center and place it under the control of your company's information technology or information security staff.

Use cameras in the data center to spot tailgating and unauthorized visitors. Make sure employees are aware that they must use their card keys even if someone holds the door open for them, and make sure your policy on data center visitors is clearly displayed on the door. High-end security companies can install detection systems that will sound an alarm if someone attempts to tailgate, helping ensure that employees use their card keys. If you experience repeated tailgating incidents, you may consider entry access devices that allow exactly one person entry at a time (think of the older subway entry gates). Although primitive, they are effective at ensuring that each card key use admits just one person.

Card key systems can also be used to log employees out of the data center, not just in. These exit-based systems allow you to keep a complete log of who entered the data center and how long they stayed. Due to fire regulations, these systems usually cannot be mechanically enforced and are based on the diligence of your employees. You should always consult with an experienced physical security expert before employing any physical security control.
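Because exit readers cannot be mechanically enforced, the value of an entry/exit log lies in reviewing it. This added example (not from the book) pairs entries with exits to compute dwell time and flags the three patterns worth a follow-up: an exit with no entry (someone was let in), a second entry with no exit between (someone left without badging out), and an entry still open at the end of the log. The log format and card numbers are constructed for the example.

```python
from datetime import datetime
from typing import Dict, List, Tuple

# Constructed card-key log for a data-center door with separate entry and exit
# readers. The format (timestamp,direction,card) and the values are assumed.
BADGE_EVENTS = """\
2005-03-14 07:55:10,IN,card-1001
2005-03-14 08:20:45,OUT,card-1001
2005-03-14 08:30:00,IN,card-1002
2005-03-14 09:02:30,OUT,card-1003
2005-03-14 09:10:00,IN,card-1002
2005-03-14 17:00:00,OUT,card-1002
2005-03-14 18:00:00,IN,card-1004
"""


def analyze_badge_log(text: str) -> Tuple[List[Tuple[str, int]], List[Tuple[str, str]]]:
    """Return (visits, alerts): visits as (card, seconds inside), alerts as (card, reason)."""
    inside: Dict[str, datetime] = {}   # card -> time of the unmatched entry
    visits: List[Tuple[str, int]] = []
    alerts: List[Tuple[str, str]] = []
    for line in text.splitlines():
        stamp, direction, card = (f.strip() for f in line.split(","))
        when = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S")
        if direction == "IN":
            if card in inside:
                # Entered twice with no exit in between: the holder left without
                # badging out (or was tailgated out), so the earlier visit is unbounded.
                alerts.append((card, "entry while already inside (missed badge-out)"))
            inside[card] = when
        elif direction == "OUT":
            if card not in inside:
                # Exit with no matching entry: the holder got in behind someone else.
                alerts.append((card, "exit without entry (possible tailgating in)"))
                continue
            visits.append((card, int((when - inside.pop(card)).total_seconds())))
    for card in sorted(inside):
        alerts.append((card, "no exit recorded (still inside or missed badge-out)"))
    return visits, alerts
```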

3.2.4 Securing Servers

Never assume that your company's data center safeguards are enough. Keep servers in locked racks with secure rear doors and sidewall panels. The keys for these racks might be stored in a locked cabinet in the data center, requiring a combination or, even better, a card key to open the cabinet and obtain a rack key.

Every Windows Server 2003 includes Remote Desktop, which allows up to two different administrators to remotely administer the computer at the same time. Locking your servers in racks shouldn't present a significant burden, because most administrative tasks can be performed without even entering the data center. As a rule of thumb, once a server is installed in a rack, the only time you should need to physically touch it is to manually power it down, for example to replace or upgrade hardware.

Consider disabling or removing the floppy drives and even the CD or DVD drives in your servers. They are rarely needed for business purposes and present a significant security threat, since they can be used to start the computer or introduce viruses. You can always keep a USB floppy drive or CD drive handy in case you need to use removable media with a server. Ensuring that the server racks' rear doors are locked will prevent anyone from plugging in the USB drive without a key to the rack.

In Windows XP and Windows Server 2003, you must have administrative rights on the computer to install new device drivers. This is to help combat the security issue presented when a user installs a removable media drive on a computer. Using the principle of least privilege, very few users should have administrative rights on their computer. This should help ensure that unauthorized individuals cannot just insert a convenient storage device and have it work.

3.2.5 Securing the Wiring Closet

Few companies bother to lock their cable plants or wiring closets. Given the large number of vulnerabilities that network wiring presents, locking the cable plant definitely seems a bit futile. But remember that the cable plant often includes hubs and switches, and those devices can be accessed by intruders and turned into powerful network eavesdropping tools. If you don't lock your cable plant (which you should definitely do), at least keep your hubs, switches, routers, and other connectivity devices in locked cabinets.

Keeping your cable plant neat and tidy is another intruder deterrent. Neat, orderly cabling makes it easier to notice additional cables that an intruder may have added or to spot changes that an intruder may have made. If you have standardized a color for your network and patch cords, leave no extra cables unlocked. This forces intruders to either cannibalize existing cable, which will alert you in the form of a network disconnection, or use the wrong color cable. The only purple cable in a cabinet full of pink cables can be spotted quickly and easily.

3.2.6 Securing Network Transmissions

Network cabling is practically impossible to protect. It's snaked throughout the walls, ceilings, and sometimes even floors of your office. Copper-based cabling emits electromagnetic waves that can be detected and used to eavesdrop without even touching the cabling. Fiber-optic cabling is not only more secure, but also significantly more expensive.

You have to work under the assumption that your network cables aren't secure and that they are instead broadcasting every byte they carry into the air for anyone to receive. In fact, that's pretty much exactly what they do. With all your data being transmitted into the air, if you've based your security solution on the fact that wires are secure, your other security precautions are potentially meaningless.

You need to make those transmissions useless to an intruder. Technologies like IP Security (IPSec), which you'll learn about in Chapter 8, allow you to encrypt sensitive data before it is transmitted across your network cabling. Encrypted traffic is useless to an intruder without the private key, which is well protected in these configurations.

Wireless networks in particular seem like a huge security problem because they literally transmit network data for hundreds of feet. Most wireless networking products include built-in encryption capabilities, but those encryption capabilities are not foolproof, and several security schemes have been compromised by attackers. Wireless networks should be considered a major security concern, especially since they allow intruders to tap into your network without entering your building. While wireless networks can be convenient in certain situations, they should never be allowed to carry sensitive data without heavy-duty encryption using something like IPSec.

Wireless Security?

Can you actually implement some type of wireless network that's "secure"? No. There's no such thing as absolute security and doubly so for something you have little control over such as the airwaves. Unless your building is shielded in copper and lead and has a one-mile guarded perimeter, someone from outside your property will try to attack your wireless network.

How do you prevent an attack from succeeding? That's a bit easier to address. You must make it difficult for the attacker. Numerous layers of security are required here. MAC filtering, service set identifier (SSID) broadcast restriction, 802.1x certificates, and encryption keys are all elements that can help protect against attack. In addition, a strong security policy that states that certain classes of data cannot be passed through the wireless network is required. This can be enforced by careful routing and addressing (i.e., all sensitive servers are within a specific IP address range and your wireless routers are configured to disallow communications with hosts in that range).
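The routing-and-addressing control described in the last sentence is only as good as the order and breadth of the filter rules on the wireless router. This added example (mine, not the book's) models a first-match rule list and checks, for each sensitive range, whether wireless clients are actually cut off from it; it shows a weak rule set, the corrected one, and a deny that is narrower than the range it is meant to protect. The address plan and rules are constructed for the example, and an unmatched flow is assumed to be permitted (adjust for deny-by-default equipment).

```python
import ipaddress
from typing import Dict, List, Tuple

Rule = Tuple[str, str, str]  # (action, source network, destination network); first match wins

# Constructed addressing plan for this example (assumed, not from the book).
WIRELESS_CLIENTS = "10.0.20.0/24"                   # addresses handed to wireless clients
SENSITIVE_RANGES = ["10.0.1.0/24", "10.0.2.0/24"]   # file servers, database servers

# Weak configuration: wireless clients may reach anything.
WEAK_RULES: List[Rule] = [("permit", WIRELESS_CLIENTS, "0.0.0.0/0")]

# Corrected configuration: explicit denies for the sensitive ranges come before the permit.
CORRECTED_RULES: List[Rule] = [
    ("deny", WIRELESS_CLIENTS, "10.0.1.0/24"),
    ("deny", WIRELESS_CLIENTS, "10.0.2.0/24"),
    ("permit", WIRELESS_CLIENTS, "0.0.0.0/0"),
]

# Common mistake: the deny covers only half of the server range.
PARTIAL_RULES: List[Rule] = [
    ("deny", WIRELESS_CLIENTS, "10.0.1.0/25"),
    ("permit", WIRELESS_CLIENTS, "0.0.0.0/0"),
]


def check_isolation(rules: List[Rule], wireless: str, sensitive: List[str]) -> Dict[str, str]:
    """For each sensitive range, report how the first applicable rule treats wireless traffic."""
    src = ipaddress.ip_network(wireless)
    verdicts: Dict[str, str] = {}
    for target in sensitive:
        dst = ipaddress.ip_network(target)
        verdict = "reachable (no matching rule)"  # assumed implicit permit
        for action, rule_src, rule_dst in rules:
            rs, rd = ipaddress.ip_network(rule_src), ipaddress.ip_network(rule_dst)
            if not (src.overlaps(rs) and dst.overlaps(rd)):
                continue  # rule does not touch this wireless-to-sensitive pair
            covers = src.subnet_of(rs) and dst.subnet_of(rd)
            if action == "deny" and covers:
                verdict = "isolated"
            elif action == "deny":
                verdict = "partially covered (deny narrower than the range)"
            else:
                verdict = "reachable (permit matched first)"
            break  # first match decides
        verdicts[target] = verdict
    return verdicts
```

A "partially covered" verdict means some hosts in the range are still reachable; widen the deny or split the range until every sensitive network reports "isolated".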