Introduction to Physical Security and Security of Services
Jennifer Vesperman
jenn@linuxchix.org
2002-02-24
Revision History
Revision 0.1 2002-02-17 Revised by: MEG
Converted from text file. Modified wording.
Revision 0.2 2002-02-24 Revised by: MEG
Conforming to LDP standards. Added abstract.

How does an individual or organisation assure that their Internet services,
such as websites, are available? This article discusses techniques for assuring
physical security of hardware and methods of making sure the servers run and
have Internet access.
-----------------------------------------------------------------------------
Table of Contents
1. Introduction
1.1. Copyright Information
1.2. Overview
1.3. Physically Securing the hardware
2. Physical security of networks
3. Power
4. Network Access
1. Introduction
1.1. Copyright Information
Copyright (c) 2002 by Jennifer Vesperman. This material may be distributed
only subject to the terms and conditions set forth in the Open Publication
License, v0.4 or later (the latest version is presently available at
http://www.opencontent.org/openpub/).
-----------------------------------------------------------------------------
1.2. Overview
If an intruder gets physical access to a computer, they can easily gain
access to the information stored on the computer. Methods range from simply
tucking the computer under their arm and walking off with it to collect the
data at leisure, to using a 'rescue disk' or some other method of starting
the computer with no passwords, to removing the hard drive and starting it on
their own computer, with full access to the information stored on the drive.

Most operating systems have some method of starting the computer with no
passwords - this is intentional, because most organisations will lose or
forget a critical password at some time. This can only be done when
physically at the computer, however - the operating system designers rely on
the user being aware of this fact, and securing the computer room.

There are methods, in most operating systems, of disabling the 'no password'
start - if you choose to implement them, be extremely careful and document
the passwords well, and keep the copy of the passwords secure.
-----------------------------------------------------------------------------
1.3. Physically Securing the hardware
Keep any computers which have sensitive information away from the general
public. Use common sense - locked doors, locked windows and security systems
are all readily available. Your local police department is likely to have
up-to-date advice on realistic security for your area.

There are specialist devices available for attaching computers to desks, or
for locking computer cases closed. If you (or your local police department)
feel that these are warranted for your system, buy them and apply them. Just
remember that you also need to prevent an intruder from actually reaching the
computer in the first place - information can be stolen without moving the
computer itself.
-----------------------------------------------------------------------------
2. Physical security of networks
Networks can be easier to secure - if there is a single computer (or a small
group of computers) holding the sensitive information, those are the
computers which must be physically secured. Other computers can be left less
secure, provided the network itself is secure and the unsecured computers
don't hold sensitive information - such as network passwords - themselves.

In 'big business' the computers which store the sensitive information are
often kept in a special computer room, in a secured building. In small
business or home environments, keep these separate - don't use them as
regular computers. Make certain they're behind the scenes somewhere, away
from customers.
-----------------------------------------------------------------------------
3. Power
There are two issues with power supply. One is the matter of power smoothing,
preventing sudden surges or drops in supply, and the other is supply itself.
Blackouts and brownouts can cause the computers to shut down suddenly, losing
any information stored only in short-term memory (RAM). Sudden surges or
drops in supply can cause physical damage to computer components, if they are
bad enough.

Power smoothing is only needed in some areas. Local computer experts will be
able to tell you if your area's supply is prone to surges and dips, and can
offer advice on whether you need surge protectors or power smoothers.
However, if you buy a UPS (uninterruptible power supply), most have power
smoothing built in.

A UPS is used to protect against sudden loss
of power. It's somewhat of a misnomer, as it doesn't itself provide power -
it is essentially a large battery that charges itself from the power main.
The computers are plugged into the UPS, and if the mains power cuts out, the
UPS provides enough power for the computers to shut themselves down and save
all their information.

Most UPSes will signal the computer when the main power cuts out. Get your
local computer expert to ensure that yours does (preferably before you buy
it), and ensure that your computer is set up to respond to that signal.
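
What "set up to respond to that signal" can mean in practice, as an added example that is not part of the original article. The status flags follow the NUT "ups.status" convention (OL, OB, LB); the grace period, the treatment of lost contact with the UPS and the sample readings are assumptions made here.

```python
# Added example: deciding when to shut down from a stream of UPS status reports.
# Flags follow the NUT "ups.status" convention (OL on line, OB on battery,
# LB low battery); grace period and sample readings are constructed.
from dataclasses import dataclass
from typing import Optional

@dataclass
class ShutdownPolicy:
    grace_seconds: float = 120.0              # assumed ride-through time
    on_battery_since: Optional[float] = None  # start of the current outage

    def decide(self, now: float, status: Optional[str]) -> str:
        """Return 'run', 'wait' or 'shutdown' for one status report."""
        if status is None:
            # Lost contact with the UPS: harmless on mains, but during an
            # outage the battery level is unknown, so stop while we still can.
            return "shutdown" if self.on_battery_since is not None else "run"
        flags = set(status.split())
        if "OB" not in flags:
            self.on_battery_since = None      # mains restored, cancel countdown
            return "run"
        if self.on_battery_since is None:
            self.on_battery_since = now
        if "LB" in flags or now - self.on_battery_since >= self.grace_seconds:
            return "shutdown"
        return "wait"

def replay(samples, grace_seconds=120.0):
    """Feed (time, status) pairs through a fresh policy; return the decisions."""
    policy = ShutdownPolicy(grace_seconds=grace_seconds)
    return [policy.decide(t, s) for t, s in samples]

# Constructed readings: a short dip, then an outage that drains the battery.
SAMPLES = [(0, "OL"), (10, "OB"), (60, "OB"), (70, "OL"),
           (200, "OB"), (260, "OB LB")]

if __name__ == "__main__":
    for (t, s), d in zip(SAMPLES, replay(SAMPLES)):
        print(f"t={t:>3}s status={s!r:<8} -> {d}")
```

The policy only returns a decision; wiring "shutdown" to the operating system's own shutdown command is left to the machine's configuration.
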
If you want a truly uninterruptible supply, there are companies in existence
which would be happy to sell you a power generator that cuts in automatically
when mains power cuts out, and a UPS-like device to handle the cutover to the
generator.
-----------------------------------------------------------------------------
4. Network Access
Network access, such as internet access, tends to be at the mercy of large
organisations which run the local internet 'backbones' (the main routes).
Even if you buy your connection through a small provider, their own
connection is usually with one of the larger organisations.

The reliability of your local providers can be a significant issue to the
success of your business - or it might not be, depending on what your
business is. If it is important to have reliable access, you might want to
either write reliability (and penalties) into your contract with them, or to
have two different providers, who themselves, preferably, are connected to
two different backbones.

If you have the two providers, you will probably need to have a specialist
configure your network so that in the event of one provider failing you, your
network automatically cuts over to the other, and so that when the first
resumes connectivity, the network routing switches back to a dual-route.
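
The cut-over and fail-back decision described above, as an added example that is not part of the original article. Provider names, probe thresholds and probe results are assumptions; the slower recovery threshold, which keeps a flapping link from being trusted again too early, goes beyond what the text states.

```python
# Added example: choosing active routes for two upstream providers.
# Provider names and thresholds are hypothetical; probe results are constructed.
from dataclasses import dataclass

@dataclass
class Uplink:
    name: str
    fail_after: int = 3      # consecutive failed probes before marking down
    recover_after: int = 5   # consecutive good probes before trusting again
    up: bool = True
    streak: int = 0          # consecutive probes contradicting current state

    def observe(self, probe_ok: bool) -> None:
        """Update link state from one reachability probe."""
        if probe_ok == self.up:
            self.streak = 0  # probe agrees with current state
            return
        self.streak += 1
        limit = self.fail_after if self.up else self.recover_after
        if self.streak >= limit:
            self.up, self.streak = probe_ok, 0

def active_routes(links):
    """Names of the uplinks that should carry traffic right now."""
    live = [link.name for link in links if link.up]
    # If every uplink looks dead, keep both routes installed instead of
    # withdrawing the default route (the probe target may be the problem).
    return live or [link.name for link in links]

def simulate(probes_a, probes_b):
    """Replay paired probe results; return the active route set per step."""
    a, b = Uplink("provider-a"), Uplink("provider-b")
    history = []
    for ok_a, ok_b in zip(probes_a, probes_b):
        a.observe(ok_a)
        b.observe(ok_b)
        history.append(tuple(active_routes([a, b])))
    return history

if __name__ == "__main__":
    # Constructed run: provider-a fails for three probes, then recovers.
    outage = [True, False, False, False] + [True] * 6
    for step, routes in enumerate(simulate(outage, [True] * 10)):
        print(step, routes)
```
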