Dealing with Physical Security Issues

If an attacker gains physical access to a computer, router, switch, firewall, or other networking device, your security options are severely limited. Most networking devices can have their passwords reset by attaching to their console port. Computer hosts can be booted from a purpose-made CD-ROM designed to circumvent most host security on the device. In this crux series, we quickly look at some key rules concerning physical network security, and hence network security as a whole:

Control physical access to network and data center facilities

Effectively controlling physical access to your organization's facilities should be the single top concern for both your physical security staff and you as the network designer. The toolset for this may include cameras, key card access, biometrics, and "man-traps" to catch anyone illegally trying to gain access to the room.

Separate identity mechanisms for insecure locations

Often an organization will use common authentication mechanisms for the various systems that must access network resources. For optimal security, different passwords should be used on each device, but this is often operationally impossible for large networks. Therefore, at a minimum, organize your common passwords so that they are never used on systems in physically insecure locations.

Prevent password-recovery mechanisms in insecure locations

For example, on some newer Cisco routers and switches, the command is as follows:

Router(config)# no service password-recovery

This is particularly useful in insecure branch offices or other locations where the physical security of a network device cannot be assured.

Be aware of cable plant and electromagnetic issues

UTP cable is very easy to tap, and years ago fiber was thought to be immune to cable taps. We now know that this is not the case. The National Security Agency (NSA) is rumored to have already tapped intercontinental network links by splicing into the cable.

Be aware of physical PC security threats

A common oversight in network security design stems from the faulty assumption that all the sensitive data within an organization is contained on servers. In reality, there is sensitive information about an organization on almost every machine in the enterprise network, not only on the servers. Utilities and features such as file system encryption are essential to mitigate the threat posed by the physical loss of individual PCs or laptops used by company employees.
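The two device-level rules above (no shared credentials at insecure sites, and password recovery disabled there) can be checked against a device inventory. The following is an added example, not code from the original article: a small Python audit over constructed sample configs and an inventory whose hostnames, site classification and credential-set names are all assumptions.

```python
# Added example (not from the original article): audit a constructed device
# inventory against two rules from this article, (1) password recovery must
# be disabled on devices at physically insecure sites and (2) credential sets
# used at secure sites must never be reused at insecure sites.
# Device names, sites and config text below are constructed sample data.

# Constructed running-config fragments. On Cisco IOS the default (recovery
# enabled) does not appear in the config; only the "no ..." form is shown,
# so absence of that line means recovery is still possible from the console.
CONFIGS = {
    "hq-core-1": "hostname hq-core-1\nservice password-encryption\n",
    "branch-7": "hostname branch-7\nno service password-recovery\n",
    "branch-9": "hostname branch-9\nservice password-encryption\n",
}

# Constructed inventory: which site class each device sits in and which
# shared credential set (e.g. a common enable secret) it uses.
INVENTORY = [
    {"host": "hq-core-1", "insecure_site": False, "cred_set": "core-admin"},
    {"host": "branch-7", "insecure_site": True, "cred_set": "branch-admin"},
    {"host": "branch-9", "insecure_site": True, "cred_set": "core-admin"},
]


def password_recovery_disabled(config: str) -> bool:
    """True only if the config explicitly contains 'no service password-recovery'."""
    return any(line.strip() == "no service password-recovery"
               for line in config.splitlines())


def audit(inventory: list[dict], configs: dict[str, str]) -> list[str]:
    """Return one finding per violated rule, in inventory order.
    A device with no collected config is treated as recovery-enabled."""
    findings = []
    secure_cred_sets = {d["cred_set"] for d in inventory if not d["insecure_site"]}
    for dev in inventory:
        if not dev["insecure_site"]:
            continue  # both rules apply only to physically insecure locations
        host = dev["host"]
        if not password_recovery_disabled(configs.get(host, "")):
            findings.append(f"{host}: password recovery still enabled at insecure site")
        if dev["cred_set"] in secure_cred_sets:
            findings.append(f"{host}: credential set '{dev['cred_set']}' "
                            "is shared with secure-site devices")
    return findings


if __name__ == "__main__":
    for finding in audit(INVENTORY, CONFIGS):
        print(finding)
```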