لطفا منتظر باشید ...
Physical Security
Although this book focuses mainly on the security issues of networks, physical security is also important. It is relatively easy to implement and maintain a tight security policy for your network security. Physical security is much more difficult to implement.Physical security is defined here as the use of blueprints, standards, or models to protect networks. Physical security involves the identification and description of all the measures required to protect your facility. This process includes both internal and external security measures, disaster-recovery plans, and personnel training.The implementation of a valid physical security plan can fall short for various reasons, the most important being budget constraints. A slight shift in focus is taking place with the recent effects and threats of global terrorism. This shift might trigger the necessary attention so that comprehensive physical security implementations become as common as encryption, firewalls, virtual private networks (VPNs), and others.
Outside and External Security
When implementing physical security at a company level, the first consideration is the location of your site. In reality, considering the change of a company's location might not be an option because budget limitations may force you to use an existing building. Given an existing site, however, you can make sure that the site meets a minimum set of requirements, which are defined by physical security blueprints or models.NOTEA set of governmental specifications is available in the document "The Director of Central Intelligence Directive 1/21: Manual for Physical Security Standards for Sensitive Compartmented Information Facilities (SCIF)." The following link provides a reference guide and checklist for SCIF construction:http://www.fas.org/irp/offdocs/dcid1-21-refThe complete document can be found at the following link:http://www.fas.org/irp/offdocs/dcid1-21Once a facility is built, multiple layers of security are required. The following list is an overview of available layers and options for external physical security:
- Electronic fence
- Electromagnetic IDS
- Camera systems
- Entrance security (smart cards, PIN code)
- Permanent guards
In many situations, the objective of achieving maximum external physical security, according to the specifications in the preceding list, is compromised because not all layers can be easily implemented.
Internal Security
The approach to implementing internal physical security is similar to the approach to implementing external physical security. Some of the external and internal measures overlap. For instance, camera systems can be installed all over a campus, with priority given to the entrances to mission-critical areas such as lab space, communication rooms, and server rooms. Just as the effectiveness of external security depends on layers of security, internal security is implemented in layers. For example, low-security areas may require only a pin code or card reader for entrance, and high-level security areas may require card readers in combination with biometrics for entrance. High-level security areas can also be equipped with smoke, temperature, and humidity sensors.Chapter 8, "Router Security," it is also important to think about the physical access to devices. Having terminals available to connect to console ports of routers and switches makes it possible to alter configurations fairly easily. In general, avoid console access to any platform in your labs, server rooms, and communication rooms. Console authentication should be configured if physical console access is required to assure that unauthorized console access is avoided.
Disaster-Recovery Plans
Even for the most protected and secure areas, a decent disaster-recovery plan needs to be defined. A disaster-recovery plan spells out measures that limit losses that can be incurred by disasters such as hurricanes, floods, and electrical failure. Disaster-recovery plans also outline how business practices are to be resumed after disaster. The possibility of things going wrong needs to be addressed upfront. For instance, uninterruptible power supplies (UPSs) are the de facto standard for countering power blackouts. In addition, implementation of multiple Internet connections is a must for connecting your site to a service provider's network. Having only a single connection creates a single point of failure. Furthermore, a central backup system is a mandatory service for all servers in the network.The industry has developed three levels of disaster-recovery plans:
- Hot site
This is the most sophisticated and expensive type of data replication routine. Data is replicated on two separate servers, one housed in the operational location and one at a different physical site. Data is updated on both systems simultaneously. - Warm site
With this solution, the data replication routine can occur from once every 24 hours to once a week. In the event of a disaster, the warm site would provide day-old data. - Cold site
This solution is the most cost effective because companies do not have to purchase duplicate machines. Data is sent either on tape or via the Internet and installed on shared hardware.
The ultimate disaster-recovery service is the implementation of a complete fail-over site. This is a drastic approach. When defining the disaster-recovery plan, companies need to consider not just the loss of data but also the loss of a complete workplace. This might sound ridiculous, but the cost of losing your complete workplace, data included, is nothing compared to installing a fail-over site.
Personnel Awareness
Developing a strong security policy helps to protect your resources only if all staff members are properly instructed on all facets and processes of the policy. Most companies have a system in place whereby all employees must sign a statement confirming that the policy was read and understood. This policy covers the multiple security situations that employees encounter during a day of work: laptop security, password policy, handling of sensitive information, access levels, photo IDs, PIN codes, and so on. A top-down approach is required if the policy is to be taken seriously. This means that the security policy needs support from the executive level downward.
