Một bài toán tôi từng gặp đó là thiết kế Physical Security cho một Data Center. Các tài liệu nói về phần Security cho DC thường có thiên hướng đi sâu vào khía cạnh ” bảo mật với lính gác, tuần tra, hệ thống CCTV, và lớp bên trong thiên về công nghệ như các loại thẻ quẹt, Firewall …)
Trong khi đó phần Security về mặt vật lý không đơn giản chỉ là như thế, đối với các DC có diện tích rộng lớn, diện tích khu đất lớn gấp >= 10 lần diện tích xây dựng DC thì mọi việc trở nên đơn giản hơn rất nhiều, việc đáp ứng các tiêu chí cơ bản của Tier 3 – 942 ở mức độ vĩ mô là khả quan.
Nhưng đối với các DC có diện tích khu đất nhỏ hơn thì vấn đề lại khác biệt hoàn toàn. Các quy định về khoảng cách hàng rào, chiều cao hàng rào, đèn chiếu sáng… là tương đối mù mờ – thậm chí không có tiêu chuẩn trong các khóa học chuẩn. Tôi thấy bài viết này hay và chia sẻ với các bạn.
When information security professionals think of perimeter security, firewalls, SSL VPN, RADIUS servers, and other technical controls immediately come to mind. However, guarding the physical perimeter is just as important.
During the past weeks, I’ve written a series of articles that describe various components of an effective physical security strategy. In this final article in the series, we’ll look closely at best practices for constructing the initial barrier to physical access to your information assets: the outer perimeter.
Components of a physical perimeter
Having served for several years in the military police, the concept of physical perimeter has two meanings. However, we’ll skip the combat definition with its automatic weapons placement and final protective lines and focus on facility security. (At least I hope your information asset physical security isn’t that strict, department of defense facilities excluded…)
The outer perimeter of a facility is its first line of defense. It can consist of two types of barriers: natural and structural. According to the United States Army’s Physical Security Field Manual, FM 3-19.30 (2001, p. 4-1):
- Natural protective barriers are mountains and deserts, cliffs and ditches, water obstacles, or other terrain features that are difficult to traverse.
- Structural protective barriers are man-made devices (such as fences, walls, floors, roofs, grills, bars, roadblocks, signs, or other construction) used to restrict, channel, or impede progress.
In other words, if you can use the terrain, do so. Otherwise, you have to spend a little money and build your own obstructions.
The most common type of structural outer perimeter barrier is the venerable chain-link fence. However, it isn’t good enough to simply throw up a fence and call it a day. Instead, your fence, a preventive device, should be supported by one or more additional prevention and detection controls. The number of controls you implement and to what extent are dependent upon the risks your organization faces.
A fence is both a psychological and a physical barrier. The psychology comes into play when casual passers-by encounter it. It tells them that the area on the other side is off-limits, and the owner would probably rather they didn’t walk across the property. A fence or wall of three to four feet is good enough for this.
For those who are intent on getting to your data center or other collection of information assets, fence height should be about seven feet. See Figure A. For facilities with high risk concerns, a top guard is usually added. The top guard consists of three to four strands of barbed wire spaced about six inches apart and extends outward at a 45 degree angle. The total height, including fence and top guard, should reach eight feet. Figure A
Installing a perimeter fence requires some planning. See Figure B. Set the poles in concrete and ensure the links are pulled tight. The links should form squares with sides of about two inches. The fence should not leave more than a two inch gap between its lower edge and the ground. Figure B
Figure C depicts other considerations regarding fence placement. First, identify any culverts, ditches, or objects that cause an opening beneath the fence. Remember the two-inch rule above. There should be no gaps greater than two inches below the edge of the fence. When any opening under the fence–whether enclosed as with the culvert in our example, or open–exceeds an area greater than 96 square inches, it should be blocked (FM 3-19.30, p. 4-5). This is a good rule-of-thumb. However, use common sense. If you think a hole is big enough for a person to defeat your fence, block it. Figures D and E (MIL-HDBK-1013/10, 1993, p. 15) show two methods. Figure C
Clear the area on both sides of the fence to provide a clear view of future intruders. The recommended clearances, as shown in Figure C, are:
- 50 feet between the fence and any internal natural or man-made obstructions.
- 20 feet between the fence and any external natural or man-made obstructions.
Natural obstructions include trees and high weeds or grass.
Lighting is a critical piece of perimeter security. It works as a deterrent and assists human controls (roving guards, monitored cameras, first responders to alarms, etc.) detect intruders. Lighting standards are pretty simple:
- Provide sufficient light for the detection controls used
- Position lighting to “blind” intruders and keep security personnel in shadows
- Provide extra lighting for gates, areas of shadow, or probable ingress routes, as shown in Figure C.
A general rule to start with is to position lights with two-foot candle-power at a height of about eight feet.
Intrusion detection controls
As with our technical controls, we make the assumption that if someone wants to get through our perimeter, they will. So we need to supplement our fence with intrusion detection technology, including:
- Motion detectors
- Photoelectric systems
- Passive infrared
- Surveillance cameras that are monitored in real time
- Acoustic-seismic detection
Use of detection technology must be coupled with a documented and practiced response process.
The final word
The field of physical security is broad and is often a dedicated career path. So the information here is not intended to make you an expert. However, organizations are increasingly integrating computer and physical security under one manager.
The need for information security professionals to understand physical controls is great enough that the most popular certifications, such as CISSP, require some knowledge of the topic. Don’t be left behind.
Finally, many of the controls discussed in this article are too extreme for many organizations. However, It’s always better to understand all your options.