Physical Security – N10-008 CompTIA Network+ : 4.5

There are many physical security tools and techniques that we use to keep our networks safe. In this video, you’ll learn about video surveillance, asset tracking tags, access control hardware, smart lockers, and more.


Almost every organization has some type of video surveillance, and if that video surveillance is just for your facility, we commonly refer to it as CCTV, or closed circuit television. With CCTV, we can cover a much larger area over a much longer period of time than we could using guards. These cameras not only show us what's going on; some of them include additional features, such as object detection, so they might be able to differentiate between a car and a person.

This is usually more than a single camera. There’s usually a large number of cameras and they’re all networked back to one central network video recorder. The cameras might also have the ability to inform you when something happens.

They might include motion detection along with passive infrared capabilities, so they can not only detect something that's moving but also see it moving in the dark.

Another good physical security feature is to add asset tracking tags to all of your devices. So you might want to add a tag to your routers, your switches, fiber modules, or anything else you may be installing on your network.

These tags can also be integrated with your financial system, so when you purchase a piece of equipment, you can track when that device was purchased, where it was installed, and you can depreciate that particular asset over time on your taxes. The tag might have a barcode or a number associated with the device, and sometimes can even include the name of the organization. This makes it very easy for someone to identify this particular component, whether it’s in your network or somewhere else.

As IT professionals, we can’t be in all of our locations at every moment of the day, so we need to have something that can check to see if a device may have been tampered with. Hardware tampering sensors might be inside of your equipment, and if someone removes the case, it identifies that the case has been removed and sends you an alert. You might find these hardware tampering sensors in your personal computers or they may be in your firewalls, your routers, your switches, and other network devices.

You can also combine this tamper detection with your asset tags. If someone were to remove that asset tag, there would be a message left behind showing that, at one time, there was an asset tag on this device.

The employees in your organization are some of the best physical security you can find, and if you train them properly to look for security issues, they can be a great early warning system.

You’ll need to perform some type of training though to bring them up to speed on what they should be looking for. This might also include posters and signs that give them constant feedback about things that would be important to remember for security in your environment. You can combine this with login messages so that information is displayed on the screen when the person logs in at the beginning of the day, and you can also provide security information on the intranet as an ongoing source of documentation.

This type of training for IT security is an ongoing process, and there should be a set of procedures so that everyone is able to get all of the training they need for IT security.

If you go into a large office building, you'll probably see access control hardware similar to the one on the screen here. This is going to stop someone from entering the rest of the building until they have provided some type of authentication.

These might be gates providing access to a room or to the elevator banks. Maybe it's a lock on a door, or a camera that is used. Organizations might use one or many types of access control hardware, depending on their requirements. All of these systems are usually integrated together. So you can have the access control systems, where you have to badge in to gain access to the elevators, but notice there are also cameras on the wall to provide video surveillance of everyone who's coming through that system.

When you enter a building and come to one of those access control systems, you probably need to provide some type of key that will let you in. Maybe this is an electronic system that would be either keyless or one where you put in a personal identification number. This means you don't have to carry around a physical key; you just have to make sure that you either know the personal identification number or you have your badge with you.

These are often centrally controlled, so you can go to one central workstation and configure exactly who has access to which rooms through that one central management console. Inside the card there is usually an identification chip, and that chip is powered and read using an antenna that is also inside the card.

Instead of using an access card, maybe we're using ourselves as the access mechanism. This would be biometrics.

So we would use a fingerprint, a retina scan, or a voice print to gain access to a room. This biometric device is usually storing a mathematical representation of your body. So it could take a fingerprint, create a mathematical representation of that fingerprint, and store that for future checks.

One of the nice parts about using biometrics as an access control method is that they don't tend to change over time. Your fingerprint is going to be the same today as it will be a year from now, and it's very difficult for someone to pretend to have your fingerprint. Unlike a password, which you would need to change over time, biometrics don't need any changes because you should be the only person with that fingerprint. Like anything else, biometrics are not foolproof, but they can be used in conjunction with other types of access control methods to create a very strong method of security.

If you're entering a highly secure area, such as a data center, you may be walking through an access control vestibule. This might be a one-person vestibule or it may be a small room that many people can fit in, and it operates by allowing one person through a door at a time. When that door is unlocked, all of the other doors to that room are locked, so you must walk into the room and close the door behind you before you can proceed further.

This allows the administrator of the facility to control exactly who may be going through a particular area. Once that person opens the door to go into the other room, all of the other doors will be locked. This ensures that no one would be able to tailgate through as this person is led into the highly secure area. You’ll often see these in very large data centers, third party facilities, or anywhere you need to control the number of people who may be moving in or out of an area.

Here's an access control vestibule that lets you in with a PIN and a biometric reader. You can see there's a check-in desk, and then you can proceed through to the rest of the facility. Here's a different access control vestibule. Now that this door is open, no one else is able to gain access into the vestibule itself. This door would have to be closed before anyone else is let in, and then the guard would be able to process them before allowing them into the data center.
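To make the interlock rule concrete, here is an added example (not from the video or from CompTIA) that models a one-way, single-occupancy vestibule as a small controller: a door unlocks only for a known badge and only while every other door is shut, and the outer door refuses a second person while someone is already inside. The door names, badge IDs and the walkthrough in `run_scenario` are constructed for illustration.

```python
from dataclasses import dataclass, field


@dataclass
class Vestibule:
    """Interlock for a one-way vestibule: people enter through doors[0]
    and leave through doors[1]; only one door may be open at a time."""
    doors: tuple                                  # ("outer", "inner")
    authorized: set                               # constructed badge IDs
    open_door: "str | None" = None                # door currently unlocked
    occupants: int = 0                            # people inside the vestibule
    log: list = field(default_factory=list)       # audit trail for the guard

    def request_open(self, door: str, badge: str) -> bool:
        """Unlock `door` only if the badge is valid and the interlock allows it."""
        if badge not in self.authorized:
            self.log.append(f"DENY {door}: unknown badge {badge}")
            return False
        if self.open_door is not None:
            # Interlock rule: while any door is open, all others stay locked.
            self.log.append(f"DENY {door}: {self.open_door} still open")
            return False
        if door == self.doors[0] and self.occupants > 0:
            # Single-occupancy rule: no second person while one is inside.
            self.log.append(f"DENY {door}: vestibule occupied")
            return False
        self.open_door = door
        self.log.append(f"UNLOCK {door} for {badge}")
        return True

    def door_closed(self, door: str) -> None:
        """Door sensor reports closed: re-lock it and update occupancy."""
        if self.open_door != door:
            return
        self.open_door = None
        self.occupants += 1 if door == self.doors[0] else -1
        self.occupants = max(self.occupants, 0)
        self.log.append(f"LOCK {door} occupants={self.occupants}")


def run_scenario() -> list:
    """Constructed walkthrough: one entry, one tailgate attempt, one bad badge."""
    v = Vestibule(("outer", "inner"), {"B-1001", "B-2002"})
    results = [v.request_open("outer", "B-1001")]      # True: room empty, all shut
    results.append(v.request_open("inner", "B-1001"))  # False: outer still open
    v.door_closed("outer")                             # occupant now inside
    results.append(v.request_open("outer", "B-2002"))  # False: cannot tailgate
    results.append(v.request_open("inner", "B-1001"))  # True: proceed inward
    v.door_closed("inner")                             # vestibule empty again
    results.append(v.request_open("outer", "B-9999"))  # False: unknown badge
    return results
```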

Once you’re in the data center, you may find that all of the racks are locked. You must have a key to gain access to the devices that are on the inside. That’s because the hardware inside of these racks may be managed by different organizations, so by having a lock, you can ensure that no one else can gain access to your systems when you’re not there.

These racks usually allow you to mount them side by side because there are usually panels on the side that restrict access, and often the locks on the front still allow ventilation through the top or bottom so that everything inside can stay cool. Here's what this would look like in a data center. You can see these 19-inch racks have all been put side by side, and each one of them has a handle in the front with a key lock integrated into it.

So you have to have the key to be able to unlock that door and gain access to what’s inside of that single panel. We’ve taken the idea of a locked panel and moved it out of the data center and put it into our shopping centers. You often find these smart lockers in front of a place of business where deliveries can be made and then you can pick them up at the smart locker. So if you’re ordering something from a retailer online, they can deliver it to the smart locker, send you an email or a text message with instructions, and then you can show up, put in your personal identification number, and have that locker unlock and provide you with your delivery.

You no longer have to rush home to try to get access to the delivery. You know that you can stop by the smart locker and pick up your package without worrying about someone else taking it when you’re not there. IT security professionals know that third parties are always after our information, whether that’s something that is printed on a sheet of paper or something that is stored on a particular type of media.

If we need to dispose of that information, we need to be sure it’s done in a way that no one else can gain access to that information later. We first have to be sure that we can actually dispose of this information. Some organizations have a legal mandate to maintain this data a certain number of years, so you might keep all of this information online at your main location or you might back it up and store it off site.

You definitely don't want to put this in the normal trash. People will go through your trash, find this information, and then either use it for themselves or post it online. If this is highly secure data, then you may want to consider physically destroying the media, which means that no one would ever gain access to that information. But sometimes you'd like to be able to use this SSD or hard drive for another system, and there are plenty of ways to sanitize the information on that drive so that no one would be able to recover it after the fact.

If you’re working with a piece of infrastructure equipment like a switch, a router, or a firewall, there’s usually an option to perform a factory reset, which will delete all of your personal information, your logs, any encryption keys, and anything else that may be configured in that device. The next person who turns that device on will find that it is exactly the same as if it came from the factory, and none of your personal information will be saved on the device. If this is a hard drive or an SSD, you might want to consider using a wipe data function.

You can usually do this by files, or you can wipe everything that’s on the storage device so that no one can gain access to any of that data.