1 / 21

Physical Security in the IT Environment

Physical Security in the IT Environment. Patrick J. Burns Colorado State University. Theme. “Do what you can with what you have when you can.” T. Roosevelt. Outline. Protecting the physical IT environment Traceability (cameras) A “poor man’s” disaster recovery node. Goal and Objective.

Download Presentation

Physical Security in the IT Environment

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.


Presentation Transcript

  1. Physical Security in the IT Environment Patrick J. Burns Colorado State University

  2. Theme • “Do what you can with what you have when you can.” T. Roosevelt HE Forum on IT Security

  3. Outline • Protecting the physical IT environment • Traceability (cameras) • A “poor man’s” disaster recovery node HE Forum on IT Security

  4. Goal and Objective • Protect the IT environment from major “incidents” • Maintain some level of service in the case of major “incidents” • Cost increases as more services are protected • Strategic decision as to how much to protect • Funding may be available next year from the federal Dept. of Homeland Security – will be funneled through states HE Forum on IT Security

  5. Definitions • Duplication • Automatic or almost automatic fail-over • Examples: clustered services, telephone switches, redundant servers, DNS • Distribution • Geographical separation of duplicated or non-duplicated services • Protecting the IT environment should include elements of both duplication and distribution HE Forum on IT Security

  6. The Vision • Distribute central IT as a strategy to protect the IT environment from disasters • Protection of critical infrastructure has been in vogue since Sept. 11, 2001 • Just “do it” on the cheap, as better than extensive planning for which we will not be funded (based upon 15 yrs. of history) HE Forum on IT Security

  7. Overview of CSU IT Physical IT Infrastructure • Two SONET head ends: ICG and Qwest • Each has multiple fiber paths into CSU, but both enter the same building • Candidate for distribution, but expensive unless negotiated as part of a multi-year service agreement • Used for both voice and data • “Head ends” reasonably secure, alarmed, access id controlled • Adjacent to the telecom office, where many students visit for billing information • Typical conundrum: security vs. access HE Forum on IT Security

  8. Overview of CSU’s … (cont’d) • Fiber/copper buried in the ground or in steam tunnels – reasonably secure • Of 414 buildings in Fort Collins, 211 need fiber • Maybe 30-40 are served by steam tunnels • Secure telecom rooms • Fiber/copper in between telecom rooms in metal conduit, I.e. secure • In-building wiring somewhat secure (in conduit), but scope of vulnerability low (one wire, one user) HE Forum on IT Security

  9. Telecom Rooms • Scope at CSU • 211 buildings, many with multiple telecom rooms (e.g. library has ~17) • Building secure, locked rooms used only for telecommunications • Evicting the janitors • Networking is distributed at CSU, subnet managers need access to the telecom rooms HE Forum on IT Security

  10. Re-keying of Telecom Rooms • Facilities re-keying project • Hundreds of (maybe 1,000) telecom rooms • $100 each for re-keying, 2 keys fit: • Great grand master keys (limited distribution, e.g central staff) • Keys for subnet managers that fit only the telecom rooms in individual buildings HE Forum on IT Security

  11. Telecom Room Access • Facilities issues keys • Require a background check paid for by the subnet manager (~ $12) • Requires signed agreement w/ CSU Telecom • Don’t touch the telephone network • Don’t touch the back end of the network • Touch only patch cords: to maintain 20 year warranty • Use Avaya patch cords only • Dress the patch cords appropriately HE Forum on IT Security

  12. Video Cameras • About 20-30 old analog to CSU PD • Monitored (not well) • Recorded on standard video tape • Require individual fiber connections • New web cameras • Old, central solution insufficient quality (Motion JPEG encoding) • Now, deploying • Pan, tilt and zoom cameras w/ pre-programmed motion • Attached to PC’s in buildings with local storage HE Forum on IT Security

  13. Disaster Recovery • Most IT services at CSU, including redundancy, are co-located • Network backbone nodes meshed and distributed • MMF distance limitation caused us to build six BB nodes • Magnetic tapes stored off site • Enabling factors for distribution • Clustered W2K services • Voice over IP • Multiple servers (boxes) for unix-based IT services • Web cameras HE Forum on IT Security

  14. Currently • Factors that impede, impair or diminish the value of distribution • The “teclo hotel” – central vulnerability • Single SONET node (even though SONET path may be redundant) • Lack of 24x7 staffing • Secure space • Electrical power from a single substation • Cost HE Forum on IT Security

  15. Vulnerability at CSU • In one room, central IT services: • Redundant equipment for Internet access • Router, ATM switch, Packeteer • 31 unix CPU’s in 14 different boxes for e-mail, campus web pages, DNS, unix applications, etc. • W2K domain servers, Cold Fusion server • Administrative application servers • In another room (proximity 100 yards), campus telephony • SL-100 telephone switch, Octel 350 for voicemail, clustered Cisco VoIP Call Managers, SONET, etc. HE Forum on IT Security

  16. CSU’s Accomplishment • Built a simple, redundant node • Geographically isolated from main campus • On a separate electrical substation • Redundant fiber feed from campus BB • Secure and alarmed, but not staffed • Funded from campus rewire project and CSU Telecommunications HE Forum on IT Security

  17. Installed There • Duplicated services • Campus BB network node • Internet equipment • W2K DNS/domain server • File back-up • Planned VoIP distribution/duplication • Big UPS, no generator • Distributed services • Windows server, small AiX server • Explored redundant “head end” services • Too expensive, from ICG for redundancy: $75k SONET, $35k fiber route HE Forum on IT Security

  18. IP Phones Architecture ICG OC12 400 Meridians. 11,000 POTS USC Bldg. Glover Bldg. ICG SONET? Qwest PRI Octel 350 SM SMDI LS1010, Internet Router T-1s Cisco CM SM SL-100 SMDI HDLC HDLC PRI PRI BB 6509 PRI’s Cisco CM Campus GBE BB SHARPS Network W2K #2 AIX Backup, DNS Qwest OC12 OC3 UPS – 2 hr LS 1010, Internet Router BB 6509 Engr. Bldg. Data Center

  19. Still TBD • Still formulating plans for remediation in the event of a disaster • PRI’s for VoIP - 1 DID, 1 DOD? • Separate PRI’s on copper directly from Qwest • Redundant link for Internet (dark fiber) • Strategic placement of VoIP phones across campus, in case of telephone switch failure • Will consider SoftPhone, hardware IP phones • Modem redundancy • MG for new building HE Forum on IT Security

  20. Recommendations • Distribute VoIP services - modems for SMDI link, HDLC for PRI • Distribute DNS servers • Distribute eID, W2K domain servers • Distribute other services as appropriate • IT services: e-mail, CMS, web pages, etc. • Administrative applications • Dark fiber • Develop written document of policies and procedures for disaster recovery HE Forum on IT Security

More Related