Physical Security in the Data Center or the Home
Written by Kevin Korb
as a presentation for GOLUG
Presented on 2005-10-06
This document is available at http://www.sanitarium.net/golug/physical_security.html
- What does this have to do with Linux?
Security is security. The same concepts that apply to computer security can also be applied to physical security. Since physical security is much more hands on than computer security it is much easier to learn about and play with and doing so will help you learn basic concepts which will help with computer security as well.
- Why should we care?
Physical security is just as important as computer security. In fact some times it is even more important. No amount of computer security will help you if someone simply breaks in and steals your computer or even worse installs a key logger so when they come back for the computer they will know your encryption keys. The new USPATRIOT act allows law enforcement to sneak into your home and bug your PC without notice or leaving any evidence. Private investigators often do the same thing. Of course those are just the examples from people who claim to be good guys. The objective of physical security is to make it as difficult as possible for an intruder to get in and to make sure you notice if they do.
- How much security is needed?
This depends on who you are protecting against. The first thing you need to do is determine who your enemy is. If you are trying to protect yourself against a thief trying to steal your TV then decent locks and a motion sensor system is probably all you need. If you are trying to protect sensitive data from some kind of spy then you need really good locks and a really good security system with multiple layers. The biggest difference between these two types of bad guys is that a spy wants to sneak in and steal your secrets without leaving any evidence that they were there while a thief just breaks whatever is in between him and your stuff.
- Door Locks
Look at a building like it is a computer network. The walls are like a firewall. They may not stop a bad guy with a tank but they are usually the strongest point in the security system. Nobody tries to break in through a solid brick wall unless there is no other choice. The door on the wall is kind of like the open ssh port that most of us would leave in our firewall. The lock on that door is kind of like the sshd process and the password would be the key for that lock. There are many types of locks each with its own tradeoffs.
- Key locks: These are the most common type of locks. Most key locks are pin tumbler locks which can provide either very little or very good security depending on how the lock is manufactured and installed.
- + Usually good enough: A plain old key lock usually stopps a thief. IOW they usually find some other point to attack instead of trying to defeat the lock itself which makes them good enough for most applications.
- + Forensic traces: Usually a key lock is enough to convince a bad guy to break a window or something instead of attacking the lock itself. If you are worried about spies then you need either high security key locks or something else all together.
- - Pickable: The high security key locks like Medeco are extremely difficult to pick but it is still possible. The standard key locks that you would get in a hardware store are very easy to pick.
- - Impressioning: It is often possible to create a key for a lock using a technique called impressioning which I will get into later. Impressioning allows an attacker to use your lock to duplicate your key and does not leave the forensic traces that picking does.
- - Duplicate keys: If someone gets ahold of a key it is very easy for them to duplicate it giving them access any time they want it. A high security lock will mitigate this threat by using restricted blanks but a skilled bad guy with a milling machine can make any key.
- - No audit trail: If there is a breach you have no log of when it happened and who might have done it. An electronic system can give a different "key" to each user and log when they are used so you can tell which persons access was used to breach security.
- - Bypass: Depending on how the lock is installed it may be possible to bypass it. Make sure that nothing can be wedged in to operate the bolt without operating the lock. Make sure that the unlock knob can't be reached from the outside. If you have a door with a window in it then you need to use a double sided lock or a thief can just break the window, reach in, and unlock the door from the inside. If the door hinges are on the outside it can also be possible to bypass the lock by removing them.
- - Revocation of access: If you have 30 employees with the same key and one leaves you can never be sure that they didn't copy the key while they had it. The prudent thing to do is to replace or rekey the lock and give new keys to the other 29 emplyees but this can be very inconvenient.
- - Master keys: Key locks with master keys have additional problems which I will get into later.
- Magnetic locks: These are the most common locks used with electronic systems. They use a large electro-magnet to hold the door in place while locked. Most also have a sensor so they can inform the alarm system if someone is pulling on the door without unlocking it first.
- + Usually very sturdy: These locks don't fit within the door and door frame so if they are installed properly they tend to be much more resistant to brute force attacks than other locks.
- + Bypass: If installed correctly these locks are very hard to bypass. They hold onto the door directly so removing the hinges often does no good at all.
- - Dependant on power: These locks are usually installed at locations that have backup power (UPS and/or generator) so it isn't as big of a problem as it could be but it is unfortunately common for these devices to be overlooked during power system installations which can leave them on unprotected power. If they are unprotected then a power failure will unlock the door.
- - Dependant on contact: Since these locks are just magnets there must be good contact between the magnet and the metal plate on the door. If the door sticks and never makes contact with the lock then the door is not locked. If someone puts a thick layer of tape or a small rubber stopper between the lock and the plate they can make the door seem to lock but they will be able to pull it open later with a bit of force.
- - Fire code: The fire code requires that all magnetic locks release whenever the building fire alarm goes off. Normally a bad guy isn't willing to attract the fire department just to get through your door however if the fire panel is located somewhere outside of the protection of the lock then it may be possible to convince the lock that the fire alarm is going off without actually setting it off. If that happens the door will simply unlock and the only audit trail will likely be a "trouble" signal on the fire alarm not a security alarm on the door.
- Strike locks: These are locks that are both electronic and mechanical. They are triggered electronicly but use a manual bolt to hold the door in place like a key lock.
- + Fire code: These locks are allowed to remain locked during a fire alarm so that is not an issue.
- - Bypass: These have all the bypass problems of a key lock but they are required by fire code to have a more simplistic unlocking method to allow people out in an emergency. This is often much easier to access from the outside than regular key locks with knobs. It is suprisingly common for the strike lock release to not only be accessible from the outside but even visible making the lock just about useless. If you use these locks they MUST be installed perfectly or you may as well use a plain old key lock.
- Motion Sensor release: This isn't really a security device but it is important to mention since it can break security. These are the little motion sensors that are often installed above doors with electronic locks on the inside so that people can simply walk out without having to hit any buttons or operate any locks.
- + Convenience: This is the only positive aspect of these things. They let you through the door quicker.
- - Bypass: These are often way too easy to use to bypass the electronic lock. If the door has anything less than an air tight seal all the way around it will probably be possible to trigger the motion sensor from the outside. A straightened coat hanger with a piece of paper attached to it (like a flag) can be slipped under or in between doors and waved in front of the motion sensor until the door unlocks. In almost every installation I have seen these things they are the weakest link in the security and very easy to trigger from the outside.
- Magnetic strip cards: These are the old fassioned kind of key cards. They have a magnetic strip that must be swiped through a reader like a credit card.
- + Can't be picked: Since there are no moving parts you can't pick the lock
- + Can store secure data: If you put something on the card that can't be easily guessed like a long random string or a hash it is virtually impossible for an attacker to create his own card.
- + Audit trail: Since each key card can be unique it is possible to log who unlocked the door and when they did it.
- + Revocation of access: This is really easy to do with access cards since you can simply cancel the card from the system. After that any unauthorized copies that were made will not work and you don't even have to collect the card.
- - Duplicate cards: If someone gets ahold of a card it is relatively easy to duplicate it. You can get mag strip card writers on eBay for not much money.
- - Audit trail: This can also be a disadvantage. If someone's card does get duplicated without their knowledge when a breach is detected they will get the blame for it. The log of the card swipe is certainly enough for an innocent person to lose a job and may even put them in jail.
- Proximity cards: These are somewhat newer access card systems that rely on RFID technology to communicate the secret stored on the card to the lock instead of a magnetic strip. The cards are usually about 3 credit cards thick and have no strip on them.
- + Convenience: Once again we have something that was created for convenience. Since the card can be read at a short distance there is no need to remove it from your wallet. You can simply wave your wallet containing the card in front of the lock and the door will open.
- - Can be read at a distance: Like a magnetic strip card these cards can be cloned. However, unlike a magnetic strip card you don't have to possess the card in order to clone it. These cards will happily give away their secret to any reader that happens to come within range. To make matters worse the range is dependant upon the power in the reader not the card. It is possible to read these cards from as far away as 10 feet using a reader that can fit in a brief case. Someone could sit on a bench on the street and clone every card that walks past them. They could take a ride in an elevator with you and you will never know that your key was copied.
- Challange/response cards: These are the most secure access cards you can get currently. The card reader sends a challange and a string of random data to the card which encrypts the random string using a key based on the card's secret and the challange. The card then transmits the encrypted string back to the reader where it is verified. Since the string is random it will only work once. If an attacker intercepts the signal it can't be used later to unlock the door and anything they read from the card itself will not help them later. They have a variety of looks. Originally they looked like credit cards with smart chips on them and required physical contact like a magnetic strip card but recently they have started making challange/response cards that work and look like proximity cards so it is not always easy to tell what you have.
- + Can't be cloned: The only way to clone one of these cards would be to sniff a whole bunch of challange/response sessions to build a big enough data pool to be able to do a crypto-analysis and reverse engineer the card's secret which is never transmitted. This would take a great deal of time and resources.
- Biometrics: These are devices like finger print and iris scanners that use a person's own body as the key.
- + Convenience: Since the user's own body is the key there is no need to carry anything around and there is no chance of locking your keys inside.
- + A great addition: If a biometric system is used in conjunction with some other secret based system it can add a great deal of protection against cloning or picking.
- - Impressioning: It is often possible to convince a finger print reader that you are the last person who used it by enhancing the print left on the reader's screen.
- - Cloning: It is possible to take a picture of someone's iris from a distance with a good camera and we leave finger prints all over so it is easy to get the keys and fabricate duplicates.
- - Key changing: If an attacker does duplicate your iris or finger print it is impossible to change them. This means that once you have been compromised you can never trust a biometric system again.
- - Government databases: Expect that any part of you which can be used as a biometric key will probably be logged by the goverment and put into a database eventually and that db could be compromised revealing your keys.
Just like in the computer world windows are usually the weakest link in security. Windows are easy to break and their locks are usually easy to defeat. It is a good idea to assume that your windows WILL be breached and have a second layer of security behind them like a motion sensor.
- Door and Window Alarms
These are a good idea to have however they are often fairly easy to defeat if the attacker knows they are there. They are usually a pair of magnets that short a pair of electrical contacts whenever they are in contact. However a magnet is a magnet and the one on the door can usually be replaced with any other magnet and trick the sensor into thinking that the door is closed. This should not be your only layer of security.
- Motion Sensors
These are the most common final layer of security. Their purpose is to detect when the other layers of security have been breached and someone is inside who shouldn't be. If they are installed properly they can be very difficult to defeat and will almost always detect an intruder. Placement is very imporant and any time you change the layout of a room you need to make sure that the parts of the room where an intruder is likely to be are visible to a sensor. I have seen more than one computer room with a new server cabinet sitting directly in front of a motion sensor making it useless.
- Other Sensors
There are tons of other types of sensors you can add to an alarm system. Sound sensors are somewhat common and can detect things like a breaking window very well. Most people do not need any extra specialized sensors however since they are uncommon they can sometimes trip a clever intruder that doesn't know they are there.
- Knox Box
The Knox Box is a hardened box that is mounted on the outside of many businesses and office buildings. There is no law that requires them however it is a good thing for a business to have. The Knox Box is essentially a safe where you keep a copy of every key that is needed to get into any part of your building. The Knox Box can ONLY be opened by a special key that is only available to your fire department. When you order a Knox Box you must do so through your local fire department to ensure you get one with the correct key and it will arrive open. Once you install it, fill it with keys, and close it you can't open it again. Only your local fire department has the key. The idea behind the Knox Box is to allow the fire department and the paramedics easy access to your building in an emergency. The alternative of course is for them to take a fire ax or a big circular saw to your door which they will not hesitate to do if they believe someone is in danger or the building is on fire. The lock on the Knox Box is a Medeco and is very difficult to pick. Some of the Knox Box models have an optional connection in the back to connect to your security system so you get an alarm if it is opened.
- Lock Picking
Lock picking is a way of exploiting design flaws in a lock to unlock it without a key. The way it works is you use a tension wrench to put pressure on a lock until the pins bind. Then you can use a pick to move the pins into place until the lock opens.
Here is a picture that shows how a key moves the pins inside of a lock to open it:
As you can see when the correct key moves the pins so that the split between the bottom and top pins matches up with the split between the lock and the cylendar (the sheer line) the cylendar can turn which opens the lock.
Here are 2 flash animations that show the same thing in an animated way: