Penetration Testing mailing list archives
Re: [PEN-TEST] Datacenter Wiring
From: Tom Litney <Tom.Litney () NET-RELIANCE COM>
Date: Fri, 20 Oct 2000 11:43:55 -0700
This is a topic that I fear many of us do not take seriously because it is not a "geek" topic - physical security.
.....
stonewall
I'd like to thank stonewall for his insightful comments. Yes he is right on the mark. I have waited a bit before responding to a thread that I have started. First I would like to summarize some of the replies and then try to synopsize the two camps in this discussion from my stand point. Several people have offered solutions. For example, just encrypt all of your data if you are worried about problems with your wires. I don't think that is real world, though it may be desirable. I have never been in a commercial datacenter where all traffic was encrypted. And as a long time warrior in the hardware vendor wars, I can speak to the difficulty of getting vendors to consider simple changes like using ssh as opposed to telnet for administration. But in this case, I was looking for opinions from a penetration standpoint not solutions to cover up the problem. Others have suggested that if the bad guys are in your datacenter already, you are toast. Hey guys, we are in your data centers and as stonewall and others point out it is very hard to keep us out. They have also stated that if we have penetrated the datacenter there are lots of things we might do that are much easier that screwing with the wires. As a long time physical penetration bunkie I have to agree. I have lifted my share of keyboards and found lots of wonderful stuff "secretly" posted on monitors, walls, etc. With the increases in corporate espionage you must assume a compromise. And then several folks have provided opinions regarding their feeling on conduit verses open wiring and I would like to thank them. Some have been very interesting like the one that suggested using metal conduit and protecting it harmonics. As I see the discussion, folks basically break up into two camps. One I will call wire walkers and the other wire hiders (in conduit). The wire walkers feel that exposed wires are more secure because they feel that they can follow the wire visually and discover if it has been tampered with by a bad guy. They feel that if it is run through conduit, they can not see it or follow it and assume that it has been tampered with because they can't prove otherwise. They feel that they can easily detect a compromise and take immediate corrective action. Is this real world? Doesn't this also help the penetrators identify target wires? Aren't we sneaky enough to tap in to a wire in ways that would not be obvious to the naked eye? (inductive etc.) Now the wire hiders feel that putting a wire in conduit protects it from tapping because it is harder to target and you have to penetrate the barrier to make it happen. They argue that they can walk their conduit as easily as wire walkers can walk their wires. They feel that the conduit may provide other protection for their wires besides just tapping protecting. Does a putting a wire in conduit help conceal a potential tap and make it harder to discover? Does the conduit make it harder for the perps to identify targets? Is walking conduit real world as it tends to be in areas that are not easily accessible. My initial question was attempting to solicit an opinion from you, the experts. Disregarding for a minute the hardware on either side of the wire and whether all traffic should be encrypted questions but focusing in on just the physical wire security. You have been approached by one of your clients who is building a datacenter. They are asking your opinion on how they should wire it to provide the best security against penetration. Which method would you recommend? Are you a wire walker or a wire hider? And why? That was the conversation I hoped to create with my post. I want to thank all who have replied and hope the rest of you will consider how you feel on this subject. Who knows when it may come up in the real world for you. As someone pointed out the US government seems to fall into the wire walker camp. Are they right? I suspect that a majority of the people on this list are remote tool penetrators. Nothing gets your juices flowing more than trying a little physical penetration (nothing illegal mind you). Get your best smile ready, warm up your bull sh** generator, and have at it. You should really try it once if you get the chance. It is really very interesting and I think the results will scare the heck out of you, if you believe datacenters are secure. Also, you better keep a get out of jail free card handy, just in case. :-)) Tom
Current thread:
- Re: [PEN-TEST] FW: [PEN-TEST] Forensic analisys and related training, (continued)
- Re: [PEN-TEST] FW: [PEN-TEST] Forensic analisys and related training Bennett, Geoffrey (Oct 17)
- [PEN-TEST] Datacenter Wiring Tom Litney (Oct 18)
- Re: [PEN-TEST] Datacenter Wiring Frasnelli, Dan (Oct 18)
- Re: [PEN-TEST] Datacenter Wiring JLJ (Oct 20)
- Re: [PEN-TEST] Datacenter Wiring Andre Delafontaine (Oct 20)
- Re: [PEN-TEST] Datacenter Wiring c0ncept (Oct 20)
- Re: [PEN-TEST] Datacenter Wiring Peter Van Epp (Oct 20)
- Re: [PEN-TEST] FW: [PEN-TEST] Forensic analisys and related training Bennett, Geoffrey (Oct 17)
- Re: [PEN-TEST] Datacenter Wiring Aj Effin ReznoR (Oct 20)
- Re: [PEN-TEST] Datacenter Wiring Darryl Luff (Oct 19)
- Re: [PEN-TEST] Datacenter Wiring JLJ (Oct 19)
- Re: [PEN-TEST] Datacenter Wiring Tom Litney (Oct 20)
- Re: [PEN-TEST] Datacenter Wiring Drew Simonis (Oct 21)
- Re: [PEN-TEST] Datacenter Wiring McGann, J (Oct 21)
- Re: [PEN-TEST] Datacenter Wiring Lady Sharrow (Oct 24)
- Re: [PEN-TEST] Datacenter Wiring Graham Lewis (Oct 25)
- Re: [PEN-TEST] Datacenter Wiring Jose Nazario (Oct 25)
- Re: [PEN-TEST] Datacenter Wiring van der Kooij, Hugo (Oct 25)
- [PEN-TEST] PEN TEST Price list Erick Arturo Perez Huemer (Oct 24)