It is often said that physical security is one of the first considerations in a layered defence model.
In this case we are talking about how all servers, routers, switches and hubs should be physically protected by, for example, being locked in a specific server room. However, is it really that secure?
Consider the following scenarios. Your organisation manages several important servers.
As the system administrator, you do the right thing and have these precious cornerstones of your IT infrastructure locked away in the designated server room where only certain administrators and hardware technicians are allowed access.
Disaster Stories From The Server Room
No problems here – this is the right and proper thing to do. So why is it that, if I wanted to, I could write a book entitled Disaster Stories from the Server Room? A few real-life stories from this fictional title might include:-
• The Day The IT Administrator Accidentally Turned off the Wrong Server
It is a very easy mistake to make when there are so many servers. You are having a problem with a server that won’t shut down or reboot, so you physically hit the on/off button but whoops – it’s the wrong server!
• How a Rogue IT Admin Hacked into a Secure Server
No matter what type of security you have implemented on a server, as soon as there is physical access, the data and programs on that server can easily be compromised by booting into an alternative operating system via floppy disk, CD-ROM or USB device.
This is the case whether you have Windows or Linux, encryption or access controls. So the reality is that, wherever possible, no one should come near your servers or have any physical access to the server room.
When you give administrators physical access to the server room, they have access to all the servers, even the ones they are not authorised for.
In addition, it is only human nature to be curious, especially IT engineers!
• The Day All The Servers Were Shut Down
Many server rooms have a number of buttons that can instantly provide or remove power from all systems.
The accident referred to, in this case, relates to a junior administrator accidentally leaning on the switch which had been placed too low down on the wall.
There are many more of these common accidents and deliberate attempts at attacking a system. The point is that if you physically lock a system away – then physical access wherever possible should be limited. If anyone has physical access to a server then things can potentially go wrong.
The Top Two Security Threats
If you have a look at any IT-related security statistics, you will see that the top two security compromises are caused by internal staff: either staff errors caused by mis-configuration or working on the wrong server, or actions by unauthorised staff.
So in a secure environment, what exactly can we do to mitigate this problem? Well, one solution is to use an extended version of the humble KVM (keyboard, video, mouse) device.
You can find these devices in most server rooms. They are the units that allow you to access racks of servers by using only one keyboard, mouse and monitor.
The KVM would be housed in one secure room, whilst the server racks are stored in another. This gives physical security to both the KVM device and the servers. Now the beauty of this solution is that it:-
• Prevents accidents such as on/off buttons being accidentally pressed or network or power cables being pulled out by mistake while working near the cabinets.
• Prevents physical access to the servers, where any rogue administrator could compromise a system or learn the access codes to systems that they do not have authority over.
• Maintains the aggregation of racks of servers into a single console and gives quick access to all servers. Systems usually require a user to log on but this normally is a generic ‘password’ for simplicity.
The Problems of Traditional KVM Switches
Using your KVM switches in this fashion gives you greater physical security. However, what traditional KVMs don’t give you is:-
• Auditing facilities, such as which servers were accessed by an administrator logged on at that KVM, and at what time.
• The ability to hide servers that an administrator has no authorisation to view (and hence potentially access).
• The ability to authenticate the user accessing the KVM switch itself to an external DB, such as Active Directory – any user will have controlled console access to a server on the KVM switch.
In other words, what is needed is some type of built-in intelligence. There are however companies such as Raritan (www.raritan.com) that provide intelligent switches combined with centralised monitoring devices that can give you this additional security.
Bringing Intelligence to Console Management
In order to provide the extra security, each device has a certain amount of intelligence by using embedded appliances.
By giving each KVM switch an embedded processor, intelligent access and control can be created.
This allows connection to the network via interfaces with a central authorisation device that can audit and control access.
The beauty of built-in intelligence is that it still gives the user the fast access they need, but only via a central log-on point to the switch before even gaining any type of access to a server.
In addition, this logon can be linked to a database, which contains the exact servers an administrator has access to and which switch those servers are connected to.
In this new scenario, when an administrator wishes to access a server:-
• They are first forced to authenticate to a central device
• This device shows only the servers that the administrator is allowed to manage (e.g. Server A, Server G and Server Y), thus preventing rogue users from having console access to servers for which they have no authority (e.g. Server X).
• This device will also audit when the administrator logged on, which servers they accessed and how long they were on those servers for.
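The three steps above can be modelled in a few lines. This is an added example, not code from the article or from any vendor's product: the CentralConsole class, the admin names, passwords and kvm-1/kvm-2 switch names are hypothetical, and the local password store stands in for an external directory.

```python
import hashlib, hmac, os

def _kdf(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class CentralConsole:
    """Hypothetical central console: authenticate, filter the view, audit."""
    def __init__(self):
        self.creds = {}      # admin -> (salt, password hash); stand-in for a directory
        self.acl = {}        # admin -> {server name: KVM switch it hangs off}
        self.active = set()  # admins who have authenticated
        self.open = {}       # (admin, server) -> session start time
        self.audit = []      # (time, admin, event, server)

    def add_admin(self, admin, password, servers):
        salt = os.urandom(16)
        self.creds[admin] = (salt, _kdf(password, salt))
        self.acl[admin] = dict(servers)

    def login(self, admin, password, now):
        salt, stored = self.creds.get(admin, (b"\0" * 16, b""))
        ok = hmac.compare_digest(_kdf(password, salt), stored)
        if ok:
            self.active.add(admin)
        self.audit.append((now, admin, "login_ok" if ok else "login_failed", None))
        return ok

    def visible_servers(self, admin):
        # Servers outside the admin's ACL are never listed at all.
        return sorted(self.acl[admin]) if admin in self.active else []

    def connect(self, admin, server, now):
        switch = self.acl.get(admin, {}).get(server) if admin in self.active else None
        self.audit.append((now, admin, "connect" if switch else "denied", server))
        if switch:
            self.open[(admin, server)] = now
        return switch  # None means no console path was granted

    def disconnect(self, admin, server, now):
        started = self.open.pop((admin, server))
        self.audit.append((now, admin, "disconnect", server))
        return now - started  # session length in seconds

def demo():
    c = CentralConsole()  # constructed sample data below
    c.add_admin("alice", "correct horse", {"Server A": "kvm-1", "Server G": "kvm-1", "Server Y": "kvm-2"})
    c.add_admin("bob", "battery staple", {"Server X": "kvm-2"})
    c.login("alice", "correct horse", now=0)
    seen = c.visible_servers("alice")
    denied = c.connect("alice", "Server X", now=5)
    switch = c.connect("alice", "Server G", now=10)
    length = c.disconnect("alice", "Server G", now=610)
    return seen, denied, switch, length, [e[2] for e in c.audit]
```

The "denied" entries in the audit list are the records a central system would raise alerts on.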
A by-product of this more secure way of managing servers is the aggregation of server management.
As you can see in diagram 1, in addition to providing additional security features, the Intelligent Central Monitoring Console has also aggregated the KVM switch devices, thus allowing for the management of potentially thousands of servers if required - all via a single console or web browser.
Having the intelligence in the central monitoring console means that functionality can be increased. Some examples of this include:-
• Web browser access from any secured workstation using SSL authentication and encryption features.
• The ability to automatically log an authenticated administrator on to any and all servers they are authorised to manage.
• The ability to alert a central system, should any kind of unauthorised access be attempted.
• The ability to produce a variety of special reports on device usage, access and fault analysis.
In this article, we’ve purely focused on physical security and minimising damage and denial of service from bad physical security implementations.
However, there are many other benefits, such as consolidation of server management as seen in Diagram 1. Console access to servers is essential and is going to be required for the foreseeable future.
Where possible, every enterprise should restrict access to the datacenter but offer secured console access.
For best practice, enterprises should consider solutions that can enhance the console access security while still giving the fast access IT users require in the modern datacenter.
Raritan Inc is one of the companies that are leading the way in this type of deployment, increasing security and the functionality of the tools offered (www.raritan.co.uk).
Ben Chai is the content director for ITProPortal.com and a director for Incoming Thought Limited who specialise in security white papers and security education.