nanog mailing list archives
Re: Fiber cut in SF area
From: Shane Ronan <sronan () fattoc com>
Date: Sat, 11 Apr 2009 10:59:05 -0400
An easy way to describe what you're saying is "Security by obscurity is not security"
On Apr 11, 2009, at 8:31 AM, Joe Greco wrote:
Jo¢ wrote:

I'm confused, but please pardon the ignorance. All the data centers we have are at minimum keys to access data areas. Not that every area of fiber should have such, but at least should they? Manhole covers "can" be keyed. For those of you arguing that this is not enough, I would say at least it’s a start. Yes if enough time goes by anything can happen, but how can one argue an ATM machine that has (at times) thousands of dollars stands out 24/7 without more immediate wealth. Perhaps I am missing something here, do the Cops stake out those areas? dunno

The nice thing about the outdoors is how much of it there is.

Cute, but a lot of people seem to be wondering this, so a better answer is deserved.

The ATM machine is somewhat protected for the extremely obvious reason that it has cash in it, but an ATM is hardly impervious.

http://www.youtube.com/watch?v=4P8WM8ZZDHk

There are all sorts of strategies for attacking ATM's, and being susceptible to a sledgehammer, crowbar, or truck smashing into the unit shouldn't be hard to understand.

Most data centers have security that is designed to keep honest people out of places that they shouldn't be. Think that "security guard" at the front will stop someone from running off with something valuable? Maybe. Have you considered following the emergency fire exits instead? Running out the loading dock? Etc?

Physical security is extremely difficult, and defending against a determined, knowledgeable, and appropriately resourced attacker out to get *you* is a losing battle, every time.

Think about a door. You can close your bathroom door and set the privacy lock, but any adult with a solid shoulder can break that door, or with a pin (or flathead or whatever your particular knob uses) can stick it in and trigger the unlock. Your front door is more solid, but if it's wood, and not reinforced, I'll give my steel-toed boots better than even odds against it. What? You have a commercial hollow steel door? Ok, that beats all of that, let me go get my big crowbar, a little bending will let me win. Something more solid? Ram it with a truck. You got a freakin' bank vault door? Explosives, torches, etc. Fort Knox? Bring a large enough army, you'll still get in.

Notice a pattern? For any given level of protection, countermeasures are available.

Your house is best "secured" by making changes that make it appear ordinary and non-attractive. That means that a burglar is going to look at your house, say "nah," and move on to your neighbor's house, where your neighbor left the garage open.

But if I were a burglar and I really wanted in your house? There's not that much you could really do to stop me. It's just a matter of how well prepared I am, how well I plan.

So. Now. Fiber. Here's the thing, now.

First off, there usually isn't a financial motivation to attack fiber optic infrastructure. ATM's get some protection because without locks, criminals would just open them and take the cash. Having locks doesn't stop that, it just makes it harder. However, the financial incentive for attacking a fiber line is low. Glass is cheap. We see attacks against copper because copper is valuable, and yet we cannot realistically guard the zillions of miles of copper that is all around.

Next. Repair crews need to be able to access the manholes. This is a multifaceted problem. First off, since there are so many manholes to protect, and there are so many crews who might potentially need to access them, you're probably stuck with a "standardized key" approach if you want to lock them. While this offers some protection against the average person gaining unauthorized access, it does nothing to prevent "inside job" attacks (and I'll note that this looks suspiciously like an "inside job" of some sort). Further, any locking mechanism can make it more difficult to gain access when you really need access; some manholes are not opened for years or even decades at a time. What happens when the locks are rusted shut? Is the mechanism weak enough that it can be forced open, or is it tolerable to have to wait extra hours while a crew finds a way to open it?

Speaking of that, a manhole cover is typically protecting some hole, accessway, or vault that's made out of concrete. Are you going to protect the concrete too? If not, what prevents me from simply breaking away the concrete around the manhole cover rim (admittedly a lot of work) and just discarding the whole thing?

Wait. I just want to *break* the cable? Screw all that. Get me a backhoe. I'll just eyeball the direction I think the cable's going, and start digging until I snag something.

Start to see the problems?

I'm not saying that security is a bad thing, just a tricky thing.

... JG
--
Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
"We call it the 'one bite at the apple' rule. Give me one chance [and] then I won't contact you again." - Direct Marketing Ass'n position on e-mail spam (CNN)
With 24 million small businesses in the US alone, that's way too many apples.