Penetration Testing mailing list archives
Re: [PEN-TEST] Datacenter Wiring
From: JLJ <stonewall () CAVTEL NET>
Date: Thu, 19 Oct 2000 15:25:09 -0400
This is a topic that I fear many of us do not take seriously because it is not a "geek" topic - physical security. Ultimately, you must secure the physical premises 24X7 or you are not safe from wire snooping, BIOS/motherboard attacks, etc.

It is relatively easy to bribe your way in with the night cleaning crew and install all sorts of fun stuff. Money talks when the cleaning crew gets minimum wage and they have three floors to do tonight... ("I left my wife's anniversary card on my desk; I'll get it and just be a minute...oh, come on...OK, here's $20, have one on me for your trouble"). If there's no TV in the building you have the run of the place.

Physical security measures include perimeter building security, access control systems, patrol, CCTV (recorded, of course), and other measures. You must assess your client's risks, their budgets, and advise them of measures to be taken in some priority order. The physical threat is very very real. If you don't secure the premises, then walking the wire is good right up until you leave...

At large shops you can spend quite a while figuring out the wiring, since it has been added to, patched, upgraded, and generally mangled over the years by many different contractors (phone, network, etc) and employees. You will most often find drops still connected in the closet to hubs/switches that no longer have a workstation on the other end. TDRs can find splices, but pinging drops is quite labor-intensive. If there is some reason to believe a client is physically tapped, this may be justified.

Clients must be made to understand that they have to secure their premises (and not just the servers). I got my start in physical security, I could go on about this forever, I think you get the idea.

stonewall