Penetration Testing mailing list archives

Re: [PEN-TEST] Datacenter Wiring


From: JLJ <stonewall () CAVTEL NET>
Date: Thu, 19 Oct 2000 15:25:09 -0400

This is a topic that I fear many of us do not take seriously because it is
not a "geek" topic - physical security.  Ultimately, you must secure the
physical premises 24X7 or you are not safe from wire snooping,
BIOS/motherboard attacks, etc.  It is relatively easy to bribe your way in
with the night cleaning crew and install all sorts of fun stuff.  Money
talks when the cleaning crew gets minimum wage and they have three floors to
do tonight... ("I left my wife's anniversary card on my desk; I'll get it and
just be a minute...oh, come on...OK, here's $20, have one on me for your
trouble").  If there's no TV in the building you have the run of the place.

Physical security measures include perimeter building security, access
control systems, patrol, CCTV (recorded, of course), and other measures.
You must assess your client's risks, their budgets, and advise them of
measures to be taken in some priority order.  The physical threat is very
very real.  If you don't secure the premises, then walking the wire is good
right up until you leave...

At large shops you can spend quite a while figuring out the wiring, since it
has been added to, patched, upgraded, and generally mangled over the years
by many different contractors (phone, network, etc) and employees.  You will
most often find drops still connected in the closet to hubs/switches that no
longer have a workstation on the other end.

TDRs can find splices, but pinging drops is quite labor-intensive.  If there
is some reason to believe a client is physically tapped, this may be
justified.  Clients must be made to understand that they have to secure
their premises (and not just the servers).  I got my start in physical
security.  I could go on about this forever; I think you get the idea.

stonewall

