Penetration Testing mailing list archives

Re: [PEN-TEST] Datacenter Wiring


From: Tom Litney <Tom.Litney () NET-RELIANCE COM>
Date: Fri, 20 Oct 2000 11:43:55 -0700


This is a topic that I fear many of us do not take seriously because it is
not a "geek" topic - physical security.
.....
stonewall

  I'd like to thank stonewall for his insightful comments.  Yes he is right
on the mark.  I have waited a bit before responding to a thread that I have
started.  First I would like to summarize some of the replies and then try
to synopsize the two camps in this discussion from my standpoint.  Several
people have offered solutions.  For example, just encrypt all of your data
if you are worried about problems with your wires.  I don't think that is
real world, though it may be desirable.  I have never been in a commercial
datacenter where all traffic was encrypted.  And as a long time warrior in
the hardware vendor wars, I can speak to the difficulty of getting vendors
to consider simple changes like using ssh as opposed to telnet for
administration.  But in this case, I was looking for opinions from a
penetration standpoint not solutions to cover up the problem.  Others have
suggested that if the bad guys are in your datacenter already, you are
toast.  Hey guys, we are in your data centers and as stonewall and others
point out it is very hard to keep us out.  They have also stated that if we
have penetrated the datacenter there are lots of things we might do that are
much easier than screwing with the wires.  As a long time physical
penetration bunkie I have to agree.  I have lifted my share of keyboards and
found lots of wonderful stuff "secretly" posted on monitors, walls, etc.
With the increases in corporate espionage you must assume a compromise.  And
then several folks have provided opinions regarding their feeling on conduit
versus open wiring and I would like to thank them.  Some have been very
interesting like the one that suggested using metal conduit and protecting
it harmonics.

  As I see the discussion, folks basically break up into two camps.  One I
will call wire walkers and the other wire hiders (in conduit).  The wire
walkers feel that exposed wires are more secure because they feel that they
can follow the wire visually and discover if it has been tampered with by a
bad guy.  They feel that if it is run through conduit, they can not see it
or follow it and assume that it has been tampered with because they can't
prove otherwise.  They feel that they can easily detect a compromise and
take immediate corrective action.  Is this real world?  Doesn't this also
help the penetrators identify target wires?  Aren't we sneaky enough to tap
in to a wire in ways that would not be obvious to the naked eye? (inductive
etc.)  Now the wire hiders feel that putting a wire in conduit protects it
from tapping because it is harder to target and you have to penetrate the
barrier to make it happen.  They argue that they can walk their conduit as
easily as wire walkers can walk their wires.  They feel that the conduit may
provide other protection for their wires besides just tapping protection.
Does putting a wire in conduit help conceal a potential tap and make it
harder to discover?  Does the conduit make it harder for the perps to
identify targets?  Is walking conduit real world as it tends to be in areas
that are not easily accessible?

  My initial question was attempting to solicit an opinion from you, the
experts.  Disregarding for a minute the hardware on either side of the wire
and whether all traffic should be encrypted questions but focusing in on
just the physical wire security.  You have been approached by one of your
clients who is building a datacenter.  They are asking your opinion on how
they should wire it to provide the best security against penetration.  Which
method would you recommend?  Are you a wire walker or a wire hider?  And
why?  That was the conversation I hoped to create with my post.  I want to
thank all who have replied and hope the rest of you will consider how you
feel on this subject.  Who knows when it may come up in the real world for
you.  As someone pointed out the US government seems to fall into the wire
walker camp.  Are they right?

  I suspect that a majority of the people on this list are remote tool
penetrators.  Nothing gets your juices flowing more than trying a little
physical penetration (nothing illegal mind you).  Get your best smile ready,
warm up your bull sh** generator, and have at it.  You should really try it
once if you get the chance.  It is really very interesting and I think the
results will scare the heck out of you, if you believe datacenters are
secure.  Also, you better keep a get out of jail free card handy, just in
case. :-))

       Tom

