[187587] in North American Network Operators' Group


Re: Shared cabinet "security"

daemon@ATHENA.MIT.EDU (Sean)
Fri Feb 12 09:56:12 2016

X-Original-To: nanog@nanog.org
Date: Fri, 12 Feb 2016 07:56:07 -0700
From: Sean <spedersen.lists@gmail.com>
To: Mike Hammett <nanog@ics-il.net>,
 North American Network Operators' Group <nanog@nanog.org>
In-Reply-To: <1767618948.585.1455116296142.JavaMail.mhammett@ThunderFuck>
Errors-To: nanog-bounces@nanog.org

Some examples from where I work:

- Open space, but your own cabinet. We have open areas where there are rows of half and full cabinets where customers can rent space. That cabinet space is theirs, but they’re in the open and anyone can get to the physical cabinet. While in general the cabinets are secure, they could still be broken into. One could also disconnect power from the overhead junction boxes, or cut the fiber/copper feed going into the cabinets.

- Caged space. Your cabinets are inside a locked cage. You can choose to have a “ceiling” installed if you think someone is going to squirrel their way up the walls. The whole area is locked, no one else can get in. Unless they crawl under the floor! Access to power and data lines is only available inside the cage.

- Completely isolated space. We have a few customers that have paid to build literal walls around their leased space, giving them a completely isolated data center within a data center. Probably the most secure from the customer’s perspective, as they can and have employed their own man-traps, security systems, surveillance, etc. on top of our own.

- Module space. We have fully-enclosed modules that are RFID card access only. Half or whole modules can be leased. Similar to a caged space, but completely sealed and self-contained. Some of them are shared space, so the same potential issues in the first bullet apply.

On top of this, the data center is carded, man-trapped, iris-scanner’d, video-surveilled, etc. No lasers or pressure-sensitive plates.

These are just examples to illustrate some of the different levels of access someone else might have to another entity’s gear. I’d be curious to hear examples of cases where malicious activity took place within a data center, one customer to another.



On 2/10/16, 7:59 AM, "NANOG on behalf of Mike Hammett" <nanog-bounces@nanog.org on behalf of nanog@ics-il.net> wrote:

>I say "security" because I know that in a shared space, nothing is completely secure. I also know that with enough intent, someone will accomplish whatever they set out to do regarding breaking something of someone else's. My concern is mainly towards mitigation of accidents. This could even apply to a certain degree to things within your own space and your own careless techs.
>
>If you have multiple entities in a shared space, how can you mitigate the chances of someone doing something (assuming accidentally) to disrupt your operations? I'm thinking accidentally unplug the wrong power cord, patch cord, etc. Accidentally power off or reboot the wrong device.
>
>Obviously labels are an easy way to point out to someone that's looking at the right place at the right time. Some devices have a cage around the power cord, but some do not.
>
>Any sort of mesh panels you could put on the front\rear of your gear that you would mount with the same rack screw that holds your gear in?
>
>-----
>Mike Hammett
>Intelligent Computing Solutions
>http://www.ics-il.com
>
>Midwest-IX
>http://www.midwest-ix.com

