[187609] in North American Network Operators' Group
Re: Shared cabinet "security"
daemon@ATHENA.MIT.EDU (Mike Hammett)
Sat Feb 13 11:35:16 2016
X-Original-To: nanog@nanog.org
Date: Sat, 13 Feb 2016 10:35:10 -0600 (CST)
From: Mike Hammett <nanog@ics-il.net>
Cc: nanog@nanog.org
In-Reply-To: <56BF5A1D.8070904@unlimitednet.us>
Errors-To: nanog-bounces@nanog.org
AFAIK, there's no way to securely compartmentalize someone else's rack, whi=
ch is why I've been going down this road.=20
-----=20
Mike Hammett=20
Intelligent Computing Solutions=20
http://www.ics-il.com=20
Midwest-IX=20
http://www.midwest-ix.com=20
----- Original Message -----
From: "Jason Canady" <jason@unlimitednet.us>=20
To: nanog@nanog.org=20
Sent: Saturday, February 13, 2016 10:30:21 AM=20
Subject: Re: Shared cabinet "security"=20
Mike,=20
Are you leasing a full cabinet and sub-leasing out portions of it? Not=20
sure how you can define what other customers do, unless they're your=20
customers. Split cabinets are ideal, as you the sections are=20
compartmentalized.=20
--=20
Jason Canady=20
Unlimited Net, LLC=20
Responsive, Reliable, Secure=20
www.unlimitednet.us=20
jason@unlimitednet.us=20
twitter: @unlimitednet=20
On 2/13/16 11:25 AM, Mike Hammett wrote:=20
> Right, but that doesn't limit one's ability (intentional or not) to pull =
out the wrong power cord or smack someone's loosely ran cables, etc. We're =
sorting out some standards now and I think it'll largely involve color codi=
ng, wire looms, horizontal cable management and a "cabinet practices" docum=
ent defining standards for use in the cabinet. This is meant to protect cus=
tomers from themselves and each other.=20
>=20
> IE: Someone is removing a power cable and the pull the wrong one out of t=
he PDU. Maybe they pull the right one out of the PDU, but it's wrapped arou=
nd someone else's power cable and theirs gets pulled out along the way. Stu=
ff like that.=20
>=20
>=20
>=20
>=20
> -----=20
> Mike Hammett=20
> Intelligent Computing Solutions=20
> http://www.ics-il.com=20
>=20
> Midwest-IX=20
> http://www.midwest-ix.com=20
>=20
> ----- Original Message -----=20
>=20
> From: "Greg Sowell" <greg@gregsowell.com>=20
> To: "Mike Hammett" <nanog@ics-il.net>=20
> Cc: "NANOG list" <nanog@nanog.org>=20
> Sent: Saturday, February 13, 2016 10:16:17 AM=20
> Subject: Re: Shared cabinet "security"=20
>=20
>=20
> Mike,=20
> I've seen people use shelves to segregate cabinets. I've seen some that s=
crew from both sides and eat very little space.=20
> Greg=20
> On Feb 13, 2016 8:07 AM, "Mike Hammett" < nanog@ics-il.net > wrote:=20
>=20
>=20
> Getting a cabinet in someone else's datacenter (Equinix, Coresite, Telx, =
etc.) and having sub-tenants. Most networks aren't going to need more than =
a handful of U in a datacenter, but the more significant the datacenter, th=
e less likely they are to provide partial cabinets... which makes no sense.=
Sure, some networks need large chassis routers chewing up 10U - 20U, but t=
here are far more networks that need routers that take up 1U, 2U, something=
like that. For many networks, the sheer cost of the space in the datacente=
r doubles their overall cost per megabit.=20
>=20
>=20
>=20
>=20
> -----=20
> Mike Hammett=20
> Intelligent Computing Solutions=20
> http://www.ics-il.com=20
>=20
> Midwest-IX=20
> http://www.midwest-ix.com=20
>=20
> ----- Original Message -----=20
>=20
> From: "Bevan Slattery" < bevan@slattery.net.au >=20
> To: "Mike Hammett" < nanog@ics-il.net >=20
> Cc: "North American Network Operators' Group" < nanog@nanog.org >=20
> Sent: Saturday, February 13, 2016 2:36:34 AM=20
> Subject: Re: Shared cabinet "security"=20
>=20
>=20
> Sorry. I'm not sure I get from which angle you are coming at this from. H=
appy to clarify for you and anyone interested if you can help me out here.=
=20
>=20
>=20
> Cheers=20
>=20
> [b]=20
>=20
> On 13 Feb 2016, at 12:58 PM, Mike Hammett < nanog@ics-il.net > wrote:=20
>=20
>=20
>=20
>=20
>=20
> There are more options when you're not just using someone else's datacent=
er.=20
>=20
>=20
>=20
>=20
> -----=20
> Mike Hammett=20
> Intelligent Computing Solutions=20
> http://www.ics-il.com=20
>=20
> Midwest-IX=20
> http://www.midwest-ix.com=20
>=20
> ----- Original Message -----=20
>=20
> From: "Bevan Slattery" < bevan@slattery.net.au >=20
> To: "Mike Hammett" < nanog@ics-il.net >=20
> Cc: "North American Network Operators' Group" < nanog@nanog.org >=20
> Sent: Friday, February 12, 2016 4:44:34 PM=20
> Subject: Re: Shared cabinet "security"=20
>=20
> In a past life we worked with our supplier to create physically separate =
sub-enclosures.1/2 and 1/3. Able to build in a separate and secure cable pa=
th for interconnects to the meet-me-room and connection to power supplies.=
=20
>=20
> Can be done and I think there are now rack suppliers that do this as stan=
dard. Been out of DC space for a few years now.=20
>=20
> [b]=20
>=20
>> On 13 Feb 2016, at 6:58 AM, Mike Hammett < nanog@ics-il.net > wrote:=20
>>=20
>>=20
>> That moment when you hit send and remember a couple things=E2=80=A6=20
>>=20
>> Of course labeling of the cables.=20
>>=20
>> Maybe colored wire loom for fiber and DACs in the vertical spaces to go =
along with the previously mentioned color scheme?=20
>>=20
>>=20
>>=20
>>=20
>> -----=20
>> Mike Hammett=20
>> Intelligent Computing Solutions=20
>> http://www.ics-il.com=20
>>=20
>> Midwest-IX=20
>> http://www.midwest-ix.com=20
>>=20
>> ----- Original Message -----=20
>>=20
>> From: "Mike Hammett" < nanog@ics-il.net >=20
>> To: "North American Network Operators' Group" < nanog@nanog.org >=20
>> Sent: Friday, February 12, 2016 2:53:17 PM=20
>> Subject: Re: Shared cabinet "security"=20
>>=20
>>=20
>> I am finding a bunch of covers for the front. I do wish they stuck out m=
ore than an inch (like two).=20
>> http://www.middleatlantic.com/~/media/middleatlantic/documents/techdocs/=
s_sf%20series%20security%20covers_96-035/96_035s_sf.ashx=20
>>=20
>> It looks like these guys stick out 1.5=E2=80=9D. That may be workable=E2=
=80=A6 http://www.lowellmfg.com/tinymce/jscripts/tiny_mce/plugins/filemanag=
er/files/1717-SSCV.pdf=20
>>=20
>> I guess those covers are really only useful for servers. That really wou=
ldn=E2=80=99t work with a switch\router. Switches and routers are going to =
be the bulk of what we=E2=80=99re dealing with.=20
>>=20
>> I am finding locking power cables, but that seems to be specific to the =
PDU you=E2=80=99re using as it requires the other half of the lock on the P=
DU.=20
>>=20
>> I did come across colored power cords. I wonder with some enforced cable=
management, colored power cables, etc. we would have =E2=80=9Cgood enough=
=E2=80=9D? You get some 1U or 2U cable organizers, require cables to be sec=
ured to the management, vertical cables in shared spaces are bound together=
by customer, color of Velcro matches color of the power cord? Blue custome=
r, green customer, red customer, etc. Could do the cat6 patch cables that w=
ay too, but that gets lost when moving to glass or DACs.=20
>>=20
>> I thought about a web cam that would record anyone coming into the cabin=
et, but Equinix doesn=E2=80=99t really allow pictures in their facilities, =
so that=E2=80=99s not going to fly. Door contacts should be helpful for an =
audit log of at least when the doors were opened or closed.=20
>>=20
>> Financial penalty from the violator to the victim if there=E2=80=99s an =
uh oh?=20
>>=20
>> I=E2=80=99m not trying to save someone from themselves. I=E2=80=99m not =
trying to lock the whole thing down. Just trying to prevent mistakes in a s=
hared space.=20
>>=20
>>=20
>>=20
>>=20
>> -----=20
>> Mike Hammett=20
>> Intelligent Computing Solutions=20
>> http://www.ics-il.com=20
>>=20
>> Midwest-IX=20
>> http://www.midwest-ix.com=20
>>=20
>> ----- Original Message -----=20
>>=20
>> From: "Mike Hammett" < nanog@ics-il.net >=20
>> To: "North American Network Operators' Group" < nanog@nanog.org >=20
>> Sent: Wednesday, February 10, 2016 8:59:08 AM=20
>> Subject: Shared cabinet "security"=20
>>=20
>> I say "security" because I know that in a shared space, nothing is compl=
etely secure. I also know that with enough intent, someone will accomplish =
whatever they set out to do regarding breaking something of someone else's.=
My concern is mainly towards mitigation of accidents. This could even appl=
y to a certain degree to things within your own space and your own careless=
techs=20
>>=20
>> If you have multiple entities in a shared space, how can you mitigate th=
e chances of someone doing something (assuming accidentally) to disrupt you=
r operations? I'm thinking accidentally unplug the wrong power cord, patch =
cord, etc. Accidentally power off or reboot the wrong device.=20
>>=20
>> Obviously labels are an easy way to point out to someone that's looking =
at the right place at the right time. Some devices have a cage around the p=
ower cord, but some do not.=20
>>=20
>> Any sort of mesh panels you could put on the front\rear of your gear tha=
t you would mount with the same rack screw that holds your gear in?=20
>>=20
>>=20
>>=20
>>=20
>> -----=20
>> Mike Hammett=20
>> Intelligent Computing Solutions=20
>> http://www.ics-il.com=20
>>=20
>> Midwest-IX=20
>> http://www.midwest-ix.com=20
>>=20
>>=20
>=20
>=20
>=20
>=20
>=20
>=20
