Simple Physical Security Controls to Secure Your Network

Securing your network is not all about setting up an access control list on your firewall, installing the latest and greatest anti-virus software, or staying on top of your patching. These are all important, of course. But from time to time we have seen small businesses that do not follow best practices for physically securing their network equipment. Most of the time, this is due to a lack of office space to dedicate a room to an equipment rack. Other times, it's a lack of appreciation or understanding of the importance of making sure your mission-critical network equipment is secure.

In this article, we'll cover some key points that we feel system administrators should consider. Depending on your situation, some of these may already be in place while others may take some effort to implement. For the most part, these do not require significant funding to put in place.

Dedicated Secure Room for Mission Critical Devices

Network servers, network switches, firewalls, and other mission critical devices should all be located in dedicated rooms that are secured behind a door with a physical lock and/or an electronic keypad. Only essential personnel should have the key and the combination to enter this secure room. Under normal operating conditions, only I.T. staff requiring access to these devices for their job function are given access.

The choice of using either a physical lock, an electronic lock, or both will be dictated by your situation. What I mean by physical lock is a deadbolt that requires a key to lock and unlock. An electronic lock is one where you use a badge or a key fob, in combination with a PIN that you enter on a wall-mounted keypad, to gain entry. There are advantages and disadvantages to both.

Lock Types: Advantages and Disadvantages

Physical Locks
  Advantages
  • Cannot be hacked
  Disadvantages
  • You have to remember to lock it when exiting the room
  • If you lose a key, you may need to replace the deadbolt

Electronic Locks
  Advantages
  • Automatically locks itself within several seconds after someone unlocks it to gain entry
  • Most systems record a history of entries, including the person making the entry along with the date and time
  • Option to have a third-party security company monitor and alert you on off-hour entries
  Disadvantages
  • May automatically unlock in the event of a power outage
  • Susceptible to being hacked

In addition to having locks, you want to make sure your server room does not have windows. Someone could potentially break into your space in the middle of the night and cause havoc. This may be obvious for some, but we come across such cases.

Lastly, at the risk of sounding paranoid, the walls of your server room should extend all the way up to the floor above. For a good design, you do not want a partial wall, meaning a wall that extends up only to where your drop ceiling hangs. This can potentially leave enough crawl space for someone to gain entry into your server room by going over your wall. If you are fortunate enough to be building out a new office space, talk to your contractor to make sure your server room walls extend all the way up. Any contractor worth their salt should know how to design and build this room if you tell them it's going to be your server room.

Fire Extinguishers

You should have fully charged portable fire extinguishers in your server room, stored in a clearly visible area where they can be easily accessed. Alternatively, if space is limited, you can place them right outside the doorway. These portable fire extinguishers should be rated for class A, B, and C fires. If you decide to deploy fire extinguishers in your office space, be sure to add inspecting them to your annual to-do list. Many fire extinguishers have a pressure gauge built in by the handle to let you easily identify whether they are still in good operating condition. If the pressure is low, you need to replace them.

Amerex ABC Dry Chemical Fire Extinguisher

Along with smoke detectors, fire extinguishers are your first line of defense for your home or office. They play a major role in fire protection as they can dramatically reduce the damage caused by a fire. Install them throughout your home or office. It can be the difference between a minor fire and total destruction.

UPS/Battery Backup

Electrical battery backup units should be used on mission critical devices. Known as an uninterruptible power supply (UPS), these units “clean” electrical street power before delivering it to networking devices. Electrical power sometimes has voltage sags or surges that can be damaging to electronic devices. A UPS unit will stabilize the voltage to provide a consistent and safe voltage level for any devices connected to it.

UPS Battery Backups

An uninterruptible power supply (UPS) provides power protection for your mission-critical equipment. Protect your sensitive devices from power surges, power sags, brownouts and other power anomalies. If there's a power loss, your UPS will continue to power your equipment long enough to allow you to properly perform a shutdown.

In the event you lose street power, these UPS units will automatically continue to provide electrical power to any connected devices. They typically can provide enough electrical power to allow time for a system administrator to gracefully shut down network servers and other mission critical devices. The amount of battery runtime a unit provides depends on the "size" of the UPS unit and the electrical load placed on it.

We recommend at least 10 minutes of runtime. However, if you end up needing to purchase UPS units for your environment, you don't want to simply purchase the capacity to cover the load you currently have. Instead, you want to purchase more than what you need now to give you the flexibility to cover any additional equipment you may add to your network in the future. Many rack-mount versions are scalable: you can simply buy and attach extra external battery units to extend your runtime. For our clients, we like to put in place a UPS solution that provides a minimum runtime of 15 to 30 minutes.

Security Cameras

While having controlled access to your server room is great, it is sometimes not enough to provide full protection. In particular, if you have more than a couple of staff members with permission to access your server room, it will be difficult for you to identify if something suspicious is happening. We'll use the example of a rogue employee to illustrate the point. You may have an employee who has gone bad. He or she may steal equipment, steal data, or perhaps sabotage your network. Installing security cameras to monitor sensitive areas such as the inside of your server room, the door to your server room, your I.T. storage area, I.T. office space and similar will serve as a deterrent and as a witness if something foul has occurred.

Security Camera System

Many security camera systems today are easy to install and easy to use. NVR (network video recorder) systems plug right into your network, which enables you to receive email alerts when motion is detected in the middle of the night and to remotely log in to watch a live feed. With support for multiple cameras and hours of storage capacity, a security camera system serves as a great deterrent and as an investigative tool.

For most organizations, particularly small businesses, it doesn't make sense to hire a full-time person to stare at surveillance monitors all day. Instead, what you want to do is install a network video recorder (NVR). Just like your home DVR, it will record the video feed from your security cameras onto its internal hard drive. Depending on the number of cameras you have and the capacity of the NVR hard drives, you can store weeks of camera footage. This gives you the ability to look back in time to review movement and activities on a particular day and time.

For off-hour monitoring, more sophisticated NVRs can be configured to detect movement and send you email alerts with a still image of what your camera captured. If you have remote access to your organization's network, you can log in to your NVR to review footage and identify whether something suspicious is indeed occurring.

Environmental Control

As many of you know, servers and network equipment generate a good amount of heat. Put them in a small enclosed room and you could run into excessive heat issues if the room is not tied to your HVAC system. Even if it is, that might not be enough to cool your server room, as the temperature sensor might not be zoned to monitor that room specifically. An option to consider to overcome this is to install a ductless air conditioning unit. As the name implies, these air conditioning units do not need duct work. They are wall-mounted and plug into a standard AC outlet. The only thing you need to figure out when installing one is how to drain the water that it produces as a result of cooling the air. Many come with a remote temperature controller that you can wall mount at an easy-to-access location to adjust the room's temperature. Typically, you simply set your desired room temperature and the ductless air conditioning unit will work to maintain that 24x7.

Environment Monitoring

Having the ability to cool your server room is great. With that, you want to have environmental sensors installed either on your server rack or somewhere in your server room to continuously monitor the temperature. If your HVAC or cooling system malfunctions, your small enclosed server room will become very warm quickly. It goes without saying that this is not something you want to go unchecked for a long period of time. By installing an environmental monitoring system with the ability to send you email alerts when the temperature exceeds a pre-defined threshold, you'll have a window of opportunity to address the situation before the excessive heat causes data loss or physical damage to your equipment. Some systems can even monitor the humidity as well. These are typically easy to set up. Once configured, there is very little you need to do to maintain it. At most, you may want to run a quarterly test of the built-in email notification to make sure there are no network issues, email server issues, and similar.

AVTECH RoomAlert - Environment Monitoring System

Monitor the temperature of your server room with RoomAlert. Mount it on your rack, configure it for automatic notification, and RoomAlert will email you when water, excessive temperature and humidity are detected.

Disable Unused Network Jacks

Unused network jacks throughout your office space pose a risk if not secured. You do not want devices other than your company's own to plug into your network. Allowing that exposes you to malware that may be on those devices. Or worse, a rogue device could be plugged in for a long period of time (perhaps by the cleaning crew or a rogue employee), hidden away in a corner, giving a hacker remote access to your network. Fortunately, there are a few simple options available to mitigate this. These options vary in effectiveness and in the administrative effort to implement and maintain. If you are a one-man I.T. team for a small company, these are worth implementing without having to spend thousands of dollars on a dedicated network access controller to accomplish the same thing.

RJ-45 Block-Out Device

This easy-to-install device blocks unauthorized access to your network jacks. Use this to help prevent data security breaches and network downtime. This device can only be removed using a special tool. Available in different colors to match your jack modules.

  1. RJ-45 Block-Out Device - These are small plastic clips that get snapped into your RJ-45 wall jacks. This blocks access by preventing someone from plugging a network cable into the jack. To be able to use that jack, the plastic clip will need to be removed using a special tool.
  2. Unplug Cables From Patch Panel - If you keep good documentation on your premise wiring and your network is small, an effective way to keep rogue devices off your network is to unplug the network patch cord from your patch panel or network switch. This effectively makes that cable run dead.
  3. Disable Network Switch Ports - Similar to unplugging a network cable from your patch panel, you can alternatively disable a cable run by turning off the network switch port that cable connects to. Some network switches feature the ability for you to disable/enable ports individually. How this is accomplished varies between make and model. Some may provide an easy-to-use web interface, while others may require you to use a command-line interface.
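
An added example (not part of the original article): a small Python audit that cross-checks your wiring documentation against the port state of a switch and flags unused jacks that are still live, so you know which ports to disable or unpatch. Both CSV layouts and all sample values are constructed for illustration; real switch exports differ by make and model.

```python
import csv
import io

# Constructed sample: wiring documentation (which wall jack each switch port
# feeds and which company device, if any, is assigned to that jack).
WIRING_DOC = """port,jack,assigned_to
1,A-101,front-desk-pc
2,A-102,
3,B-201,printer-2f
4,B-202,
5,C-301,
"""

# Constructed sample: port state exported from the switch. The column layout
# is hypothetical; adapt the parsing to what your make and model produces.
PORT_STATE = """port,admin,link
1,enabled,up
2,enabled,down
3,enabled,up
4,enabled,up
5,disabled,down
6,enabled,down
"""

def load(text, key="port"):
    """Index CSV rows by switch port number."""
    return {row[key]: row for row in csv.DictReader(io.StringIO(text))}

def audit_ports(wiring_csv, state_csv):
    """Return (port, severity, message) for every port that needs attention."""
    wiring, findings = load(wiring_csv), []
    for port, state in sorted(load(state_csv).items(), key=lambda kv: int(kv[0])):
        doc = wiring.get(port)
        if state["admin"] != "enabled":
            continue  # already turned off at the switch
        if doc is None:
            findings.append((port, "review", "enabled but missing from wiring documentation"))
        elif doc["assigned_to"]:
            continue  # documented jack with a company device assigned
        elif state["link"] == "up":
            findings.append((port, "high", f"link up on unused jack {doc['jack']}: unknown device attached"))
        else:
            findings.append((port, "medium", f"unused jack {doc['jack']} is live: disable port or unpatch"))
    return findings

if __name__ == "__main__":
    for port, severity, message in audit_ports(WIRING_DOC, PORT_STATE):
        print(f"port {port:>2} [{severity}] {message}")
```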

Privacy Screen

On workstations where sensitive information is accessed, a privacy screen can be installed over the computer monitor. These help prevent any sensitive information from being viewed by people nearby. They work by limiting the viewing angle to around 30 to 60 degrees. Someone looking at the monitor from outside this viewing angle will effectively see a black screen. As an added benefit, some privacy screens have an anti-reflective coating to reduce glare. They are great to use if you are an insurance firm, a tax preparation office, a doctor's office, or any business where you need to prevent the unintended disclosure of sensitive information.

Computer Privacy Screen

Privacy screen, also known as privacy filter, keeps confidential information on your monitor from prying eyes. It is a thin plastic that is placed over your computer monitor or laptop screen that restricts viewing angles. It is your responsibility to protect your customer's private information from getting into the wrong hands.

Studded Security Door Hinge

If the door to your server room opens outward, then you would want to consider replacing the door hinges. The problem with outward-swinging doors is that the pin on the hinge is exposed. A person who wants to break into your server room can pop the pins to gain entry. Once the pins are removed, the two leaves of each hinge become separated. Even if your door is locked, it can be swung open from the hinge side. To resolve this without having to re-frame your door, you can replace your hinges with stud hinges. Stud hinges, as the name implies, have built-in studs that prevent the door from separating from the door frame if the hinge pin is removed.

Security Tab / Stud Hinge

These door hinges have a security stud that locks the two leaves of the hinge together when the door is closed. The stud on one leaf mates with a matching hole on the other. This keeps the door in the door frame even if the hinge pin is removed.
