When we think of security, the image of firewalls, anti-malware protection, and the latest and greatest in network access control pops into our heads. With Cisco ISE servers providing NAC services, ASAs providing firewalling on our network edge, and AMP for Endpoints providing malware protection on our laptops, we think we are secure. But are we? Have we forgotten the very first line of security?
When you first learn about network security, the very first topic is often physical security. Why? Because you could have the most secure network in the world, but if your servers and switches aren’t locked away, anyone can take you down by simply unplugging cables, turning off servers, or unplugging network gear. A disgruntled employee, a malicious actor, or even an innocent employee who is just trying to get network access can all take down your network if they have physical access.
Best practice for physical security is simple: provide a separate space for the network and server equipment. This could be as large as a separate room (IDF/MDF) or as small as a wall-mounted cabinet. Once a space is established for your equipment, make sure to lock the door! Following the rule of least privilege, only give access to the room or cabinet to employees who need it, i.e. your network and server admins.
Now that you have your equipment locked away, what happens if someone breaks in, or worse yet, that disgruntled employee is in IT and has access to your closets? Video surveillance is the answer. At the very least, a surveillance camera watching the door to your server room or network closet will provide accountability for who entered the room and at what time, while a surveillance camera inside the room will provide accountability for what that person did.
Cisco and Meraki both have video surveillance systems available. For an on-prem, full-featured surveillance system, Cisco’s Video Surveillance Operations Manager (VSOM) provides a robust surveillance architecture that allows Cisco and 3rd-party cameras to stream to redundant media servers while being centrally controlled. For a simple cloud-based surveillance solution, Meraki has their MV line of cameras. These cameras are for simple deployments that do not require any backend DVR servers to support them. With either solution you will be able to stream, record, and review surveillance video from either indoor or outdoor cameras.
To dive further into Cisco’s VSOM architecture, there are three components to the surveillance system: cameras, media servers, and the Operations Manager server. The cameras are self-explanatory, the media servers are the on-location DVRs that store any recorded footage from the camera streams, and the Operations Manager is the central controller that manages the cameras and media servers. From the Operations Manager you can centrally watch any stream on any media server that is registered with it. This gives centralized security officers views into each location without having to log into each media server separately.
Additionally, the VSOM architecture allows each camera to have multiple streams to redundant media servers, providing fault tolerance in the event a media server goes down. VSOM is LDAP integrated, so you can use your existing directory store to grant access to the employees who need it and restrict access based on location or role.
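The location-and-role restriction described above can be modeled as a default-deny authorization check driven by directory group membership. The following is an added example and is not VSOM's own code or configuration; the group naming convention (`cn=vsom-<role>-<site>`), the sample users, and the action-to-role mapping are all assumptions constructed for illustration.

```python
# Added example (not from the original post or from Cisco VSOM): a default-deny
# check that maps LDAP group membership to surveillance rights by site and role,
# the way an LDAP-integrated surveillance controller restricts who may view,
# export or configure cameras at a given location.

# Constructed sample: group DNs a user might carry after an LDAP bind.
# Naming convention assumed here: cn=vsom-<role>-<site>, where role is
# viewer | operator | admin and site is a location code or "all".
SAMPLE_USERS = {
    "alice": ["cn=vsom-viewer-hq,ou=groups,dc=example,dc=com"],
    "bob":   ["cn=vsom-admin-all,ou=groups,dc=example,dc=com"],
    "carol": ["cn=staff,ou=groups,dc=example,dc=com"],  # no surveillance groups at all
}

# Higher rank implies the rights of lower ranks.
ROLE_RANK = {"viewer": 1, "operator": 2, "admin": 3}

# Minimum rank required per action (assumed mapping for the example).
ACTION_RANK = {"view": 1, "export": 2, "configure": 3}


def parse_grants(group_dns):
    """Return {site: highest role rank} from vsom-* group DNs, ignoring all others."""
    grants = {}
    for dn in group_dns:
        cn = dn.split(",", 1)[0].strip()
        if not cn.startswith("cn=vsom-"):
            continue  # unrelated group: contributes nothing (least privilege)
        parts = cn[len("cn=vsom-"):].split("-", 1)
        if len(parts) != 2 or parts[0] not in ROLE_RANK:
            continue  # malformed group name: ignore rather than guess
        role, site = parts
        grants[site] = max(grants.get(site, 0), ROLE_RANK[role])
    return grants


def is_allowed(group_dns, camera_site, action):
    """Default deny: allow only if a group grants the required rank for this site or for 'all'."""
    required = ACTION_RANK.get(action)
    if required is None:
        return False  # unknown action is never permitted
    grants = parse_grants(group_dns)
    have = max(grants.get(camera_site, 0), grants.get("all", 0))
    return have >= required


def audit_line(user, group_dns, camera_site, action):
    """Produce the accountability record a controller should log for each decision."""
    decision = "ALLOW" if is_allowed(group_dns, camera_site, action) else "DENY"
    return f"{decision} user={user} site={camera_site} action={action}"


if __name__ == "__main__":
    for user, groups in SAMPLE_USERS.items():
        for site in ("hq", "branch1"):
            for action in ("view", "export", "configure"):
                print(audit_line(user, groups, site, action))
```

Unrelated and malformed groups contribute no rights, so a user with no `vsom-*` membership is denied everything by default, and every decision yields a log line so that camera access itself is auditable alongside the door access it is meant to account for.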
Optionally, a location server can be added to provide mapped locations for each camera. This helps not only in locating where a camera is placed, but also in visualizing where any video coverage gaps may exist.
Meraki MV Cameras
The Meraki MV line of surveillance cameras has a simple architecture. Because the backend DVR services are hosted in the cloud, all you need to purchase is the camera. All their current camera models are PoE-powered and have onboard hard drives that store the video locally before streaming it to the Meraki cloud controller for viewing. Once in the cloud, you can capture events to be saved for later, or export them into a WAV file to be given to the proper authorities if needed.
With an additional license, Meraki now archives footage stored on the on-board hard drive in the cloud. This allows you both to retain footage for longer and to keep the footage if the camera is stolen. Note that the license is per camera, so plan ahead when deciding to purchase Meraki MV cameras.
While the Meraki cameras do not have the same full-featured, robust, and resilient architecture as the Cisco VSOM system, their ease of deployment and low maintenance costs make them perfect for simple and straightforward deployments.
Physical security may not bring with it the same sexy and unique characteristics as other parts of the security world, but it is a fundamental part of what makes up the entire security solution. Just as the horizontal cabling in a building is the foundation of a network solution, so too is physical security the foundation of network security.