Information security: physical and environmental security technologies.


Traditional physical security, also known as entity security, refers to the overall security of all hardware that supports the operation of network information systems, including the environment, equipment and recording media. It is the basic guarantee for the safe, reliable and uninterrupted operation of network information systems. It ensures that, while information is being processed, served and used for decision support, equipment, media and environmental conditions are not harmed by human or natural factors in ways that cause information loss, leakage or damage or interfere with the normal operation of network services.

Physical security in a broad sense refers to the security of cyber-physical systems that integrate people, machines, and things, including hardware, software, operators, and the environment.

Table of contents:

Information security: physical and environmental security technologies.

Physical Security Requirements:

(1) Physical security threats:

(2) Physical security protection:

Physical environment security analysis and protection:

Computer room security analysis and protection:

(1) Composition of functional areas of the computer room:

(2) Classification of computer room safety levels:

(3) Computer room site selection requirements:

(4) Data center construction and design requirements:

(5) Internet data center:

(6) Physical security control of CA computer room:

Network communication line security analysis and protection:

(1) Security analysis of network communication lines:

(2) Security protection of network communication lines:

Equipment physical security analysis and protection:

(1) Equipment physical security analysis:

(2) Equipment physical security protection:

(3) Equipment hardware attack protection:

Storage media security analysis:

(1) Storage media security analysis:

(2) Storage media security protection:


Physical Security Requirements:

(1) Physical security threats:

♦  With the development of network attack technology, physical system security is facing the threat of hardware attacks. Compared with traditional physical security threats, new hardware threats are more concealed and harmful, and the attacks are proactive and non-proximate.

▶ Hardware Trojan: A hardware Trojan usually refers to a malicious circuit implanted in an integrated circuit (IC) chip. When activated in some way, it changes the original functions and specifications of the IC, leading to information leakage or loss of control, with unexpected behavioral consequences and irreversible major harm. Malicious hardware logic may be implanted during R&D, design, manufacturing, packaging, testing, or application, anywhere in the IC life cycle, to form a hardware Trojan.

▶ Hardware-coordinated malicious code: In 2008, Samuel T. King and other researchers designed and implemented malicious hardware that enabled unprivileged software to access privileged memory areas.

▶ Exploitation of hardware security vulnerabilities: Like software, hardware also has fatal security vulnerabilities, and their impact on the security of network information systems is more persistent and destructive. The "Meltdown" and "Spectre" CPU vulnerabilities discovered in 2018 are hardware security vulnerabilities. Through a side channel, they can be used to observe the effect of instruction prefetching and pre-execution on the cache. Through the relationship between the cache and memory, the location of specific code and data in memory can then be obtained, and, in combination with other vulnerabilities, memory can be read or tampered with to achieve the purpose of the attack.

▶ Attacks on hardware entities based on software vulnerabilities: Software vulnerabilities in the control system are used to modify the configuration parameters of the physical entity, putting it into an abnormal operating state and thereby damaging it. The Stuxnet virus is a real case of an attack on physical entities.

▶ Attacks on computer entities based on the environment: Defects in the external environment that the computer system relies on are exploited to maliciously destroy or change that environment (electromagnetic waves, magnetic fields, temperature, air humidity, etc.), causing problems in the operation of the computer system.


(2) Physical security protection:

♦ Equipment physical security: The security technical elements of equipment physical security mainly include equipment signs and markings, prevention of electromagnetic information leakage, anti-electromagnetic interference, power supply protection, and adaptability to vibration, collision and impact, etc. In addition, it is also necessary to ensure the security of the equipment supply chain and the safety quality of the products, and to prevent hardware Trojans and hardware security vulnerabilities in other related aspects of the equipment. Smart devices also need to ensure that the embedded software is safe and trustworthy.

♦ Environmental physical security: The security technical elements of environmental physical security mainly include machine room site selection, machine room shielding, fire prevention, waterproofing, lightning protection, rodent prevention, theft prevention, destruction prevention, power supply and distribution system, air conditioning system, integrated wiring and regional protection, etc.
♦ System physical security: The security technical elements of system physical security mainly include storage media security, disaster backup and recovery, physical device access, device management and protection, resource utilization, etc. Physical security protection methods mainly include security compliance, access control, security shielding, fault tolerance, security monitoring and early warning, supply chain security management, and disaster recovery and backup.
♦ Physical security specifications: "Technical Requirements for Physical Security of Information Systems (GB/T 21052-2007)" classifies the physical security of information systems into levels and sets corresponding protection requirements at each level for equipment physical security, environmental physical security, and system physical security. The specific requirements and goals are as follows:
  
▶ The first-level physical security platform provides basic physical security protection for the first-level user independent protection level;
▶ The second-level physical security platform provides appropriate physical security protection for the second-level system audit protection level;
▶ The third-level physical security platform provides a higher degree of physical security protection for the second-level security mark protection level;
▶ The fourth-level physical security platform provides a higher degree of physical security protection for the fourth-level structured protection level;

Physical environment security analysis and protection:

(1) Fireproof. (2) Waterproof.

(3) Shockproof. (4) Anti-theft.

(5) Protection against rodents and insect pests. (6) Protection against lightning.

(7) Anti-electromagnetic. (8) Anti-static.

(9) Safe power supply. 


Computer room security analysis and protection:

(1) Composition of functional areas of the computer room:

♦ According to the provisions of the "General Specifications for Computer Sites (GB/T 2887-2011)", a computer room site can be composed of the following rooms (one room may serve several purposes, and rooms may be added or removed as appropriate):

▶ Main working rooms: main computer room, terminal room, etc.;

▶ The first type of auxiliary room: low-voltage power distribution room, uninterruptible power supply room, battery room, air conditioner room, generator room, gas cylinder room, monitoring room, etc.;

▶ The second type of auxiliary room: reference room, maintenance room, technician office;

▶ The third type of auxiliary room: storage room, buffer room, technician lounge, washroom, etc.;


(2) Classification of computer room safety levels:

♦ According to the "Computer Site Security Requirements (GB/T 9361-2011)", the security level of the computer room is divided into three basic levels: A, B, and C. The characteristics of each level are introduced below:

▶ Level A: If the computer system is interrupted, it will cause serious damage to national security, social order, and public interests; it has strict requirements for the safety of the computer room and has complete computer room security measures;

▶ Level B: If the computer system is interrupted, it will cause great damage to national security, social order, and public interests; it has stricter requirements for the safety of computer rooms and has relatively complete computer room security measures;

▶ Level C: A situation that does not belong to Level A or B; it has basic requirements for the safety of the computer room and has basic computer room security measures;

(3) Computer room site selection requirements:

♦ Environmental safety:
  
▶ Avoid dangerous source areas;
    
▶ Environmentally polluted areas should be avoided;
    
▶ Salt spray areas should be avoided;
     
▶ Avoid lightning-prone areas;
 

♦ Geological reliability:

▶ Do not build on mixed fill, silt, quicksand and geological areas with fractured strata.
 
▶ Computer rooms built in mountainous areas should avoid areas with unstable geology such as landslides, mudslides, avalanches, and caves.
 
▶ Computer rooms built in mining areas should avoid mining collapse areas and mining areas with mining value.
 
▶ Avoid low-lying, wet areas.
    

♦ Site resistance to electromagnetic interference:

▶ Avoid or stay away from strong electromagnetic field interference places such as radio interference sources and microwave lines, such as radio and television transmitting stations and radar stations;

▶ Avoid places with strong current surges and strong electromagnetic interference, for example by staying more than 200 m away from electrified railways, high-voltage transmission lines, high-frequency furnaces, large motors, high-power switches and other equipment;

♦ Strong vibration and noise sources should be avoided;

♦ Avoid locating the computer room on the upper floors of a building, or on the floor below or next door to water-using equipment:

▶ The computer room should be a dedicated building. If the computer room is part of a building, the second floor should be selected, with the first floor used for power, power distribution, air conditioning, etc.

(4) Data center construction and design requirements:

♦ A data center usually refers to a building that implements centralized processing, storage, transmission, exchange, and management of data information and provides an operating environment for the operation of related electronic information equipment;
  
♦ Data centers can be divided into three categories according to their size: ultra-large data centers, large data centers, and small and medium-sized data centers;
   
▶ Ultra-large data centers refer to data centers with a scale greater than or equal to 10,000 standard racks;
 
▶ A large data center refers to a data center with a scale greater than or equal to 3,000 standard racks and less than 10,000 standard racks;
▶ Small and medium data centers refer to data centers with a scale of less than 3,000 standard racks;
  
♦ "Data Center Design Specification (GB 50174-2017)" (hereinafter referred to as the "Design Specification") is a national standard that took effect on January 1, 2018. Its mandatory provisions are as follows:

▶ 8.4.4 The metal shells of all equipment in the data center, various metal pipes, metal trunking, and building metal structures must be equipotentially bonded and grounded;

▶ 13.2.1 The fire resistance rating of the data center should not be lower than Class 1,000;
▶ 13.2.4 When the data center and other functional rooms are in the same building, the data center should be separated from the other functional rooms in the building by fire partition walls with a fire resistance rating of not less than 2.0h and floor slabs of 1.5h, and doors opened in the partition walls should be Class A fire doors;

▶ 13.3.1 A host room that adopts a pipe network gas fire extinguishing system or a water mist fire extinguishing system should be equipped with two independent fire detectors at the same time, and the fire alarm system should be linked with the fire extinguishing system and video surveillance system;
▶ 13.4.1 The main computer room equipped with a gas fire extinguishing system should be equipped with a special air respirator or oxygen respirator.
  
♦ The "Design Specification" requires that data centers should be divided into three levels: A, B, and C. The design level should be determined based on the nature of use of the data center and the economic or social losses or impacts caused by data loss or network interruption.

(5) Internet data center:

♦ Internet data center (IDC for short) is a type of data center that provides users with basic resource leasing services and related additional services, and provides online IT application platform capability leasing services and application software leasing services.

♦ IDC is generally composed of six logical functional parts: computer room infrastructure, network system, resource system, business system, management system and security system;
♦ "Internet Data Center Engineering Technical Specifications (GB 51195-2016)" stipulates that IDC computer rooms are divided into three levels: R1, R2, and R3. The requirements for IDC computer rooms at each level are as follows:

▶ The main parts of the computer room infrastructure and network system of the R1-level IDC computer room should have certain redundancy capabilities, and the availability of the IDC business that the computer room infrastructure and network system can support should not be less than 99.5%;

▶ The computer room infrastructure and network system of the R2-level IDC computer room should have redundant capabilities, and the availability of the IDC business that the computer room infrastructure and network system can support should not be less than 99.9%;
▶ The computer room infrastructure and network system of the R3-level IDC computer room should be fault-tolerant, and the availability of the IDC business supported by the computer room infrastructure and network system should not be less than 99.99%;
♦ "Internet Data Center Engineering Technical Specifications (GB 51195-2016)" shall come into effect on April 1, 2017. Articles 1.0.4 and 4.2.2 are mandatory provisions and must be strictly implemented. The mandatory provisions are as follows:

▶ 1.0.4 The main telecommunications equipment used in IDC projects in areas with a seismic fortification intensity of 7 degrees or above (including 7 degrees) in China must pass the seismic performance test of telecommunications equipment.
  

▶ 4.2.2 Before the start of construction, a comprehensive inspection must be carried out on the safety conditions of the machine room, which shall meet the following requirements:

① The computer room must be equipped with effective fire-fighting equipment. The fire-fighting system engineering in the computer room infrastructure should be completed, kept in good working condition, and meet the requirements for IT equipment system installation and commissioning construction.
   
② The reserved holes in the floor slab should be equipped with safety covers made of non-combustible materials, and the used cable routing holes should be sealed with non-combustible materials;
③ It is strictly forbidden to store flammable, explosive and other dangerous items in the computer room;
   
④ The power supply equipment and power sockets of different voltages in the computer room should have obvious distinguishing signs;
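
The R1 to R3 availability floors listed above can be checked against a planned design. The following is an added example, not part of the original notes or of GB 51195-2016: it assumes independent unit failures, uses constructed unit availabilities, and maps a design to a level by the availability floor only (the standard's redundancy and fault-tolerance wording is a separate requirement).

```python
from math import comb

# Availability floors for IDC computer rooms as listed above (GB 51195-2016).
IDC_FLOORS = [("R3", 0.9999), ("R2", 0.999), ("R1", 0.995)]
HOURS_PER_YEAR = 8760

def k_of_n(unit, needed, installed):
    """Availability of a group that works while at least `needed` of
    `installed` identical, independent units are up."""
    return sum(
        comb(installed, up) * unit**up * (1 - unit) ** (installed - up)
        for up in range(needed, installed + 1)
    )

def idc_level(availability):
    """Highest level whose availability floor is met, or None."""
    for level, floor in IDC_FLOORS:
        if availability >= floor:
            return level
    return None

def assess(design):
    """design maps subsystem -> (unit availability, units needed, units installed).
    Every subsystem is required, so subsystem availabilities multiply."""
    groups = {name: k_of_n(*spec) for name, spec in design.items()}
    total = 1.0
    for value in groups.values():
        total *= value
    return {
        "availability": total,
        "level": idc_level(total),
        "downtime_hours": (1 - total) * HOURS_PER_YEAR,
        "weakest": min(groups, key=groups.get),
    }

# Constructed sample designs; unit availabilities are illustrative, not vendor data.
NO_REDUNDANCY = {"power": (0.999, 1, 1), "cooling": (0.998, 1, 1), "network": (0.999, 1, 1)}
PARTIAL = {"power": (0.999, 1, 2), "cooling": (0.998, 2, 3), "network": (0.9995, 1, 1)}
FULL_N_PLUS_1 = {"power": (0.999, 1, 2), "cooling": (0.998, 2, 3), "network": (0.999, 1, 2)}

if __name__ == "__main__":
    for label, design in [("no redundancy", NO_REDUNDANCY), ("partial", PARTIAL),
                          ("N+1", FULL_N_PLUS_1)]:
        r = assess(design)
        print(f"{label:14} {r['availability']:.6f} level={r['level']} "
              f"downtime={r['downtime_hours']:.1f} h/yr weakest={r['weakest']}")
```

The independence assumption overstates availability when redundant units share a failure cause such as a common power feed or the same room, so treat the result as an upper bound.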

(6) Physical security control of CA computer room:

♦ The State Cryptography Administration issued the "E-Government Electronic Authentication Service Business Rules and Regulations", which put forward normative requirements for the physical security of the CA computer room.

Network communication line security analysis and protection:

(1) Security analysis of network communication lines:

♦ Common physical security threats to network communication lines are:

▶ The network communication line is cut off;

▶ Network communication lines are subject to electromagnetic interference;

▶ Network communication lines leak information;

(2) Security protection of network communication lines:

♦ In order to achieve network communication security, security measures are generally taken from two aspects: one is network communication equipment; the other is network communication lines.

Equipment physical security analysis and protection:

(1) Equipment physical security analysis:

▶ Security threats associated with device entities and environments;

▶ The physical device is stolen or damaged;

▶ The equipment entity is subject to electromagnetic interference;

▶ Equipment supply chain interruption or delay;

▶ The firmware part of the device entity is attacked;

▶ The device is subject to hardware attacks;

▶ Security threats to the control components of the device entity;

▶ Unauthorized external connections from equipment;

(2) Equipment physical security protection:

♦ According to the national standard GB/T 21052-2007, the physical security protection technical measures for equipment entities mainly include:

▶ Equipment signs and markings;
  
▶ Equipment electromagnetic radiation protection;
  
▶ Equipment static electricity and electrical safety protection;
  
▶ Equipment magnetic field immunity;
  
▶ Equipment and environmental safety protection;
   
▶ Equipment adaptability and reliability protection;

(3) Equipment hardware attack protection:

♦ The main security measures against potential hardware attacks are as follows.

▶ Hardware Trojan detection: Hardware Trojan detection methods include reverse analysis, power consumption analysis, and side channel analysis;

▶ Hardware vulnerability processing: Hardware vulnerabilities are different from software vulnerabilities, and their repair is irreversible. The usual method is to destroy the conditions for exploiting the vulnerability to prevent the vulnerability from being exploited by the attacker;


Storage media security analysis:

(1) Storage media security analysis:

▶ Storage management is out of control;

▶ Storage data leakage;

▶ Storage media and storage device failure;

▶ Storage media data is not securely deleted;

▶ Malicious code attack;


(2) Storage media security protection:

▶ Strengthen storage security management;

▶ Data is encrypted before being stored: Important data with high use value or high confidentiality in the system should be stored encrypted;

▶ Fault-tolerant and disaster-tolerant storage technology: Take comprehensive security measures such as disk arrays, dual-machine online backup, and offline backup for important systems and data resources;
     
    
    
Study books: Information security engineer tutorial...

Origin blog.csdn.net/weixin_54977781/article/details/131963907