*The original author of this article: Yu Chen @ Mohan technology compliance research group, this article belongs to the freebuf original award program, reprint is prohibited without permission
Preface
I have heard the term "Classified Protection" (等保, the Multi-Level Protection Scheme) ever since I came into contact with security work. My first contact with it was when I had just joined the provincial evaluation center, having just entered the security circle. After suffering through various projects and leaders, I finally know what Classified Protection is, what it requires, how to do it, and so on. Later I also studied standards and frameworks such as information system risk assessment, ISO 27001 and COBIT 5. This article has no other purpose than to share my understanding of Classified Protection; I hope it will be useful to you. This article covers the physical security part of the technical requirements. If there is a chance, 10 parts will be updated later.
Articles in the "What is Classified Protection" series
What is Classified Protection (2): network security
What is Classified Protection (3): host security
What is Classified Protection (4): application and data security
What is Classified Protection (5): system and personnel security
What is Classified Protection (6): system construction management
What is Classified Protection (7): system operation and maintenance management
Body
I won't spend space here on background such as what the five levels are, the Cybersecurity Law, or filing with the public security bureau; we will go straight to the Level 3 standard and discuss it item by item.
In fact, the physical security part is not as simple as what is described in GB/T 22239; it also refers to additional physical security standards (GB 50174 and GB/T 2887), so it is not as simple as it looks.
7.1.1 physical security
7.1.1.1 selection of physical location (G3)
a) Houses and office sites shall be selected in buildings with the ability of earthquake, wind and rain resistance;
b) The machine room site should avoid being located on the top floors or in the basement of the building, or on the floor below or next to water-using equipment.
This is about the earthquake, wind and rain resistance of the machine room, which is in fact a requirement on the building. For Class B and Class C machine rooms, the seismic standard should meet the local seismic code; a Class A machine room should exceed the local seismic code. The following table gives the floor load standard for the site:
The seismic fortification category of a Class A machine room shall not be lower than building category B, a Class B machine room shall not be lower than building category C, and a Class C machine room shall likewise not be lower than building category C. As for siting, the machine room should not be in the basement or on the top floor, nor next to water equipment; it is recommended to place it in or near the center of the building. For the choice of building, refer to the following table (supplementary point, not in a seismic zone):
7.1.1.2 physical access control (G3)
a) The entrance and exit of the machine room shall be guarded by special personnel to control, identify and record the personnel entering;
b) Visitors who need to enter the computer room shall go through the application and approval process, and limit and monitor the scope of their activities;
c) The computer room shall be divided into areas for management. Physical isolation devices shall be set between areas, and transition areas such as delivery or installation shall be set before important areas;
d) Important areas shall be equipped with electronic access control system to control, identify and record the personnel entering.
Access control is much easier to understand, and most enterprises have already implemented it, so there is no particular part to explain. Here we expand on the detailed requirements for dividing the machine room into areas.
First, the area of the machine room. The national standard gives a calculation formula, as follows:
When the specifications of the electronic information equipment have been determined, calculate according to the following formula:
$A = K \sum S$
A: usable area of the electronic information system main machine room (m²);
K: coefficient, 5 to 7;
S: projected area of the electronic equipment (m²).
When the specifications of the electronic information equipment have not been determined, calculate according to the following formula:
$A = K N$
A: usable area of the main machine room (m²);
K: floor area occupied by a single piece of equipment, 3.5 to 5.5 (m² per unit);
N: total number of pieces of equipment in the main machine room.
The area of the auxiliary area should be 0.2 to 1 times the area of the main machine room; the user workroom can be calculated at 3.5 to 4 m² per person; rooms where people work long-term, such as offices for hardware and software staff, can be calculated at 5 to 7 m² per person.
In addition, the work area, main machine room, auxiliary area, support area and administrative area (and, if present, the confidential equipment area within the machine room) shall be isolated from one another, and important areas shall have their own separate access control systems.
7.1.1.3 theft and damage prevention (G3)
a) The main equipment shall be placed in the machine room;
b) The equipment or main parts shall be fixed and marked with obvious marks that are not easy to remove;
c) The communication cable shall be laid in the concealed place, which can be laid underground or in the pipeline;
d) The media shall be classified and identified and stored in the media library or archives;
e) The anti-theft alarm system of the computer room shall be set up by using optical and electrical technology;
f) The machine room shall be equipped with monitoring and alarm system.
This part is also relatively easy to understand: it is about anti-theft measures. The mark that is not easy to remove is in practice a one-time (tamper-evident) sticker label. Since equipment in the computer room is, generally speaking, exposed to theft, the label exists for the operation and maintenance management of the equipment; it is not meant to suggest that someone would deliberately set about removing labels.
Communication cables are generally run under the anti-static raised floor or in ceiling trunking; few people now run cables exposed, so there is no need to explain this specially.
Media means storage such as disk arrays, hard disks, tapes and USB drives. At present most companies do this part of the work rather casually: no classification, no labels, or only some simple labels on a few media, which are hidden dangers for later management. The most common case is that a staff member leaves, the handover is unclear, there is no explanatory document, whoever takes over the work is left confused, and nobody can answer their questions. In the end there is no choice but to check each item one by one, or just to muddle along and hope no problems occur.
At present an anti-theft alarm is basically standard in a Class B machine room, with a complete alarm system or platform. Finally, one point about monitoring: it is not enough to say there is a camera at the door and one inside the machine room. According to the standard, crossed vertical and horizontal coverage is required, and it counts as compliant only when there are no blind spots.
7.1.1.4 lightning protection (G3)
a) The machine room building shall be equipped with lightning protection device;
b) Lightning protector shall be set to prevent inductive lightning;
c) The machine room shall be equipped with AC power ground wire.
This part is mostly about the lightning protection requirements of the building; for details refer to GB/T 50343 (when the building is used as a stand-alone machine room). In general, a building that can be used as a machine room already has lightning protection measures that meet the requirements, so what we should focus on is the grounding of the strong-current and weak-current systems.
I have not done strong-current work, so I will not talk nonsense about it here; weak-current grounding will be explained in the anti-static part below.
7.1.1.5 fire protection (G3)
a) The machine room shall be equipped with automatic fire-fighting system, which can automatically detect the fire, automatically alarm and automatically extinguish the fire;
b) The machine room and the related working rooms and auxiliary rooms shall be built from building materials with a fire resistance rating;
c) The machine room shall take the regional isolation and fire prevention measures to separate the important equipment from other equipment.
There are 3 requirements for fire protection. The first is the automatic fire-fighting system, which can automatically detect, automatically warn and automatically extinguish; generally this is foam or dry powder. When it detects a fire it raises an early alarm, personnel are evacuated, and then it puts out the fire (if you want to know more, see GB 50116 and GB 50016). In addition, the standard requires that fire-fighting equipment be placed in the machine room, that is, the hand-held dry powder or foam extinguishers, and staff should inspect them regularly, checking whether the extinguishers are out of date and whether the pressure gauge is in the green range, and fill in the inspection record.
The second point is the requirement for fire-resistant materials. This is purely a national standard requirement, and not many places actually achieve it. According to the requirements, the fire resistance rating of the machine room should not be lower than Grade II. When a Class A or Class B machine room is located inside another building, the fire resistance limit of the partition wall between the main machine room and the other parts shall not be less than 2 h, and the doors in that partition wall should be Class A fire doors (to explain "2 h": the fire resistance limit is the time to failure under a generic 100-degree ignition point, and h stands for hour, that is, the wall should be able to withstand more than 2 hours at a high temperature of 100 degrees). The ceiling, wall panels (including sandwich materials) and partitions of the main machine room shall be non-combustible, and organic composite materials shall not be used.
The third point is the requirement for area division and isolation, so that in case of fire, priority can be given to ensuring the safety of important equipment.
A little more here. For evacuation from a main machine room with an area greater than 100 m², there should be no fewer than two emergency exits, and they should be spread apart. For a main machine room with an area of no more than 100 m², one safety exit may be provided, and evacuation may also go through the doors of adjacent rooms. The doors shall open in the direction of evacuation, close automatically, and be openable from inside the machine room under any circumstances. Corridors and stairwells shall be kept clear, and obvious evacuation signs shall be provided.
7.1.1.6 water and moisture resistance (G3)
a) Water pipes shall not be installed under the roof and raised floor of the machine room;
b) Measures shall be taken to prevent rainwater from penetrating through the windows, roofs and walls of the machine room;
c) Measures shall be taken to prevent the condensation of water vapor in the machine room and the transfer and infiltration of underground water;
d) Water-sensitive detection instruments or elements shall be installed to detect water in the machine room and raise an alarm.
The first requirement is that there should be no running-water pipes in the machine room, including in the walls around it.
Second, generally speaking I don't encounter this very often, but I did meet one enterprise where the floor above the machine room was leaking and the ceiling was not waterproof. Several large basins and buckets were placed on top of the cabinets in the machine room to catch the water, and someone was on duty to empty them regularly. That scene was really indescribable. Therefore, when selecting the location of the machine room, it is best that there are no rooms with water around it.
Third, this should refer to older computer rooms (or the computer rooms of some small companies), but the kind of computer room that cuts corners like this will generally not care about the problem. Now most computer rooms are equipped with precision air conditioning to control temperature and humidity, so this situation is becoming rarer and rarer (after all, everything is on the cloud now; how could a hosting cloud data center's computer room fail to control even temperature and humidity).
Item 4 is almost the same as item 3; at present both are under the unified control of the environmental system. But let's also go over the requirements of the standard:
First, heating and air-conditioning equipment should not be installed inside the machine room;
Water pipes unrelated to the machine room should not pass through it;
The machine room shall be protected against structural seepage, surface condensation and water overflowing from outside;
A water leakage alarm system shall be installed in important machine rooms.
7.1.1.7 anti static (G3)
a) Necessary grounding and anti-static measures shall be taken for main equipment;
b) The machine room shall adopt anti-static floor.
The standard contains a lot of terminology and required parameters; here is a brief summary. The main concern is, first, that the cabinets be well grounded and anti-static. Important equipment has lightning protection modules, which are connected to the cabinet with wires; the cabinet should be fitted with anti-static wrist straps, which must be worn before operating on equipment. In this way electrostatic protection is ensured in most cases.
Here is a little from the standard itself:
1. The floor or ground of the main machine room and auxiliary area shall be provided with electrostatic discharge measures and a grounding structure. The surface resistance or volume resistance of the anti-static floor or ground shall be 2.5 × 10⁴ to 1.0 × 10⁹ Ω. It shall be fire-proof, environmentally friendly, pollution resistant and wear resistant.
2. Equipotential bonding and grounding must be carried out for all equipment in the electronic information system room, including conductive metal enclosures, all kinds of metal pipes, metal trunking, the building's metal structure, and so on.
3. The connecting wires for electrostatic grounding shall have sufficient mechanical strength and chemical stability; welding or crimping is preferred. When conductive adhesive is used to bond to the grounding conductor, the contact area shall not be less than 20 cm².
PS: one more point is added here. As for generic cabling, the key requirement in the Classified Protection part is that strong-current and weak-current cables be laid separately, at a distance of not less than 0.5 m, and that every cable have a label.
7.1.1.8 temperature and humidity control (G3)
The machine room shall be equipped with automatic temperature and humidity adjustment facilities to make the temperature and humidity change within the allowable range of equipment operation.
There is not much to say about this part; in practice it is handled by the environmental control system. What the standard requires is that the temperature and humidity of the machine room be kept within range, and there are corresponding requirements for equipment in operation and for equipment that is shut down.
7.1.1.9 power supply (A3)
a) Voltage regulator and over-voltage protection equipment shall be equipped on the power supply line of the machine room;
b) Short term standby power supply shall be provided to at least meet the normal operation requirements of main equipment in case of power failure;
c) Redundant or parallel power cable lines shall be set to supply power for the computer system;
d) Standby power supply system shall be established.
According to the national standard, this is also a tedious one. To summarize briefly (from a security perspective, not covering construction and strong-current work):
First, the most basic item is the UPS, which has overload protection and a lightning protection module;
Second, the UPS should be fed by at least two power sources, and be able to keep the important equipment in the computer room running for at least two hours;
Finally, the machine room shall have multiple redundant power feeds, not a single cable supply; a generator shall be prepared for the machine room for emergencies in case of a prolonged power failure under special circumstances. If conditions permit, two generators should be prepared in case one of them fails unexpectedly. Refer to GB 50052 for detailed requirements.
PS: one more small point: the dedicated cabinet power strip (PDU) is also required for the cabinets in the machine room, that is, the black strip mounted in the cabinet.
7.1.1.10 electromagnetic protection (S3)
a) Grounding method shall be adopted to prevent external electromagnetic interference and equipment parasitic coupling interference;
b) Power line and communication cable shall be laid separately to avoid mutual interference;
c) Electromagnetic shielding shall be applied to key equipment and magnetic medium.
The content of this part is a bit broad, but as a Classified Protection requirement and as everyday protection of the computer room it does not go very deep, so there is no need to over-study it. Here I will share my research material and give a brief summary.
The meaning of electromagnetic shielding
EMC (electromagnetic compatibility) refers to an electronic device that neither interferes with other devices nor is affected by other devices. EMC is one of the most important indicators of product quality, just like the safety we are familiar with: safety concerns people and property, while electromagnetic compatibility concerns protection of people and the environment.
Interference emitted by electronic components to the outside world is called EMI (electromagnetic interference); electromagnetic waves acting on electronic components and causing them to be disturbed is called EMS (electromagnetic susceptibility). For example, the familiar "snow" on a TV screen means that the received signal is being interfered with.
Because a shield absorbs energy (eddy current loss), reflects energy (interface reflection of the electromagnetic wave at the shield) and cancels energy (electromagnetic induction produces a reverse electromagnetic field in the shielding layer, which cancels part of the interfering wave), the shield body has the effect of reducing interference. (1) When the frequency of the interfering electromagnetic field is high, the eddy currents generated in a metal with low resistivity are used to cancel the external electromagnetic wave and so achieve shielding. (2) When the frequency of the interfering electromagnetic wave is low, a material with high permeability should be used, so as to confine the magnetic field lines within the shield body and prevent them from spreading into the shielded space. (3) In some cases, where good shielding is required against both high-frequency and low-frequency electromagnetic fields, different metal materials are often combined to form a multilayer shield.
Principle
Many people do not understand the principle of electromagnetic shielding. They think that as long as a box is made of metal and the box is grounded, it will act as an electromagnetic shield. Designs guided by this idea end in failure, because electromagnetic shielding has nothing to do with whether the shield body is grounded. Only two factors affect the shielding effectiveness of a shield: one is that the whole shield surface must be electrically conductive and continuous; the other is that no conductor may pass directly through the shield. A shield has many conductive discontinuities, the main one being the non-conductive gap formed at the joint between different parts of the shield. These non-conductive gaps create electromagnetic leaks, just as fluid leaks from gaps in a container. One way to solve this kind of leakage is to fill the gap with a conductive elastic material to eliminate the non-conductive point, much like sealing a gap in a fluid container with rubber. This kind of elastic conductive filling material is the electromagnetic sealing gasket. In much of the literature the electromagnetic shield body is compared to a liquid-tight container, which makes it seem that electromagnetic leakage is prevented only when the gap is sealed water-tight with conductive elastic material. In fact this is not true, because whether a gap or hole leaks electromagnetic waves depends on the size of the gap or hole relative to the wavelength. When the wavelength is much larger than the opening, there is no obvious leakage.
Mechanism
a. When an electromagnetic wave reaches the surface of the shield, the discontinuity in impedance at the air/metal interface reflects the incident wave. This reflection does not require any particular thickness of shielding material; a discontinuity at the interface is enough;
b. The energy that enters the shield without being reflected at the surface is attenuated by the shielding material as it propagates forward through the body. This is what is called absorption;
c. When the residual energy that has not been attenuated within the shield reaches the other surface of the material, it meets the discontinuous metal/air impedance interface again, is re-reflected, and returns into the shield. This kind of reflection may occur multiple times between the two metal surfaces. In short, the attenuation provided by an electromagnetic shield is mainly based on the reflection and absorption of the electromagnetic wave.
From the Classified Protection perspective, these three requirements can be summarized as follows:
a) The cabinet and equipment shall be grounded, and anti-static measures done well. (Generally, electromagnetic shielding has already been considered in the design of the cabinets our computer room buys, so as long as the cabinet door is closed it will play a shielding role.)
b) The strong-current and weak-current cables mentioned above are laid separately, at a distance of more than 0.5 m;
c) Place equipment in professional cabinets and fix it in the specified slot positions.
Closing
The above is a summary of, and my personal understanding of, physical security under Classified Protection. I hope it is useful to you. In fact, real physical security is not limited to this content; even from the perspective of Classified Protection Level III, expanded fully it is a discipline of its own, and it also involves requirements for lighting, dust, airflow, passages and other aspects. If there is time later, we will continue with the next part, the network security part of the technical requirements.