Monday, July 5, 2010

Protect Your Network Ports

I generally sleep pretty well, especially in a tent in a light rain. But one of the things that sometimes wakes me up and keeps me up in the middle of the night is the physical security of my network ports. The prospect of someone having their own piece of equipment, with their own tools, on my wired network is scary, especially in the dark.

What could happen? A user may simply plug their notebook into a port they find available, thinking it's OK to do so. They may be infected with malware clever enough to inspect the local LAN and infect whatever it may find there. But this isn't so bad. We already have to protect ourselves against our own PCs getting infected and then infecting the rest of our LAN.

What if you have a malicious user? If the user is interested in getting information, then having access to your LAN is more than half the battle. Generally the information kept by libraries is boring and of little interest to others, but some of it is private and we are bound to protect it. The most obvious, easiest, and best way to keep curious hackers out of your data is simply to keep them physically away from your LAN.

Or if a user can get access to the back of one of your PCs, they can put a key logger on it. A key logger is a device about the size of a thumb drive (memory stick, USB drive, whatever you want to call it). It gets plugged into a USB port on the back of your PC when you aren't looking. It's small and innocuous, and how often do you look back there anyway? It records every keystroke you make on that PC. They come back days later and remove it, when you aren't looking. They take it home and find all the passwords keyed in while it was attached. It takes 3 seconds to install and 3 more to remove.

It gets worse. What if the user is not interested in grabbing data, but instead is a simple vandal? They may wire together a power cord and a network cable, walk into the library, find a spot with a power outlet near a network drop, and game over! All of a sudden, all network devices and PCs, potentially everything on your wired network, need to be replaced. How do you stop this? Not easily.

So what is the action plan to protect ourselves as best we can from these situations?

  • Leave no network port available for a patron to plug into. This is frequently much easier said than done. But it is important.
  • If your network uses patch panels, make sure that any unused drop is unplugged back at the patch panel.
  • If you have a particularly secluded PC and network drop, consider getting an RJ45 lock (Google "rj45 lock"), so that a user cannot unplug the PC and plug their own equipment into the port.
  • Make the back of a PC inconvenient for a patron to access and insert a key logger. Put the PC under a desk, or put some kind of cover over the back of the PC.
  • Be wary of your patrons' behavior around your computers and network ports. Some patrons here seem to expect access to a network port. I know some places do provide that service. We may too someday, but only under carefully controlled conditions.

I hope your summer is going well, and I'm not disturbing your sleep patterns. And by the way, did you hear we were selected to receive the BTOP grant? The Montana State Library rocks!

