Slashdot Mirror
Ethernet Wiring Through Hostile Territory?
GoogleDidntFindIt asks: "I need to connect a terminal to a server which contains very sensitive information. Unfortunately, the terminal is about 200 feet away from the server. The server (which even includes a 'self destruct' device) and terminal are both in highly secure areas of the building, but the wiring will be in uncontrolled areas. What should I do to keep people from tapping or monitoring the wire?" Is there any way a conduit can be wired with an alarm which goes off when it's integrity has been violated?
"Heres a basic description of my situation:
- A new wire/fiber/cable/whatever will be run and I can use any sort of conduit I want.
- A potential attacker may have several days of undetected access to parts of the wire/conduit and may have sophisticated fiber-optic tapping equipment (which can tap a fiber without cutting it).
- I can physically inspect the conduit/cable/wire once a month.
- Ideally, the system would also notify me of a majority of successful attacks (or, even better, disconnect the line).
i believe major investment houses and large banks have little black boxes to place on both ends of a T1. they do the crypto, but they also constantly stream random bits if there is no real traffic.
do you care about someone pumping a few amps down the wire and trying to burn out the IO pins on your super-duper computer? in that case it would be prudent to pick up your soldering iron and build a serial relay with electro-optical interconnects.
your best bet may be to just go wireless, run IPSEC and keep lots of random traffic in the background. at least it would take more smarts to create an EM pulse strong enough to attack the electronics.
It seems like a good idea, but then you have one more security system to secure. How do you know someone didn't tap into the pressure monitor and override it first? Now you have to have security layered upon security.
Drilling tiny holes is easy to do, and it can be done under pressure, or under vacuums. The high pressure problems are regularly dealt with when they splice trans-oceanic cables. (These are much bigger, I know.)
Fiber is hard to splice, but it's not hard to knick just enough to bleed some signal off of, so fiber may not be good. However, it's better than copper, since someone with Van Eck equipment might be able to read the signal without actually opening the conduit.
I'd recommend making it look like something other than conduit, or hiding it inside of other pipes, like sewer pipes or steam pipes (those pipes need not be active). You might even consider using the glass waste pipe that they use for chemistry waste, as this is harder and more fragile to deal with than metal conduit. It also allows for visual inspection. The alternative is to place the conduit in a secured location, or at least in a blatantly public location (like in the middle of the ceiling in the middle of the most used hallway) so that tampering efforts are quickly noticed. Don't rule out motion/vibration sensors (including motion in the area of the conduit). If you're going to use a vacuum, there are real-time smoke sniffers I've seen that constantly pull air through pipes and sniff it for smoke (the server room here has several). One of these could probably be adapted that notices smell changes, such as adhesives or hot metal from cutting. One of those companies that are working on bomb/drug sniffers for the Feds and airports might have something.
The real problem with asking us is that the people who know may be under federal rules not to say anything.
I think your simplest solution is to make a 200' dog kennel, put the wire in there, and let a couple of mean dogs loose to guard it.
Am I the only person wondering why you can't just stick the terminal in the same room as the server? There would be 0 (zero)chance of monitored communications between the two machines. If both computers are only available in secured locations anyway, what would be the problem with this? It's cheap, easy and effective.
What if he's the one trying to break in to an already existing setup and is just looking for ideas on what kinds of defenses he might encounter?
I see even classic Slashdot is now pretty much unusable on dial up anymore.
I can't think of much data that would be sensitive enough to warrent this level of protection. AFAIK even the government feels good encryption and frequent (weekly) inspection of the fiber is good enough to protect critical military operational data.
If your worried about someone with government level resources cracking the data and the amount of data trafficing the pipe is not huge your best bet is a pad cypher (generally considered to be unbreakable). Generate completely random data (atmospheric noise is a good source), burn it to two CDROMs. Encrypt and decrypt the stream of data on each end. You can use a small embedded PC on each end if the data stream is non-standard. Never reuse the same stream of random data.
You can get cheap ipsec boxes to connect sites to each other over ethernet. Red Creek (still around, to my great surprise) makes a 6-ounce, 6x4 inch device that connects ethernet to ethernet, and runs ipsec over one ethernet link. Put one of these in each secure enclosure, and you should be in business!
sulli
RTFJ.
then string some innocent looking, dusty speaker wire in the ceiling, and use that ... the robbers will concentrate on the secure fiber.
Like having a $50,000 safe in you house, then burrying the Krugernads in the backyard; the theievs waste time on the (empty) safe.
-- www.globaltics.net
Political discussion for a new world
ignore all the comments about high pressure and other crap. pressure systems need to be maintained continously and are prone to failure.
Try this :
put a bunch of fibre optic strands into a steel pipe (large). make sure the fibre is all loose strands of single mode fibre (glass) and not encased in a protective coating. then fill the pipe completely with concrete and let it dry. attach the fibre to the terminal and the server and run something to monitor the connection 24/7. if the bad guys blowtorch thru the steel pipe they need to use a hammer to get thru the concrete. cracking the concrete cracks the fibre along with it destroying your connection (even if it is temporary and they rig something up to restore the connection your software monitoring the connection can sound the alarm). since single mode fibre is essentially very thin glass strands you will loose a few strands while pouring the concrete but at least one will work. you can use the one that works.
its messy but reliable. epoxy and other nasty stuff in layers with the concrete is also useful.
The big boys use a plastic sheet coated with carbon tracks in many layers. Goretex (yes the same one that makes boots) sells this stuff. It is generally used to protect small devices from being probed. It works by measuring the resistance of the carbon tracks and can detect sub-micron drills. Crypto units in gov/mil applicions use this technique, so it is considered to be the best method.
In your case the wire would be wrapped in this stuff and then coated in a soft epoxy resin. Any damage to the sheath and the system can take evasive action...
I've got a contact in this area - Email me and I'll put you in contact.
I am the NUL and the DEL, the beginning and the end.