Slashdot Mirror

← Back to Stories (view on slashdot.org)

Securing Your Facility?

Posted by Cliff on from the doing-more-than-keylocking-your-door dept.

krahd asks: "We, at the CS department of our University, in Uruguay, are evaluating different ways of securing the access to our floor. Until now we have used just a traditional door lock, but its's time to delpoy a new, more geeky solution. So, after reading this Ask Slashdot, I figured I'd pose this question as a follow-up. What would be the best way to do it? We've already evaluated biometric technologies like iris-scanning and fingerprint-scanning, and more traditional ways like intelligent cards but, what others possibilities exist, and which would you choose? Yes, price does matter."

24 of 61 comments (clear)

  1. biometric!!! by m00by · · Score: 2, Interesting

    I'd say, go biometric. your thumb, or eye don't cost anything, and it should provide some good security. that, and it's way cool, and should work for a long time, unlike other things like smart cards which wear, and other card based solution.

    1. Re:biometric!!! by smoondog · · Score: 3, Informative

      We have fingerprint scanners to get into a computer room and they are very flaky. Lots of false negatives, dunno on the false positive rate (haven't tried). They also require a 4 digit pin number. Kinda defeats the purpose, huh?

      -Sean

    2. Re:biometric!!! by Hanashi · · Score: 4, Informative
      They also require a 4 digit pin number. Kinda defeats the purpose, huh?

      That does not defeat the purpose at all. The concept of using two different authentication mechanisms together is called two-factor authentication. Not only is it a well-established Information Security principle, it's also considered a Best Practice.

      After all, if someone steals your finger, at least they won't know your PIN!

      --
      Check out my eclectic infosec blog at InfoSecPotpou
    3. Re:biometric!!! by missing000 · · Score: 2, Informative

      Yes, fingerprint scans often can be defeated easily.

    4. Re:biometric!!! by PerlGuru · · Score: 2, Interesting

      I had trouble with dns for that link but was able to find this one. Probably to the same ZDNet article about fooling biometric scanners with Jello.

    5. Re:biometric!!! by Hard_Code · · Score: 3, Funny

      Also, presumably if someone steals your finger, you will be aware of the security breach rather quickly!

      --

      It's 10 PM. Do you know if you're un-American?
    6. Re:biometric!!! by skinfitz · · Score: 3, Insightful

      After all, if someone steals your finger, at least they won't know your PIN!

      ...Well not unless they put a gun to your head and say "give me your PIN".

      To tell you the truth where I work they would be better simply asking the staff for their PIN and "would they mind letting them in".

      Actually - I just remembered - we do have some doors that need those electro-magnetic induction keys to open.

      They are always propped open. The problem is that people can't be bothered with too much security - make it a hassle, and they will use the simplest method of bypassing the system to suit their own lazyness. This is where transparent biometric authentication will clean up - let the door know who you are without bothering you. By this stage though we will be at the same technology level as a guy on the door who knows you and opens it for you.

    7. Re:biometric!!! by MrResistor · · Score: 3, Insightful

      After all, if someone steals your finger, at least they won't know your PIN!

      I'm fairly certain that that anyone who's willing to steal my finger would be able to get my PIN without too much additional effort. The amount of pain I'd be willing to endure for the security of any of my previous or current employers, all of whom have proven to be willing to lay me off at the drop of a hat, is vanishingly small. A believable threat would likely be sufficient, especially if my cooperation meant I got to keep my finger!

      Then again, if I ever where employed by someone who actually showed any loyalty at all to their employees, I probably would endure a fair amount for them.

      The lesson here is: all the technological security measures and all the best practices in the world amount to precisely dick if you've done nothing to foster loyalty in your employees. And, of course, you can't get loyalty without giving it.

      --
      Under capitalism man exploits man. Under communism it's the other way around.
  2. Armed Guards by missing000 · · Score: 4, Funny

    Are cheap and effective. Keep a list of people allowed in and out, and check ID's religously.

    Not what you were looking for? I suggest implimenting a system involving some kind of 'frikin lasers'

    1. Re:Armed Guards by erpbridge · · Score: 3, Funny

      Or sharks... yeah, All I want are frickin' sharks with frickin' lasers on their foreheads.

      Oh, wait. You said you wanted this for a FLOOR... not a pool.

      Maybe call in Kevin McCallister, from Home Alone. He might be able to rig up a good butane torch at head level so whoever enters that door... well, let's just say they won't want to go in again. That, among other such traps.

  3. What are the requirements? by Hanashi · · Score: 3, Insightful
    n.b. the dangers of relying on Slashdot for critical security decisions...

    You didn't specify what your requirements for this project are, but I'd say that in order to make an informed decision, you should at least know this much:

    • Where you want/need access control (how many doors, for example)
    • How many people need access, and which ones need 24 hour access vs. time-limited access
    • How critical is the space that you will control access to? For most uses, biometrics are probably overkill. Keycards work well for many applications and are usually much more reliable.
    My advice is to think seriously about what you actually need, and don't try to solve problems you don't have. Make sure you get something that meets your real requirements, is stable and reliable, and fits in your budget.
    --
    Check out my eclectic infosec blog at InfoSecPotpou
  4. Maybe... by Hard_Code · · Score: 3, Funny

    ...get a bridge and position a guard to ask:

    What is your favorite color?

    --

    It's 10 PM. Do you know if you're un-American?
    1. Re:Maybe... by InsaneCreator · · Score: 2, Funny

      Just make sure he doesn't ask what is the air-speed velocity of an unladen swallow. I hear it might cause some problems.

  5. Use an electronic key pad lock by smoondog · · Score: 3, Informative

    Use an electronic keypad lock where users need a special 4 or 5 digit key to get in. Make sure it is smart enough to have many keys, so each user (or special group of users) gets their own unique key. Everytime someone leaves, just remove them from the list. Biometric methods are flaky and expensive. They sound cool, but, IMO, it will just make people want to break them.

    Appropriate Google search.

    -Sean

  6. Sadly the Solution Is... by Inexile2002 · · Score: 4, Insightful

    Whatever, any security system will do.

    Just manage it properly. I chimed in on the last conversation on securing your network and made basically a related point. You can implement biometrics (I wouldn't recommend), proximity cards (which seem very popular and have some advantages that I'm sure others will discuss), keypad locks etc. But, if you don't manage the access, that is track who has a card, who used to have access but shouldn't now etc everything else is just there for appearance's sake. Security is a process, NOT one time thing.

    Say you go with proximity cards, the real security in those is that you can regularly check who has access to what, who USED their access and so forth. (While also true of a keypad or biometric system, proximity card systems relatively cheap, reliable and ubiquetous on the market.) Regular reviews of access and access privileges are MUCH more important than which technology you choose.

    That said, you should define very clearly who should and shouldn't have access to your secure areas. Once you've defined who should and shouldn't, then define what levels of security will exist for those who should have security privileges. THEN, regularly review security privileges to see if the actually privileges out there jibe with your security definitions. Finally, if possible, design your system based on layers of security, where the most secure areas cannot be reached without first passing through less secure areas.

  7. Keep it simple.... by denubis · · Score: 2, Informative

    As a student at the IT dept at RIT, I've had a chance to observe our security firsthand -- it's really quite simple. The easiest security measures are "scramble pads" -- everyone has an ID code, but the numbers on the pad are displayed in random order, so other people cannot observe the code you enter. It seemed to work really well.
    We use ID card/code right now, and there's quite a lot of grumbling over it.

    Either way, they are simple and secure -- don't bother with anything fancy, it isn't worth your time.

  8. iButton by fille · · Score: 2, Informative

    Maybe you can use iButtons? They're more robust than plastic cards and you can add a keypad for extra security. You can also hook them up to a pc to keep a log. However, the buttons are quite expensive so let the students/staff pay for them or they'll lose them frequently..

    --
    History matters..
    1. Re:iButton by deque_alpha · · Score: 2, Interesting

      We use iButtons on keychain fobs in my school district, and they work quite well, until someone loses a fob or we actually need to do an access audit. I don't know if this is typical of other ibutton based systems, but we have no central way to track / change access and the fob-locks require batteries which need to be replaced pretty regularly (every 6 months or so.
      If someone loses a fob, then the lock person (luckily not me) has to go to every lock and remove that fob from the list of fobs that lock will recognize. We probably only have 14 fob-locks in the district, but it still is time consuming.
      If you get an ibutton system (which seem like they would be good if they were properly implemented) make sure you can centrally manage it and that the locks don't use batteries as their primary power source.

  9. Post a guard by MarkusQ · · Score: 3, Insightful

    There is only one physical security system worth squat (IMHO): a single door and some old, cynical guy with a gun.

    -- MarkusQ

  10. Ummm... Security guards? by poofmeisterp · · Score: 3, Insightful

    Nobody wants to hire a few decent-quality security guards anymore. I mean you'll want to lock the facility down with a nice little card access system, but there's a lot to be said for face recognition and random inspections/stops. Spend money on a person.

  11. Physical security by rice_burners_suck · · Score: 2, Funny

    Incoming telephone, cable and electric lines should be protected from the moment they enter your building. All lines should enter into a protected equipment room in the basement, which should be a concrete room with a strong, locked steel door. From there, all lines that run to your networking areas should be enclosed in protected ducts that are difficult to saw into. Each networking area should have walls of concrete with thick chicken wire on each side, over which the drywall and plaster is installed. All doors entering into these areas should be of the metal variety. No windows should allow looking into these areas. Inside the networking area should be a concrete room containing the high end servers and other expensive equipment that provides frequent services but is accessed infrequently. These should be locked behind strong doors. Guards should be posted by each door, including the one to the basement and to each networking area. Each member of personnel should have an ID badge that is difficult to counterfeit as well as a five digit entry code. The ID badge should be verified by the guard as the security code is entered into the system. This allows the door to unlock. Guards carry keys that unlock only a deadbolt on each door. The security code opens the other lock. Thus it is necessary for both the guard and the other person to participate in unlocking the door. Guards carry weapons to fight anybody who attempts to enter by force. Inside the networking areas, all computers are secured by digital means outside the scope of this post. This security setup can then be touted as 100% secure and unbreakable. Management is stupid enough to believe a claim like that.

  12. Depends by Glonoinha · · Score: 4, Insightful

    I would say it probably depends on how important locking down the facility is to him.

    If you only need to keep honest people honest then locks and keys are really the best bang for your buck, and are going to be equally as effective as any high dollar thermal / visual / biometrics system.

    Given that many buildings are built to residential spec's (meaning 18" between studs with drywall) or have glass windows I can circumvent most door locks with a razorblade (cut through the drywall anywhere except where the door is, generally from a neighboring room,) a hammer (break glass, climb in,) or a ladder (false hung ceilings are made of something only slightly more substantial than cardboard, move the ceiling tile in the hallway, climb up, move 6 feet in, move another tile, drop down.

    None of the above are particularly effective vs. an armed guard with an attitude.

    --
    Glonoinha the MebiByte Slayer
  13. Drywall is cheap. Don�t forget the basics� by (H)elix1 · · Score: 4, Funny

    Make sure your walls go all the way to the top. Sounds silly, but way back when I was in college, the company I worked at installed all sorts of card readers and magnetic locks. What they did not do was actually run the wall beyond the suspended ceiling. On the bright side, the doofus's id card triggered the reader on the other side when he hopped the wall.

    --
    +++ UGUCAUCGUAUUUCU
  14. Where I used to work by Judg3 · · Score: 4, Interesting

    We used a combo of Proximity/Smart cards and some biometric stuff.
    All the workstations for the operations department used smart cards that also acted as proximity cards.
    You'd plug in your card to the PC, enter a password, and you have access.
    It also doubled as the proximity card, which we used for all the datacenters we had in the building, as well as for some of the cabinets.
    For the critical NASDAQ stuff we had a seperate room with a mantrap, proximity card and hand scan. Once again all those cabinets in the room also used proximity cards.

    This way, while most of us had access to the datacenters, we could only access the cabinets that we were supposed to. Network guys could only access cabinets that where needed by them, etc etc.

    Worked pretty well, especially the combo smart card/proximity card. This way, you had to grab the card and take it with you when you went anywhere, which locked the workstation and prevented an inhouse people from tampering with anything.

    --
    Looking for hardware (Currently need: Large Etch-a-Sketch) Have one? See my journal!