Physical Network Infrastructure

In document Designing Network Security (Page 122-125)

The physical network infrastructure encompasses both the selection of the appropriate media type and the path of the physical cabling (the network topography). You want to ensure that no intruder is able to eavesdrop on the data traversing the network and that all critical systems have a high degree of availability.

Physical Media Selection

From a security point of view, the type of cable chosen for various parts of the network can depend on the sensitivity of the information traveling over that cable. The three most common cable types used in networking infrastructures are twisted pair, coax, and optical fiber. Optical fiber is most often used in high-bandwidth and long-haul environments. Unlike either twisted pair or coax, optical fiber does not radiate any energy and, therefore, provides a very high degree of security against eavesdropping. Optical fiber is also much more difficult to tap into than either twisted pair or coax cable.

Wire taps can sometimes be detected by using tools to measure physical attenuation of cable. Typically, a time domain reflectometer (TDR) tool is used to check coax cable, and an optical time domain reflectometer (OTDR) tool is used for optical fiber cable. These devices are used mainly to measure signal attenuation and the length of an installed cable base; sometimes, however, they can also detect illegal wire taps.

Let's take a look at how you can detect taps in fiber optic cable using an OTDR. One of the things an eavesdropper needs when tapping into an optical cable is an optical splitter. The insertion of an optical splitter into an optical cable allows the tap to be made, but it also affects the signal level in the media.

This level can be measured. If a benchmark optical signal level is observed at several points along the topology of an optical media network, any conventional optical tap inserted into the network should be observable. Figure 6-1 shows an initial OTDR fiber optic cable trace between two buildings.

Figure 6-1: A Baseline OTDR Measurement

Figure 6-2 shows the fiber optic trace taken after an optical splitter was inserted into the length of the fiber cable.

Figure 6-2: The OTDR Measurement After the Fiber Optic Splitter Is Inserted

Although these types of traces can be an indication that an illegal tap might be in place, they are most useful in detecting cable degradation problems.

Note An expert can insert a tap in a way that isn't easily detectable by a TDR or OTDR. However, it is good practice to initially take a baseline signal level of the physical cable infrastructure and periodically verify the integrity of the physical cable plant. Even if it doesn't detect unauthorized media taps, the measurement will provide you with some confidence in the integrity of the cable infrastructure.
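The baseline-and-compare procedure described above, as an added illustration that is not code from the book: an OTDR trace is modelled as (distance, level) samples, discrete loss events are extracted from each trace, and events in a later trace that the baseline does not explain are flagged. The sample traces, the 0.5 dB event threshold and the 5 m position tolerance are constructed assumptions.

```python
from typing import Dict, List, Tuple

# An OTDR trace modelled as (distance in metres, backscatter level in dB).
Trace = List[Tuple[float, float]]


def loss_events(trace: Trace, min_step_db: float = 0.5) -> List[Tuple[float, float]]:
    """(distance, loss_dB) for each abrupt drop of at least min_step_db between
    consecutive samples; gradual fibre attenuation is far below the threshold."""
    events = []
    for (_, p0), (d1, p1) in zip(trace, trace[1:]):
        drop = p0 - p1
        if drop >= min_step_db:
            events.append((d1, round(drop, 2)))
    return events


def new_events(baseline: Trace, current: Trace, tolerance_m: float = 5.0,
               min_step_db: float = 0.5) -> List[Tuple[float, float]]:
    """Events in `current` the baseline does not explain: no baseline event within
    tolerance_m, or a known event whose loss grew by min_step_db or more."""
    known = loss_events(baseline, min_step_db)
    flagged = []
    for d, loss in loss_events(current, min_step_db):
        nearby = [kl for kd, kl in known if abs(d - kd) <= tolerance_m]
        if not nearby or loss - max(nearby) >= min_step_db:
            flagged.append((d, loss))
    return flagged


def make_trace(length_m: int, step_m: int, atten_db_per_km: float,
               drops: Dict[float, float]) -> Trace:
    """Constructed trace: linear attenuation plus discrete drops at given distances."""
    trace, level = [], 0.0
    for i in range(length_m // step_m + 1):
        d = float(i * step_m)
        if i:
            level -= atten_db_per_km * step_m / 1000.0
        level -= drops.get(d, 0.0)
        trace.append((d, level))
    return trace

# Constructed sample: a 600 m inter-building link with one known connector at
# 300 m (baseline), then the same link after an extra 3 dB drop appears at 450 m.
BASELINE = make_trace(600, 10, 0.35, {300.0: 0.7})
AFTER_SPLITTER = make_trace(600, 10, 0.35, {300.0: 0.7, 450.0: 3.0})

if __name__ == "__main__":
    print("unexplained loss events:", new_events(BASELINE, AFTER_SPLITTER))
```

A splitter spliced in at the position of an existing connector shows up as growth in that connector's loss rather than as a new event, which is why the comparison also checks the magnitude of known events.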

When choosing the transmission media to install for various segments of the network infrastructure, it is important to ensure that eavesdropping on the physical wire is proportionally more difficult as the data on that wire becomes more sensitive. In addition, if it is important that the transmission media be secure, the entire data path must be secure (see Figure 6-3).

Figure 6-3 shows a large medical facility with two buildings connected by an FDDI ring. Because the server holding the patient records is located in the administrative building, and the doctor retrieving the information is located in the hospital building, both the backbone segment and the LAN segments of the network use optical fiber. It is very difficult for someone to gain access to patient information by tapping into optical fiber.

NOTE Although it is useful to keep the possibility of tapping in mind, in today's typical corporate network, there is very little need to use an "unauthorized" tap. Why bother with all the cloak-and-dagger stuff when there are all these PCs and workstations already attached to the network? All the thief has to do is run a program on any authorized workstation/PC to put its network controller into promiscuous mode; then the thief can "sniff" the network at his or her leisure.

Several shareware programs can do this now; they are available for Windows, Linux, Solaris, and others. There is no need for a thief to set up an actual sniffer on the network anymore. Because there is no way to prevent anyone from running such a program on a Macintosh or a PC running Windows 95/98, there isn't much point in actually worrying about restricting the ability to sniff. Even a policy stating that anyone caught sniffing the corporate network will be fired probably won't be very helpful because this is very hard to detect.

The issue therefore is reversed: The question you ask now is, "How do we prevent people who are sniffing the network from reading the contents of the packets they've sniffed?" The answer is obviously some form of encryption.

Network Topography

The physical path of the media, also known as the network topography, is a concern for the availability of the network and its attached devices. It touches on the reliability and security of the infrastructure. It is important to have a structured cabling system that minimizes the risk of downtime.

Imagine a large campus environment with multiple buildings. If the topography of the backbone network infrastructure is not a true starred network with common conduits at the base of the star, a construction worker with a backhoe could bring down large portions of the network (see Figure 6-4). However, if alternative physical paths are made available (that is, if you create a true starred network), only small portions of the network might become inaccessible if the physical cable fails (see Figure 6-5).

Figure 6-4: A Sample Physical Topography
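The backhoe scenario above, as an added illustration that is not code from the book: buildings are modelled as nodes and conduits as edges, each conduit is severed in turn, and the buildings that can no longer reach the building housing the core are listed. The campus layouts, building names and the choice of "Admin" as the core are constructed assumptions.

```python
from collections import deque
from typing import Dict, List, Set, Tuple

Conduit = Tuple[str, str]  # two buildings joined by one physical cable path


def reachable(adj: Dict[str, Set[str]], start: str, cut: Conduit) -> Set[str]:
    """Buildings reachable from `start` when the conduit `cut` is severed."""
    seen, queue = {start}, deque([start])
    while queue:
        node = queue.popleft()
        for nxt in adj[node]:
            if {node, nxt} == set(cut):  # the severed conduit carries nothing
                continue
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def backhoe_impact(buildings: List[str], conduits: List[Conduit],
                   core: str) -> Dict[Conduit, List[str]]:
    """For each conduit, the buildings that can no longer reach `core` if that
    conduit is dug up. Two cables sharing one trench are one conduit here,
    since a single backhoe cut takes both out together."""
    adj: Dict[str, Set[str]] = {b: set() for b in buildings}
    for a, b in conduits:
        adj[a].add(b)
        adj[b].add(a)
    return {c: sorted(set(buildings) - reachable(adj, core, c)) for c in conduits}


def single_points_of_failure(buildings: List[str], conduits: List[Conduit],
                             core: str) -> List[Conduit]:
    """Conduits whose loss isolates at least one building from the core."""
    return [c for c, lost in backhoe_impact(buildings, conduits, core).items() if lost]


# Constructed campus: the patient-record server sits in Admin. In the daisy
# chain every conduit is a single point of failure; adding one conduit from
# Clinic back to Admin provides an alternative path, and no single cut
# isolates a building.
BUILDINGS = ["Admin", "Hospital", "Lab", "Clinic"]
CHAIN = [("Admin", "Hospital"), ("Hospital", "Lab"), ("Lab", "Clinic")]
RING = CHAIN + [("Clinic", "Admin")]

if __name__ == "__main__":
    for name, layout in (("chain", CHAIN), ("ring", RING)):
        print(name, single_points_of_failure(BUILDINGS, layout, "Admin"))
```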

The cable infrastructure should also be well secured to prevent access to any part of it. If cables installed between buildings are buried underground, they must be buried a minimum of 40 inches, although local regulations might dictate other guidelines. Sometimes, cables can be encased in concrete to provide maximum protection. The International Telecommunication Union has a number of recommendations (the Series L Recommendations) that cover the construction, installation, and protection of cable plants. These guidelines can be found at

http://info.itu.ch/itudoc/itu-t/rec/l.html.