Introduction and Physical Security

Welcome to the first part of Securing Your WHS & Network. We have divided this topic in to multiple parts because we want to provide comprehensive coverage.  In addition, we recognize that our members have a wide range of technical capabilities. To address this, we have decided to explain the technology in an easy to read format.  We speak from experience of attending computer and network security seminars that the standing joke is that everyone falls asleep by the end of the first hour.  Our goal is to be informative without being pretentious.  Our hope is that all who read this series will gain an increased awareness of the threats and vulnerabilities to which we are all susceptible. The mission is to become better prepared and be able to manage those threats as they relate to each environment.

The following is the contents breakdown of the topic that we will discuss:

i.     History of the personal computer;
ii.    General aspects of threats and risk assessment as it relates to a security plan;
iii.   Concept of physical security;
iv.    Criteria to identify computers and computer components that are critical from those that are merely important;
v.     Recommendations on how to protect the computing and networking environment;
vi.    Importance of surge and power conditioning as it relates to critical and essential devices;
vii.   Reality of component failure and the need for spare parts; and
viii. The essential criteria for building a Windows Home Server.

The History of the Personal Computer

The personal computer has changed how we live and communicate.  It is hard to believe that a little more than 25 years ago the personal computer was based on an 8088 4MHz CPU, had 64KB of memory, two floppy disk drives the size of a CD disc, a 13" CRT screen the size of a small television, and no hard drive.  And it cost over $5,000! 

Laptops have also evolved over time. Once upon a time Compaq was a leading edge manufacturer of personal computer clones and everyone wished they could afford the new "portable" PC.  It weighed over 25 lbs. but it was pure envy.  Compare that to the current MacBook Air that is just a tad more than ¾ " thick and weighs 3 lbs with a battery.

Today we have wrist watches with more power than the original personal computer.  We have a choice of competing manufacturers of CPUs that are 1,000 times more powerful, a choice of competing operating systems, use gigabytes of memory, terabytes of hard disk space, and have as many flat screen monitors we can afford.  We can even get our personal computer shrunk to a size that will fit in our hand and it is also a telephone!

There is no doubt that the personal computer was an instant success.  Soon people were buying their own computer for their home.  Businesses recognized that the use of personal computers made employees more productive.  Teachers and parents saw the strengths in using it as a tool for teaching children.

As the number and use of personal computers grew so did the need to share information.  What developed was the unofficial birth of the "Sneaker Net" or "Floppy Net".   When a file needed to be shared, it was written on a floppy disk and given to the person who needed it.  Many times an employee would take the floppy disk home and work with the file later in the evening.

At this time there was little concern for computer security because the personal computer was considered as being "personal" and there was a huge rebellion against all the controls and limitations invoked by the mainframe systems.  As long as the people who were swapping files knew each other, there was a feeling of personal trust and it seemed okay at the time.

Soon electronic bulletin boards evolved.  People purchased a modem, attached it their computer, and have their computer dial in to the bulletin board.  The bulletin boards had chat areas and areas to exchange files.  This was the beginning of social networking and the first time information was exchanged without actually knowing each other.  This was also the time our innocence was lost because viruses intent on destroying data were being spread.

As time passed businesses connected their computers in local area networks (LANs).  The bulletin boards were replaced by the Internet, and now just about all computing devices from telephones to personal computers to mainframe computers are interconnected by the Internet.

What is Computer Security?

Computer security is the intentional protection of a computer and its files against threats.  This means that one must determine where the computer is to be used, who is going to use it, and what type of information is it going to be retained.   One must consider factors such as how important is the computer and files in relationship to how it is used, why it used, and where it is used.  One must consider what one would do if the computer or files were no longer available or if the computer or files were stolen.

The importance of computer security increases in relationship to how the computer and files are used.  This may range from one person using only one computer to many users with many computers connected by a local area network (LAN) and/or the Internet.  As the level of usage and interconnections increase, so does the need for increased protection.

Threats come in various forms.  The computer is made up of component parts such as power supply, system board, memory, hard drives, and fans.  These parts do not last forever and will fail over time thus posing a threat.  The computer is used by people who pose threats.  The computer is a sensitive electrical device that can be damaged by static electricity and fluctuations in electrical power such as brownouts and spikes.  The computer can be physically damaged by fire, water, or accidental use and can even be stolen.  Also, files may become corrupted, accidently or intentionally deleted, or stolen. In a study conducted by Dell, Inc. and the Ponemon Institute found that more than 12,000 laptop computers are lost per week at US airports¹.  The Insurance Information Institute reported that in 2001 computer viruses caused an estimated $13 billion in damages².  These statistics demonstrate there is a real need for computer security.

To be effective, computer security must be practical and easy to use, almost like becoming a habit.  The most important part of computer security is to have the awareness of threats and understand that one must personally play a major role in protecting the computer and files.  It is like not locking the front door and wondering why someone walked out with your television set.  The Insurance Information Institute has an excellent document entitled What Should I Know About Risk Management³.  This document is written for small businesses and it applies to all who have a Windows Home Server. We recommend that this document be used as a resource.

¹ Used by permission.  Larry Ponemon,  Airport Insecurity: The Case of Missing & Lost Laptops, June 30, 2008, sponsored by Dell, Inc. and Ponemon Institute.

² Used by permission.  Computer Security Related Insurance, May 12, 2008, Insurance Information Institute.

³ Used by permission. What Should I Know About Risk Management, May 12, 2008, Insurance Information Institute. 

Developing a Security Plan

A security plan is the identification of a threat and what one is going to do to manage the threat.  Threat management is a combination of prevention and mitigation.  This means that the person who accesses the computer has a legitimate reason to use it and its files, that the computer is physically protected from hazards, and that the files are always available without alteration.  

As more homes and small businesses connect more than one computer together by a local area network (LAN or network), there are more incidents that can pose a threat.  As a result, an additional level of computer security is needed to protect the computers and servers.  Furthermore, as more homes and small businesses connect their LAN to the Internet the level of security is further compounded.  Once connected to the Internet, one can no longer ignore protecting their computer from attack.

We recommend that the What Should I Know About Risk Management document be read and used as a guide to developing a security plan.  We will have an in-depth discussion of both environmental and cyber-related threats and how to manage them in this and subsequent blogs.

Physical Environment

The easiest part of the threat and risk assessment is the physical environment.  This is because one can see where each computer is located and how it is used.  Identify the physical protection of the computer and take an inventory of what is connected to it.  The authorized user should be able to use it safely.   We recommend that you make sure that the computer and wiring are out of the way from traffic, so that objects cannot fall on it, there is sufficient ventilation, it is not near water sources, that it is protected from electrical surges, and out of reach of pets and small children. 

It is extremely important to identify all the potential sources of electrical power spikes and surges.  The most obvious source is the electrical system.  However, spikes and surges can originate from the telephone company's copper wiring, coax cable from the cable company or terrestrial or satellite antenna, plumbing, even an in-ground sprinkler system, swimming pool, electronic pet fence, and exterior lighting including low-voltage systems.  All these sources share a common ground and any device that is not protected can be damaged and spread the surge to and damage other devices.

Next, prioritize each computer and device that is being used.  Identify computers and devices that provide files or services to other devices as being critical. The remaining devices on the network are classified as being important.

Critical computers include the Windows Home Server; computers that share printers; and computers that share word processing, spreadsheet, presentation and media center files. Critical devices include the ISP interface, routers, switches, hubs, and wireless access points.  The ISP interface includes DSL and Cable Modems and the FiOS network interface. 

Because other computers depend on these resources, special attention is needed to ensure that they are always available.  We recommend that these devices be protected by electrical power fluctuation by UPS devices.  The cable that connects the ISP interface to the router should be protected by a surge protector to guard against high voltage spikes being transmitted by the ISP's wiring.

All other computers and devices are classified as being important because if not properly protected could affect other computers on the network.  It is possible that an unprotected device can transmit surges through the network cable.  Also, if these are damaged they represent a cost of both money and lost time.  We recommend surge protection for all these devices, including the telephone wire for all modems.

Other considerations would include moving the Windows Home Server, the ISP interface, and router to a separate room.  Also, consider the humidity, carpets, and the plastic chair mat for the office chair.  During those times when humidity is low, the chance of damaging your equipment by static electricity increases.  Consider methods of adding humidity to those low humidity areas.

For many homes and small businesses, having a Windows Home Server is the first time server based software and computer dedicated to running server software has been introduced.  This means that the server computer is running all day, all night, all the time.   Since the computing power required by WHS is moderately low, many are using an older computer as a server.  The alternative is to purchase a preconfigured computer or build one using a combination of new and/or used parts.  Regardless of the option you choose, be prepared for some component to fail. 

The manufacturers of computer component parts attempt to determine how long the part is designed to last.  This is known as lifespan and is represented in mean time before failure (MTBF).  For example, a power supply can be rated with a MTBF of 100,000 hours or just under 11 ½ years.  In contrast, the warranty period offered by the manufacturer may only be three years.  Does this mean the part will last at least three years?  Not really, it just means that you can get a replacement during the three year period.  You still will have to pay to ship the part back and have to wait until a replacement arrives.  In many ways the warranty period represents the manufacturer's confidence of how long that the majority of products will last.

Granted the vast majority of components can last for years but when one of your components dies it is natural to think it is the most worthless product in the world.  The hard drives and power supply are most likely to fail first.  The life of hard drives is affected by the number of "spin-up" cycles and the frequency of reads and writes.  The life of power supplies is affected by the number of on-off cycles, power brownouts and spikes, and internal power demand of hard drives, optical drives, RAM, graphic cards, etc.   Using surge protection and UPS devices that can condition or smooth out the power can help, but eventually a component will fail. 

Depending on your budget and technical capabilities one should consider having a spare power supply and hard drive available.  This may save both time and money rather than making an emergency trip to the local computer parts store or pay for expedited shipping from the on-line computer retailer.

Stay with us, because in later blogs we will give you some ideas on how to use that spare hard drive in case your WHS system drive fails.

We have not discussed data backup and anti-virus software because we will address it in later blogs.  Of course, performing a backup of your data and having anti-virus software installed on every computer is important.  WHS is designed to perform backups of computers connected to it well.  However, have you considered making a backup of the data that is stored on the WHS?  Again, stay with us because we have plenty more about computer security to talk about.

Home Server Land's Recommendations:

1.)     We at Home Server Land recommends the following configuration for your WHS computer.  Whether you feel technically confident to roll up your sleeves and do it yourself or you are purchasing a pre-configured solution, you can use the following criterion as a baseline for your WHS computer.  To view different home server solutions, click this link to the Microsoft Windows Home Server "Buy One" page.

• A mid-ranged CPU like an Intel E8400 or AMD 4850e;
• The motherboard should support the CPU that you have chosen, one that should support hardware assisted virtualization, have an on-board graphics processor, at least one on-board gigabit LAN connector, is capable of addressing at least 8GB of RAM, and at least four SATA II ports;
• a 64-bit capable system is recommended (for future proofing)
• 2GB of RAM that is certified to work with your motherboard configured to expand to 4GB;
• At least 500W power supply, 650W if using graphic card and more than three hard drives. One that is 80%+ efficient;
• Two 500GB SATA II hard drives, two 1TB SATA II hard drives if storing DVDs and TV programs;
• A DVD/CD burner SATA interface, IDE if you plan to use four SATA hard drives; and
• Rackmount: ARC 4U 500-CA, Mid-Tower: Antec Three Hundred.

It is possible by timing purchases to take advantage of sales; taking advantage of manufacturer rebates, and using spare parts, such as a burner or hard drive, this configuration can be built for around $400.  It is important to think of the future when configuring the WHS computer.  Presently WHS can address up to 4GB of RAM, but in the future it could address more.  The speed of CPUs, motherboards, RAM, and SATA will increase.  Another part of the security plan is to factor obsolesce and new enhancements.

2.)     We recommend that every critical computer, the ISP interface, router, and switches be protected by a UPS.  In addition, the RJ-45 connection between the ISP interface and network router be protected from surges. Many UPS devices have built-in surge suppression for RJ-45 connections.

3.)     We strongly advise that Grid Junction be installed on the Windows Home Server.  Grid Junction should be configured to initiate a shutdown of the WHS and to run a script to shutdown all the remaining computers.  We will discuss the functionality of Grid Junction in detail later in these blogs.

4.)     It is essential that the electrical power of all other computers and every device that is physically connected to the computer be protected by a surge protector.  This includes but is not limited to monitors, printers, scanners, TVs, home entertainment and audio systems, media extenders, network switches and hubs, and wireless access points.

5.)     We recommend surge protection capable of the following specifications.

• Greater than 1,000 joules;
• Greater than 40,000 amps;
• Clamping voltage of 300 volts or less; and
• Response time less than one nanosecond.

6.)     All modems that are connected to computers have their RJ-11 cable also need to be protected from surges.  Many UPS and surge suppression devices have a built-in RJ-11 jack to protect from spikes.

7.)     Every coax wire that enters the building should be protected by an in-line surge suppression device.  It is possible that the building could have more than one source, including external antennas and cable companies.

There are many options available that range from whole house protection to individual device protection.  Even if whole house surge protection is used, the Underwriters Laboratory (UL) strongly recommends additional secondary surge protection be used for individual electrical devices.  This is because surges can originate from sources such as from inside the building or yard.

We at Home Server Land have developed a Threat and Risk Assessment of the Physical Environment guide and a Threat and Risk Assessment Worksheet that can be used to assist with the identification threats or vulnerabilities and methods to prevent or mitigate them.

Summary

This concludes Part 1 of Securing Your WHS & Network.  In this section we followed the growth of the personal computer from its birth to its use as a mainstay in today's communication and computing culture.  In many ways the first practical use of the personal computer is as important to our generation as was the telephone in 1876.  In both cases, both were embroiled in a controversial start as to who really originated it.  But there is no doubt that that both evolved from technical wonders to must have necessities.

We also discussed in this part the concept of security awareness and developed a worksheet to aid in the implementation of a threat and risk assessment.  We also made recommendations on ways to secure your Windows Home Server and the network.

In Part 2 of our Securing Your WHS & Network series, we will continue with a discussion of different ways of building a network.  We will delve deeper into ways to enhance the security plan to manage the threats and vulnerabilities as they relate to network topologies.

In the meantime, we invite your discussion in response to this blog in the forums.

Attachments

• Physical Security Risk Assessment
• Threat and Risk Assessment Worksheet

Continue to Part 2 - Network Topology and Security