13_Safeguarding_the_Servers

advertisement
Dr. Natheer Khasawneh
Sara Ismail


This chapter presents access control options for a Data
Center and recommends standards of operations for people
working in the room.
The chapter also provides best practices for equipment
installations and suggested guidelines when touring visitors
through a server environment.


1.




It is important to physically protect your environment from intentional
theft or vandalism, from accidental damage by personnel not trained to
work in a Data Center, and from unauthorized personnel obtaining
sensitive information.
The most fundamental way of physically protecting the items housed in
a Data Center is control over who can enter:
Door controls:
Data center doors might be equipped with sturdy locks. Keep a log of
who has such access and prohibit copies of the keys from being made or
the combination from being further distributed.
Most businesses choose a more automated approach known as: a card
reader or badge access system.
There are even biometric security features that scan the shape of a
person's hand or fingerprints or focus on their voice, facial features, or
iris patterns.
It is also possible to install a revolving door mechanism that allows only
one person to enter at a time, this prevents tailgating.
2. cages:
Pros:
 It is an easy way to provide a restrictive
barrier within a server environment.
 Fencing prevents unauthorized personnel
from entering a given space.
 It is cheaper to build and generates less
of a mess during construction than
a traditional wall.
Cons:
 A cage still enables people to look in and know that something of value
is inside.
 It attracts more curiosity than a regular room with walls.
 A cage also can't protect what it doesn't surround.
 A break in the conduit or cabling can cause downtime to equipment
within a cage, no matter where the damage occurs.
If you do cage in a portion of a Data Center, take the following precautions:
 Extend cage walls below the raised floor and above the false ceiling.
 Cover cage walls with a hard, opaque surface.
 The more electrical conduits, structured cabling, and source equipment
feeding them that are located outside of a cage, the easier it is for
someone to cut, break, or shut down power and connectivity into the
space.
3. Locking cabinets:
 These locks come in several forms—key, combination, or even card
reader.

The use of locking cabinets requires you to administrate their access
controls as you do the controls for the Data Center itself.
4. Closed-Circuit Television Coverage:
 can be installed to monitor and record who enters and leaves the Data
Center, and point at the room's most important servers and networking
devices.
 You might install cameras under a raised floor to view the condition of
infrastructure there.
5. Access Policies and Procedures:

Establish a Data Center access policy that defines who is allowed to
enter the room and under what circumstances based on job
classifications.

Apply policies that distinguish between long-term and short-term
access.
 Among the questions that should be addressed by your company's
Data Center access policy are:
 What job functions qualify someone to enter a Data Center?
 How does an employee request Data Center access?
 Is badge access provided for vendors, contractors, or other nonemployees?
 How is access granted during an emergency?
 How often are access privileges reviewed and by whom?
 What are the penalties for access violations?



The point is that, as valuable as the rules are, it is more important
that anyone entering the Data Center simply understands the
sensitivity of what is inside the room and treats those items
accordingly. Requiring people to have a certain minimum knowledge
of the server environment and its rules can reduce downtime caused
by user errors.
Implement Change Management: Change management is a method
of planning, coordinating, and communicating about activities in
and around a company's vital facilities—the Data Center, Network
Room, areas that house primary and standby electrical
infrastructure—that are vital for the business to remain operational
and serve its customers.
Change defined: Change is an alteration of any Data Center
element—an infrastructure component, a server application, power
availability, or connectivity status—that might affect a client or
hamper the ability of a company to provide its regular services.







Typical Data Center-related activities that do require a change request
include:
Any event known to require downtime by servers or networking devices
accessed by customers
Work on major electrical infrastructure supporting the Data Center, be it
a power distribution unit, uninterruptible power source, or standby
generator
Work on a Data Center air handler, chiller, or other cooling component
Any activity involving Data Center emergency power off controls
Work on infrastructure within the network room where Data Center
connections terminate.
Change Request Essentials: Under change management, plans for
upcoming activity in a Data Center are spelled out in a document called
a change request. The requestor must explain the work that is to be
done, justify why it needs to occur, provide specific start and end times,
define what systems are to be affected, state potential risk by doing the
work, and provide a plan to stop and return things to their prior
condition in the event a problem occurs. Write change requests in plain
language and include as much detail as possible.

•
•
•
Examples:
Change request for infrastructure maintenance.
Change request for a server repair.
Change Request for Minor Electrical Infrastructure Changes.

Example: Change request for a server repair.
CHANGE TITLE: Replace faulty CPU on PRODSERV1
CHANGE REQUESTOR: Jane Systemadministrator
NOTIFICATIONS: systemadministrators@company.com, clientgroup1@company.com
CHANGE REQUEST ID#: 000002
START TIME: Tuesday, Aug-16-2005 14:00
STOP TIME: Tuesday, Aug-16-2005 16:00
HOSTS AFFECTED: PRODSERV1
APPLICATIONS AFFECTED: APP4, APP6, and APP8
DESCRIPTION OF ACTIVITY: PRODSERV1 has a faulty CPU that caused the machine to crash
recently. We have arranged for the manufacturer to come out and replace the failed
component. It will take about an hour to replace the CPU and boot the machine back up.
Once this is done, we will confirm that the system is functioning normally.
RISK ASSESSMENT: This work requires bringing PRODSERV1 offline, but no other hosts in
the Data Center will be affected.
BUSINESS BENEFIT: The new CPU will restore the server to its normal working condition
and reliability.
INSTALLATION IMPACT: The server will be off line while the CPU is replaced. Downtime for
this event has been scheduled with the client group, so they are prepared to not have
access to this machine and its applications for two hours.
BACKOUT PLAN: If a replacement CPU is unavailable, this work will be postponed.
NOTES: None.

1.
2.
When to Make Changes:
One approach is to conduct all work outside of traditional business
hours. This has the advantage of eliminating intentional downtime
during peak usage hours for customers. The main drawback of this
approach is that it can significantly increase the labor costs for a project.
Contractors for certain trades need to be paid time-and-a-half or even
double-time to work late or weekend hours. If all Data Center activities
are restricted to after business hours, company employees might also
face long workdays during times of great activity.
The second approach is performance of Data Center work during the
regular business day. If a company has customers around the world,
there aren't really any off hours during which downtime is more
palatable. This approach has the benefit that, if something unexpected
occurs during the work, the company's normal personnel are at the site
and able to respond immediately. Employees might be harder to reach
after business hours, potentially lengthening downtime that occurs.




1.
the things that they aren't supposed to do:
Don't Leave Trash in the Data Center: A clean Data Center can also
reduce confusion and the loss of valuable items. Prohibit food and
drink.
Don't Steal Items or Infrastructure:. No one should take data ports,
electrical receptacles, and other tools without permission.
Don't String Cables Between Cabinets:
Stringing cables between cabinets unintentionally binds them
together. If someone needs to relocate one cabinet, they are unlikely
to know that devices from other cabinets are tethered to it. When
they move the cabinet, they can easily yank the connecting lines free
and cause unexpected downtime. If cables crisscross among
multiple cabinets, this can affect dozens of servers in a row.
2. If the cables that are strung to another cabinet are plugged in to the
infrastructure at that second location, there is an additional danger
of overloading the provided components. If the practice involves
patch cords, the problem is simply one of occupying data ports that
should be available.
3. Stringing cabling across cabinets leads to unanticipated
vulnerabilities.

The best way to prevent Data Center users from stringing cables
between cabinets: is to make sure that an adequate amount of
electrical receptacles and data ports are provided at each cabinet
location and that anyone working in the room is thoroughly
educated as to what is available.


A fundamental way to protect both the Data Center itself and the
servers and networking devices it hosts is equipment installed
deliberately and strategically. That is, reduce exposure to accidental
downtime by following good installation practices.
Manage cabinet space: For example, If a server environment has
limited floor space, servers should be installed as tightly as possible
to maximize how many can fit in to cabinets. Finally, reserve space
at the bottom of server cabinets for the largest devices. Putting the
most weight at the bottom of a cabinet makes it more stable. This
practice can also save a Data Center user's back, because it is easier
to install or remove a bulky item that is closer to the ground than
one that is at eye level or above.
Properly Use Rack Units:
No matter how you want to install equipment into
server cabinets you need to understand how the
screw holes on a cabinet's vertical rails are configured.
The screw holes on most server cabinets and
Data Center devices follow a deliberate pattern,
an Electronic Industries Alliance (EIA)standard
that delineates rack units. A rack unit is the
measurement of installable space
within a server cabinet.
Figure. Screw Hole Pattern on a Cabinet Mounting Rail



The Balance of Power: when you install multiple servers into a
cabinet, don't plug all of their power cables into one power strip,
Alternate between the two strips. When a server cabinet contains
only servers with single power supplies, balancing power between its
power strips reduces the number of devices that go off line in the
event that a power strip, electrical receptacle, or power distribution
unit fails. Only half of the servers can be affected when power cables
alternate between power strips.
Route Cabling Neatly: Threading cables—both patch cords and
power cables—so that they are well organized and carefully
arranged eases troubleshooting. When plugging a server in to
cabinet power strips, connect them to the power strip outlets that
are at the same height as the device. Plugging cords in to outlets
that are significantly higher or lower leads to tangled cables.

Label Thoroughly: is essential when equipment is inventoried and
can greatly reduce the time it takes to find a machine's owner in the
event of a problem.





customers or employees might be interested in touring your server
environments. Whatever the reason and whoever the guests, follow a
handful of guidelines when conducting Data Center tours:
Keep visitors together, preferably in main aisles— don’t allow people
to wander throughout the room without supervision.
Don't touch.
Designate a demonstration area: If you consistently highlight certain
Data Center features during a tour, consider creating a dedicated
area to showcase these details.
Use tacky mats: The mats are meant to stop dirt from being tracked
in.
Download