Solved

Ban Wifi broadband & 4G in datacenters to protect against data leaks & unauthorized remote access

Posted on 2016-08-09
10
102 Views
Last Modified: 2016-08-10
I've seen engrs who plug in a USB dongle or have a way of enabling wireless on Windows
servers to allow remote access or download patches as the servers are blocked from
Internet access by firewalls.  Some servers (esp Linux) do not join AD, so can't enforce from GPO

Q1:
Is there any datacenter or audit policy docs out there (NIST, SANS) which spells out that
4G/broadband Wifi should be banned including PDA phones which has 4G hotspots?
Can point me to links that provide such docs

Q2:
If there is such a practice / audit best practices out there, how do datacenter auditors
go about scanning for the presence of such SSID (esp those that are non-broadcast)?

Q3:
Within what vicinity should we ban such broadband Wifi / 4G ?  50m or what's the
usual distance these signals can't be connected to?
0
Comment
Question by:sunhux
  • 5
  • 4
10 Comments
 

Author Comment

by:sunhux
ID: 41748690
> Linux) do not join AD, so can't enforce from GPO
I mean without joining AD, the engrs could enable back USB ports
(that were disabled by hardening at OS level)
0
 
LVL 93

Accepted Solution

by:
John Hurst earned 500 total points
ID: 41748701
The engineers should not be allowed access to the servers so then they cannot use wireless on the servers. You can stop this with using standard security.

The servers should be in a locked and separate environment and only server admins have access.

If need be, remove the keyboard and monitors on the servers and run headless. Account security will prevent other that legitimate access.

I do not usually see written policies. Secure the servers and secure access as noted above. That will keep people  out

If authorized people are mis-behaving, fire them.
0
 
LVL 35

Expert Comment

by:Kimputer
ID: 41748713
And that's all besides the point that jammers are illegal in most countries.
0
3 Use Cases for Connected Systems

Our Dev teams are like yours. They’re continually cranking out code for new features/bugs fixes, testing, deploying, testing some more, responding to production monitoring events and more. It’s complex. So, we thought you’d like to see what’s working for us.

 

Author Comment

by:sunhux
ID: 41748868
John,  by engrs, I meant server admins (who hold root/administrator access).

Kimputer, what's "jammers"?  I'm not native English
0
 
LVL 93

Assisted Solution

by:John Hurst
John Hurst earned 500 total points
ID: 41748872
After I posted, I realized that. But these people should have Job Descriptions that require them to behave.  People who have root admin access can do and defeat whatever they want.

So control these people.
0
 

Author Comment

by:sunhux
ID: 41748875
Think I've seen one link by Cisco Networks that recommends  Wireless Broadband
AP should be banned in a DC environment
0
 

Author Comment

by:sunhux
ID: 41748876
Or do most servers' hardware comes without a wireless LAN adapter?

Think I've seen a couple from HP that comes with one
0
 
LVL 93

Expert Comment

by:John Hurst
ID: 41748879
Servers (the ones we have) do not have Wireless Access. In spite of any security, it would remain a security breach.
0
 
LVL 93

Assisted Solution

by:John Hurst
John Hurst earned 500 total points
ID: 41748926
To summarize:

Remove all wireless access from servers. Connect only by Ethernet.
Have strong root security on the servers.
Have a Job Description for Administrators and explain the facts of life to them. Discipline if necessary.

I do small business consulting along with a client. Only he and I have access and no one else does. We know what we are doing.
0
 
LVL 93

Expert Comment

by:John Hurst
ID: 41750696
@sunhux - Thanks and I was happy to help.
0

Featured Post

DevOps Toolchain Recommendations

Read this Gartner Research Note and discover how your IT organization can automate and optimize DevOps processes using a toolchain architecture.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Ensuring effective and secure communication in the age of healthcare BYOD.
This article outlines the process to identify and resolve account lockout in an Active Directory environment.
Viewers will learn how to connect to a wireless network using the network security key. They will also learn how to access the IP address and DNS server for connections that must be done manually. After setting up a router, find the network security…
Here's a very brief overview of the methods PRTG Network Monitor (https://www.paessler.com/prtg) offers for monitoring bandwidth, to help you decide which methods you´d like to investigate in more detail.  The methods are covered in more detail in o…

778 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question