ITS 421 - Tactical Perimeter Defense

Chapter 9, Physical Security and Access Control;
Chapter 10, Access Control in the Enterprise

Objectives:

This lesson discusses physical security issues and access controls in enterprise environments. Objectives important to this lesson:

  1. What is physical security
  2. Designing a physical security plan
  3. Physiological and biometric controls
  4. Outsourcing physical security

  5. Access Control Lists and Access Control Entries
  6. Models for enterprises
  7. Authentication factors
  8. Kerberos
  9. Layer 2 and Layer 3 controls
  10. Wireless access controls

Concepts:

Chapter 9

Physical Security

This chapter starts with an observation that technical staff often overlook physical security. Perhaps this is because they are too occupied managing data to think about managing a physical location. The text does not define physical security in the first section. It begins with a discussion of various components that limit or prevent physical access.

Designing a Plan
Perimeter security is concerned with placing a boundary around some area, whether it is a room, a building, a complex, or a larger site. A basic concern for any room is a door with a lock, assuming that there are walls that prevent access other than by the door. For a larger area, we might start with a fence and locked or guarded gates.

The text mentions landscaping, which many of us would ignore. It is better not to ignore it. Lovely trees that someone decides to plant next to our fence may provide a route over that fence. The text suggests that plants with strong thorns would be a better deterrent.

I had the pleasure once of visiting a facility that took a different approach. There was no sign outside the building, no number on it, and no indication that it was a secure facility. The perimeter was fenced and gated, and the gate was operated remotely by a guard. The fence was surrounded by tall slender yews, which blocked the view of the perimeter from both sides. They were also frail enough that no one could climb them. Yes, they made it difficult for people inside to watch what was happening outside the building. However, the intention was to block the view of the building from outsiders, and to draw no attention. Huge trees with nasty thorns are unusual and they might draw the attention of someone with an eye for what looks odd. Yews are just nice landscaping. A good way to keep a secret is to never hint that the secret even exists. That perimeter followed that logic.

Visibility is what you think about when you plan lighting and surveillance cameras. Sometimes you need more lights because something you can't remove casts a shadow. Sometimes you need another camera, because you can't see through or around that thing the way it is. Your surveillance system needs to cover what your guards need to see even if they do walk around the interior or the grounds. They cannot be everywhere at once, unless you have lots of guards.

The text mentions that tracking who enters and who leaves a location is equally important. This is easier in a well run installation, where the same protocols are used to enter and to leave. In most locations, people are in more of a hurry to leave. The text suggests that keeping video records of people entering and exiting can provide a post-event record if you can live without a live stream of information. Sometimes the exit of a person is the more important event, as in the text's example of a day care center, as well as in some hospitals and most prisons. The text warns us that exit points must be watched carefully in such cases. It should add that we must watch the known exit points, and also look for the exits that those seeking a way out may discover before we do: a propped fire door, a loading dock, a window that opens.

If you want to allow foot traffic but restrict the approach of vehicles, consider the text's recommendation to use bollards. You may not know the word, but you have probably seen these posts in parking lots or outside buildings. One web page on the subject sorts them into several types: visual guides, physical barriers, flexible, and decorative. The text is most concerned with the physical barrier type, which may simply be a painted concrete and steel post, or may have a decorative cover to make it look less like a barrier. A location that needs frequent vehicle traffic but must be closed off quickly in an emergency may call for retractable bollards.

The text continues with a discussion of physical access controls inside buildings. The text recommends that guards and cameras should be visible in general work areas, to act as deterrents to unwanted behavior. Barriers between general work areas and sensitive areas should be clearly defined. The text mentions banks as a commonly available example of businesses with areas for the general public and areas that are for staff only. Banks often have high counters, gates, security barriers, guards, and bullet resistant glass or plastic barriers between staff and customers. Data centers do not generally provide service to the public, but it is not uncommon for a data center to share a building with another service from your company that does invite customer traffic. When this is the case, there must be controls to prevent access by people who should not have it.

On page 182, you will see a list of five classifications for government buildings, based on floor space, number of employees, amount of contact with the public, and shared space with other agencies. Note that the list is flawed. As we go from level I to level V, every one of the parameters increases, which will not always be accurate. We may need to increase one or two parameters, but not the others, which causes the list to fail to apply to all situations. Let's recognize this concept, but move on to the next one.

The text discusses data centers in a few paragraphs that give "dark" data centers more words than they need. You will not work in a dark center, because such locations are run remotely or by automated devices. You should be more concerned with data centers that employ staff if you are planning to work in one.

On page 183, the topic changes to authentication, specifically biometric authentication. We are reminded that biometrics include something you are and something you can do. The discussion starts with physical characteristics. In a way, this method works like a password, in that a user provides information for authentication, which is compared to data previously saved on the system.

  • The text refers to the process of sampling and saving the reference data as enrollment. A user must be enrolled in the system before that user can be authenticated by it.
  • Once a user has been enrolled, that user can authenticate with biometric data. The text calls the process of presenting this data to a scanner to gain access identification. Be aware that biometric vendors draw a finer distinction: verification compares a sample to the one stored template of the identity the user claims (one-to-one), while identification searches every enrolled template for a match (one-to-many), which is slower and more error prone. A door reader that first takes your badge and then your finger is doing verification.
Physiological and Biometric Controls

The text discusses several physical characteristics that are used for enrollment and identification. It reminds us that some of these characteristics change a lot between childhood and adulthood.

  • Fingerprints are characteristics that do not change with age, although scars and heavy wear can damage them. Two aspects of a fingerprint are scanned for identification:
    • Ridges - the raised parts of a fingerprint that form its pattern of lines, called loops, whorls, and arches
    • Valleys - the lower areas between the ridges
    These features may be compared to a reference image of your fingerprint, or to a capacitance pattern. Ridges touch a capacitive sensor and valleys do not, so a sufficiently dense sensor can read the print electrically rather than optically; this is the kind of sensor built into many smartphones.
    Matching against the reference data may be done on the overall pattern of the fingerprint, or on the pattern of minutiae. Minutiae are locations where a ridge changes, such as branching into two ridges, ending, or joining another ridge.
  • Retina scans examine the inside, rear surface of your eye. This is the surface that receives and interprets light. The idea is to shine a light into your eye, and take a picture of the pattern of blood vessels in that area which is believed to be a unique pattern for each person. Eye surgery can affect this area, so it is not foolproof.
  • Iris scans examine the part of the eye that is usually blue, brown, green, or other such colors. The pattern of the muscle fibers and tissue in this area can be scanned and matched. The text tells us this is less likely to be affected by eye surgery, glasses, or contact lenses than a retinal scan.
  • Hand geometry does what it sounds like: it measures the shape of a person's hand, and may measure the ridges on that hand as well. It occurs to me that changes in a hand are more likely with age, injury, and arthritis than changes in fingerprints or eyes would be.
  • Facial recognition scans the shape and location of a person's facial features. The location of a feature is measured in relation to other features, such as the distance of the eyes from each other. As usual, these measurements are compared to saved reference data.

The text moves on to behavioral recognition, the other type of biometric measurement. Several variations are discussed on pages 185 and 186.

  • Typing is something people tend to do the same way each time, given a similar console. Measurement is usually done on typing a known phrase or typing your password. Your typing rhythm is different when you are on a real keyboard from when you are trying to type on a smart phone, but if measurements are taken on the same kind of equipment each time, there can be a reliable consistency. Note that the text addresses the length of time keys are held down and the time between keystrokes. This assumes a standard keyboard, either rigged for measurement or connected to software that is taking measurements. The text warns us that this measurement has a high rate of false negatives, deciding that the typist is not really the user in question. As you might imagine, there are many things that could change the way a person types: an injured hand, a cold, a different chair.
  • Signature analysis does not measure the shape of a signature. It measures the speed and pressure a person uses to write each letter, which means it must be done on a pad that can sense those things, like the pressure-sensitive tablets used for digital art. Like the typing measurement, it relies on the user being able to enter the data in the same way each time.
  • Voice recognition involves having the user speak a set phrase into a microphone, and relies on the physical shape of the user's mouth and larynx to produce sounds that have unique wave properties.

The text changes topics to discuss problems with all of these techniques. One is lack of user acceptance, which may be from lack of familiarity, or from fear of the technology being used, such as the one that scans a retina. Others have to do with the techniques themselves:

  • False acceptance - This can also be called a false positive or a Type II error. It means that the system accepts someone as a known user who is not that user. The text explains that this can be caused by too little sensitivity in the scanner, which could cause an iris scanner to treat all blue-eyed users' scans as belonging to a known user with blue eyes.
  • False rejection - This can also be called a false negative or a Type I error. It means that an enrolled user is not recognized. The text offers an example of a fingerprint scanner rejecting a user because there is something on the user's finger obscuring it. This could happen on a capacitance scanner if something on the finger changed its electrical properties, like a conductive fluid.
  • Crossover Error Rate (CER) - Now for the really good news: all of these systems produce Type I and Type II errors. We can reduce the rate of either type, but that will increase the rate of the other type. The image on page 187 shows both error rates plotted on a graph's vertical axis, and the sensitivity of the system plotted on the graph's horizontal axis. More sensitivity gives us more Type I errors. Less sensitivity gives us more Type II errors. Users don't like Type I errors, and security staff don't like Type II errors. The Crossover Error Rate (also called the Equal Error Rate) is the point on that graph where the rates of the two kinds of errors are equal. Note that the graph in the text is pretty symmetrical. This is not always the case: actual system performance may be skewed toward one side or the other of the CER. In any case, the CER gives us a single number for comparing systems on both scales at once, though a real deployment will usually be tuned away from the crossover, toward fewer false acceptances for a sensitive area.
  • Failure to enroll rate - This sounds like a fault of the user, but it is not. The failure in this case is the failure of the system to save a sample data set for a user. The total number of such failures divided by the total number of attempts to save enrollment information is the Failure to Enroll Rate.
  • Failure to capture rate - This refers to a failure of the sensor to acquire a usable sample from a user at all, such as not being able to scan the user's face due to a lens problem, or a fingerprint too smudged to image. Unlike the enrollment rate, this applies to any attempt to read a sample, during enrollment or during later authentication. The number of such failures divided by the total number of capture attempts is the Failure to Capture Rate.
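The crossover point is easier to understand computed than described. Here is an added example (not from the text) that sweeps the acceptance threshold over constructed genuine and impostor match scores, computes the Type I and Type II rates at each setting, and finds where they cross. The text's horizontal "sensitivity" axis corresponds to the threshold here: a higher threshold is a more sensitive (stricter) system. The scores are invented for the illustration.

```python
"""Sweep a match threshold over constructed genuine and impostor scores,
compute FRR (Type I) and FAR (Type II) at each setting, and locate the
crossover (equal error) point.  Added example; the scores are invented."""

# Constructed similarity scores in [0, 100]; higher means "more like the template".
GENUINE_SCORES = [88, 91, 79, 95, 84, 73, 90, 86, 68, 93]   # enrolled user, own finger
IMPOSTOR_SCORES = [52, 61, 70, 45, 75, 58, 66, 80, 49, 63]  # other people's fingers


def error_rates(threshold, genuine=GENUINE_SCORES, impostor=IMPOSTOR_SCORES):
    """Return (FRR, FAR) for an 'accept if score >= threshold' rule.

    FRR (false rejection, Type I): genuine attempts scoring below threshold.
    FAR (false acceptance, Type II): impostor attempts scoring at/above it.
    """
    frr = sum(1 for s in genuine if s < threshold) / len(genuine)
    far = sum(1 for s in impostor if s >= threshold) / len(impostor)
    return frr, far


def crossover(genuine=GENUINE_SCORES, impostor=IMPOSTOR_SCORES):
    """Scan every integer threshold and return (threshold, frr, far) at the
    first setting where |FRR - FAR| is smallest; that common rate is the CER."""
    best = None
    for t in range(0, 101):
        frr, far = error_rates(t, genuine, impostor)
        gap = abs(frr - far)
        if best is None or gap < best[0]:
            best = (gap, t, frr, far)
    _, t, frr, far = best
    return t, frr, far


if __name__ == "__main__":
    for t in (60, 74, 90):
        print(f"threshold {t}: FRR={error_rates(t)[0]:.1f} FAR={error_rates(t)[1]:.1f}")
    print("crossover (threshold, FRR, FAR):", crossover())
```

Lowering the threshold to 60 lets every genuine user in but also six of ten impostors; raising it to 90 shuts out every impostor but rejects six of ten genuine attempts. The CER for these scores sits at a threshold of 74 with both rates at 0.2, which is the one number you would quote when comparing this sensor to another.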
The text continues with some material that discusses what characteristics make good choices for biometrics. As it has already discussed, the characteristic being measured must be something that all users have, that is unique to each user, that will not change over time, and that can be scanned quickly enough to operate an automated entry system. The section is repetitive, so we will move on.

On pages 192 and 193, the text changes topics to discuss technological access control systems. It is a short list, so let's consider the items on it. Wikipedia's article on locks covers some of the same physical locks.

  • Warded locks use wards which, we are told, are permanent projections inside a key-operated lock that prevent a key from turning unless it is cut to clear the wards. This is the simplest lock in the list, and it can be opened easily with a skeleton key: a thin key cut to miss most wards.
  • Pin tumbler locks are more common, and harder to pick, because the key must push several spring-loaded pins up to different correct heights. Each pin is in two parts; only when the key lifts every pin so that the split between its parts sits exactly at the shear line can the cylinder turn. The text's figure shows this kind of lock.
  • Combination locks - The combination locks most of us have used operate on a different system that makes them much harder to pick. Wheels inside the lock must align to make it possible to open the lock. The text warns us that electronic versions of these locks do not work the same way. They are really just password systems that use a number as the password.
  • Cipher locks - A quick search for this kind of lock will show you that there are many styles. They typically have several buttons that can stand for numbers or letters, and they can be set to open to almost any combination of key presses that the owner wants. The text explains that they can also work with swipe cards and with biometric sensors.

A more interesting concept is in the middle of page 183, about fobs and tokens. A fob may also be called a hard token, and I showed you a photo of one (an RSA SecurID device) back in the notes for the first chapter. The text refers to the physical device as the fob and to the number it generates and displays as the token. This is also correct. The same system can be implemented in software on a computer or phone, but the concept is the same: the fob and an authentication server at the edge of the network share a secret seed and a clock, and each computes the same one-time password for the current time window, typically every 30 or 60 seconds. Nothing is transmitted to the fob; both sides derive the code independently, and the server accepts a code only for the current window and a small margin either side of it. Different users' fobs hold different seeds, so having one person's fob will not let you in as someone else.
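To make the fob mechanism concrete, here is an added example (not from the text or from any vendor) of how a time-based one-time password is generated and checked, following the open standards most software tokens use: HOTP (RFC 4226) driven by the current time step (TOTP, RFC 6238). The seed is the published RFC 6238 test-vector seed, so the output can be checked against the RFC; a real fob carries a random per-device seed that the server also holds. The time step here is 30 seconds; a SecurID fob uses 60.

```python
"""One-time code generation and verification as a hardware fob or an
authenticator app does it (TOTP, RFC 6238, built on HOTP, RFC 4226).
Added example, not from the textbook.  SEED is the RFC 6238 test seed;
a real token's seed is a random per-device secret shared with the server."""
import hashlib
import hmac
import struct
import time

SEED = b"12345678901234567890"   # RFC 6238 Appendix B test seed (20 ASCII bytes)
STEP = 30                        # seconds per code; SecurID fobs typically use 60
DIGITS = 8


def hotp(secret, counter, digits=DIGITS):
    """HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically
    truncated to a 31-bit integer, reduced modulo 10**digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, unix_time, step=STEP, digits=DIGITS):
    """TOTP: HOTP with the counter replaced by the current time step."""
    return hotp(secret, int(unix_time) // step, digits)


def verify(secret, code, unix_time, skew=1, step=STEP, digits=DIGITS):
    """Server-side check.  Accept the code for the current step or for `skew`
    steps either side of it, to tolerate clock drift between fob and server.
    hmac.compare_digest avoids leaking how many digits matched via timing."""
    current = int(unix_time) // step
    for counter in range(current - skew, current + skew + 1):
        if hmac.compare_digest(hotp(secret, counter, digits), code):
            return True
    return False


if __name__ == "__main__":
    now = time.time()
    code = totp(SEED, now)
    print("code now:", code, "accepted:", verify(SEED, code, now))
```

Two points worth noticing: the server never sends the code to the fob, so there is nothing to intercept except the code the user types, which expires within a step or two; and the skew window is a real trade-off, since every extra step you accept is one more code an attacker who captured an old one could replay.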

Outsourcing

The chapter ends its new material with some thoughts about outsourcing physical security. Like other security issues, it may be best to outsource when your company is not big enough or experienced enough to do it right. It is also possible that the text is correct when it says that a guard from an outside company may have an easier time being strict about rules than one who works directly for your company. This may not be the case, but it is possible. The text offers a list of criteria that should be part of your evaluation process for an external security vendor on pages 194 and 195. You should review this list, and think about what else belongs on it.

Chapter 10

Access Control Lists and Access Control Entries

The chapter opens with some definitions:

  • Access Control List (ACL) - a list of entities and the rights they have for a particular object. Each object has its own ACL.
  • Access Control Entry (ACE) - one record in an object's ACL. Each ACE holds a security identifier (SID), which identifies a user or a group (the unique identifier behind the name, not the user name itself), whether the entry allows or denies, and the rights that SID has been granted or denied on the object in question. Windows evaluates the ACEs in order, which is why an explicit deny is placed ahead of the allows it is meant to override.
Models for Enterprises

We discussed this in week 6, so it should still be familiar to you. This chapter takes a different slant on the subject, talking about four access control models, each of which has a different approach to using ACLs.

  • Discretionary Access Control (DAC) - Weeding through the text, it tells us that rights that are granted to a subject under this system may be granted by that subject to other subjects in the system. This means that the owner of an object can assign rights to other subjects (users) without needing the intervention of an administrator.
  • Mandatory Access Control (MAC) - In this one, there is more restriction. (This MAC has nothing to do with the Media Access Control addresses discussed later in the chapter; the acronym is simply overloaded.) The text explains that objects are assigned to security classes, and that subjects (users) are assigned security clearance levels, and that the system, not the owner, enforces the match. The result is that a user who has a clearance only for Confidential (and below) information cannot be assigned rights to an object classified as Secret or Top Secret.
  • Role-based Access Control (RBAC) - Roles are like groups. Users can be assigned to either, and rights can be inherited from the group or role by the user. The text explains:
    • that subjects must be assigned to roles,
    • that the role a subject is assigned to must be allowed (authorized) for the subject, which is not usually done with groups,
    • and that transactions must be authorized for the role a subject is in, else the subject cannot perform them.
  • Attribute-based Access Control (ABAC) - In this system, rights are not authorized for subjects unless a particular attribute of the subject matches a criterion set for the right, such as having an address in the right city or zip code. Attributes of the object and of the environment (time of day, network location) can be part of the rule as well.
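The MAC and RBAC models each come with rules precise enough to write down as code, which makes the differences between them easier to see than the prose does. Below is an added example, not from the text: MAC as the Bell-LaPadula "no read up, no write down" properties over a constructed classification ladder, and RBAC as the three rules listed above (role assignment, role authorization, transaction authorization) for a constructed set of bank roles. One active role per user session is a simplification; full RBAC allows several.

```python
"""Two of the chapter's models as executable rules.  Added example, not
from the text.  MAC follows the Bell-LaPadula properties ('no read up',
'no write down') over a constructed classification ladder; RBAC
implements the three rules listed above (role assignment, role
authorization, transaction authorization) for constructed bank roles,
with one active role per user session as a simplification."""

LEVELS = {"Unclassified": 0, "Confidential": 1, "Secret": 2, "Top Secret": 3}


def mac_permits(subject_clearance, object_class, operation):
    """Simple security property: read only at or below your clearance.
    *-property: write only at or above your clearance, so a Secret user
    cannot copy Secret data down into a Confidential file."""
    s, o = LEVELS[subject_clearance], LEVELS[object_class]
    if operation == "read":
        return s >= o
    if operation == "write":
        return s <= o
    raise ValueError(f"unknown operation {operation!r}")


class RBAC:
    def __init__(self):
        self.authorized_roles = {}   # user -> roles the user MAY activate
        self.role_permissions = {}   # role -> transactions allowed for that role
        self.active_role = {}        # user -> role currently assigned (session)

    def authorize(self, user, role):
        self.authorized_roles.setdefault(user, set()).add(role)

    def permit(self, role, transaction):
        self.role_permissions.setdefault(role, set()).add(transaction)

    def assign(self, user, role):
        """Rule 2 (role authorization): a subject may only activate a role
        that has been authorized for it."""
        if role not in self.authorized_roles.get(user, set()):
            raise PermissionError(f"{user} is not authorized for role {role!r}")
        self.active_role[user] = role

    def can(self, user, transaction):
        """Rule 1 (role assignment): no active role, no transactions at all.
        Rule 3 (transaction authorization): the transaction must be
        permitted for the active role."""
        role = self.active_role.get(user)
        return role is not None and transaction in self.role_permissions.get(role, set())


def bank_demo():
    """Constructed scenario: tellers take deposits, managers approve loans;
    Ann may act as either but is currently working as a manager."""
    r = RBAC()
    r.permit("teller", "deposit")
    r.permit("manager", "approve_loan")
    r.authorize("ann", "teller")
    r.authorize("ann", "manager")
    r.authorize("bob", "teller")
    r.assign("ann", "manager")
    r.assign("bob", "teller")
    return r
```

Note what each model refuses: MAC refuses a Secret user's write into a Confidential file even though the user is cleared to read it, because the rule is about information flow, not about the user; RBAC refuses Ann's deposit while she is acting as a manager even though she is authorized as a teller, because rights attach to the role in use, not to the person. Neither decision could be expressed in a plain DAC list.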
Authentication factors

The text returns to a discussion of authentication factors that are typically used, offers some advice about them, and generally tells us nothing new about such things.

Kerberos

On page 215, the text starts several pages about Kerberos, the network authentication protocol that Windows domains (and many Unix environments) use. Be careful with the text's phrasing: Kerberos does not encrypt passwords and send them to the server; the password is never sent at all. A key derived from the password is used to decrypt what the Key Distribution Center (KDC) sends back, so only a client that knows the password can make use of the reply. Microsoft classes usually describe how Kerberos is used for several purposes associated with authentication.

Kerberos uses the concept of tickets. A ticket is a small amount of encrypted, session-specific data issued by the KDC, which on a Windows network runs on the domain controller. When a client logs on, it first obtains a ticket-granting ticket (TGT) from the KDC; when it then needs to access a server on the network, it presents the TGT to obtain a service ticket for that server. The service ticket, together with an authenticator the client encrypts with the session key, vouches for the client's identity, and the server's encrypted reply shows the client that the server was able to read the ticket, so Kerberos provides mutual authentication of both client and server. Using time stamps, ticket lifetimes, and a replay cache on the server, Kerberos protects tickets from replay attacks by eavesdroppers on the network. The price is that clocks must be loosely synchronized (five minutes of skew is the usual allowance) and the KDC must be reachable.

Some of the weaknesses of a Kerberos system are listed on page 219. Despite this long list, this is still a system that Windows networks depend on. Administrators should plan their networks carefully to provide coverage in case of failures.

Layer 2 and Layer 3 controls

On page 220, the text turns to access controls that are implemented by network devices. You should know that the ISO-OSI network model has seven layers, and that Layer 2 is associated with communication inside a network, while Layer 3 is associated with communication from one network to another network.

Layer 2 is the layer associated with MAC (Media Access Control) addresses, the addresses assigned to network interface cards. MAC addresses may be written several ways, but a common notation is shown on page 221: six pairs of hexadecimal digits, each pair separated from the others by colons. A typical address might look like this:
A2:25:BB:F2:19:05

In case you are not aware of it, the first three pairs, reading from left to right, are the Organizationally Unique Identifier (OUI), which the IEEE assigns to the manufacturer of the NIC. The last three pairs are assigned by that manufacturer to the individual card. Each MAC address is meant to be unique, but nothing on the network enforces that: any operating system will let an administrator set whatever address they like. The text tells us that switches take note of two things when they receive frames. The port on which the frame is received is stored in an address table, along with the source MAC address of the sending device. In this way, the switch learns which port to associate with particular devices, and it uses this table to decide which port to use for any frame it needs to forward. Managed switches can be configured to permit only listed MAC addresses on a port (MAC filtering, or port security). The text warns us that an attacker may spoof (impersonate) a MAC address on the approved list in order to gain access to the protected network segment, which is why MAC filtering is a weak control on its own and should be paired with something that authenticates the device or the user.

The text is not very specific about its recommendations for Layer 2, but it is a bit better in the section about VLANs (Virtual LANs), which are used to separate devices into logically separate networks over the same physical switches. Your switches can be set to do this by MAC address or by the port used by the device; port-based assignment is the usual choice, since a MAC address is the attacker's to choose.

Layer 3 controls are discussed on page 223.

  • Note the method of configuring access control lists on routers to allow or block traffic based on IP address or protocol being used.
  • Route maps are another method used on routers to send traffic to specific addresses, usually gateways to internal networks or resources. Route maps can also drop traffic that does not meet the criteria for being forwarded.
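Router ACLs are worth seeing evaluated, because two of their properties bite people in practice: statements are tested in order and the first match wins, and an unwritten "deny everything" sits at the bottom of every list. Below is an added example (not from the text) of a first-match filter in that style, with the wildcard-mask notation Cisco-style ACLs use, where a 0 bit means "must match" and a 1 bit means "don't care". The addresses and rules are constructed; the first rule is the common anti-spoofing entry that refuses packets claiming an internal source address when they arrive on the outside interface.

```python
"""A first-match packet filter in the style of a router access list:
ordered permit/deny statements matched on protocol, source, destination
and destination port, with the implicit 'deny any' at the end.  Added
example, not from the text.  Addresses and rules are constructed; the
wildcard-mask notation is the one Cisco-style ACLs use."""
import ipaddress


def wildcard_match(addr, base, wildcard):
    """Cisco wildcard mask: a 0 bit must match, a 1 bit is 'don't care'.
    So 0.0.0.0 selects one host and 0.0.0.255 selects a /24."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return a & care == b & care


# Constructed rules; evaluated top to bottom, first match wins.
# (action, protocol, (source, wildcard), (destination, wildcard), destination port or None)
RULES = [
    ("deny",   "ip",  ("10.0.0.0", "0.255.255.255"), ("0.0.0.0", "255.255.255.255"), None),  # anti-spoofing
    ("permit", "tcp", ("0.0.0.0", "255.255.255.255"), ("203.0.113.10", "0.0.0.0"), 443),
    ("permit", "tcp", ("0.0.0.0", "255.255.255.255"), ("203.0.113.10", "0.0.0.0"), 80),
    # implicit: deny ip any any
]


def evaluate(packet, rules=RULES):
    """packet is a dict with proto, src, dst and (for tcp/udp) dport.
    Returns (action, index of the matching rule), or ('deny', None) when
    the list is exhausted and the implicit deny applies."""
    for i, (action, proto, src, dst, dport) in enumerate(rules):
        if proto != "ip" and proto != packet["proto"]:
            continue
        if not (wildcard_match(packet["src"], *src) and wildcard_match(packet["dst"], *dst)):
            continue
        if dport is not None and packet.get("dport") != dport:
            continue
        return action, i
    return "deny", None
```

Notice that a packet to the web server on port 443 from a 10.x.x.x source is dropped by rule 0 before the permit on rule 1 is ever consulted; swap those two statements and the spoofed packet gets through. Also notice what the implicit deny does to anything you forgot to mention, such as DNS: it is silently dropped, which is the safe default but also the usual reason a newly applied ACL "breaks everything".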

The text moves on to wireless network material on page 224. It is a bit light, and a bit silly. It spends several lines explaining Wired Equivalent Privacy (WEP) before finally getting around to advising us not to use it. It is no longer considered secure: its short, reused RC4 initialization vectors and weak integrity check let an attacker recover the key from captured traffic in minutes. This will happen to all security protocols over time. When the text was written we were advised to use WPA or WPA2; since then the original WPA (with TKIP) has also been deprecated, and the advice is WPA2 with AES-CCMP, or WPA3 where the equipment supports it. These will fall out of favor eventually and be replaced by other protocols.

Assignments for Chapters 9 and 10

  1. Complete the Review Questions posted for these chapters in the Review for Test 3, numbers 1 through 14.
  2. Pick one of the case studies at the end of either chapter. Briefly explain what you see as right and wrong about the situation and the solution proposed by the authors. Is there another recommendation you would make?