Forgot your password?
typodupeerror
Security

Escape from Data Alcatraz 248

Posted by CmdrTaco
from the is-there-anybody-in-there dept.
nihilist_1137 writes "Zdnet is reporting on a new information facility that is built to surive the worst.Triangular in shape, two of the sides house offices while the third, a large rectangular block if taken in isolation, contains two data centres, as well as the infrastructure to ensure that Web sites continue to function come fire, flood, natural catastrophy or foreign invasion."
This discussion has been archived. No new comments can be posted.

Escape from Data Alcatraz

Comments Filter:
  • Foreign Invasion? (Score:5, Interesting)

    by InfinityWpi (175421) on Friday December 28, 2001 @02:25PM (#2759672)
    "Remember thealamo.com!"

    Seriously, though... you're saying they can stand up to repeated shelling by artillery? Or infantry-placed demo charges? Or anything else an invading force is likely to have?

    WHY????

    If you're being invaded, you've got more important things to worry about than if your company's web site will stay up!

    The other half of this is: What if the invasion is an invasion of illegal immigrant workers? Can this thing survive having a janitor who's been slipped a hundred bucks (three weeks pay) to pull out a wire here and there?
    • Re:Foreign Invasion? (Score:5, Informative)

      by linzeal (197905) on Friday December 28, 2001 @02:47PM (#2759823) Homepage Journal
      At a certain datacenter facility which will remain nameless we had repeated attempts and successes of theft. All the cases that were eventually resolved were shown to be IT workers, yet everything was blamed on the janitors who were "decontracted" over and over to the point where they had to pay people to travel in excess of 60 miles to clean the place.

      Want to know how we caught one of the fuckers? Get some "Super Phosphorescent Pigments" [blacklite.com] make sure its NONTOXIC and coat thinly an item that has been stolen in the past and put it in a place where it is easily stolen with no video cameras. Install blacklight in a cubicle, wait till object is taken and invite people to come over and look at it with a blacklight poster. The thief is the one with the glowing hands.

      • Why not just try installing a video camera in a concealed location?

        I'm no lawyer, but I don't think the "glowing hands" argument would stand up in court.. How do you know the guy didn't just touch the coated box, previous to it being stolen? Unlikely, perhaps, but perfectly plausable.

      • by -=OmegaMan=- (151970) on Friday December 28, 2001 @03:57PM (#2760128)
        I would have personally opted for a less Scooby Doo-esque method, like the previously mentioned video cameras or the newly discovered "Security Guard," but, whatever gets ya goin.

        If you really wanted to get crafty you could have used TOXIC glow in the dark paint, then, when someone died in their cubicle, WHAM! Hit em with the black light to determine if it was natural causes or theivery.
        • Re:Foreign Invasion? (Score:3, Informative)

          by linzeal (197905)
          The problem was manifold. The managers did not want to spend money on another security guard and employees rebelled at the thought of losing their "privacy" to security cameras. The only major breach of security could of been prevented with a 60 year old physical security guard when 6 arab men almost made off with a M40 [juniper.net]. The thing was 10 feet from the door when the person monitoring the cameras finnaly wised up and realized they were not supposed to be there. Only then did we get physical security after 9:00pm (when you need it most).
      • IIRC, silver nitrate works pretty well. It's clear, but stains skin blue. The stained can't be washed off, you have to wait for the stained skin to come off naturally. Of course, you don't have the thrill of that moment of realisation, but you don't need a blacklight either.

    • Re:Foreign Invasion? (Score:5, Interesting)

      by ZPO (465615) on Friday December 28, 2001 @03:02PM (#2759902)
      Simply from the physical construction and security perspective:

      EXTERNAL---

      1 - Parking lot is too close to the building (a reasonably sized car/truck device could do serious structural damage.

      2 - "ram proof"??? Not hardly. I don't see a double berm system. Some of those nice decorative tree planters that are actually 2 foot thick reinforced concrete might help

      3 - No view of the perimeter. Does it have a ditch, double fence line, k-rails to require a zigzag entrance.

      (plenty more)

      INTERNEL ---

      1 - From what I can see all conduits are directly attached to unistrut on the ceilings. Big problem if you take a good shock to the building (ie - it's rigid)

      2 - Equipment is not isolated by springs/rubber mounts from the floor. Same shock damage possibilities as above.

      3 - No water collection trough around the sides of each room. I don't see floor water sensors either.

      4 - Water drip pans under all chilled water and condensate lines.

      5 - *1* generator? For the cost of the facility it would have been a pittance to go with two and have full redundancy when running on local generation.

      All in all it's a decently engineered place. It just needs the final touches...
      • "ram proof"??? Not hardly. I don't see a double berm system. Some of those nice decorative tree planters that are actually 2 foot thick reinforced concrete might help

        Also depends what they were thinking of it being rammed with I'm sure the people who built the Pentagon thought it was "ram proof".
    • by dattaway (3088) on Friday December 28, 2001 @03:18PM (#2759981) Homepage Journal
      Artillery? Why worry about carnage when the pen is mightier than the sword. Our laws will wipe out any data center with a series of lawsuits, lobbying, and consitutional rights fiascos. Bombs will be welcome when the lawyers get done with the victim's site.
    • "Remember thealamo.com!"
      Seriously, though..


      I am missing something here. What are you referencing to? If i go to thealamo.com i arrive at some hotel/casino. google only find advertisements.

      please explain.
  • One Problem (Score:5, Funny)

    by docstrange (161931) on Friday December 28, 2001 @02:25PM (#2759673) Homepage
    If we all die from nuclear fallout who will reboot the NT servers?
  • by 7608 (515533) on Friday December 28, 2001 @02:25PM (#2759675)
    I don't care if it was built to withstand a direct nuclear attack... give me FIVE customers from the last helpdesk I worked at, and I'll make sure the place is reduced to rubble by day's end.

    Never Underestimate The Power Of Human Stupidity.

  • Thank god that freecreditreport.com and anything associate with the X10 camera would still be available if a nuke wiped out my neighborhood.
  • by webword (82711) on Friday December 28, 2001 @02:27PM (#2759681) Homepage
    I read the article. It is fine. Plenty of interesting points and all that jazz. However, I have the ask the obvious questions: Is it secure from hacking? Seriously. I read the article and it seems like a physically secure place, but is it secure electronically? From "real" attacks? From the kinds of attacks that happen all of the time?

    (start sinister laugh)
    I can just see some script kiddie taking the place down. That would be too funny.
    (end sinister laugh)
    • Ahh, but that's probably not their concern! The clients, who are using the machines, should be responsible for the electronic security of the machines. This facility covers the physical security of the machines.
    • Making a big, strong safehaven like this and telling everyone negates its effects. Telling everyone about how great your security is gives it a shorter lifetime than the completely not-scure (either from hacking or from "foreigh invasion") computer I'm using to type this. A shitload of physical defences and paranoid geeks are great for security, but not nearly so good as keeping a secret.

      I say build it in the middle of a desert, six feet underground, under cover of night.
      • To pick a nit, you mean "security through obscurity", not obfuscation. Obscurity means "nobody knows it's there." Obfuscation is creating confusion.

        I say build it in the middle of a desert, six feet underground, under cover of night.

        To which I say, satellites can see in the dark (the better to watch your construction, my dear), and they can also see these sorts of facilities six feet underground from the rather notable heat signature. Keep in mind, even if the facility is properly cooled, all that heat has to go somewhere, and the bleedoff point will give away the operation. It's the same method employed to find military bunkers in the desert. When a satellite looks down and sees a heat plume coming from nowhere, it's short work to investigate why.

        Virg
  • by ptrourke (529610) on Friday December 28, 2001 @02:27PM (#2759683) Homepage

    Built initially to house currency, the Hostworks data centre in the suburb of Kidman Park, Adelaide is a tribute to the profligacy of Timothy Marcus Clark, [snip] Nestled in a semi-industrial area, with minimum road signage, it is at once unassuming, virtually impenetrable and to this day an inspirational feet of excess engineering.

    Unassuming feet? What, size 5 1/2 D?

  • by AixGE (536006)
    "And, of course, we spared no expense with our software, either: We installed the latest versions of IIS, Windows XP and Outlook on every machine in the datacenter to make absolutely sure that no one can get unauthorized access to anything on our servers! Everybody knows that software you pay a lot for is more secure than that free stuff. Microsoft says so!"
  • Odds.. (Score:2, Insightful)

    by dj28 (212815)
    I would much rather have a data center that concentrates more on getting patches and other server-based security issues applied rather than chasing the very slim chance of a foreign invasion. I think it's more likely for someone to crack my colo than it is for a fire to melt it.
  • Interesting... (Score:4, Interesting)

    by Ricky M. Waite (544756) on Friday December 28, 2001 @02:32PM (#2759719) Homepage
    "The Ministry of Truth -- Minitrue, in Newspeak -- was startlingly different from any other object in sight. It was an enormous pyramidal structure..." [George Orwell, 1984]

    Kinda scary.
  • Yeah, very nice. However if you're big enough to house servers there you should be big enough to have servers in multiple smaller/less available locations and have Akamai or some other internet wide distributed provider load balance between them.

    Looks like a big basket to me. Would you put all your eggs there?
  • What for? (Score:2, Insightful)

    by chrysalis (50680)
    This is nice, but it protects a single point of failure. If you want to take these servers down, just attack the provider they depend on...

    • Re:What for? (Score:3, Informative)

      by davidesh (316537)
      http://www.hostworks.com.au/networks.html

      2 Connections to Telstra and 2 to Optus at different exchanges

      "Hostworks Control Centre features over half a gigabit per second of connectivity. This is delivered via four high capacity divergent path links connected to Optus and Telstra.

      As a matter of policy, Hostworks ensures that it always has four times the capacity of its peak traffic loads."
      • Re:What for? (Score:3, Insightful)

        by foobar104 (206452)
        http://www.hostworks.com.au/networks.html

        Remember back in 2000 when an accident [ireland.com] took out a huge fraction of Australia's international bandwidth? Better make sure those "divergent path links" don't just end up in the same undersea cable....
    • Re:What for? (Score:2, Insightful)

      by SerpentMage (13390)
      Exactly. The problem with this kind of thinking is that it is mainframe thinking all over again. The key to keeping things up and running is to make it redundent.

      I find it so sad in the information world we keep thinking single data point and single information point. And people keep thinking things like FreeNet, GNUTella, etc are just "copyright" violators. In fact they are the future of the Internet. But the suits would much rather sell single point of failure systems.

      C'est la vie, maybe one day
  • Good Investment (Score:5, Insightful)

    by Rebel Patriot (540101) on Friday December 28, 2001 @02:33PM (#2759736) Journal
    At first this seems almost like a joke. Who would invest this much time and energy into such a fortress just to house data? Well... banks for one. Imagine banks from around the world storing their data here in a highly encrypted form, updated at least daily. it would require alot of bandwith to say the least, but wouldn't that security be worth it to investors?

    Less crucial information that needn't be updated regularly could find a home here at a discounted price. Take for example, building plans. Every city, county, and State in America has a plan somewhere for every building its ever built that lists (among other things) the locations of all wiring and plumbing. This isn't terribly confidential information (though it very well may become so for large buildings with a realistic threat of terrorist attacks) and could be modestly encrypted with read access only granted to the owner.

    Copyright owners might be interested in it as a way of saving back-ups of their paper-work that cannot be destroyed by some freak accident.

    I for one don't like these ideas because they represent too many eggs in one basket. When information security is required, it is my personal belief that having it stored in a known location that every hacker in the world would drool over to get inside is a bad idea. History has shown, however, that not everyone (indeed few people) listen to me.
    • Re:Good Investment (Score:3, Insightful)

      by Nelson (1275)
      Has a bank's data security been compromised lately?
      That's how I'd temper the worthiness of something like this.
      • In the US, banks are robbed at the rate of about 8,000 a year. Assuming most of these happen during the time the bank is open that's about 2 bank robberies an hour somewhere in the US. I'd call that a breach of security. So, how many bank robberies have you seen reported in the news lately?
    • Re:Good Investment (Score:5, Insightful)

      by 2Bits (167227) on Friday December 28, 2001 @03:06PM (#2759925)
      Copyright owners might be interested in it as a way of saving back-ups of their paper-work that cannot be destroyed by some freak accident

      That's easy. Publish it on the usenet. Short of total Earth destruction, that piece of work will never get lost.
    • One more place where you would WANT this is a hospital. They have to work through tornados, hurricanes, Earthquakes and everything. Sometimes a server being up or down can save someone's life! ALOT of hospitals in Florida have this kind of a Data Center. NO single points of failure...EVER. Be it air conditioning, power, internet, computers, water supply and even food. Yes even FOOD. Remember admins and operations folks need food especially in a danger type situation (you'd have you folks come in before if you know a hurricane is going to hit....besides the center is safer then your house anyway).
      • What? are you kidding, we've already lost HUGE chucks of old usenet. Its taken major work to find them again and put them online in archives. Usenet is not permanent by no means, things get old is simply dissapear frequently.
  • History (Score:5, Insightful)

    by legLess (127550) on Friday December 28, 2001 @02:34PM (#2759742) Journal
    Remember the Maginot Line? Impregnable? How easy was it to get around that? Data is useful in direct proportion to its accessibility - cut the connections into this place and it's toast. No frontal attack necessary.

    Also, the article says they can expand capacity 300%. Frankly, that sounds like pretty short-term planning to me. In my experience, it's a rare data store that doesn't double in size every year or two.

    Still, it sounds like a cool place, and probably has a better climate than Sealand :)
    • Re:History (Score:3, Insightful)

      Also, the article says they can expand capacity 300%. Frankly, that sounds like pretty short-term planning to me. In my experience, it's a rare data store that doesn't double in size every year or two.

      Right you are, but of the giant space they've already allocated for racks, how much is currently used, like 5%? Your comment seems to assume that 100% of their racks are already full.

      I'd imagine they set up a giant space for 24 months worth of business growth to fit in, and put in a contingency for 300% above *that*. That way they can see how the demand acts over the next year or two, and react accordingly by adding more physical space.

      That's just my SWAG*, though.

      *For newbies, that's "Scientific, Wild-Assed Guess."
    • Build your datacenter as an 802.11 linked beowulf cluster mounted on the back of squirrels. Safe from everything but Hawks and Bicyclists. [chainreact...cycles.com]
    • Also, the article says they can expand capacity 300%. Frankly, that sounds like pretty short-term planning to me. In my experience, it's a rare data store that doesn't double in size every year or two.

      You seem to be implying that the physical space required to store data doubles...that doesn't seem reasonable. I've seen top-of-the-line IDE hard drive capacity grow from 2.1GB to 100GB in my 5 years in this industry; I'd think the amount of physical space required to store data could actually shrink over time, even if the amount data is doubling every couple of years.

      I am, of course, talking through my hat, as I've never managed a large data store. Let me know if I'm drawing all the wrong conclusions...
  • I was close to being in charge of a small-scale version of this concept last year (financing fell through) - we had the bunker/air raid shelter staked out and all. We were going to offer secure web hosting but mostly going for the off-site data backup and storage market - kinda like an underground Sealand, without the AAA. :-)
  • The article is pretty high level, but interesting none the less. I'm skeptical that is really as secure as they say it is. It would seem that any building which relies on outside connections would be vulnerable if those connections were cut. Not to mention that the air towers that were mentioned could be closed off, etc.

    It seems to me that the best defence would be geographically distributed datacenters synced up on a regular basis. Of course you would have to deal with data syncing, and perhaps a master-slave relationship amongst the datacenters, but these are relatively simple problems to solve, compared to preparing for a nuclear or other attack...

    Take care,

    Brian
    --
    Only a few Free Palm m100's left... [assortedinternet.com]
    --

  • Looks nice, but... (Score:2, Insightful)

    by inerte (452992)
    ... traditionally, data is not cracked by attacking its physical form. Kevin Mitnick :-) always said the easier way to get information was only some small and simple conversations with people who work where one wants to crack.

    "So, where do you go on vacations? Are you married? What's your spouse's name? What's your favorite sports team? Any music style preferred?", etc...
  • Most 'good' datacenters have the same things. Multiple connections to power, water, electricity - good physical security et al. I've worked at and visited many datacenters, and nothing here outside of the ability to withstand explosives is all that different from anything else I've seen stateside. The big difference is that they're dumb enough to advertise it.

    I'm glad ZDNet has the time to waste on stories like this. Physical security is nothing without a secure network to run in. All the `dead man zone's` in the world mean nothing if it isn't backed up on the network side by a good solid firewall.
    • And software security is nothing without physical security.

      Besides, a firewall is not a solution, a pure capability system like EROS [eros-os.org] or Vapour [sourceforge.net] is.
  • by EaglesNest (524150) on Friday December 28, 2001 @02:39PM (#2759776)
    When I worked the overnight shift at one of Qwest's many hosting centers, I loved to give early-morining tours. We'd impress everyone with all our layers of redundancy. The more expensive a system, the more impressed our tourists would be with it. Still, having three different diesal engines - each the the size of a locamotive, or having triple UPS protection, or dry localized fire-retardent, or triple redundant air conditioning and filtering, or three different OC-48 lines isn't the most important thing about redundancy.

    By far, the cheapest and most effective method of redundant systems is to just safe your money and not buy fancy equipment for one place, but to spend it on cheap equipment is several places. That way, who cares if someone takes out an entire hosting center, leaving only a 100 ft dep crater. You still have servers running in California and Asia.

    The Domain Name System doesn't rely on a huge Fort Knox-like system. It simply has 13 (?) different places throughout the world where amazingly cheap (for its importance) equipment resides. Even if North America sinks to the bottom of the Ocean, DNS should still happily resolve.

    Expensive (but impressive) measures are not the answer to reliability. Geographic diversity of cheap systems is the answer most most applications. Today, we have incremental transfer protocols such as rsync that will even transfer massive databases back and forth by only sending the changes. It's largely marketing, unwarrented by technical considerations, that make companies spend so much money on these extra sigmas of reliability.

    • This isn't really insightful. There are quite a few posts here talking about the foolishness of puuting all of one's eggs in one basket. This may be true for real eggs and baskets, but in the world of data centers, not quite so.

      Imagine at the two extremes, this secure facility and a small building in an industrial park. For the cost of this facility you could build many smaller less secure facilities, but each of them would be trivially destroyed.

      While it is certainly true that three secure hosting facilities is better than one secure hosting facility, one secure hosting facility is still better than three less secure ones.

      Geographic diversity of cheap systems is the answer most most applications.

      A server that costs one third as much and fails three times as often isn't a bargin. Even if said cheap server only fails twice or one and half times as often you will still end up paying more in the long run.

      As for DNS, I believe that the root servers run on E10K's and similar, if you consider that equipment cheap then I's like to have your job.

      • Depends upon what kind of attack you plan on defending against. If your enemy is joe with a back-hoe, then you're better off with three geographically dispersed, less secure sites. Wouldn't you agree? Check this out:
        http://www.info-sec.com/abuse/abuse_062097a.html -s si

        I was touring one of these secured data sites once and (being the shit I am) I asked the techie-sales dude there if they'd secured the site against tempest. He hadn't heard of the technology. Thick bullet-proof glass but no sign of gounded chicken wire.

        The roof wasn't shielded as far as I could see either, and there were other businesses on floors above.

        So ymmv.
        • If your enemy is joe with a back-hoe, then you're better off with three geographically dispersed, less secure sites. Wouldn't you agree?

          No, I wouldn't agree. What we are talking about is a battle of probabililties. The most likely vulnerabilities can be protected against at one site more cheaply than multiple sites. The "backhoe" attack is easily defended against with seperate entry points to different wire centers.

          One very good reason for disparate location is regional events out of your control. It is difficult to protect yourself from a massive power outage affecting most of Califonia, or natural disaster. Even if your facility has power, etc required support services may not be available. Your site may have 14 days of diesel fuel in the basement, but how long are your NOC monkeys going to watch the screens if they can't be relieved because all the roads are closed?

          I fully support having multiple redundant locations, but that is no excuse for doing them cheaply.

          On the other hand, if you have two locations and each one is not able to seperately withstand foreseeable negative events what do you do when they are both affected? What if a hurricane takes out you east coast and an earthquake hits the west? Each facility still needs to be as independatly survivable as possible, otherwise you don't really have redundancy, you just have "extra".

      • Imagine at the two extremes, this secure facility and a small building in an industrial park. For the cost of this facility you could build many smaller less secure facilities, but each of them would be trivially destroyed.

        But it is a far more difficult task to attack many different targets at once. Regardless of if you are using commandos, missiles, bombers or human guided improvised cruise missiles.
        Also I don't recall any mention of this building having anti air and anti tank capability.
        • But it is a far more difficult task to attack many different targets at once.

          It's only difficult if you make it difficult. If your datacenter is in your garage it hardly takes an infantry division to wreck it. If you only need one bomb/commando/missle per target you only need 10 bomds to take out ten targets. On the other hand of you need ten bombs, commandos and missles to take out each target you will probably have a difficult time taking out just one or two.

          • If your datacenter is in your garage it hardly takes an infantry division to wreck it.

            How many garages could you buy cost of one of these "data forts". Let alone the sort of weapons you need to mount on them and shielding everything. Wouldn't do to sucessfully shoot down a missile and have the fire control radar crash all the computers.

            If you only need one bomb/commando/missle per target you only need 10 bomds to take out ten targets. On the other hand of you need ten bombs, commandos and missles to take out each target you will probably have a difficult time taking out just one or two.

            Putting 10 bombs on 10 targets and putting 10 bombs on *one* target are somewhat different tasks. Not only do you need 10 delivery systems vs one unless the attacks are very closely coordinated expect quite a bit of resistance after the first attacks. Also using garages has the useful "difficult to see the wood for the trees" attribute. So maybe they blow up a few of your data centres and some garages :)
            You could go one state further and put the actual computers on trucks...
  • by Xaleth Nuada (516682) <dwm5842@n j i t . edu> on Friday December 28, 2001 @02:41PM (#2759786)
    It's an impressive building designed to withstand all sorts of disaster movie ideas. So what?

    As we've all seen time and time again the real threat to computer systems does not come in the form an earthquake, tidal wave, or random highjacked 767. The real threats rear their ugly heads when some idiot user doesn't update his M$Outlook security package, or takes his password out of the dictionary.

    I'm not trying to say that physical threats to computer systems aren't important. By all means they are usually the last thing people think about. But the data here is only being protected from physcially being damaged and or lost. There's nothing in that article about firewall's, encryption, open access ports, faulty software, defective hardware, etcetera ad naseum.

    The protection of data by the building is just one part of the problem of everything becoming digital. It's by no means the end all solution.
  • by isdnip (49656) on Friday December 28, 2001 @02:42PM (#2759798)
    I don't care how secure they think it is. Give Danny Ocean three weeks and he'll get anything he wants from there.

    (Or George Clooney, in a pinch. Yeah, I liked the movie. Cash vault, sure.)
    • For any number of movie villians, simply typing the password "override" will get them full access to the system, including the parts of the building that aren't even connected to the network!
  • by Peridriga (308995) on Friday December 28, 2001 @02:44PM (#2759809)

    Simple way to take down the site....

    3 Letters.... E M P

    Haha!!...

    • Or ECM.
      Decommissioned ECM pods now sitting in Russian Aerodromes and/or US Military Surplus sites from the 60's had the power to fry radar electronics from a mile or so away.
      FCC regs don't require shielding from this type of high power frequency.

      Heck - a good electromagnet or a junkyard magnet could do a similar number on the place.
    • Not So Easy (Score:3, Insightful)

      by virg_mattes (230616)
      > 3 Letters.... E M P

      Two words in return: Faraday Cage. This deals with the big electromagnet as well. As for the junkyard magnet, you could just arrest or disable the crane operator before he could get it near the building.(bfg)

      Virg
    • Actually, the reinforced concrete (crossed steel bars within the concrete) usually creates a sort of makeshift Faraday cage which effectively negates most EMP within. The guys over at NORAD and ze Pentagon have known this for a long time.

      But it does depend on whether the building is reinforced, and how long the steel cabling is within it, etc. But the effect should not be so severe, reguardless. And remember, the EMP only affects unshielded electronics. They could simply invest $100 in wiring and build a giant Faraday cage around their server farm.
  • by Tony Shepps (333) on Friday December 28, 2001 @02:52PM (#2759854) Homepage
    And as long as the dot-com boom continues to revolutionize the way we all shop, work, and live, these kinds of 99.999% reliable sites will be very important to us! Because there will be sites other than Amazon and Ebay that cannot withstand even an hour of down time without endangering the very existence of the companies with those sites!

    The future lies in big buildings paying big money for big reliable redundant systems with big corporations paying big rent to make sure their big connectivity is almost permanent! Luckily the new pop-up ads will pay for it all!

    Why, the only thing stopping people from getting to the completely-reliable sites located there is the fact that 99.99999999% of the routers on the net aren't in that building! But the last two nodes of any traceroute will be absolutely rock-solid! As long as there is some money left to pay bright, qualified network engineers, including 24x7 manned duty! Way to go!

    (Phew. I didn't think I had a reserve of enough sarcasm to complete the post.)
  • So 1999 (Score:3, Interesting)

    by Fnkmaster (89084) on Friday December 28, 2001 @03:02PM (#2759905)
    This is very 1999. Back several years ago I was looking at several colocation facilities for my company, including Frontier GlobalCenter in NYC and the Exodus data center in Waltham, MA. They spent so much money on whiz-bang protection from invading armed forces, etc. etc. Not to mention the slick electrically opaque glass between the conference room and the NOC, so they can press a button and you watch the "opaque" glass at the end of the room fade away to see the ridiculous NOC with way too many flashing lights and screens with little bandwidth bars that was all for the benefit of potential customers.


    This sort of excess overspending and the lack of emphasis put on _real_ security (i.e. data security rather than physical security) ignores the vastly more likely threat to most company's web servers and database servers (and frankly that's what most of the boxen in these places are - huge rooms full of Yahoo and eBay machines). I'm not saying that a certain degree of security isn't appropriate, but withstanding foreign invasion? Please. The invaders are looking to break in with their armored brigade to the Exodus data center!!! Oh no!! Come on. A modest degree of armed guard presence, a low profile, some generators and massive UPS system - fine, this all makes sense. But you can go overboard.


    Anyway, don't take my word for it. Just look at Exodus' stock. Their excesses seemed to ignore the fact that the service they provided just wasn't worth the outrageous amount of money they were charging for it, and these days, the more budget conscious hosting/data center/colo companies are the ones left standing.

    • You are so right. I work for a clec that is surviving this time and picking up customers from the chapter 11's and chapter 7's. One of our switch rooms is a leased space in an industrial building and looks pretty ugly. Our datacenter for our internal network for nt and exchange is in a small room in a non-descript building. Nothing fancy. Even the testing lab where we take the potential customers to is nothing special. Just another room in a bland suite in a bland building.
  • Here's the weak link (Score:2, Informative)

    by owlmeat (197799)
    "Doors throughout the complex are secured with a Honeywell Access Control System, and staff working at the facility are supplied with a proximity card."

    US national labs rejected proximity cards years ago because they could be surreptitiously read out and cloned.
  • "...is built to survive the worst."

    You got to be kidding. I don't think *anything* can survive the: "/. effect"
    • All data centers are designed to impress customers, and the true level of security is never as high as the hype/promise.
    • The only true data center survivability lies in redundancy

    I've been a customer at Exodus, and I've toured a number of other data center sites. The centers are generally designed to impress visitors - the "dead man zone" room being a perennial favorite - and to suggest a level of security that isn't truly there. There's a reason that the government doesn't build secure sites in the middle of an industrial park, yet that's often where you find colo/data centers. Also, the number of "sales prospects" triapsing through the data center should suggest that the true security level is lower than advertised.

    As far as survivability goes, no matter how much work you put into the power, the redundant data lines, the physical security, there is no true survivability in a single site. (Look at 9/11 - how many WTC companies basically said "we'd have been dead if we didn't set up off-site disaster recovery after the '93 bomb"). Any single building can be disrupted by a determined attacker. You have to use multiple sites to be truly survivable (again, look at the Internet - the whole idea was a distributed, survivable network.

    • Any single building can be disrupted by a determined attacker

      Also it's harder for someone to attack multiple targets at the same time. An invading army would probably be more concerned with securing actual communications systems than those simply housing data anyway...
  • Wouldn't the best security (or at least pretty good) be to NOT advertise it on one of the most heavily trafficked sites on the net? I mean, if you want to physically destroy servers and the hardware that supports them, don't you need to know where they are? Thanks to ZD's article, now we and all other nefarious types know. Thanks John Dvorak! :)
  • Well, the building seems as secure as anything I've ever heard of, but they never mention what their communication lines are. This is ok if they are primarily concerened with data safety (which they obviously are!), but this kinda falls down if they are trying to provide data accesibility (sp?). Of course, they might (probably?) have the standard fibre plus wireless and satellite. At least I would hope so, otherwise you just have this impenatrable mass in the middle of muck that can't move and can't talk to anyone, but you can't touch without getting your ass blown off.
  • by Wag (102501)
    It's reassuring to know when the world is enduring The Apocalypse an outlet for pornagraphy will exist for future generations.
  • Amazingly, for a country originally populated by convicts, Australia seems to be outpacing the US for the honor of being the worst western country in terms of individual liberty (UK, US, AU...it's a three horse race I think). If it were me in that part of the world, I'd pick New Zealand. Unless I were serving AU-domestic customers specifically, I see no reason anyone would colo there; they might as well at least use the US where things are cheap.

    Nice specifications, though. A single generator for on-site power is probably a bad idea, though, even with 2 substation feeds; any outage which could take down a substation could easily be system-wide, and some of those take a long time to restore. Witness the 9-11 situation where 111 8th and 60 Hudson (2 of the 3 important NYC carrier facilities) were on extended generators). 111 8th's generator 1) ran out of fuel 2) didn't start due to dust clogging the air filters. And powering up a 2MW diesel every 6 weeks for testing is also bad; should be done weekly or better.

    I think it's rather telling that no one is building out bare colos like Exodus, Frontier GlobalCenter, etc. did back in the mid-1990s; there's a glut of raw space except in very specific markets. Managed services or differentiation (by security, expansion of over-capacity carrier hotels, low pricing, etc.), but not by massive up-front capital spending.
  • The real solution is to house the data in multiple facilities in different countries; and the only security focus should be on protecting the data from theft, not from destruction.

    If someone really wants to blow up a builiding, they can do it. It is a lot harder if that building is only part of a redundant network.
  • What I'd like to see is this:

    • An operating system with machine-checked proofs of correctness down to the hardware (VHDL) level.
    • Passwords are not used. Security is based on physical access to secured terminals, plus biometrics.
    • All crypto is in hardware, and meets NSA standards.
    • All apps have minimal, and I mean minimal, privileges. Anything run from the outside, like a servlet, runs in a jail.
    • Separate red (insecure) and black (secure) systems, interconnected by an upgrader/downgrader that parses everything and only permits a very limited set of transactions, such as the usual credit card operations. The red system doesn't need the heavy security stuff, but the black system does.
    • Proof of correctness on the upgrader/downgrader.
    • The red machine boots from CD-ROM, and the memory protection hardware supports "make this read-only until the next boot".

    The software development for this would be expensive, and performance would be modest, but highly secure, limited-purpose back-end systems would be far better than what we have now.

  • Designed as a southern Fort Knox, the structure is earthquake proof, bomb resistant, and provides anti ram capabilities.

    From the movie Strange Days by James Cameron:

    MACE
    Take it easy. The glass is bullet resistant.

    LENNY
    Bullet resistant? Whatever happened to bullet proof?
  • A Beowulf Clus--aarrruugh!

    Drops dead and dies as a mob of angry /.'ers begins lynching him
  • by strags (209606) on Friday December 28, 2001 @03:38PM (#2760060)
    While having your servers nice and secure in a physically impenetrable fortress is all very well and good, it's sort of the physical equivalent to cryptographic security-by-obscurity. It provides a false sense of security, and doesn't address critical vulnerabilities.

    Let's face it - someone who wants to take your website down isn't going to do it by physically storming the building! Unless, of course, they're the government - in which case they'll also cut off your internet feed. What good is your 7-week's worth of diesel going to do you then?

    Furthermore, it doesn't make any difference how physically secure your boxen are, if you're running an OS with networking vulnerabilities, or are vulnerable to DOS attacks.

    The most secure solution is complete redundancy/distribution, in both physical and network space. The most obvious example is Freenet, which sadly isn't quite mainstream-useable yet.

    Store your documents in a distributed fashion across thousands of machines. Encrypt them, so even the individual user doesn't know what his cache contains. Cryptographically sign each piece of content you produce. How is anyone going to fuck with your site when it's in a thousand different places?
    • Let's face it - someone who wants to take your website down isn't going to do it by physically storming the building! Unless, of course, they're the government - in which case they'll also cut off your internet feed. What good is your 7-week's worth of diesel going to do you then?

      If the building isn't as secure as you think it is the 7 weeks supply of diesel may simply help it burn better. IIRC WTC 7 contained a large store of fuel...
  • The weak point in any security setup is normally the human element.

    Nothing here changes that.

  • So if Slashdot relocates to Australia, does that mean we can still rely on Slashdot to give us live up-to-date information as the country is being invaded and bombed back to the stone age?

    More importantly, can it survive a DDoS?

    Can it survive the /. effect?
  • I don't mean to be morbid, but from reading the article it seems clear that this building couldn't handle a fully fueled passenger jet being crashed into it.

    It's all well and good to defend against those who want to steal, but beyond a certain point, you can't really defend against those who wish to destroy.
  • The big players in the hosting market have tried this already - and have failed. Exodus and NaviSite both have very physically secure facilities, but these types of setups cost a lot of money to build and maintain.

    If you can't convince clients that it's worth the extra money to have all of this physical security, you can't make money.

    In the midst of a global slowdown, are companies going to want to spend that extra money, rather than investing in distributed data warehousing approaches?

  • Anyone else think this is teh 21st Century version of the Titanic?

    It was built to secure the data of the world.
    It was built to withstand natural disasters.
    It was built to withstand armored assault.

    One man would bring it down.
    One man would free the information.
    One man - Lord Legba!

    Coming to a theater near you this summer.
  • how quaint (Score:3, Insightful)

    by markj02 (544487) on Friday December 28, 2001 @04:22PM (#2760202)
    Physical security--how quaint. Even if you greatly overengineer it, a widely distributed network of nodes using cryptographic techniques is likely to be much cheaper and no less secure. And it's also likely to be more resilient.
  • It matters *where* your redundancy is.

    At least one firm in the World Trade Center had what they thought was a very safe backup procedure: Their data center in one tower was backed up to the second. In their minds anything that would take out *both* towers would obliterate Manhattan, and therefore was considered too remote to worry about...
    • At least one firm in the World Trade Center had what they thought was a very safe backup procedure: Their data center in one tower was backed up to the second. In their minds anything that would take out *both* towers would obliterate Manhattan, and therefore was considered too remote to worry about...

      FWIW Manhattan was virtually obliterated. A significant (large) percentage of the office space outside of the WTC is unuseable and will remain so for quite some time. Services to lower Manhattan are not fully restored and will remain problematical for quite some time. Denial of Service (Mission Kill) is every bit as effective as outright destruction.
  • Not so unique... (Score:4, Interesting)

    by Biolo (25082) on Friday December 28, 2001 @05:30PM (#2760468)
    I remember about 10 years back taking a tour of a major financial institutions data centre based in Edinburgh, (Scotland). The place had been built for mainframes, but they were in the middle of replacing them with a "more modern" client server paradigm (I'm spending _far_ too much time listening to my boss!). This meant that they had collosally huge rooms, chilled to about 10 degrees C, virtually empty.

    There were essentially two data centres in one building, each with its own exceptionally large UPS system with rooms full of wet-cell batteries, and each with two backup generators. Naturally there were separate power feeds into the building (three separate sub-stations if memory serves). The most memorable part tho' was walking through the separating wall - 10 feet thick re-inforced concrete which, we were told, had been designed to withstand an impact from a 747. They were under the local airports flightpath - an airport whose runways will never take a 747, but anyway. The wall runs diagonally to the flightpath, but if it lands right on top they've still lost the facility.

    The thing that always strikes me about all these types of centres is that they seem to ignore (or just don't talk about) the human factor. Most disaster recovery plans are just as bad. Picture the scenario - half of your facility has just been taken out by some disaster, you probably just lost half of your collegues. I won't describe the scene, but you can imagine what horrors might be going on on the other side of the 10 foot concrete wall from you - how well will the average person be able to cope emotionally, never mind how well they'll be able to do their job? I imagine a lot of people simply wouldn't be able to face coming into work in those situations.

    All that said of course, from what I hear those who survived the WTC proved me wrong, but then they were making a stand against the terrorists, and I really admire that. What if though, for the sake of this scenario, the disaster had been caused by human error, natural disaster or whatever. How would people have coped and done their jobs under those circumstances. I think a lot more people would have refused to come into work, even in the disaster recovery site, and those that did would probably have been a lot more distracted and lack motivation, at least once the immediate response to the disaster was over.
  • by Faust7 (314817)
    as well as the infrastructure to ensure that Web sites continue to function come fire, flood, natural catastrophy or foreign invasion.

    Okay, good structure, check.

    Anyone remember what happened to CNN, MSNBC, etc. after the WTC thing? The sheer number of accesses brought them right down. It was a perfect testament to the fragility of the Web. This ought to be addressed as well; we may not always have Google's famous cache to fall back on.

  • Okay, I'm going to preface this by admitting I've never been inside the Amadeus facility. I have however lovingly devoured the Amadeus coffee table book on the history of their facility, as well as spent plenty of time talking with the folks from Amadeus about their facility. Now I've searched and searched for publicly available info on the ADP, but can't find anything. Google pulls up obscure references to it, but nothing that describes the facilities in detail.

    My issue with the Hostworks facility is that it's designed to handle physical currency, not data. You can fit a hell of a lot more electronic currency in 1 square foot than you could ever fit physical currency.

    The Amadeus Data Processing Facility (aka the ADP [no relation to the ADP you see on your paychecks]) in Erding Germany is the Fort Knox of data facilities. It's designed to not only protect the servers physically, but to also protect the transactions within the facility

    Amadeus is the European equivalent of Sabre in the US. They have roughly a 90% market share of the European market, 10% of the US, and a lot of the rest of the world to boot.

    Their facilities are oriented towards traditional transaction processing systems (Tandem/Himalaya machines) rather than "normal" servers. While there is overlap in methodology there are a *lot* of differences. For the most part, they manage all the machines.

    This facility supports all of the Amadeus traffic (both queries and bookings for hotels, cruises, airlines, car rentals, even travel insurance.), as well as the data processing for a number of international airlines (British Airways is one), and supposedly several international banks as well.

    The facility is oriented around (roughly triangular) firecells, of which there are 3 for machines. These are massively over built. They were originally designing for hundreds of mainframe style machines, and (literally) tons of copper cabling in each firecell.

    Each primary walkway is secured at multiple points. You're escorted at all times by a guard who doesn't have the ability to open any doors. Doors can only be opened by a guard remotely. At every point a guard can verify what he's seeing on the camera by direct visual observation.

    Cooling is completely isolated from electrical which is completely isolated from network cabling which is completely isolated from the machines. Machines are the at the center of the firecells with corridors for cooling, electrical, and other support systems surrounding it. Each of the corridors is physically secure from all of the others.

    ADP has enough generator power to run the entire town of Erding in the event that Erding loses it's main power source(s). Rumor has it that this has happened on numerous occasions.

    Geographically isolated in a "easily defensible location". (One of those comments that kinda sticks in your mind when you hear it)

    If they don't know you're coming you are stopped by armed guards before you're in sight of the building.

    There is a No-Fly zone around their facility. (How this is enforced I don't know...)

    Every Tandem is actively mirrored by another in a seperate firecell on a seperate floor. If your Tandem in cell-1 floor-2 goes away, the mirror in cell-3 floor-1 keeps the transaction from being lost.

    The list goes on and on. Someone out there in the /. universe has to have heard of this facility and can probably fill in or correct details, but the Hostworks facility is by no means truly unique.

  • by billstewart (78916) on Friday December 28, 2001 @08:51PM (#2761101) Journal
    There are some kind of applications that work fine in isolation, and if this is one of them, cool. But most real-world businesses need to be connected to the rest of the world - either the Internet, or privatge networks (e.g. bank data centers talking to ATMs). The article doesn't mention physically redundant communications, though I assume they probably did use a fiber ring of some sort, which means it takes *two* backhoe hits before they're off the net and not just one. But if they're this paranoid, and not just hyping themselves, they need some radio or satellite connectivity, enough voice diversity (or cell phones) so they can talk if their phone connection gets cut, and ideally geographical diversity so that if something does go seriously wrong (flood, earthquake, etc.) they can run from their other location.

"If John Madden steps outside on February 2, looks down, and doesn't see his feet, we'll have 6 more weeks of Pro football." -- Chuck Newcombe

Working...