Hi Kevin,

Well I'm happy to provide my experience.

When I decided to build a new data centre business back in 2010, I started with a simple premise: that the core data centre experience must be controlled by browser and phone. That system was (and still is called) ONEDC.

A key component of this is the ability for our customers to:

* Remotely lock and unlock racks from their phone (great for remote hands)
* Use Facility Prox swipe cards to lock/unlock racks in facility at swipe points at end of aisle (did that back in 2008)
* Needed to provide users/customers the ability to add/remove their staff (and their customers) access to racks including time of day, time of week access as well as a per rack access granular level (handy if you have 10 racks in a row with 5 different customers so you can limit their access, or a contractor with time of day access such as a tape swap out service)
* Full data output allowing me to provide real time audit logs (yes audit logs for security).

We did some pretty cool stuff with power management/measurement etc. and made a little video 3 years ago (my kids are playing soccer in the background ;)) https://www.youtube.com/watch?v=58vvIJOfBcE

The product has come on a lot since it launched (I left the company 2 years ago now).

So what did we do?

I used to use a relay type system in 2007-10 in my previous data centre life. It's pretty good but a bit "industrial". It's also so 2007 (even 1990) and doesn't scale well when you are trying to do 3,000 racks and 6,000 doors per facility.

I looked at the APC electronic locking system, but the big issue is that some fool in product decided to remove RADIUS authentication, allowing a decent independent command/control capability.

The product I went with was TZ rack locking because:

* Solid product with background in remote post office/delivery locking systems
* Use "Shape Memory Alloy" system in which the lock mechanism is a fluid type alloy that changes shape with voltage, rather than old school mechanical locking
* They look really cool, fit most racks and have some great features (like delayed lock for 5 seconds in case you realise you left your screwdriver in the rack :))
* Provided API Access so I can integrate it into our rack management system (ONEDC)
* Full log interface

They will try to ship you the entire product suite, but if you can commit to decent scale they are flexible (API access, support etc.) and let you integrate into the locks.

I think NEXTDC has probably deployed about 10,000 doors and one of the old team at NEXTDC is now working for TZ and he eats this stuff for breakfast. I can pass on his details if you wish.

Anyway I can definitely recommend TZ http://ixp.tz.net . In looking at their website their product set and locking systems have expanded in the last 2 years or so.

Hope this helps.

Cheers

[b]

On 21/11/2015 11:55 am, "NANOG on behalf of Jimmy Hess" <nanog-bounces@nanog.org on behalf of mysidia@gmail.com> wrote:
On Fri, Nov 20, 2015 at 2:37 PM, Kevin Burke <kburke@burlingtontelecom.com> wrote:
What kind of experience do people have with rack access control systems (electronic locks)? Anything I should pay attention to with the
Overpriced, overkill for most real-world uses? High-Tech technology for technology's sake?
Avoid them if you can. Within six months or so, at least once, there will probably be some glitch delaying or denying required prompt access. [snip]
Background We have half a dozen racks, mostly ours. Mostly I want something to log who opened what door when. Cooling overhaul is next on the list but one
It probably makes sense if there are more than a handful of people with unobserved physical access, and high frequency of access, or there's a trust issue, high-risk consideration. Or you have to satisfy a "Checkbox Auditor".
You're not going to be able to look at a log and see Joe opened it at 2:45AM 12 months ago, and ever since then, the servers are not quite right.
Consider manual procedures
Example: Electronic access control to the actual rooms. A Robo-Key system (RKS), Keyvault, or Realtor lockboxes on each server rack ^_^
Physical locks on cabinets. Key vault that supports multiple combinations. Then you don't need exotic hardware, just a good lock, and sound key control procedures.
I am imagining if you need to automate control of individual keys; that there will be more competing solutions for this than specialty rack locks.
Logging procedures for key access... Send an e-mail when someone opens the vault.
Simple magnetic reed switches on all cabinet doors. Send an e-mail when a cabinet door is opened. Quite a few standard alarm panels can do those types of things.
Assign someone to periodically check handwritten logs and check for discrepancies. ^_^
at a time. Even with cameras those janky make nobody happy.

--
-JH