What kind of experience do people have with rack access control systems (electronic locks)? Anything I should pay attention to with the products?

Hope this question hasn't already been answered. Not too picky about what/who. The APC solution seems to start getting pricy with multiple racks. I see Arduino has an RFID reader but haven't found the door opener.

The racks in question are standard APC (SX?) racks.

Background

We have half a dozen racks, mostly ours. Mostly I want something to log who opened what door when. Cooling overhaul is next on the list but one at a time. Even with cameras those janky make nobody happy.

If someone knows a better place to ask this that would be nice too.

Thanks for your time!

Kevin Burke
802-540-0979
Burlington Telecom - City of Burlington
200 Church St, Burlington, VT 05401
On Fri, Nov 20, 2015 at 2:37 PM, Kevin Burke <kburke@burlingtontelecom.com> wrote:
What kind of experience do people have with rack access control systems (electronic locks)? Anything I should pay attention to with the
Overpriced, overkill for most real-world uses? High-Tech technology for technology's sake? Avoid them if you can. Within six months or so, at least once, there will probably be some glitch delaying or denying required prompt access. [snip]
Background We have half a dozen racks, mostly ours. Mostly I want something to log who opened what door when. Cooling overhaul is next on the list but one
It probably makes sense if there are more than a handful of people with unobserved physical access, and high frequency of access, or there's a trust issue, high-risk consideration. Or you have to satisfy a "Checkbox Auditor".

You're not going to be able to look at a log and see Joe opened it at 2:45AM 12 months ago, and ever since then, the servers are not quite right.

Consider manual procedures

Example: Electronic access control to the actual rooms. A Robo-Key system (RKS), Keyvault, or Realtor lockboxes on each server rack ^_^

Physical locks on cabinets. Key vault that supports multiple combinations. Then you don't need exotic hardware, just a good lock, and sound key control procedures.

I am imagining if you need to automate control of individual keys; that there will be more competing solutions for this than specialty rack locks.

Logging procedures for key access... Send an e-mail when someone opens the vault.

Simple magnetic reed switches on all cabinet doors. Send an e-mail when a cabinet door is opened. Quite a few standard alarm panels can do those types of things.

Assign someone to periodically check handwritten logs and check for discrepancies. ^_^
at a time. Even with cameras those janky make nobody happy. -- -JH
On Nov 20, 2015, at 20:55, Jimmy Hess <mysidia@gmail.com> wrote:
You're not going to be able to look at a log and see Joe opened it at 2:45AM 12 months ago, and ever since then, the servers are not quite right.
And I would have got away with it too, if it wasn't for you kids and your pesky logs.

Joe
http://www.netbotz.ca/rackbotz.htm

Just make sure you put one on both the front and back. Otherwise one could just open the back and unplug the Ethernet cable.

--
Joe Hamelin, W7COM, Tulalip, WA, +1 (360) 474-7474

On Fri, Nov 20, 2015 at 6:06 PM, Joe Abley <jabley@hopcount.ca> wrote:
On Nov 20, 2015, at 20:55, Jimmy Hess <mysidia@gmail.com> wrote:
You're not going to be able to look at a log and see Joe opened it at 2:45AM 12 months ago, and ever since then, the servers are not quite right.
And I would have got away with it too, if it wasn't for you kids and your pesky logs.
Joe
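A sketch of the logging idea discussed above: reed switches on every door, front and rear, matched against the access controller's unlock records to answer "who opened what door when". This is an added example, not code from any poster or product; the event format, user names and 30-second window are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample events (not from any real system). "unlock" rows come from
# the access controller and carry a user; "open" rows come from reed switches.
SAMPLE_EVENTS = [
    ("2015-11-20 14:00:05", "R01", "front", "unlock", "alice"),
    ("2015-11-20 14:00:09", "R01", "front", "open", None),
    ("2015-11-20 14:03:40", "R01", "rear", "open", None),    # rear has no unlock
    ("2015-11-21 02:45:00", "R04", "rear", "unlock", "bob"),
    ("2015-11-21 02:45:12", "R04", "rear", "open", None),
    ("2015-11-21 02:50:00", "R04", "rear", "open", None),    # unlock is stale
]

def attribute_opens(events, window_seconds=30):
    """Return (time, rack, door, who) for every door-open event.

    An open is credited to the latest unlock of the same rack and door if that
    unlock happened at most window_seconds earlier; otherwise who is None.
    """
    window = timedelta(seconds=window_seconds)
    last_unlock = {}  # (rack, door) -> (datetime, user)
    report = []
    for ts, rack, door, kind, who in sorted(events, key=lambda e: e[0]):
        when = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        if kind == "unlock":
            last_unlock[(rack, door)] = (when, who)
        elif kind == "open":
            unlocked_at, user = last_unlock.get((rack, door), (None, None))
            if unlocked_at is None or when - unlocked_at > window:
                user = None  # nobody badged this door recently
            report.append((ts, rack, door, user))
    return report

def unattributed(report):
    """Door opens that no unlock explains: the ones worth an alert e-mail."""
    return [row for row in report if row[3] is None]

if __name__ == "__main__":
    for ts, rack, door, user in attribute_opens(SAMPLE_EVENTS):
        print(ts, rack, door, user or "UNATTRIBUTED")
```

A rack with a lock and reader on the front only still produces rear-door rows here, but every one of them is unattributed, which is the gap the front-and-back advice closes.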
On November 20, 2015 at 21:06 jabley@hopcount.ca (Joe Abley) wrote:
On Nov 20, 2015, at 20:55, Jimmy Hess <mysidia@gmail.com> wrote:
You're not going to be able to look at a log and see Joe opened it at 2:45AM 12 months ago, and ever since then, the servers are not quite right.
And I would have got away with it too, if it wasn't for you kids and your pesky logs.
Possibly NSFW-language depending on your W but just an image no audio:

http://www.soveryfunny.com/wp-content/uploads/2014/09/too_many_fucking_secur...

or

http://tinyurl.com/ngnvs4s

--
-Barry Shein

Software Tool & Die | bzs@TheWorld.com | http://www.TheWorld.com
Purveyors to the Trade | Voice: 617-739-0202 | Login: 617-739-WRLD
The World | Public Access Internet | Since 1989 *oo*
Hi Kevin,

Well I'm happy to provide my experience. When I decided to build a new data centre business back in 2010, I started with a simple premise. That the core data centre experience must be controlled by browser and phone. That system was (and still is called) ONEDC. A key component of this is for the ability for our customers to:

* Remotely lock and unlock racks from their phone (great for remote hands)
* Use Facility Prox swipe cards to lock/unlock racks in facility at swipe points at end of aisle (did that back in 2008)
* Needed to provide users/customers the ability to add/remove their staff (and their customers) access to racks including time of day, time of week access as well as a per rack access granular level (handy if you have 10 racks in a row with 5 different customers so you can limit their access, or a contractor with time of day access such as a tape swap out service)
* Full data output allowing me to provide real time audit logs (yes audit logs for security).

We did some pretty cool stuff with power management/measurement etc. and made a little video 3 years ago (my kids are playing soccer in the background ;)) https://www.youtube.com/watch?v=58vvIJOfBcE

The product has come on a lot since it launched (I left the company 2 years ago now).

So what did we do. I used to use a relay type system in 2007-10 in my previous data centre life. It's pretty good but a bit "industrial". It's also so 2007 (even 1990) and doesn't scale well when you are trying to do 3,000 racks and 6,000 doors per facility.

I looked at the APC electronic locking system, but the big issue is that some fool in product decided to remove radius authentication, allowing a decent independent command/control capability.

The product I went with was TZ rack locking because:

* Solid product with background in remote post office/delivery locking systems
* Use "Shape Memory Alloy" system in which the lock mechanism is a fluid type alloy that changes shape with voltage, rather than old school mechanical locking
* They look really cool, fit most racks and have some great features (like delayed lock for 5 seconds in case you realise you left your screw driver in the rack :))
* Provided API Access so I can integrate it into our rack management system (ONEDC)
* Full log interface

They will try to ship you the entire product suite, but if you can commit to decent scale they are flexible (API access, support etc.) and let you integrate into the locks. I think NEXTDC has probably deployed about 10,000 doors and one of the old team at NEXTDC is now working for TZ and he eats this stuff for breakfast. I can pass on his details if you wish.

Anyway I can definitely recommend TZ http://ixp.tz.net . In looking at their website their product set and locking systems have expanded in the last 2 years or so.

Hope this helps.

Cheers

[b]

On 21/11/2015 11:55 am, "NANOG on behalf of Jimmy Hess" <nanog-bounces@nanog.org on behalf of mysidia@gmail.com> wrote:
On Fri, Nov 20, 2015 at 2:37 PM, Kevin Burke <kburke@burlingtontelecom.com> wrote:
What kind of experience do people have with rack access control systems (electronic locks)? Anything I should pay attention to with the
Overpriced, overkill for most real-world uses? High-Tech technology for technology's sake?
Avoid them if you can. Within six months or so, at least once, there will probably be some glitch delaying or denying required prompt access. [snip]
Background We have half a dozen racks, mostly ours. Mostly I want something to log who opened what door when. Cooling overhaul is next on the list but one
It probably makes sense if there are more than a handful of people with unobserved physical access, and high frequency of access, or there's a trust issue, high-risk consideration. Or you have to satisfy a "Checkbox Auditor".
You're not going to be able to look at a log and see Joe opened it at 2:45AM 12 months ago, and ever since then, the servers are not quite right.
Consider manual procedures
Example: Electronic access control to the actual rooms. A Robo-Key system (RKS), Keyvault, or Realtor lockboxes on each server rack ^_^
Physical locks on cabinets. Key vault that supports multiple combinations. Then you don't need exotic hardware, just a good lock, and sound key control procedures.
I am imagining if you need to automate control of individual keys; that there will be more competing solutions for this than specialty rack locks.
Logging procedures for key access... Send an e-mail when someone opens the vault.
Simple magnetic reed switches on all cabinet doors. Send an e-mail when a cabinet door is opened. Quite a few standard alarm panels can do those types of things.
Assign someone to periodically check handwritten logs and check for discrepancies. ^_^
at a time. Even with cameras those janky make nobody happy. -- -JH
So what did we do. I used to use a relay type system in 2007-10 in my previous data centre life. It's pretty good but a bit "industrial". It's also so 2007 (even 1990) and doesn't scale well when you are trying to do 3,000 racks and 6,000 doors per facility.

Part of the scaling issue was the door locks on that system were conventional solenoids, which from memory needed about 1A @ 12VDC to fire. If a customer had 30-40 racks (and a couple did in that facility), you'd need to potentially fire 60-80 doors, or need 60-80 amps available (I have a recollection we used a 12V SLA battery to ride out those peaks). Additionally, monitoring lock status would have needed separate wiring and separate inputs. Cabling was a star topology (each rack directly back to the controller).

The TZ locks use a fraction of that power - from memory, only a few amps to do a pod of 30 or so racks. Firing a lock is measured in milliamps, not amps. The locks are controlled over RS485, so you get lock control and monitoring over a single cat-5. From memory the cable topology is technically hierarchical, but you could loosely consider it to be a bus. Overall, vastly superior to the 'industrial' style system.

I looked at the APC electronic locking system, but the big issue is that some fool in product decided to remove radius authentication, allowing a decent independent command/control capability.

At the time the available version of the product didn't deal with too many racks (which also meant a lot of under-floor power outlets to feed the controllers). I think they were coming up with a denser version, but I didn't see it.
Our datacenter build used RCI rack locks/handles and over the last year of production since going live haven't had any issues.

http://www.rutherfordcontrols.com/en/products/electric-locks/3525/

We used the non-RFID model and put a standard card reader at the end of every row. Our Access control system handles the locking and unlocking as well as log generation (HIPAA compliant facility). These handles would work just as well with some form of relay controller.

Locking the rack level also removed the need to allow building cages (which would be a waste of space in our facility).

Mike Poublon
Senior Datacenter Network Engineer
269-375-8996 Main
Secant Technologies
6395 Technology Ave. Suite A
Kalamazoo, MI 49009

On 11/20/2015 3:37 PM, Kevin Burke wrote:
What kind of experience do people have with rack access control systems (electronic locks)? Anything I should pay attention to with the products?
Hope this question hasn't already been answered. Not too picky about what/who. The APC solution seems to start getting pricy with multiple racks. I see Arduino has an RFID reader but haven't found the door opener.
The racks in question are standard APC (SX?) racks.
Background We have half a dozen racks, mostly ours. Mostly I want something to log who opened what door when. Cooling overhaul is next on the list but one at a time. Even with cameras those janky make nobody happy.
If someone knows a better place to ask this that would be nice too.
Thanks for your time!
Kevin Burke 802-540-0979 Burlington Telecom - City of Burlington 200 Church St, Burlington, VT 05401
participants (8)
- Bevan Slattery
- Bob Purdon
- bzs@theworld.com
- Jimmy Hess
- Joe Abley
- Joe Hamelin
- Kevin Burke
- Mike Poublon