4.0 Security

4.1 Compare and contrast physical security methods and concepts

Security objectives are written very hazily. Basically they would put the exam pursuer in the middle of a lake and tell them to swim, even though they do not know how – there is no clear line to follow through the exam objective as there is in other topics… I strongly advise checking IT security training videos/concepts around the internet to grasp the basics of this topic, so that terms like CIA, AAA, hashing vs encrypting etc. aren’t unknown, because not everything is going to be mentioned here in a connected fashion. And in IT, security topics tend to be more connected to each other than is usual.

  • Basic terminology – Authentication vs Authorization
    • Authentication – the process in which the identity of a person or system is proven (e.g. claiming that my name is John isn’t enough, but presenting an ID card with a photo proves it).
    • Authorization – the permissions and privileges to perform certain actions once the identity is known (e.g. being identified as John may be enough to enter the building, but not enough to enter the data center inside). Authentication always comes first; authorization decisions are made against the proven identity.
  • Multifactor Authentication – authentication that combines two or more different factor types, e.g. password + card or fingerprint + answer to a control question. Two items of the same type (password + PIN) are both “something you know” and still count as a single factor.
    • The opposite is single-factor – only one thing is required from you, and that one thing is enough to authenticate you.
    • Something you have – physical objects you carry with you (ID card, RFID card, hardware security token, phone with an authenticator app etc.)
      • Attacks – theft of the object, cloning (many low-end RFID cards can be copied with a cheap reader)
      • Best practice – never leave the object that proves your identity unattended (in a car etc.); if you lose it, immediately contact the issuing office and report it so that it can be revoked, otherwise it can be used for criminal purposes
    • Something you know – knowledge you have (passwords, PINs, answers to control questions etc.)
      • Attacks – shoulder surfing, keyloggers (malware, hardware keyloggers etc.), sniffers on the network (man-in-the-middle attack), dictionary attack (based on lists of the most used passwords), brute force (trying all combinations of characters – the effort grows exponentially with password length), reuse of a password leaked from another service
      • Best practice – use strong and long passwords (at least 9 characters, longer is better), do not use the same password for various services, change your passwords from time to time and immediately when you suspect one was exposed, and do not write passwords down where others can find them – remember them or keep them in a password manager
    • Something you are – unique characteristics you have – fingerprints, face recognition (biometrics in general)
      • Attacks – coercion (forcing the person to present the biometric), spoofing (fake fingerprints, photos or replayed samples presented to the sensor), attacks on the matching algorithm or on the stored templates; unlike a password, a compromised biometric cannot be changed
      • Best practice – combine biometrics with other factors if possible
  • Security concepts – different approaches and principles to secure things depending on the situation. The basic model is the CIA triad (Confidentiality, Integrity, Availability). Confidentiality ensures that information isn’t disclosed to unauthorized individuals, entities or processes; it goes hand in hand with encryption and access control. Integrity refers to protection of information against unauthorized or accidental change – assurance that information wasn’t altered in transit or at rest and is still what its owner wrote (hashes and digital signatures are the usual tools). Availability is about making sure that information and systems are available when needed – proper maintenance of all systems, HW and SW, plus redundancy and backups, is the key to this part of the InfoSec triad. !This is a very brief introduction!
    • Mantrap – belongs to physical security. A small space (two interlocked doors) you enter; the door behind you locks and the door in front won’t open until you authenticate, so only one person passes per authentication and tailgating is prevented.
    • RFID chip – a tag embedded in a badge or card that is read wirelessly by a reader – the usual technology behind “something you have” door access; the reader passes the card ID to an access controller that decides whether the lock opens.
    • ID card – something you have. A card providing identification of the person holding it – it can be something simple like a photo and a name, but can also have electronics inside (magnetic stripe, RFID or smart card chip) to be read by a scanner.
    • Biometric – “something you are” type of authentication. Can be a fingerprint, iris/retina scan, face recognition and so on.
    • Keypad – a device for “something you know” – usually a small device positioned next to a door on which you enter a PIN. Wear on the buttons can reveal which digits are used, so PINs should be changed regularly.
    • Access list – in general this is a list of persons/systems that have permission to do something. Think about it as a general concept – in the real world, if you want to enter a fancy club and a bouncer is at the door, you are either on the list and will be let in, or you are not. Or there can be a note that as soon as the bouncer sees you he will provide you some unhealthy attention :). An access list for network devices can look like this: 
      Extended IP access list 101
          10 permit tcp any host 172.16.2.9 eq 443
          15 permit tcp any host 172.16.2.11 eq 22
          18 permit udp host 172.16.1.21 any eq 53
          20 permit udp host 172.16.1.22 any eq 53
          30 deny ip any any log
      • This access list specifies which IP addresses can contact which other IP addresses, by which protocol and port: anyone may reach the web server 172.16.2.9 on 443 and the jump host 172.16.2.11 on SSH, and only two internal hosts may send DNS queries out. Entries are evaluated from the top and the first matching entry wins, so order matters – a “permit tcp any any” placed first would make every later TCP entry unreachable. Everything that matches no entry is dropped by the implicit deny at the end of every access list; the explicit “deny ip any any log” only makes those drops visible in the logs.
    • Security guard – mostly a preventive (deterrent) control, related to physical security. Simply putting a person in a visible spot, labelled as a security guard, is often enough to deter unauthorised access; unlike a camera, a guard can also challenge people and respond on the spot.
    • Security camera – visible or hidden. A visible camera deters in a similar way to a security guard; a hidden one mainly serves detection and provides recorded evidence for investigation afterwards.
    • Keys & Locks – prevent unauthorised access to certain things. This begins with the servers themselves, which can be locked – both the front panel (HDDs inaccessible) and the case (everything inside inaccessible – RAM, processor, MB, internal peripherals etc.), continues with racks (usually both the front and the back of a rack have a lock – this prevents access to the buttons on the front and the cables at the back), cabinets, data center doors and so on. Locks can be of many types; in offices they are often electric locks driven by an access controller, which also talks to the RFID reader nearby. Cutting the reader’s cable therefore doesn’t open the door, because the reader only reports card IDs and the controller decides. Know which kind you have: a magnetic lock is held closed by voltage and opens when power is lost (fail-safe – required on fire exits), while an electric strike or bolt stays locked without power (fail-secure – appropriate for a server room that has another emergency exit).
      • Cabinet – see above
      • Rack mount – see above
      • Server – see above
    • Safe – a locked container for small but valuable items that must not leave with a visitor or burglar: backup tapes, spare disks holding data, hardware tokens/smart cards, and printed recovery keys or emergency administrator passwords.
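The authentication vs authorization distinction and the “two different factor types” rule above, as an added worked example (my code, not part of the original notes): a login check that requires both a password (something you know, verified against a salted PBKDF2 hash) and a time-based one-time code (something you have, RFC 6238 TOTP computed from the secret in the user’s authenticator), followed by a separate authorization decision based on roles. The user store, salt, roles and policy are constructed for the example; john’s TOTP secret is the RFC 6238 test secret so the codes can be checked against the RFC’s vectors.

```python
import hashlib
import hmac
import struct


def hash_password(password: str, salt: bytes, iterations: int = 100_000) -> bytes:
    """'Something you know': store only a salted PBKDF2-HMAC-SHA256 hash, never the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """'Something you have': RFC 6238 TOTP = HOTP (RFC 4226) over the 30-second time counter.
    HMAC-SHA1 of the big-endian counter, dynamic truncation, then the last `digits` decimal digits."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


# Constructed user store (assumption: in practice this lives in a directory/IdM
# and the TOTP secret is encrypted at rest). One salt is used here for brevity;
# a real store generates a random salt per user.
_SALT = b"example-salt-do-not-reuse"
USERS = {
    "john": {
        "pw_hash": hash_password("correct horse battery staple", _SALT),
        "totp_secret": b"12345678901234567890",  # RFC 6238 test secret
        "roles": {"employee"},
    },
    "alice": {
        "pw_hash": hash_password("S3cure!pass-for-alice", _SALT),
        "totp_secret": b"ABCDEFGHIJKLMNOPQRST",
        "roles": {"employee", "dc-admin"},
    },
}

# Authorization policy (least privilege): which roles may perform which action.
POLICY = {
    "enter-building": {"employee", "dc-admin"},
    "enter-datacenter": {"dc-admin"},
}


def authenticate(user: str, password: str, code: str, now: int) -> bool:
    """Two factors of different types; failing either one fails the login.
    A +/-1 step window tolerates clock drift between the token and the server."""
    rec = USERS.get(user)
    if rec is None:
        hash_password(password, _SALT)  # same work for unknown users: no timing leak
        return False
    if not code.isascii():
        return False
    pw_ok = hmac.compare_digest(rec["pw_hash"], hash_password(password, _SALT))
    otp_ok = any(
        hmac.compare_digest(code, totp(rec["totp_secret"], now + drift))
        for drift in (-30, 0, 30)
    )
    return pw_ok and otp_ok


def authorize(user: str, action: str) -> bool:
    """Separate decision, made only after authenticate() succeeded: does one of
    the user's roles appear in the policy for this action?"""
    roles = USERS.get(user, {}).get("roles", set())
    return bool(roles & POLICY.get(action, set()))


if __name__ == "__main__":
    import time
    now = int(time.time())
    code = totp(USERS["john"]["totp_secret"], now)   # what john's authenticator app shows
    print("john authenticated:", authenticate("john", "correct horse battery staple", code, now))
    print("john may enter building:", authorize("john", "enter-building"))
    print("john may enter data center:", authorize("john", "enter-datacenter"))
```

Note that a correct password with a wrong code fails exactly like a wrong password: the caller learns only that the login failed, not which factor was wrong.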
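The access list from this section, which the router access lists in 4.3 and the network ACLs in 4.4 refer back to, as an added worked example (my code, not from the original notes and not a Cisco tool): a small evaluator that parses the listing above, applies the first-match, implicit-deny semantics to sample packets, and flags entries that an earlier entry shadows (the situation a `permit tcp any any` at the top creates). The parser handles only the `any`/`host` address forms and the optional `eq <port>` used in the listing; the sample packets are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# The listing from the notes above (the header line is skipped by the loader).
ACL_TEXT = """\
Extended IP access list 101
    10 permit tcp any host 172.16.2.9 eq 443
    15 permit tcp any host 172.16.2.11 eq 22
    18 permit udp host 172.16.1.21 any eq 53
    20 permit udp host 172.16.1.22 any eq 53
    30 deny ip any any log
"""


@dataclass(frozen=True)
class Entry:
    seq: int
    action: str                    # "permit" or "deny"
    proto: str                     # "ip" (any), "tcp" or "udp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]           # None means any destination port


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: int


def parse_entry(line: str) -> Entry:
    """Parse '<seq> <permit|deny> <proto> <src> <dst> [eq <port>] [log]' where an
    address is either 'any' or 'host A.B.C.D' (the only forms in the listing)."""
    tok = line.split()
    seq, action, proto = int(tok[0]), tok[1], tok[2]
    pos = 3

    def network() -> ipaddress.IPv4Network:
        nonlocal pos
        if tok[pos] == "any":
            pos += 1
            return ipaddress.ip_network("0.0.0.0/0")
        if tok[pos] == "host":
            pos += 2
            return ipaddress.ip_network(tok[pos - 1] + "/32")
        raise ValueError(f"unsupported address form: {tok[pos]}")

    src, dst = network(), network()
    dport = int(tok[pos + 1]) if pos < len(tok) and tok[pos] == "eq" else None
    return Entry(seq, action, proto, src, dst, dport)


def load_acl(text: str) -> List[Entry]:
    """Keep only the numbered entry lines; ignore the 'Extended IP access list' header."""
    return [parse_entry(l) for l in text.splitlines() if l.split() and l.split()[0].isdigit()]


def matches(e: Entry, p: Packet) -> bool:
    return (e.proto in ("ip", p.proto)
            and ipaddress.ip_address(p.src) in e.src
            and ipaddress.ip_address(p.dst) in e.dst
            and (e.dport is None or e.dport == p.dport))


def evaluate(acl: List[Entry], p: Packet) -> Tuple[str, Optional[int]]:
    """Top-down, first match wins; no match falls through to the implicit deny,
    reported with sequence None so it can be told apart from an explicit deny."""
    for e in sorted(acl, key=lambda x: x.seq):
        if matches(e, p):
            return e.action, e.seq
    return "deny", None


def shadowed(acl: List[Entry]) -> List[int]:
    """Sequence numbers of entries that can never match because an earlier entry
    already covers every packet they would match. A 'permit tcp any any' at the
    top shadows every later TCP entry, which is the usual mistake."""
    ordered = sorted(acl, key=lambda x: x.seq)
    out = []
    for i, e in enumerate(ordered):
        if any(earlier.proto in ("ip", e.proto)
               and earlier.src.supernet_of(e.src)
               and earlier.dst.supernet_of(e.dst)
               and (earlier.dport is None or earlier.dport == e.dport)
               for earlier in ordered[:i]):
            out.append(e.seq)
    return out


if __name__ == "__main__":
    acl = load_acl(ACL_TEXT)
    for p in (Packet("tcp", "203.0.113.7", "172.16.2.9", 443),
              Packet("tcp", "203.0.113.7", "172.16.2.9", 22),
              Packet("udp", "172.16.1.21", "192.0.2.53", 53)):
        print(p, "->", evaluate(acl, p))
    print("shadowed:", shadowed(load_acl(
        "10 permit tcp any any\n15 permit tcp any host 172.16.2.9\n20 permit udp host 172.16.1.21 any")))
```

The shadow check is the one a practitioner runs before applying an ACL change: an entry nobody can ever hit is either useless or, worse, a sign that the entry above it is far too broad.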

4.2 Given a scenario, apply server hardening techniques

Hardening techniques are often described in terms of the attack surface, and the goal is to reduce the attack surface as much as possible and make what remains more resistant. The more ways an attacker has to breach or damage a system, the better for the attacker. If you leave too many ports open or are not updating an application, you are creating opportunities for a possible attacker. 

  • OS hardening – hardening techniques on the operating system level
    • Stopping unneeded services / closing unneeded ports – refers to unwanted services running. A possible scenario: do you have a web server? Does it serve only as a web server? Then it doesn’t need a print server role enabled at all, etc.
      • Unneeded ports – in order to communicate on a network, an application needs a port on which it listens. Regularly check whether something is listening that is no longer needed, and compare the list of listening ports against the server’s documented role rather than against memory. 
    • Install only required software
      • Install only the SW you really need in order to provide a service, and only the SW you will actually use. This makes management easier and keeps you from increasing the attack surface with extra applications. For example – do you need an FTP server? Then use one piece of SW for it, do not set up 3 different FTP servers and use them all. Pick the “best” one (depends on requirements) and stick to it.
    • Install latest operating system patches
      • Operating systems are very complex pieces of software with many components you are not even aware of. Regular installation of patches from the OS vendor is therefore one of the most effective hardening practices; where downtime matters, test patches in a non-production environment first.
  • Application hardening
    • Install latest patches – basically the same as with OS hardening – be sure to have the latest version of the application. Application developers fix numerous bugs and security flaws with every release. 
    • Disabling unneeded services/roles/features – for more complex applications containing multiple features or providing more services at one time, enable only those features you will need.
  • Endpoint security
    • HIDS (Host-based Intrusion Detection System) – an agent on the server that watches logs, running processes, configuration and file integrity (checksums of system binaries) for signs of compromise and raises alerts; it complements the network-based IDS, which cannot see encrypted traffic or purely local activity.
    • Anti-malware
      • Malware is a general term for any harmful software. It stands for malicious software and generally aims to do you no good. Keep the engine and signatures updated, and scan the server’s own binaries, not just user data.
  • Remediate security issues based on a vulnerability scan – run a vulnerability scanner against the server (authenticated scans see far more than unauthenticated ones), sort the findings by severity and exposure, fix them by patching or reconfiguring, and re-scan to confirm the fix; document accepted risks for anything you cannot fix.
  • Hardware hardening – like SW hardening, the HW attack surface can and should be reduced as well 
    • Disabling unneeded hardware and physical ports/devices – by disabling unneeded HW, especially unused USB and other external ports, you avoid situations where someone plugs a harmful device (keystroke injector, boot drive, rogue network adapter) into your server. 
    • BIOS password – always set a password on the BIOS/UEFI setup to prevent unauthorized access to the primary configuration of HW components; without it every other firmware setting below can simply be switched back.
    • Disable WOL (Wake on LAN) – Wake on LAN can wake the computer even when it is shut down, because the NIC is still powered and receiving traffic. Anyone on the broadcast domain who knows the MAC address can send the “magic packet”; it is not authenticated, so it is not a very smart idea from a security point of view unless you need it for managed patching.
    • Setup boot order – by setting the boot order (and disabling boot from removable media entirely) you can prevent users from booting from DVD or USB and reinstalling your OS or running another operating system from external media, which would give them access to the disks; this only holds if the BIOS password prevents them from changing it back, and full-disk encryption is the backstop.
    • Chassis locks / intrusion detection – especially in a server environment it is a good idea not only to have the rack locked, but also the server itself. An intrusion detection switch is available on many servers – a sensor attached to the chassis from the inside and connected to the motherboard. The BIOS is then configured to act on the sensor in the desired way (log only, alert, or refuse to boot until an administrator clears the event).
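The “stop unneeded services / close unneeded ports” steps above, as an added example (my code, not part of the original notes): compare what is actually listening on a server against the ports its documented role allows, and report everything else as attack surface to remove. The `ss -H -tlnp` output is constructed to look like a web server that has also grown a CUPS print service and an FTP daemon; on a real host you would feed in `subprocess.run(["ss", "-H", "-tlnp"], capture_output=True, text=True).stdout` (and `-ulnp` for UDP). The baseline is an assumption for a web server role.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of `ss -H -tlnp` output for a machine that is supposed to be
# only a web server. Columns: State Recv-Q Send-Q Local:Port Peer:Port Process
SS_OUTPUT = """\
LISTEN 0 128   0.0.0.0:22      0.0.0.0:*  users:(("sshd",pid=812,fd=3))
LISTEN 0 511   0.0.0.0:80      0.0.0.0:*  users:(("nginx",pid=1200,fd=6))
LISTEN 0 511   0.0.0.0:443     0.0.0.0:*  users:(("nginx",pid=1200,fd=7))
LISTEN 0 5     0.0.0.0:631     0.0.0.0:*  users:(("cupsd",pid=900,fd=7))
LISTEN 0 32    0.0.0.0:21      0.0.0.0:*  users:(("vsftpd",pid=1334,fd=4))
LISTEN 0 128   127.0.0.1:3306  0.0.0.0:*  users:(("mysqld",pid=1501,fd=21))
LISTEN 0 128   [::]:22         [::]:*     users:(("sshd",pid=812,fd=4))
"""

# Assumed baseline for the "web server" role: port -> process that may own it.
WEB_SERVER_BASELINE: Dict[int, str] = {22: "sshd", 80: "nginx", 443: "nginx"}

LOOPBACK = ("127.0.0.1", "[::1]")
PROCESS_RE = re.compile(r'\("([^"]+)"')   # first process name in users:(("name",pid=..))


def parse_ss(text: str) -> List[Tuple[str, int, str]]:
    """Return (local address, port, process) for every LISTEN line."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] != "LISTEN":
            continue
        addr, port = parts[3].rsplit(":", 1)          # '[::]:22' -> ('[::]', '22')
        m = PROCESS_RE.search(line)
        rows.append((addr, int(port), m.group(1) if m else "?"))
    return rows


def unexpected_listeners(rows, baseline: Dict[int, str]) -> List[Tuple[int, str]]:
    """Listeners reachable from the network that the role does not account for.
    A known port owned by a different process is reported too (something else
    squatting on 443). Loopback-only services are skipped because they are not
    reachable from the network (they still deserve a second look)."""
    findings = set()
    for addr, port, proc in rows:
        if addr in LOOPBACK:
            continue
        if baseline.get(port) != proc:
            findings.add((port, proc))
    return sorted(findings)


def remediation_hints(findings) -> List[str]:
    """Suggested next steps. Unit names are not derivable from the process name
    alone, so confirm with `systemctl status <pid>` before disabling anything."""
    return [f"{proc} on tcp/{port}: confirm the unit, then `systemctl disable --now <unit>`"
            for port, proc in findings]


if __name__ == "__main__":
    rows = parse_ss(SS_OUTPUT)
    for hint in remediation_hints(unexpected_listeners(rows, WEB_SERVER_BASELINE)):
        print(hint)
```

Run this from a scheduled job and alert on any non-empty result; a new listener that nobody added to the baseline is either an undocumented change or an intrusion.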

4.3 Explain basic network security systems and protocols

  • Firewall – the first line of defense network-wise. A firewall inspects network traffic and lets through only what its rule set allows, blocking the rest. Firewalls operate on multiple layers: packet filters decide on IP addresses, protocols and ports; stateful firewalls also track connections, so only replies to legitimate outbound traffic come back in; application-layer firewalls understand the protocol itself (HTTP, DNS etc.).
    • Network-based – network-based firewalls are usually dedicated physical machines (appliances) that do just the firewall job and nothing else. Today these systems are usually modular – providing more functionality as more modules are enabled (IPS, URL filtering, TLS inspection, application identification); these are called next-generation firewalls and inspect traffic far more intelligently than a plain packet filter.
    • Host-based – a host-based firewall is a piece of software installed on the server itself, protecting only that machine. Windows Firewall, present inside Windows operating systems, is a host-based firewall; on Linux the kernel packet filter (iptables/nftables) plays the same role.
  • Port security / 802.1x / NAC
    • Ports – here this means physical switch ports (not TCP/UDP ports) – the ports on a network switch to which you connect your computer. Port security limits which MAC addresses (or how many) may appear on a port and shuts the port down on a violation.
    • 802.1X – an IEEE standard providing port-based authentication for devices wishing to attach to a LAN or WLAN. The switch (authenticator) keeps the port closed until the device (supplicant) has authenticated via EAP against a RADIUS server.
    • NAC – Network Access Control – the whole idea of NAC is that you are not allowed into the network (even though you are physically connected to a switch) unless you meet certain conditions (providing a username and password, or a certificate) and possibly some sub-conditions (such as up-to-date antivirus software or a required security agent installed); non-compliant machines are typically placed in a quarantine VLAN.
  • Router access list – routers are devices used to route network traffic – they “know” how to get from one network to another. The access list definition is described above in 4.1, with an example of what an access list on a router looks like. Applied to a router interface (inbound or outbound), such a list defines whether a host with a given IP address is able to reach a specific network or service.
  • NIDS – Network Intrusion Detection System – a sensor that watches a copy of the network traffic (from a switch mirror/SPAN port or a network tap) for known attack signatures or anomalies and raises alerts. A NIDS only detects and reports; placed inline and configured to drop traffic it becomes an intrusion prevention system (NIPS).
  • Authentication protocols – protocols used in the authentication phase – to prove the identity of a person or system that tries to access some resource
    • LDAP – Lightweight Directory Access Protocol – the protocol for talking to a directory service. It describes the communication with the actual directory database (e.g. Active Directory) holding information about clients/users (usernames, groups etc.) – what data can be retrieved, under which conditions, how to form the query etc. A client authenticates by “binding” with a username (DN) and password; use LDAPS (TCP 636) or StartTLS, because a simple bind over plain LDAP sends the password in cleartext.
    • RADIUS – Remote Authentication Dial In User Service – a protocol that provides triple A (Authentication, Authorization and Accounting). For authentication it carries PAP, CHAP, MS-CHAP or EAP credentials from the network access device (switch, VPN concentrator, WLAN controller) to the RADIUS server; for authorization the server replies Access-Accept or Access-Reject together with attributes to apply (VLAN, session timeout etc.); accounting means the network device reports session start, stop and usage (bytes, duration) to the server so that access can be audited and billed. The security of RADIUS should be considered weak for this exam (it depends on the implementation, and internet sources are not united regarding it); so far what I was able to dig out is that RADIUS encrypts just the password, the rest of the payload is unencrypted. Concretely, only the User-Password attribute is hidden, by XORing it with an MD5 stream derived from the shared secret, and everything else (username, NAS address, accounting data) travels in cleartext, so RADIUS should run only on a trusted management network or inside an IPsec/TLS tunnel. RADIUS works on top of UDP (UDP 1812 for authentication and UDP 1813 for accounting; older deployments used 1645/1646).
    • TACACS – Terminal Access Controller Access-Control System – the original protocol, similar to RADIUS (also a triple A protocol), but obsolete.
    • TACACS+ – Terminal Access Controller Access-Control System Plus – a newer protocol developed by Cisco (not backwards compatible with TACACS). Works on top of TCP (TCP 49). Encrypts the whole packet body – the authentication part and the rest of the payload as well (only the header is in cleartext) – and separates authentication, authorization and accounting, which allows per-command authorization for device administrators; it is the usual choice for managing network equipment, while RADIUS is the usual choice for user network access.
  • PKI – another heavy topic. Invest a little time to research it. 
    • PKI is a very broad term which consists of set of roles, policies, and procedures needed to create, manage, distribute, use, store, and revoke digital certificates and manage public-key encryption (quote from Wikipedia as this is a very nice definition of PKI).
    • A digital certificate is a data structure in PKI based on the X.509 standard that binds a public key to its owner: it contains the subject (owner) name, the issuer (the Certificate Authority), the validity period, the public key itself with its algorithm and key size in bits, the allowed usages (server authentication, code signing etc.) and the issuer’s digital signature over all of it, which is what makes the certificate trustworthy.
    • The purpose of a certificate can vary – it can be used for code signing, e-mail (S/MIME) or to secure web communication (HTTPS) – but it works on the same principle every time.
    • The principle is asymmetric cryptography. We have a pair of keys, and pair is the important term here – one key cannot work without the other. Data encrypted with the public key can be decrypted only with the private key (confidentiality), and a signature made with the private key can be verified by anyone holding the public key (authenticity and integrity).
    • Private key – this key is private and should remain only on the system it is meant for. Best practice is that it never leaves that system – it is not exported or copied anywhere; for high-value keys (a CA, code signing) it is generated and kept inside an HSM or TPM so that it cannot be exported at all. 
    • Public key – this key can be kept in a public place or provided on demand; the certificate is the usual way to distribute it.
    • Certificate authority – the management unit of certificates. This is the entity that issues certificates to various subjects after verifying who they are, and that publishes revocation information (CRL/OCSP) when a certificate must no longer be trusted. You can have your own CA installed on premises, but you have to count with the fact that nobody outside your company will know your CA, let alone trust it, unless you distribute its root certificate to them. Public CAs are trusted by operating systems and web browsers because they pass audits and follow the root programs’ rules, and they can lose that trust: the Symantec/VeriSign, Thawte and GeoTrust roots listed in older study material were distrusted by the major browsers in 2018 after mis-issuance incidents, and the business was sold to DigiCert. Widely used public CAs today include DigiCert, Sectigo (formerly Comodo), GoDaddy, GlobalSign and Let’s Encrypt.
    • SSL/TLS – Secure Sockets Layer / Transport Layer Security. SSL is the predecessor, and although people still say SSL (you will hear it more often than TLS), what is actually in use is TLS – versions 1.2 and 1.3; SSL 2.0/3.0 and TLS 1.0/1.1 are deprecated and should be disabled on servers. The purposes of TLS are basically two:
      • ensuring that you are talking to the server you think you are talking to (the server proves possession of the private key belonging to its certificate)
      • providing a secure channel between you and that server (no one can read or alter what you are exchanging).
      • This is all done without changing anything in the application protocol above – e.g. HTTP – if you are accessing a website through HTTPS, TLS provides the secure connection and ensures that the HTTP data is delivered unchanged.
      • The bulk of the communication is protected by a symmetric algorithm (e.g. AES) with a session key known to both sides. Because one key is used for both encryption and decryption, the two sides have to agree on it without an eavesdropper learning it, and that is where asymmetric cryptography comes in: in older TLS the client encrypted the session key with the server’s RSA public key; modern TLS (1.2 with ECDHE, and always in 1.3) derives the key from an ephemeral Diffie-Hellman exchange that the server signs with its certificate key, so that a later compromise of the server’s private key cannot decrypt recorded traffic (forward secrecy).
  • VPN – Virtual Private Network – a way to connect to an internal network from a remote location. A VPN tunnel is established between both ends (a firewall/VPN concentrator on one end and the client on your device) and all traffic going through that tunnel is encrypted, allowing you to use internal company resources (file shares etc.) from remote places. Site-to-site VPNs do the same between two gateways, connecting two offices.
  • IPsec – Internet Protocol Security – a set of protocols that authenticate and encrypt IP packets. It can be used inside your network or across the outside. In transport mode only the payload of each packet is protected and the original IP header stays, which suits host-to-host protection of critical traffic inside the network; in tunnel mode the whole original packet is encrypted and wrapped in a new IP header between two gateways, which is how IPsec is used for VPNs between networks, ensuring that everything going through the tunnel is encrypted.
  • VLAN – Virtual Local Area Network – a way to segment networks on one or more devices. On a switch, all physical ports can “see” each other (or rather, the attached devices can communicate with each other) if they are in the same VLAN. If you put ports into different VLANs, they act as if they belonged to different physical switches: traffic between VLANs must pass through a router or layer-3 switch, which is where access lists or a firewall can control it.
  • Security zones
    • DMZ – Demilitarized Zone (also called a perimeter network, often by Microsoft) is a separate part of the network that holds the systems accessible from the Internet (web, mail, DNS). The DMZ may be protected by a different (second) firewall for extra protection, but more often it is just a separate interface/zone on the existing firewall, which lets traffic from the Internet in on specified ports to specified IP addresses in the DMZ and nowhere else. Equally important, the DMZ hosts get only the minimal access to the internal network that they need, so that a compromised DMZ server cannot reach everything inside.
    • Public and private – a public zone is one reachable from outside (the Internet) as well as from inside, e.g. the DMZ. Private zones can be reached only from your private network – the intranet.
    • Intranet and extranet
      • Intranet is a private network that is accessible only internally and contains internal IT systems that are not reachable from the Internet.
      • Extranet is a private network segment, usually created for partners, cooperating vendors etc., which is made available to them over the Internet (typically through a VPN or an authenticated portal) without exposing the rest of the intranet. 
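The RADIUS weakness noted above (only the password is hidden, everything else is cleartext), as an added worked example (my code, written from RFC 2865 §5.2; not part of the original notes and not a RADIUS library): it builds a minimal Access-Request with User-Name, User-Password and NAS-IP-Address attributes, shows what a sniffer on the path reads straight out of the packet, and shows that the password hiding is a keystream of MD5(shared secret ‖ previous block) XORed over the password, so an attacker who captures one packet can try shared secrets from a wordlist offline. The username, secret and wordlist are constructed; the 16-byte Request Authenticator is fixed here for reproducibility, while a real client must draw it randomly for every request.

```python
import hashlib
import struct
from typing import Dict, List, Optional, Tuple

ACCESS_REQUEST = 1
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4   # attribute type codes


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks; b1 = MD5(S + RA), c1 = p1 XOR b1;
    b_n = MD5(S + c_(n-1)), c_n = p_n XOR b_n. Not real encryption: an MD5 keystream."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not 0 < len(password) <= 128:
        raise ValueError("password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = bytearray(), authenticator
    for i in range(0, len(padded), 16):
        stream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ b for p, b in zip(padded[i:i + 16], stream))
        out += block
        prev = block
    return bytes(out)


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password; the server (or anyone with the secret) does this."""
    out, prev = bytearray(), authenticator
    for i in range(0, len(hidden), 16):
        chunk = hidden[i:i + 16]
        stream = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ b for c, b in zip(chunk, stream))
        prev = chunk
    return bytes(out).rstrip(b"\x00")


def build_access_request(ident: int, authenticator: bytes, username: bytes,
                         password: bytes, secret: bytes, nas_ip: str) -> bytes:
    """Code(1) Identifier(1) Length(2) Authenticator(16) followed by TLV attributes."""
    attrs = b"".join(
        struct.pack("!BB", atype, 2 + len(value)) + value
        for atype, value in (
            (USER_NAME, username),
            (USER_PASSWORD, hide_password(password, secret, authenticator)),
            (NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))),
        )
    )
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs


def parse_attributes(packet: bytes) -> Tuple[bytes, Dict[int, bytes]]:
    """What a sniffer sees: the authenticator and every attribute, no secret needed."""
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    authenticator, pos, attrs = packet[4:20], 20, {}
    while pos < length:
        atype, alen = packet[pos], packet[pos + 1]
        attrs[atype] = packet[pos + 2:pos + alen]
        pos += alen
    return authenticator, attrs


def guess_secret(packet: bytes, wordlist: List[bytes]) -> Optional[bytes]:
    """Offline dictionary attack on one captured Access-Request: a candidate secret
    that turns the hidden password into printable ASCII (plus null padding) is
    almost certainly right. This is why the shared secret must be long and random."""
    authenticator, attrs = parse_attributes(packet)
    for candidate in wordlist:
        pw = reveal_password(attrs[USER_PASSWORD], candidate, authenticator)
        if pw and all(0x20 <= b < 0x7F for b in pw):
            return candidate
    return None


if __name__ == "__main__":
    ra = bytes(range(16))   # constructed; must be random per request in reality
    pkt = build_access_request(7, ra, b"john", b"Secr3t!Pass", b"radius-shared", "10.0.0.1")
    _, seen = parse_attributes(pkt)
    print("sniffer reads username:", seen[USER_NAME], "NAS:", list(seen[NAS_IP_ADDRESS]))
    print("hidden password bytes:", seen[USER_PASSWORD].hex())
    print("secret recovered:", guess_secret(pkt, [b"password", b"testing123", b"radius-shared"]))
```

Everything the parser returns except the User-Password value is readable without any key, and the password itself falls as soon as the shared secret is guessable; TACACS+ avoids the first problem by encrypting the whole body, and both protocols still depend on a strong secret and a protected management network.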

4.4 Implement logical access control methods based on company policy

  • Access control lists – when setting up any access control list one should always follow the principle of least privilege – give someone only the access they need. For example, if a user only needs to read a file, he or she gets the read permission and nothing else. This applies to any type of access control.
    • Users – a user has to have some kind of identity within the accessed system. The user identity usually has some kind of authentication mechanism attached to it – password, biometric data etc. – so that the user can prove that this identity is his or hers. 
    • Groups – gather a number of users with some common ground (department, project etc.) for better manageability; permissions are granted to the group rather than to individuals 
      • Roles – in the context of this certification I believe it is mentioned to highlight the difference: groups gather subjects (users), while roles gather permissions over objects. For example an administrator role can have all permissions over an object, while a user role has just a subset of these permissions.
    • Resources – objects to which we can attach permissions – the things being accessed 
      • File system – within the file system we can define access to files, folders and shares.
      • Network ACLs – access from one network to another; the example is given in 4.1.
      • Peripheral devices – permissions attached for example to printers – who is able to print and who is able to manage the printer.
      • Administrative rights – administrative permissions over the resource. Administrators are allowed to do anything with the resource and can be limited only by the OS itself (in some cases). It is essential to manage carefully who can be an administrator, because administrators can not only do anything with the resource – they can set up the permissions for others as well. Best practice (at least in identity management) is for administrators to have two accounts – one admin account for administrative tasks and a second, normal one for everyday access (mail, browsing).
      • Distribution lists – here I hope CompTIA wants to know the difference between a distribution group and a security group – the only context I can think of for something called a distribution list. A distribution group is a type of group with the restriction that it cannot be used for setting up permissions. You are not able to add a distribution group as a group with some kind of permission over a resource; in the Windows world you won’t be able to find such a group when adding through the Security tab. A distribution group is only meant for sending e-mail messages to all the members inside it.
    • Permissions – say what can be done with a resource (object). Permissions can be combined – a user can have multiple permissions over an object or can be a member of different security groups – one for reading, another for writing. In general a permission is either an allow or a deny, and this is important: when someone is explicitly denied something, he won’t be able to do it no matter what allows he collects elsewhere. Let’s say you have a text file and a group of members that are allowed to read it and write to it, but John from that group is a very problematic user – if you deny John the write permission, he won’t be able to write even though he is a member of a group that is allowed to do both (of course you do not have to name John explicitly, you can create a group of problematic users and deny the write permission to it). The one exception on Windows is inheritance: an explicit allow set directly on the object wins over a deny inherited from the parent folder. 
      • Read – allows viewing or accessing a file’s content. For folders it allows listing the files and subfolders. 
      • Write/Modify – allows writing to a file or adding files/subfolders to a folder. On Windows, Modify adds deletion (and reading) on top of that.
      • Execute – allows running an executable file (loads it into memory and executes it); for folders the Windows equivalent is Traverse, and on Unix the execute bit is the right to enter the directory.
      • Delete – allows removing the file or folder. On NTFS this is a separate permission (included in Modify); on Unix file systems deletion is governed by the write permission on the parent directory, not on the file itself.
      • Full control/Superuser – all permissions – you can do anything with the resource and you can set permissions for other users; on Unix the superuser (root) bypasses permission checks entirely.
      • File vs share – I can only guess that this means files in the context of shares. In the Windows world and NTFS, one is able to set a separate type of permission for access over the network (share permissions) in order to work with files/folders remotely. These are set separately from the local NTFS permissions and are also evaluated separately: a remote user gets the more restrictive of the two, so a share granting Change on top of NTFS Read still yields read-only access. Because of the separate evaluation, the final result of what a user may do with a file can be very messy (especially when explicit denies come into play); a common practice is to grant Everyone or Authenticated Users Full Control on the share and do the real access control with NTFS permissions.
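The permission rules above (group membership, explicit deny winning over allow, and share vs NTFS permissions combining to the most restrictive result), as an added worked example (my code, not from the original notes and not the Windows algorithm itself): a small ACL evaluator over constructed users, groups and ACEs. It models explicit ACEs only; the Windows rule that an explicit allow on the object beats a deny inherited from the parent is noted in the comments but not implemented, since inheritance is outside this section.

```python
from typing import Dict, List, Set, Tuple

# Constructed directory: group -> members
GROUPS: Dict[str, Set[str]] = {
    "editors": {"john", "alice"},
    "problematic-users": {"john"},
}

# An ACE is (principal, "allow" | "deny", set of rights). Principals may be users or groups.
ACE = Tuple[str, str, Set[str]]

NTFS_ACL: List[ACE] = [
    ("editors", "allow", {"read", "write"}),
    ("problematic-users", "deny", {"write"}),     # John loses write although editors have it
    ("bob", "allow", {"read", "write", "delete"}),
]
# Share-level ACL on the same folder: nobody gets delete over the network.
SHARE_ACL: List[ACE] = [("Everyone", "allow", {"read", "write"})]


def principals_for(user: str) -> Set[str]:
    """Every identity an access check considers: the user, Everyone, and the user's groups."""
    return {user, "Everyone"} | {g for g, members in GROUPS.items() if user in members}


def effective(user: str, acl: List[ACE]) -> Set[str]:
    """Union of all allows for the user's principals minus every deny that applies.
    With explicit ACEs only this is exactly 'deny wins'. (Windows evaluates in
    canonical order: explicit deny, explicit allow, inherited deny, inherited allow,
    so an inherited deny does NOT beat an explicit allow; not modelled here.)"""
    mine = principals_for(user)
    allowed: Set[str] = set()
    denied: Set[str] = set()
    for principal, kind, rights in acl:
        if principal in mine:
            (allowed if kind == "allow" else denied).update(rights)
    return allowed - denied


def effective_over_network(user: str, ntfs_acl: List[ACE], share_acl: List[ACE]) -> Set[str]:
    """Remote access gets the intersection: the more restrictive of share and NTFS."""
    return effective(user, ntfs_acl) & effective(user, share_acl)


if __name__ == "__main__":
    for user in ("john", "alice", "bob", "mallory"):
        print(f"{user:8} local: {sorted(effective(user, NTFS_ACL))}  "
              f"via share: {sorted(effective_over_network(user, NTFS_ACL, SHARE_ACL))}")
```

The interesting rows are john, who keeps read but loses write through the deny on his other group, and bob, who can delete locally but not through the share.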

4.5 Implement data security methods and secure storage disposal techniques

  • Storage encryption – depending on the type of storage media, you choose the appropriate type of encryption.
    • File level encryption – encryption on the file system level (specific files or folders) – MS Windows has EFS (Encrypting File System) as a part of NTFS. If you switch it on in the folder or file properties, the data is encrypted with a file key that is in turn protected by the user’s EFS certificate and key, stored in the user’s profile/certificate store. This method isn’t that popular because of the key handling – you have to think about the fact that the key resides locally: if the user profile is lost or the files are moved to another computer without the key (or without a configured recovery agent), they cannot be decrypted. Back up the EFS certificate and key, or define a Data Recovery Agent, before relying on it.
    • Disk encryption – encryption of the whole disk, meaning that all data (OS files as well as your data) on the disk is encrypted and the disk cannot be read outside of that computer in case of theft without proper authentication (a PIN, password, USB key or the TPM of the original machine).
      • For these purposes a TPM (Trusted Platform Module) chip can be used – the TPM is found on the motherboard and helps in a number of ways: it stores the disk encryption key and releases it only when the boot measurements (firmware, boot loader) match those recorded when the disk was encrypted, so a tampered boot chain or a disk moved to another machine gets no key. As with EFS, if the motherboard is replaced or the firmware changes, the TPM-sealed key is gone, so keep the recovery key/password that the encryption software generates (e.g. BitLocker’s recovery key) somewhere safe and separate from the machine.
    • Tape encryption – today tapes support encryption, or more precisely the hardware that works with tapes supports it (LTO drives since LTO-4 have AES-256 encryption built in). After the compression step the drive encrypts the data if this has been selected in the backup software, which is also where the keys are managed – lose the key and the backup is unreadable, so the key must be backed up separately from the tapes.
  • Storage media – refers to where you actually store the data – it can be a hard drive, SSD, flash drive, DVD or a tape. Storage media can be found in different devices – servers, SAN, NAS, PCs, mobile devices etc. – and the disposal method depends on the media type.
    • Soft wipe – a type of wipe where we do not actually destroy the data – after the delete is performed the data is just marked for deletion, or the file system loses track of the data written to that location.
      • File deletion – file deletion is the typical example of a soft wipe – unless that physical location is overwritten again, the file is still present on the media and is recoverable with special software (software that reads the whole disk physically, sector by sector, and recovers whatever it finds – whether it makes sense or not). A quick format of a drive is the same thing on a larger scale.
    • Hard wipe – a type of wipe where the data is actually overwritten and non-recoverable. Older guidance called for many passes; for modern magnetic drives a single complete overwrite is enough (NIST SP 800-88), but it is still a long process that takes several hours on a large drive. Note that overwriting is unreliable on SSDs, because wear levelling and spare blocks keep copies the OS cannot address – use the drive’s built-in secure erase or cryptographic erase (destroying the key of a self-encrypting or fully encrypted drive) instead.
      • Zero out all sectors – a complete wipe of a hard drive in which every sector is overwritten with zeros (e.g. with dd or a vendor tool), leaving neither data nor file system behind.
    • Physical destruction – although one could think that zeroing out all sectors would be sufficient for the data to be non-recoverable, that doesn’t have to be true in every case (sectors the drive has remapped as bad are not overwritten, and the wipe itself may fail half-way). Therefore, based on the confidentiality of the data, you can (and should, if the data was confidential and especially when the HDD was not encrypted) have the drive physically destroyed. Usually this is done by a vendor that drills or shreds the HDD, incinerates the platters or destroys the magnetic field with a degausser (or a combination of these), and issues a certificate of destruction for the drive; keep the serial numbers for your records.
    • Remote wipe – a technique associated especially with mobile devices (mobile phones, tablets and sometimes even laptops) – if these devices are centrally managed (usually by Mobile Device Management software), it is possible to remotely wipe all data on them in case a device is stolen or lost. This way it is ensured that no data leak occurs if an employee loses a device or is robbed of one. Remote wipe only works if the device comes online again, so it is the second line after local encryption, not a replacement for it.
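Soft wipe vs hard wipe, as an added worked example (my code, not part of the original notes): a toy disk image with a simple allocation table, where “delete” only forgets the blocks while “wipe” overwrites them before releasing them, plus a carving function that scans the raw image the way recovery tools do. The file contents and block size are constructed; real file systems, journals and SSD controllers keep additional copies that this model does not show, which is why the text recommends secure erase or cryptographic erase for flash and physical destruction for confidential data.

```python
import os
import re
from typing import Dict, List

BLOCK = 64   # constructed block size; real sectors are 512 or 4096 bytes


class ToyDisk:
    """A flat byte image plus a directory table, like a much simplified FAT."""

    def __init__(self, blocks: int = 16) -> None:
        self.image = bytearray(BLOCK * blocks)
        self.table: Dict[str, List[int]] = {}     # file name -> block numbers
        self.free: List[int] = list(range(blocks))

    def write(self, name: str, data: bytes) -> None:
        if name in self.table:
            raise FileExistsError(name)
        blocks = []
        for i in range(0, len(data), BLOCK):
            b = self.free.pop(0)
            chunk = data[i:i + BLOCK]
            self.image[b * BLOCK:b * BLOCK + len(chunk)] = chunk
            blocks.append(b)
        self.table[name] = blocks

    def delete(self, name: str) -> None:
        """Soft wipe: the table forgets the file; the bytes stay until reused."""
        self.free = sorted(self.free + self.table.pop(name))

    def wipe(self, name: str, passes: int = 1) -> None:
        """Hard wipe: overwrite every block of the file (random data, last pass
        zeros = 'zero out'), then release the blocks. One pass is what NIST
        SP 800-88 'Clear' requires for magnetic disks; more passes only cost time."""
        for b in self.table[name]:
            for p in range(passes):
                fill = os.urandom(BLOCK) if p < passes - 1 else bytes(BLOCK)
                self.image[b * BLOCK:(b + 1) * BLOCK] = fill
        self.delete(name)


def carve(disk: ToyDisk, pattern: bytes) -> List[int]:
    """Recovery tool's view: ignore the table and scan the raw image sector by sector."""
    return [m.start() for m in re.finditer(re.escape(pattern), bytes(disk.image))]


def demo() -> dict:
    secret = b"CONFIDENTIAL: salary list 2016 " * 4     # constructed; spans two blocks
    soft, hard = ToyDisk(), ToyDisk()
    soft.write("salaries.xlsx", secret)
    soft.delete("salaries.xlsx")
    hard.write("salaries.xlsx", secret)
    hard.wipe("salaries.xlsx", passes=3)
    return {
        "after_delete": len(carve(soft, b"CONFIDENTIAL")),   # still recoverable
        "after_wipe": len(carve(hard, b"CONFIDENTIAL")),     # gone
        "blocks_free": len(soft.free) == len(hard.free) == 16,
    }


if __name__ == "__main__":
    print(demo())
```

Both disks report all blocks free afterwards, which is exactly what an operating system shows you in either case; only the raw scan tells the difference. On a real Linux host the equivalents are `rm` (soft), `shred`/`dd if=/dev/zero` on the whole device (hard, magnetic disks) and `hdparm --security-erase` or `nvme format --ses=1` for flash.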

4.6 Given a scenario, implement proper environmental controls and techniques

  • Power concepts and best practices
    • UPS
      • Runtime vs capacity – capacity is how much power the UPS can deliver (its VA/W rating) and how much energy its batteries hold; runtime says how long the UPS is going to keep all attached devices running on that battery. It depends on the current load – the more devices you attach to the UPS (up to the maximum load), the less runtime you get from a full battery.
      • Automated graceful shutdown of attached devices – smart UPS devices are able to shut down attached devices in case of power loss. To enable it you need a few things – devices can be connected to the UPS via a serial or USB cable, OR if your UPS has a network management interface it usually comes with server software and then you can make it work over TCP/IP (you just specify the client IP address). On the clients you install an agent from the UPS vendor (for example APC has PowerChute for this) and it handles the shutdown once the UPS switches to battery = the power is down, usually after a configured delay or when the remaining runtime drops below a threshold, so that a short flicker doesn’t shut everything down.
      • Periodic testing of batteries – batteries should be tested periodically. Most UPS systems have an automatic self-test that can reveal problems with batteries. If a problem is discovered the batteries should be replaced as soon as possible – expired/malfunctioning batteries can lead to various disasters (the UPS dropping the load at the first real outage, swollen or leaking batteries, fire).
      • Maximum load – refers to the maximum load in VA and Watts that you can attach to the UPS; the Watt rating is the lower of the two and is the one that matters for servers.
      • Bypass procedures – exist in case maintenance has to be done on a UPS or there is an internal problem in the UPS. Most online UPS systems have this insurance – normally the electricity flows through the internal parts of the UPS (rectifier, batteries, inverter) and the UPS decides for example whether to charge the batteries or not; if this circuit fails or is overloaded, the UPS switches the input straight to the output (automatic bypass) with no electricity going through its internal components. A maintenance bypass switch does the same manually so that the UPS can be serviced or replaced without dropping the load – but while in bypass there is no battery protection.
      • Remote management – many UPS systems offer remote management – a network interface (RJ-45) with the ability to run tests, view the status of the UPS and send alerts. Change its default password and keep it on the management network.
    • PDU – Power Distribution Unit – provides power distribution (a rack-mounted power strip, often with metering and per-outlet switching), usually attached at the back of a rack
      • Connect redundant rack PDUs to separate circuits – quite self explanatory: on the rack, or for server power connection in general, there should be PDUs available that are on different circuits – for example one circuit from one breaker panel fed by a UPS and a second one from another panel (ideally with its own UPS), so that a single tripped breaker or failed UPS doesn’t take out both sides.
    • Capacity planning
      • PDU ratings – each PDU has its own capacity rating (amps per phase/outlet bank) and you must not attach so many devices that they could overload it – keep the sum of nameplate draws under the rating, and remember that in a redundant pair each PDU must be able to carry the whole load alone when the other fails.
      • UPS ratings – basically refers to the maximum load you can attach to the UPS.
      • Total potential power draw – the sum of the power taken by all devices attached to one or more circuits. Consider the fact that if a server has a 400 W power supply, it doesn’t mean it is consuming that much all the time; the actual consumption depends on the load – how much power all components inside the server need at that moment. Still, when you are calculating you should work with maximum (nameplate) values – not only does it leave you room for extraordinary needs, it also means you won’t run into corner cases such as all servers spinning up at once after an outage.
    • Multiple circuits
      • Connect redundant power supplies to separate PDUs – servers, storage and network appliances usually come with 2 power supplies, so you can attach each power supply to a separate PDU (each PDU then being connected to a different circuit etc.); with both supplies on the same PDU the redundancy is gone. 
    • Safety
      • ESD procedures – electrostatic discharge – protection usually consists of a strap around your wrist that is connected through a clip to ground (or to some grounded equipment). By touching electronic components you can seriously damage them if you pass a charge to them, and that can happen without you feeling it. At the very least touch grounded metal (the rack, heating pipes etc.) before touching any internal parts of servers, and keep boards in their anti-static bags until they are installed.
      • Fire suppression – in modern data centers you wouldn’t rely on hand-held fire extinguishers, but rather on a complete system consisting of detectors, a control panel and gas cylinders. These systems use clean agents that leave no residue on the equipment, unlike water or powder: inert-gas systems (e.g. Inergen/IG-541, Argonite/IG-55) lower the oxygen concentration in the room below the level a fire needs while it remains breathable for a short time, and halocarbon agents (e.g. FM-200/HFC-227ea, Novec 1230) stop the fire by absorbing heat and interrupting the combustion reaction. Either way, the alarm before discharge means leave the room. 
      • Proper lifting techniques – a lot of equipment in a data center is very heavy; an improper lifting technique can seriously hurt your back. Lift with your legs, not just your back, and use a lift or a second person for servers and storage shelves.
      • Rack stability – racks are usually stabilized by rack stabilizers – optional kits that can be bought for the rack. They help distribute the load across a wider area, but mainly they put metal stands in front of and behind the rack, minimizing the possibility of the rack tipping forward (when, for example, you pull several servers out on their rail kits at the same time). Load the heaviest equipment (UPS, storage) at the bottom for the same reason.
      • Floor load limitations – racks full of equipment can be very heavy (especially with a mounted UPS with batteries, big SAN storage full of HDDs etc.). Always check the maximum load per square meter before you start inserting heavy equipment into the rack, especially when you are using a raised floor.
      • Sharp edges and pinch points – be aware that some equipment is not fabricated that well, and some parts (usually internal, hidden parts of the rack that you wouldn’t reach unless searching for a dropped nut) can have sharp edges; rail kits and sliding drawers pinch fingers.
    • HVAC
      • Room and rack temperature and humidity – both temperature and humidity can critically damage servers and network devices if they reach extreme values (too hot shortens component life, too humid causes condensation and corrosion, too dry increases static). The commonly used recommendations come from ASHRAE: roughly 18–27 °C at the server inlet, with relative humidity kept well away from both the condensation and the static-discharge extremes.
        • Monitoring and alert notifications – it is recommended to use environmental monitoring in data centers; these systems usually come with many different sensors (temperature, humidity, water leak, door contact etc.) and many ways (e-mail, SMS etc.) to inform data center staff that something is going wrong.
      • Air flow – proper air flow has to be established in order to maintain a stable temperature across the whole data center – without places that are too hot and others that are too cold. Some kind of air circulation is needed and should be designed specifically for the space of the data center according to the building’s capabilities and the data center’s needs.
        • Rack filler/baffle/blanking panels – optional parts that help with air circulation around the racks. All of these components fill a similar role to the air baffles inside a server, but this time for the whole rack – blanking panels close empty rack units so that hot exhaust air is not drawn back through the gap to the front, helping you direct or balance the air flow around and through the racks.
      • Hot aisle and cold aisle – mentioned in 1.3 – Cooling. Data centers are often designed around hot aisles and cold aisles – rows of racks face each other with their fronts (cold aisle) and with their backs (hot aisle), never front-to-back. This way the equipment in the racks takes cold air from the cold aisle and exhausts hot air into the hot aisle. The air conditioning is then designed accordingly – usually creating a circulation around the room in small data centers (a few short rows), or supplying cold air directly into each cold aisle and collecting hot air from each hot aisle in large data centers, often with containment panels so that the two air streams never mix.
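Capacity planning for a rack as described under power concepts above, as an added worked example (my code, not part of the original notes): it adds up nameplate draws, checks the UPS rating in watts (VA times power factor), and checks the redundancy case the PDU rating must survive: when one circuit or PDU fails, the surviving PDU carries everything, and any single-PSU device on the failed side simply goes dark. The device list, ratings and battery energy are constructed assumptions; runtime from battery energy divided by load is an optimistic upper bound (inverter losses and battery age reduce it), so real numbers come from the vendor’s runtime chart or the UPS’s own estimate.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Device:
    name: str
    nameplate_w: int     # worst-case draw printed on the PSU label(s)
    psus: int            # 2 = one supply on PDU A and one on PDU B; 1 = on PDU A only


# Constructed rack: two servers, one storage shelf, one switch without a second PSU.
RACK: List[Device] = [
    Device("srv-01", 750, 2),
    Device("srv-02", 750, 2),
    Device("san-01", 1200, 2),
    Device("sw-01", 150, 1),
]


def total_potential_draw(devices: List[Device]) -> int:
    """Always plan with nameplate maximums, not measured idle consumption."""
    return sum(d.nameplate_w for d in devices)


def pdu_loads(devices: List[Device], failed: Optional[str] = None) -> Dict[str, int]:
    """Load on PDU A and B. Normally dual-PSU devices split evenly; if one PDU
    (or its circuit/UPS) fails, every dual-PSU device moves its whole draw to the
    survivor and single-PSU devices on the failed side are lost (no load, but down)."""
    loads = {"A": 0, "B": 0}
    for d in devices:
        if d.psus >= 2:
            if failed is None:
                loads["A"] += d.nameplate_w // 2
                loads["B"] += d.nameplate_w - d.nameplate_w // 2
            else:
                loads["B" if failed == "A" else "A"] += d.nameplate_w
        elif failed != "A":
            loads["A"] += d.nameplate_w
    return loads


def plan(devices: List[Device], pdu_rating_w: int, ups_va: int,
         power_factor: float, battery_wh: int) -> dict:
    """Findings a practitioner wants before the rack goes live."""
    total = total_potential_draw(devices)
    ups_w = int(ups_va * power_factor)
    worst_pdu = max(max(pdu_loads(devices, f).values()) for f in (None, "A", "B"))
    findings = []
    if worst_pdu > pdu_rating_w:
        findings.append(f"PDU rating {pdu_rating_w} W is below the {worst_pdu} W "
                        f"a single PDU must carry when the other fails")
    if total > ups_w:
        findings.append(f"UPS delivers {ups_w} W ({ups_va} VA x {power_factor}) "
                        f"but total potential draw is {total} W")
    for d in devices:
        if d.psus < 2:
            findings.append(f"{d.name} has one PSU and goes down if PDU A fails")
    return {
        "total_w": total,
        "worst_case_pdu_w": worst_pdu,
        "runtime_min_upper_bound": round(battery_wh / total * 60, 1),
        "findings": findings,
    }


if __name__ == "__main__":
    # Assumed ratings: 16 A / 230 V PDUs (3680 W), a 3000 VA / 0.9 pf UPS, 2000 Wh of battery.
    result = plan(RACK, pdu_rating_w=3680, ups_va=3000, power_factor=0.9, battery_wh=2000)
    print(f"total {result['total_w']} W, worst-case PDU {result['worst_case_pdu_w']} W, "
          f"runtime <= {result['runtime_min_upper_bound']} min")
    for line in result["findings"]:
        print("-", line)
```

With these numbers the PDUs are fine but the UPS is undersized for the nameplate total and the switch is a single point of failure on PDU A; fixing the second finding means either a dual-PSU switch or an automatic transfer switch in front of it.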
