
Deliberate openness is irresponsible now?



I remember being invited to visit the cockpit of a commercial airliner during a flight when I was little. On US airlines, at least, that kind of openness is a distant memory.

If you don't work in network security, you might find it unsettling to see just how much additional trouble a person can cause by having physical access to the hardware itself -- the cables and ports and LCD front panels and the like.

As an example, here's a dirty secret: in quite a few of the large, institutional settings I have had access to, the hash of the IOS enable password is stored on local flash inside the machine, and set to the same string across many core devices. This means that if you can compromise one switch (perhaps a small one in a basement closet), you could also have privileged access to larger switches deep inside data centers on the same campus.

Compromising the first switch is much easier if you can attach a serial console and reboot it at will. If I were serious about doing something like this, I might even bring an extra switch along to substitute in, so the regular users of the network would see no downtime.

Groups of switches inside a data center (when viewed with eyeballs) have a kind of tedious homogeneity to them. Generic faceplates all in rows, kudzu of brightly-colored generic cables fanning out in every direction, armies of green LEDs flashing with traffic, thick black ropes of power cables in back ready to wiggle loose from a stray nudge. Aloof. Opaque.

The traffic to and from each data center switchport, though, is often highly individual. Many times it is deadly dull for port after port after port. But sometimes, you see that you are watching a machine that appears to be processing payroll. Or saving a series of very expensive and proprietary chip masks to some huge file server. Or, best of all, you might see millions of rows of data describing those things and more, all being stored as tidy SQL.

So yes, I draw the line somewhere short of allowing homeless people into a space where they would be sleeping next to network devices with important roles.
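The shared enable-credential situation described in the comment above can be audited from the defender's side by comparing exported configurations. The following is an added example, not code from this thread or from any product: it parses constructed IOS-style running-config excerpts (placeholder hostnames and placeholder hash strings, not real devices), flags enable credentials stored with recoverable encoding types, and reports any credential value that appears identically on more than one device.

```python
"""Audit Cisco IOS-style configs for enable-credential reuse and weak encoding types."""
import re
from collections import defaultdict

# Constructed sample running-config excerpts. Hostnames and hash strings are
# placeholders, not real devices or real hashes.
SAMPLE_CONFIGS = {
    "closet-sw1": "hostname closet-sw1\nenable secret 5 $1$zzzz$PLACEHOLDER_HASH_A\n!\n",
    "core-sw1": "hostname core-sw1\nenable secret 5 $1$zzzz$PLACEHOLDER_HASH_A\n!\n",
    "core-sw2": "hostname core-sw2\nenable secret 9 $9$PLACEHOLDER_HASH_B\n!\n",
    "lab-sw": "hostname lab-sw\nenable password 7 PLACEHOLDER_TYPE7\n!\n",
}

# Matches "enable secret 5 <hash>", "enable password 7 <string>" and the
# bare "enable password <plaintext>" form. The "enable secret level N ..."
# syntax is deliberately not handled here.
ENABLE_RE = re.compile(
    r"^\s*enable\s+(secret|password)\s+(?:(\d+)\s+)?(\S+)\s*$", re.MULTILINE
)

# Encoding types as IOS labels them: 0 plaintext, 7 reversible obfuscation,
# 5 MD5-crypt, 8 PBKDF2-SHA256, 9 scrypt. Types 0 and 7 are trivially recovered.
WEAK_TYPES = {"0", "7"}


def extract_enable_credential(config):
    """Return (keyword, encoding_type, stored_value) for the first enable line, or None."""
    m = ENABLE_RE.search(config)
    if not m:
        return None
    keyword, enc_type, value = m.groups()
    return keyword, enc_type or "0", value


def find_shared_enable_hashes(configs):
    """Map each stored value found on more than one device to the sorted device names."""
    seen = defaultdict(list)
    for name, cfg in configs.items():
        cred = extract_enable_credential(cfg)
        if cred:
            seen[cred[2]].append(name)
    return {value: sorted(devs) for value, devs in seen.items() if len(devs) > 1}


def audit(configs):
    """Produce findings: missing enable credential, weak encoding type, and cross-device reuse."""
    findings = []
    for name in sorted(configs):
        cred = extract_enable_credential(configs[name])
        if cred is None:
            findings.append(f"{name}: no enable credential configured")
            continue
        keyword, enc_type, _ = cred
        if enc_type in WEAK_TYPES:
            findings.append(
                f"{name}: enable {keyword} uses type {enc_type} (recoverable); "
                f"use 'enable secret' with type 8 or 9"
            )
    for value, devices in sorted(find_shared_enable_hashes(configs).items()):
        findings.append(
            f"enable credential shared across {', '.join(devices)}: "
            f"compromise of any one device exposes the others"
        )
    return findings


if __name__ == "__main__":
    for line in audit(SAMPLE_CONFIGS):
        print(line)
```

Feeding it the constructed sample reports the type 7 credential on lab-sw and the identical secret on closet-sw1 and core-sw1, which is exactly the basement-closet-to-core-switch exposure the comment describes. In practice the per-device values would come from a configuration backup system rather than inline strings.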


What's the point of link-level security when governments control the CAs and global routing tables anyway? You're probably being spied on right now, and not because someone has physical access to a mop closet with some switches in it.


Even as broke as the government is, I'm not worried about them sniffing my credit card number or emptying my checking account.


I'm wondering when some government is going to figure out how to make money through plausibly deniable widespread credit card fraud.


Greece.


Now we can look forward to a government getting away with it scot-free. (Is that an objectionable term now?)


Much of this thread complains that physical access is the end-all of security, in that people on this thread suggest that access to physical gear should be our number one rule. I have a few problems with this in that I don't specifically need physical access to a core router if the network is flat, nor would I think that simply locking up my network equipment would solve my security problems. It's true that giving end users access to a production network is a mistake, but to say that schools and corporations don't every day make basic security mistakes, including physical access, it's how we security practitioners reduce our exposure to the work of idiots: monitoring and alerting, port management and a plethora of other mitigation techniques. It's an endless game of cat and cat.

MrEthiopian


You can actually still go in the cockpit on commercial airlines, just not during the flight. Before or after the flight the pilots are usually happy to show you the cockpit.


...

It always has been.



