IT Baseline Protection Manual - Chapter 6.7 Heterogeneous networks
6.7 Heterogeneous networks
Description
A local network is composed of wiring (i.e. cables and connecting elements, which are passive network
components) as well as active network coupling components. Generally, various types of cable and active
network components can be integrated into a LAN. Active network components require a separate power
supply; they include repeaters, bridges, switches, routers, gateways etc. Passive network components do not
require a separate power supply; they include cables, distributor cabinets, patch panels and plug connectors.
Cabling is discussed in detail in Chapter 4.2, while Chapters 5 and 6 deal with application-related
periphery. Consequently, this module focuses on the active network components, the topology
underlying them, their configuration, criteria for choosing suitable components, the selection of
communication protocols and the related network management.
Only LAN technologies (e.g. the Ethernet, Token Ring and FDDI network protocols) and the related network
components such as bridges, switches and routers are considered here. These technologies can also be
used in MANs. Integration into WANs, however, is not discussed here; this information is provided in
Chapter 7.3 "Firewalls".
If a LAN is to be protected adequately from the perspective of IT baseline protection, a reference to this
chapter alone is not sufficient. In addition to the active network components and network management
software, a treatment of the physical wiring and of the server systems present in the network is also
required. For this reason, it is absolutely necessary to refer to the above-mentioned chapters as well.
This chapter provides guidelines on how to analyse a heterogeneous network and use this analysis as a
basis for realising and operating such a network from the perspective of IT security. Consequently, this
chapter is intended for organisational departments responsible for operating networks and in possession
of the corresponding technical know-how.
Threat Scenario
The following typical threats are assumed as regards IT baseline protection of a heterogeneous network:
T 5.66 Unauthorised connection of IT systems to a network
T 5.67 Unauthorised execution of network management functions
T 5.68 Unauthorised access to active network components
Recommended Countermeasures (S)
For the implementation of IT baseline protection, selection of the required packages of safeguards
("modules") as described in Chapters 2.3 and 2.4 is recommended.
Here, it must be pointed out once again that adequate protection of a LAN from the perspective of IT
baseline protection can only be ensured if the packages of safeguards described in Chapter 4.2 Cabling,
Chapter 6.1 Server-based networks (plus, if applicable, additional measures related to the operating system
in use) and Chapter 6.8 Network and system management are also implemented.
Furthermore, the active network components should be installed in rooms intended to accommodate
technical infrastructure (e.g. distributor rooms), which means that the safeguards described in
Chapter 4.3.4 Technical infrastructure rooms also need to be taken into account.
The network administrator's workstation also requires special protection. In addition to the safeguards
described in Chapter 4.3.1 Offices, rules pertaining to the operating system in use must also be specified
here (refer to Chapter 6).
Secure operation of a heterogeneous network requires the implementation of a number of measures,
beginning with an analysis of the existing network environment, followed by the development of a
network management concept, and leading to the actual operation of a heterogeneous network. The steps
and measures involved are described below:
1. Analysis of the existing network environment (refer to S 2.139 Survey of the existing network
environment and S 2.140 Analysis of the existing network environment)
- Survey of load factors and analysis of traffic flow
- Determination of network bottlenecks
- Identification of critical areas
2. Conception
- Conception of a network (refer to S 2.141 Development of a network concept,
S 2.142 Development of a network realisation plan and
S 5.60 Selection of a suitable backbone technology)
- Conception of a network management (refer to S 2.143 Development of a network
management concept and S 2.144 Selection of a suitable network management protocol)
3. Reliable operation of a network
- Segmentation of a network (refer to S 5.61 Suitable physical segmentation and
S 5.62 Suitable logical segmentation)
- Use of a network management software package (refer to S 2.145 Requirements for a network
management tool and S 2.146 Reliable operation of a network management system)
- Auditing of a network (refer to S 4.81 Auditing and logging of activities in a network and
S 2.64 Checking the log files)
4. Contingency planning
- Redundant arrangement of network components (refer to S 6.53 Redundant arrangement of
network components)
- Backup of configuration files (refer to S 6.52 Regular backup of configuration data of active
network components and S 6.22 Sporadic checks of the restorability of backups)
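As an added illustration of what steps 3 and 4 amount to in practice (this is example code written for this page, not a tool from the Manual or from BSI): a backup of an active network component's configuration is only useful if it can be checked against the device later, and the comparison is most valuable when it singles out changes that affect who can manage the component (T 5.67, T 5.68) or how the LAN is segmented. The device, both configuration texts, the IOS-like command syntax and the list of commands treated as sensitive are all constructed assumptions for the example.

```python
import hashlib
import re
from collections import Counter

# Constructed baseline backup of a hypothetical distribution switch (IOS-like syntax).
BASELINE_CONFIG = """\
! Last configuration change at 09:12:41 UTC Mon Mar 3 2003
snmp-server community n3twrk-ro RO 10
access-list 10 permit 10.0.5.0 0.0.0.255
line vty 0 4
 access-class 10 in
 login local
interface FastEthernet0/1
 switchport mode trunk
"""

# Constructed later read-back of the same device: a new SNMP community, extra
# vty lines without an access-class, and a second trunk port have appeared.
CURRENT_CONFIG = """\
! Last configuration change at 02:37:08 UTC Sat Mar 8 2003
snmp-server community public RW
snmp-server community n3twrk-ro RO 10
access-list 10 permit 10.0.5.0 0.0.0.255
line vty 0 4
 access-class 10 in
 login local
line vty 5 15
 login local
interface FastEthernet0/1
 switchport mode trunk
interface FastEthernet0/24
 switchport mode trunk
"""

VOLATILE = re.compile(r"^!\s*Last configuration change")
# Assumed list of commands whose change affects who may manage the component or
# how the LAN is segmented; a diff touching these needs a human look.
SENSITIVE_PREFIXES = ("snmp-server community", "username ", "enable secret",
                      "line vty", "access-class", "access-list ",
                      "switchport mode trunk", "switchport access vlan")

def normalise(config_text):
    """Lines relevant for comparison: blank lines and volatile timestamp
    comments dropped, indentation (section structure) kept."""
    return [line.rstrip() for line in config_text.splitlines()
            if line.strip() and not VOLATILE.match(line)]

def fingerprint(config_text):
    """SHA-256 over the normalised configuration; store it beside the backup."""
    return hashlib.sha256("\n".join(normalise(config_text)).encode()).hexdigest()

def backup_matches_device(backup_text, readback_text):
    """Restorability check: the stored backup equals what the device runs now."""
    return fingerprint(backup_text) == fingerprint(readback_text)

def _lines_not_in(reference, candidate):
    """Lines of candidate not accounted for by reference, in order, with multiplicity."""
    budget = Counter(reference)
    extra = []
    for line in candidate:
        if budget[line] > 0:
            budget[line] -= 1
        else:
            extra.append(line)
    return extra

def config_drift(backup_text, current_text):
    """Added/removed lines since the backup, plus those touching sensitive commands."""
    old, new = normalise(backup_text), normalise(current_text)
    added, removed = _lines_not_in(old, new), _lines_not_in(new, old)
    sensitive = [l for l in added + removed if l.strip().startswith(SENSITIVE_PREFIXES)]
    return {"added": added, "removed": removed, "sensitive": sensitive}

def parse_sections(config_text):
    """Group indented sub-commands under their top-level command."""
    sections = []
    for line in normalise(config_text):
        if not line.startswith(" "):
            sections.append((line, []))
        elif sections:
            sections[-1][1].append(line.strip())
    return sections

def unrestricted_vty_lines(config_text):
    """vty ranges accepting logins without an access-class, i.e. management
    access is not limited to the administration network."""
    return [hdr for hdr, body in parse_sections(config_text)
            if hdr.startswith("line vty")
            and not any(cmd.startswith("access-class") for cmd in body)]

if __name__ == "__main__":
    drift = config_drift(BASELINE_CONFIG, CURRENT_CONFIG)
    print("backup current:", backup_matches_device(BASELINE_CONFIG, CURRENT_CONFIG))
    print("sensitive changes:", drift["sensitive"])
    print("vty without access-class:", unrestricted_vty_lines(CURRENT_CONFIG))
```

Run against the constructed read-back, the script reports that the backup no longer matches the device, lists the new SNMP community, the new vty range and the new trunk port as sensitive changes, and flags "line vty 5 15" as management access without an access-class. In a real deployment the fingerprint would be stored alongside each backup and the comparison would be run on a schedule, so that a backup that can no longer be restored to the current state (S 6.22) or an unauthorised configuration change (S 4.81, S 2.64) is noticed before the next incident rather than during it.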
The complete package of safeguards for the area of heterogeneous networks is presented in the
following; this package includes measures of a fundamental nature which need to be noted in addition to
the measures described above.