S 2.106 Purchase of suitable ISDN cards

Initiation responsibility: Head of IT Section, IT Security Management

Implementation responsibility: Administrator, Purchase Department

ISDN cards which have been selected for purchase should offer all security functions which might be required, so as to prevent unnecessary expenses in future. These security functions should either be an integral part of the card, or realisable with the help of the accompanying communications software and driver programs.

Possible criteria for selecting a suitable ISDN card include:

• Capability to perform authentication via PAP and CHAP (Password Authentication Protocol and Challenge Handshake Authentication Protocol, RFC 1994)

• Availability of a hardware-based or software-based encryption procedure (symmetric/asymmetric)

• Possibility of evaluating CLIP call numbers (Calling Line Identification Presentation) for the purpose of authentication

• Possibility of maintaining a table of call-numbers for performing callbacks

• Possibility of logging unsuccessful attempts to establish a link (refusal due to incorrect authentication of call numbers or PAP/CHAP).

Furthermore, the ISDN cards must be checked for functions which would impair operational security. If any such functions are found to exist, they should at least be deactivated through appropriate configuration. This includes, for example, the remote control functionality which allows an establishment of direct communications with the IT system via the public network.

ISDN cards with the greatest possible number of identical security functions should be used on the IT systems requiring such cards as well as the network gateways (e.g. ISDN routers). If a particular security function exists on one side but is absent on the other, the desired effect will not be achieved.

Additional controls:

• Is the purchase department aware of the additional requirements which ISDN cards need to fulfil?