IT Baseline Protection Manual S 2.139 Survey of the existing network environment

S 2.139 Survey of the existing network environment

Initiation responsibility: Head of IT Section, IT Security Management

Implementation responsibility: Administrators

A survey of the existing network environment is required for a systematic security analysis of the network. Such a survey is also needed if an existing network needs to be extended. The items described below must be taken into consideration during the planning of a network.

A survey of the existing environment must be accompanied by a detailed documentation of the following aspects, which partly depend on each other:

The essential details to be recorded during each individual step are specified in the following:

Survey of the existing network topography

A survey of the existing network topography involves a recording of the network's physical structure. Here, it is advisable to use the spatial structure of the network as orientation. A plan containing the following features should be prepared and maintained:

To support the maintenance of this plan, it is advisable to use an appropriate tool (e.g. CAD programs, special tools for network plans, cable management tools in conjunction with system management tools, etc.). Regular updating of these plans following rebuilding or extension must be ensured, in addition to clear and precise documentation (also refer to S 1.11 Plans detailing the location of supply lines and S 5.4 Documentation on and marking of cables).

Survey of the existing network topology

A survey of the existing network topology involves a consideration of the logical structure of the network. For this purpose, it is necessary to make a record of the segmentation of the individual OSI layers and, if applicable, the VLAN structure.

The representation of the network topology should make it possible to determine the active network components via which a link can be established between any two terminal devices. Furthermore, it is necessary to document the configurations of the active network components used for forming the segments. This can involve the configuration files in the case of logical segmentation, and the actual configuration of the network components in the case of physical segmentation.

Survey of the network protocols in use

The network protocols used in the individual segments of a network as well as the configurations required for this purpose (e.g. the MAC addresses, IP addresses and subnet masks for the IP protocol) need to be determined and documented. The documentation should provide details on which services are authorised (e.g. HTTP, SMTP, Telnet), and which services are filtered in accordance with which criteria.

Survey of the LAN/WAN connections

The LAN/WAN connections are to be described, if they have not already been documented. For every LAN/WAN connection between two networks, details must be provided on:

This should also include a documentation of the WAN protocols in use (e.g. ISDN, X.25). If firewalls are employed (refer to Chapter 7.3 Firewalls), their configuration must also be documented (e.g. filter rules).

Survey of the actual network performance and traffic flow

The network performance must be measured and the traffic flow between the segments or subnetworks must be analysed. Corresponding measurements need to be performed for each network protocol in use.

Any time the network environment is modified, the above-mentioned surveys are to be repeated. The documentation prepared as part of these surveys must be stored so that it is protected against access by unauthorised parties, yet remains readily available to security management and administrators.
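As an added example (not part of the manual), the following Python script shows how the survey of segments, subnet masks, authorised and filtered services described above can be kept as a structured record, checked for internal contradictions, and compared against a later snapshot of the network so that the survey is repeated consistently after changes. All addresses, VLAN numbers and services are constructed sample values.

```python
import ipaddress

# Constructed sample survey (hypothetical addresses, VLANs and services),
# structured along the aspects the safeguard asks to document per segment.
DOCUMENTED = {
    "office": {"vlan": 10, "subnet": "10.1.0.0/24", "filtered": ["Telnet"],
               "hosts": {"10.1.0.10": ["HTTP"], "10.1.0.20": ["SMTP"]}},
    "dmz":    {"vlan": 20, "subnet": "10.2.0.0/24", "filtered": ["Telnet", "SMTP"],
               "hosts": {"10.2.0.5": ["HTTP", "SMTP"], "10.9.0.1": ["HTTP"]}},
}
# Constructed snapshot of hosts and services actually seen on the network today.
OBSERVED = {"10.1.0.10": ["HTTP"], "10.1.0.30": ["HTTP"],
            "10.2.0.5": ["HTTP", "SMTP", "Telnet"]}


def check_consistency(doc):
    """Return findings where the documentation contradicts itself."""
    findings, nets = [], {}
    for name, seg in doc.items():
        net = ipaddress.ip_network(seg["subnet"])
        for other, onet in nets.items():          # overlapping subnets
            if net.overlaps(onet):
                findings.append(f"{name}: subnet overlaps with {other}")
        nets[name] = net
        for ip, services in seg["hosts"].items():
            if ipaddress.ip_address(ip) not in net:  # host outside its segment
                findings.append(f"{name}: host {ip} outside {net}")
            for svc in services:                     # authorised but also filtered
                if svc in seg["filtered"]:
                    findings.append(f"{name}: {svc} on {ip} is authorised but filtered")
    vlans = [seg["vlan"] for seg in doc.values()]
    for v in set(vlans):                              # one VLAN id, one segment
        if vlans.count(v) > 1:
            findings.append(f"VLAN {v} assigned to more than one segment")
    return findings


def find_drift(doc, observed):
    """Return hosts/services seen on the network but missing from the survey."""
    known = {ip: set(s) for seg in doc.values() for ip, s in seg["hosts"].items()}
    drift = []
    for ip, services in observed.items():
        if ip not in known:
            drift.append(f"undocumented host {ip}")
            continue
        for svc in set(services) - known[ip]:
            drift.append(f"undocumented service {svc} on {ip}")
    return sorted(drift)


if __name__ == "__main__":
    print("\n".join(check_consistency(DOCUMENTED) + find_drift(DOCUMENTED, OBSERVED)))
```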

Additional controls:


© Copyright by
Bundesamt für Sicherheit in der Informationstechnik
July 1999