Initiation responsibility: Head of IT Section, IT Security Management
Implementation responsibility: Administrators
To fulfil requirements concerning availability (also in terms of bandwidth and performance), confidentiality and integrity, the configuration, modification or extension of a network needs to be planned carefully. A network concept needs to be prepared for this purpose.
The development of a network concept can be classified into an analytical component and a conceptual component:
Analysis
First of all, it is necessary to determine whether an existing network needs to be extended or modified, or whether a completely new network needs to be established.
In the former case, the safeguards titled S 2.139 Survey of the existing network environment and S 2.140 Analysis of the existing network environment need to be realised. These safeguards are not required in the latter case; instead, requirements concerning network communications and the protection requirements of the future network need to be determined.
In order to determine requirements for communications, it is necessary to ascertain the flow of data and traffic anticipated between logical and organisational units, as the expected loads will influence the segmentation of the planned network. The necessary logical and physical communications relationships (with respect to services, users and groups), as well as the LAN / WAN connections must also be ascertained.
The protection requirement of the network is derived from that required by planned and existing IT processes. The result is used as a basis for forming appropriate physical and logical subnetworks (e.g. as regards the confidentiality of data). For example, the security requirements of an IT application influence the segmentation of the planned network.
Subsequently, an attempt must be made to harmonise the derived communications relationships with the protection requirements. In certain cases, it might be necessary to restrict communications relationships in order to fulfil the specified protection requirements.
The available resources need to be ascertained after that. These include personnel resources required to prepare and implement a concept and operate the network, as well as financial resources needed for this purpose.
The results are to be documented appropriately.
Conception
On the basis of the aspects analysed above, the network structure and the applicable constraints should be conceived and developed in the stages described in the following, following a plan that also takes future requirements (e.g. concerning bandwidth) and local conditions into account.
The network concept is prepared in a manner similar to that described in S 2.139 Survey of the existing network environment and thus essentially involves the following steps; however, these steps need not be executed strictly in the order given below. In some cases, the results of the individual steps influence one another, so that these results need to be checked and consolidated on a regular basis.
The individual steps essentially involve the following activities:
Step 1 - Conception of network topography and topology
Based on the analysis profile (see above) and the actual structural conditions, a suitable network topography and topology need to be selected (also refer to S 5.60 Selection of a suitable backbone technology, S 5.2 Selection of an appropriate network topography and S 5.3 Selection of cable types suited in terms of communications technology). Future requirements such as scalability also need to be considered here. The prepared concept must be documented (cabling plans, etc.).
Based on the ascertained requirements and the anticipated / calculated data flow, an appropriate physical and logical segmentation must be performed during conception of the network topography and topology (refer to S 5.61 Suitable physical segmentation, S 5.62 Suitable logical segmentation and S 5.13 Appropriate use of equipment for network coupling).
Step 2 - Conception of the network protocols
This step involves the selection and appropriate conception of the required network protocols. This includes, for example, the preparation of an addressing scheme for the IP protocol and the formation of subnetworks. During the selection of the network protocols, it must be observed that these protocols are supported by the network topology as well as planned and existing active network components.
Step 3 - Conception of LAN / WAN connections
Based on the anticipated flow of data across the planned LAN / WAN connections as well as requirements concerning security and availability, the LAN / WAN connections can be conceived in this step. This includes the selection of suitable coupling elements (refer to S 5.13 Appropriate use of elements for network coupling) as well as their secure configuration (refer to Chapter 7.3 Firewalls and S 4.82 Secure configuration of active network components).
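The following added example (not part of the BSI safeguard text) illustrates how the analysis results feed Steps 1 to 3: organisational units with their protection requirements and the ascertained communication relationships are turned into one logical segment per protection level, each segment receives its own subnet from a supernet as an addressing scheme, and the relationships that cross into a segment with a higher protection requirement are flagged as the ones that must be explicitly permitted or restricted at the coupling element. Unit names, protection levels and the 10.10.0.0/16 supernet are constructed sample values.

```python
"""Added worked example: derive segmentation and an IPv4 addressing scheme
from protection requirements and communication relationships, then flag the
relationships that cross protection levels and need restriction."""
import ipaddress

# Constructed sample input (hypothetical names): organisational units with
# their protection requirement and the communication relationships that the
# analysis phase ascertained between them.
LEVEL = {"normal": 0, "high": 1, "very high": 2}
UNITS = {
    "office-clients": "normal",
    "print-services": "normal",
    "finance-app": "high",
    "hr-database": "very high",
}
RELATIONS = [  # (source unit, destination unit, service)
    ("office-clients", "print-services", "ipp"),
    ("office-clients", "finance-app", "https"),
    ("finance-app", "hr-database", "sql"),
    ("office-clients", "hr-database", "smb"),
]


def plan_segments(units, supernet="10.10.0.0/16", prefix=24):
    """One logical segment per protection level, each with its own subnet
    carved from the supernet, so that filtering can be enforced at the
    segment borders (constructed addressing scheme)."""
    subnets = ipaddress.ip_network(supernet).subnets(new_prefix=prefix)
    plan = {}
    for level in sorted(set(units.values()), key=LEVEL.get):
        plan[level] = {
            "subnet": next(subnets),
            "members": sorted(u for u, lvl in units.items() if lvl == level),
        }
    return plan


def relations_to_restrict(units, relations):
    """A relationship whose destination has a higher protection requirement
    than its source crosses a segment border towards the more sensitive side;
    it must be explicitly permitted (e.g. by a firewall rule for exactly that
    service) or removed from the concept."""
    return [r for r in relations if LEVEL[units[r[1]]] > LEVEL[units[r[0]]]]


if __name__ == "__main__":
    for level, seg in plan_segments(UNITS).items():
        print(f"{level:9s} {seg['subnet']}  {', '.join(seg['members'])}")
    for src, dst, svc in relations_to_restrict(UNITS, RELATIONS):
        print(f"restrict: {src} -> {dst} ({svc}) enters a higher-protection segment")
```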
Additional steps
Based on the developed network concept, measures for preparing a network management concept can now be implemented (refer to S 2.143 Development of a network management concept, S 2.144 Selection of a suitable network management protocol and S 2.145 Requirements for a network management tool) and a realisation plan can be outlined in accordance with S 2.142 Development of a network realisation plan.
© Copyright by Bundesamt für Sicherheit in der Informationstechnik, July 1999