IT Baseline Protection Manual S 4.80 Secure access mechanisms for remote administration

Initiation responsibility: Head of IT Section, IT Security Management

Implementation responsibility: Administrators

Some active network components can be administered or monitored remotely via network access. This access is performed by means of connectionless or connection-oriented protocols. Such protocols include:

For all types of access, measures must be taken to ensure that no unauthorised access takes place.

For this purpose, the default passwords and community names of the network components must be replaced with secure passwords and community names (refer to S 4.82 Secure configuration of active network components). On many active network components, community names and passwords are coupled, and this coupling affects the FTP, Telnet, SNMP and CMIP protocols. Some components also allow access to be restricted on the basis of MAC or IP addresses. This option should be used wherever possible, so that access is permitted exclusively from dedicated management stations.

Data transmission protocols (TFTP, FTP, RCP) should only be activated from the network components themselves. This applies in particular to non-authenticating protocols such as TFTP. For interactive communication protocols (Telnet), the auto-logout option of the network components should be activated.

In the case of most protocols, it must be noted that passwords and community names are transmitted in plain text, i.e. they can be intercepted in principle (refer to S 5.61 Suitable physical segmentation and S 5.62 Suitable logical segmentation).

Example: The "public" and "private" default community names in SNMP should be replaced with other names.
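The following audit script is an added example and is not part of the manual. It checks a device configuration for the points above: default SNMP community names, SNMP communities that are not restricted to dedicated management stations by an access list, interactive (vty) lines without an auto-logout timer, and vty lines that accept plain-text Telnet. The configuration text is a constructed sample written in a Cisco-IOS-like syntax; the exact commands recognised, the function names and the sample values are assumptions of this example, not something the manual specifies.

```python
"""Audit a network-device configuration against the S 4.80 points.

The parsing rules below (snmp-server community, access-list, line vty,
exec-timeout, transport input) follow a Cisco-IOS-like syntax and are an
assumption of this example; adapt them to the syntax of your own components.
"""
import re

# Default community names that must never remain in use (from the manual).
DEFAULT_COMMUNITIES = {"public", "private"}

# Constructed sample configuration, not taken from any real device.
SAMPLE_CONFIG = """\
hostname edge-switch-01
snmp-server community public RO
snmp-server community mgmt-r0-s3cret RO 10
snmp-server community private RW
access-list 10 permit 192.0.2.10
line vty 0 4
 exec-timeout 0 0
 transport input telnet
line vty 5 15
 exec-timeout 10 0
 transport input ssh
"""


def parse_config(text):
    """Extract SNMP communities, defined access lists and vty line blocks."""
    communities = []  # (name, mode, acl-number or None)
    acls = set()
    vty_lines = []    # one dict per "line vty" block
    current = None    # the vty block whose indented sub-lines we are in
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        if not line.startswith(" "):
            # Top-level command: a new block starts, any open vty block ends.
            current = None
            m = re.match(r"snmp-server community (\S+) (RO|RW)(?: (\d+))?$", line)
            if m:
                communities.append((m.group(1), m.group(2), m.group(3)))
                continue
            m = re.match(r"access-list (\d+) ", line)
            if m:
                acls.add(m.group(1))
                continue
            m = re.match(r"line vty (\d+) (\d+)$", line)
            if m:
                current = {"range": (int(m.group(1)), int(m.group(2))),
                           "exec_timeout": None, "transport": None}
                vty_lines.append(current)
            continue
        if current is not None:
            # Indented sub-command inside the open vty block.
            m = re.match(r"exec-timeout (\d+) (\d+)$", line.strip())
            if m:
                current["exec_timeout"] = (int(m.group(1)), int(m.group(2)))
                continue
            m = re.match(r"transport input (\S+)$", line.strip())
            if m:
                current["transport"] = m.group(1)
    return {"communities": communities, "acls": acls, "vty": vty_lines}


def audit(text):
    """Return a list of findings (empty list means all checks passed)."""
    cfg = parse_config(text)
    findings = []
    for name, mode, acl in cfg["communities"]:
        if name.lower() in DEFAULT_COMMUNITIES:
            findings.append(f"SNMP community '{name}' ({mode}) is a default name; replace it")
        if acl is None:
            findings.append(f"SNMP community '{name}' ({mode}) is not restricted to "
                            f"management stations (no access list)")
        elif acl not in cfg["acls"]:
            findings.append(f"SNMP community '{name}' references access-list {acl}, "
                            f"which is not defined")
    for vty in cfg["vty"]:
        lo, hi = vty["range"]
        timeout = vty["exec_timeout"]
        # "exec-timeout 0 0" disables the idle timer; a missing entry leaves the default.
        if timeout is None or timeout == (0, 0):
            findings.append(f"line vty {lo} {hi}: auto-logout (exec-timeout) is not active")
        if vty["transport"] == "telnet":
            findings.append(f"line vty {lo} {hi}: Telnet transmits passwords in plain text; "
                            f"confine it to a segmented management network")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Run against the sample, the script reports six findings: both default community names, both communities without an access list, the disabled idle timer on vty 0-4, and the plain-text Telnet transport on that same range; the `mgmt-r0-s3cret` community tied to access-list 10 and the SSH lines with a 10-minute timer pass. Extending the rule set to the TFTP, FTP and RCP services the manual also mentions is a matter of adding further top-level patterns in `parse_config`.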

Additional controls:


© Copyright by
Bundesamt für Sicherheit in der Informationstechnik
July 1999