IT Baseline Protection Manual S 5.47 Configuration of a Closed User Group

S 5.47 Configuration of a Closed User Group

Initiation responsibility: IT Security Management, PBX officer

Implementation responsibility: Administrators

Integrated Services Digital Networks (ISDN) allow the configuration of Closed User Groups (CUG). All subscribers in a CUG can communicate with each other via the public ISDN network; however, requests by external subscribers to establish links with CUG subscribers can be rejected, as can requests by CUG subscribers to establish links with subscribers in the public ISDN network.

Mode of operation:

All communications partners here are members of a Closed User Group configured by the network operator (e.g. Deutsche Telekom AG). Authorisation to communicate is checked by the digital exchange of the communications partner via an interlock code which is uniquely assigned to the CUG. To start with, the calling communications partner sends a call request to the digital exchange assigned to him. The digital exchange appends to this call request the ISDN number of the calling partner as well as the unique interlock code of the related Closed User Group. The digital exchange of the called communications partner uses this interlock code to identify whether the call request can be accepted. If identification is positive, the call request is forwarded to the communications partner being called.

The advantage of this function is that unauthorised access attempts can be rejected at the network operator's digital exchange, so that they never reach the gateways of the communications partner.
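The check described above can be modelled in a few lines. This is an added example, not part of the manual and not an implementation of ISDN signalling. It models a group in which calls both into and out of the CUG are barred; the table, numbers, interlock codes and result strings are constructed assumptions.

```python
from dataclasses import dataclass, replace
from typing import Optional

# Operator-held data: ISDN number -> interlock code of its CUG (None = not in a CUG).
# All numbers and codes are constructed sample values.
OPERATOR_CUG_TABLE = {
    "0301000": 4711,   # CUG member, site A
    "0402000": 4711,   # CUG member, site B
    "0893000": 815,    # member of a different CUG
    "0694000": None,   # ordinary public subscriber
}

@dataclass(frozen=True)
class CallRequest:
    called: str
    calling: Optional[str] = None     # filled in by the originating exchange
    interlock: Optional[int] = None   # filled in by the originating exchange

def originating_exchange(line: str, req: CallRequest) -> CallRequest:
    """Append calling number and interlock code taken from operator data.
    Values a terminal placed in these fields are overwritten."""
    return replace(req, calling=line, interlock=OPERATOR_CUG_TABLE[line])

def terminating_exchange(req: CallRequest) -> str:
    """Decide from the interlock code whether the request reaches the callee."""
    if req.called not in OPERATOR_CUG_TABLE:
        return "REJECT unknown number"
    callee_code = OPERATOR_CUG_TABLE[req.called]
    if req.interlock == callee_code:
        return "FORWARD"              # same CUG, or both outside any CUG
    if callee_code is not None:
        return "REJECT caller is not in the callee's CUG"
    return "REJECT CUG member calling into the public network"

def place_call(line: str, req: CallRequest) -> str:
    return terminating_exchange(originating_exchange(line, req))

if __name__ == "__main__":
    for line, req in [
        ("0301000", CallRequest("0402000")),
        ("0694000", CallRequest("0301000")),
        ("0893000", CallRequest("0301000")),
        ("0301000", CallRequest("0694000")),
        # terminal-supplied values are discarded at the originating exchange
        ("0694000", CallRequest("0301000", calling="0402000", interlock=4711)),
    ]:
        print(line, "->", req.called, ":", place_call(line, req))
```

Because the interlock code comes from operator data bound to the calling line, the decision never depends on anything the calling terminal asserts about itself.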

A disadvantage of this function is that changes in the membership of a CUG always need to be reported to the network operator, as only this party is capable of making the required modifications to the authorisation parameters. This also means that the network operator is in full control of the membership profile of a CUG and any changes made by the operator cannot necessarily be monitored by the users of a CUG. Furthermore, the configuration and operation of a CUG by a network operator generates one-time as well as running costs.

The configuration of a Closed User Group by the operator of a public network is advisable wherever

Additional controls:


© Copyright by
Bundesamt für Sicherheit in der Informationstechnik
July 1999