IT Baseline Protection Manual S 5.61 Suitable physical segmentation

S 5.61 Suitable physical segmentation

Initiation responsibility: Head of IT Section, IT Security Management

Implementation responsibility: Administrators

Physical segmentation involves separating the network with the help of active and passive network components on layer 1, 2 or 3. Suitable physical segmentation can increase availability, integrity and confidentiality. Various types of network components can be used to perform segmentation (refer to S 5.13 Appropriate use of elements for network coupling).

Availability

Network performance and bandwidth are also an availability concern, and both can be enhanced by separating the network on layer 1, 2 or 3 of the OSI model. Separation on layer 1 gives the smallest gain in availability of the individual segments but the highest throughput between them; separation on layer 3 gives the largest gain in availability of the individual segments but the lowest throughput between them.

Segmentation on layer 1 with the help of a repeater increases the availability of the network by preventing electrical errors in one segment from affecting the remaining segments.

Example: In a network consisting of two thinwire Ethernet segments linked together via a repeater, the absence of a terminator in one segment does not affect the functionality of the other segment.

Figure 1: Electrical separation of segments with a repeater in order to increase availability

What applies to repeaters here also holds true for bridges and switches, as they cover layer 1 as well. In addition to this function, faulty data packets on layer 2 and collisions are isolated in one segment. The segments are also relieved, as data packets can be forwarded systematically between them. It must be ensured that the bridge or switch in use has a sufficiently high capacity (filter and transfer rates), to allow the data traffic between the segments to be processed without any major delays.

Generally, bridges and switches operate on layer 2 of the OSI model. To set up the connection matrix, these components evaluate the MAC addresses of the involved systems in the respective segments. Some manufacturers also offer switches which operate on layer 3, for example, using the IP address to set up the connection matrix. In both cases, setup is performed automatically, although certain models also allow manual intervention. Some manufacturers additionally offer the possibility of setting up the connection matrix manually (via a central tool) on the port level, where the cables are actually routed (port or configuration switching).
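The following is an added illustration, not part of the original safeguard text, of how a bridge or switch builds its layer-2 connection matrix automatically and why that keeps a logical group's frames inside its physical segment. It models a transparent learning bridge: the MAC address table is filled from the source address of every frame seen on a port, a known unicast destination is forwarded only to the port it was learned on (or dropped when that is the port the frame arrived on), and unknown or broadcast destinations are flooded. The optional static table stands in for the manual port-level assignment that some products offer; all station addresses and port numbers are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List

BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"


@dataclass(frozen=True)
class Frame:
    """Minimal layer-2 frame: only the fields a bridge evaluates."""
    src_mac: str
    dst_mac: str


@dataclass
class LearningBridge:
    """Transparent learning bridge/switch.

    The connection matrix (MAC address -> port) is set up automatically from
    the source address of each frame. Entries in `static` model manual
    port-level configuration and take precedence over learned entries.
    """
    ports: List[int]
    mac_table: Dict[str, int] = field(default_factory=dict)
    static: Dict[str, int] = field(default_factory=dict)

    def handle(self, in_port: int, frame: Frame) -> List[int]:
        """Return the ports the frame is sent out on (empty = filtered)."""
        if frame.src_mac not in self.static:
            self.mac_table[frame.src_mac] = in_port  # learn the source location
        table = {**self.mac_table, **self.static}
        dst = frame.dst_mac
        if dst == BROADCAST_MAC or dst not in table:
            # broadcast or still-unknown destination: flood to every other port
            return [p for p in self.ports if p != in_port]
        out_port = table[dst]
        if out_port == in_port:
            # source and destination are on the same segment: the frame is
            # filtered, so it never appears on the other segments
            return []
        return [out_port]


def scenario() -> Dict[str, List[int]]:
    """Constructed scenario: stations A and B on port 1, C on port 2, D pinned to port 3."""
    a, b, c, d = ("00:00:00:00:00:0a", "00:00:00:00:00:0b",
                  "00:00:00:00:00:0c", "00:00:00:00:00:0d")
    bridge = LearningBridge(ports=[1, 2, 3], static={d: 3})
    results = {}
    # C is not yet known: the frame is flooded to ports 2 and 3
    results["unknown_flooded"] = bridge.handle(1, Frame(a, c))
    # C answers from port 2; A was learned on port 1, so only port 1 receives it
    results["reply_learned"] = bridge.handle(2, Frame(c, a))
    # B talks to A on the same segment: filtered, nothing leaves port 1
    results["local_filtered"] = bridge.handle(1, Frame(b, a))
    # broadcasts cross a bridge and reach every other segment
    results["broadcast"] = bridge.handle(1, Frame(a, BROADCAST_MAC))
    # D is statically assigned to port 3; a frame for D goes there directly
    results["static_entry"] = bridge.handle(1, Frame(a, d))
    return results


if __name__ == "__main__":
    for name, out_ports in scenario().items():
        print(f"{name:16s} -> ports {out_ports}")
```

The `broadcast` case is the property that distinguishes a bridge from a router in the text that follows: a bridge isolates unicast traffic and collisions per segment, but it still forwards broadcasts to all other segments.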

Routers operating on layer 3 incorporate the characteristics of both repeaters and bridges as regards availability, and also allow an evaluation of protocols on layer 3. This results in a load separation on a higher level, thus permitting almost full control of network traffic. In particular, no broadcasts are forwarded between segments (subnets) separated by means of a router. Consequently, a broadcast storm occurring in one segment does not affect the other.

Based on the results of a traffic-flow analysis (refer to S 2.139 Survey of the existing network environment), it might be necessary to perform physical segmentation in order to increase the bandwidth and performance to the required extent.

Example: Central server systems for file and printing services as well as applications are present or planned in a network. To achieve a high level of performance and availability, it might be advisable to connect these servers in a dedicated manner to a switch, from where the server systems are linked with the individual workstations (shared or switched mode). If possible, the connection between the server systems and the switch should at least comprise a Fast Ethernet link.

In general, a switched network provides higher performance than a shared network, as all subscribers connected to a shared network need to share the available bandwidth. In contrast, a switched network offers every subscriber the full bandwidth at least as far as the next active network component. However, it must be noted that such a network requires structured cabling (star configuration), and that a fully switched network generates relatively high costs.

Alternative solutions involve coupling individual segments in the backbone area, or in areas experiencing high network loads (e.g. workgroups), via a switch; these segments are configured as shared-media LANs (see Figure 2). Additionally, it is always possible to connect individual workstation systems with high performance requirements directly to a switch. Whereas a shared network or shared segment can be laid out in a bus or a star configuration, reasons of availability and investment protection make it advisable to implement structured cabling (star configuration) in this case as well (refer to S 5.2 Selection of an appropriate network topography).

Figure 2: Example of a network consisting of switched and shared segments. The servers are linked via Fast Ethernet.

Confidentiality

All measures which prevent an exchange of data between two segments are suitable for increasing the confidentiality of the data. Consequently, a repeater alone is unsuitable for this purpose. Some manufacturers offer multi-port repeaters which can be configured so as to allow only certain network users to operate in the network via these repeaters. To a certain extent, this prevents unauthorised clients from establishing links with the network. Bridges/switches and routers increase confidentiality by checking and blocking data traffic on layers 2 and 3, and by joining or separating segments on the port level in a dedicated manner. Certain manufacturers also offer bridges and switches which restrict access by network clients.

Routers offer the most extensive control possibilities of the components dealt with here. Routers can not only be used to control access and routes for reaching other networks, but also to specify which clients may communicate with systems in another segment, and on what basis. By excluding certain layer-3 protocols, the router can prevent data belonging to these protocols from reaching the other segments. This is done by defining appropriate filter rules on the router; these rules can be formulated on the protocol level. If a TCP/IP protocol stack is used, for example, individual TCP and UDP ports can be disabled or enabled selectively. Components operating on higher layers, such as application-level firewalls, are not considered here (refer to S 2.75 Selection of a suitable application gateway).

Example: Separating a network with the help of a router and appropriately configured filter rules prevents the transfer of FTP and TFTP data (ports 20 and 21 or 69 respectively) between the segments, so that this service cannot be intercepted on the other segment. This also prevents the transfer of broadcast data between the subnets. In addition, the filters must be configured by default such that communications are initially restricted to the greatest possible extent and only enabled subsequently for individual services as the requirements for them arise. If necessary, IP-specific filtering should be considered here.
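As an added worked example (not part of the original safeguard text) of the router configuration described above, the model below evaluates packets between two subnets against an ordered filter list with an implicit default deny: FTP and TFTP are denied explicitly, a single required service is permitted for a specific source subnet and destination host, and everything else is dropped. It also shows the two properties the example relies on, namely that broadcasts (limited and subnet-directed) stop at the router, and that traffic between two hosts in the same subnet never passes the router at all, so its filter rules cannot protect that traffic. The subnets, host addresses and the permitted service are constructed for the example, as is the `FilteringRouter` class itself; the rule order mirrors the text's "deny first, enable services as required" approach.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                      # "tcp", "udp" or "icmp"
    dst_port: Optional[int] = None  # None for protocols without ports


@dataclass(frozen=True)
class Rule:
    """One filter rule; rules are evaluated in order, first match wins."""
    action: str                     # "permit" or "deny"
    proto: str = "any"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    dst_ports: FrozenSet[int] = frozenset()   # empty set = any port

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "any" and self.proto != pkt.proto:
            return False
        if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(self.src):
            return False
        if ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(self.dst):
            return False
        if self.dst_ports and pkt.dst_port not in self.dst_ports:
            return False
        return True


class FilteringRouter:
    """Layer-3 router with a packet filter between its attached subnets."""

    def __init__(self, subnets: List[str], rules: List[Rule]):
        self.subnets = [ipaddress.ip_network(s) for s in subnets]
        self.rules = rules

    def _subnet_of(self, ip: str):
        addr = ipaddress.ip_address(ip)
        return next((net for net in self.subnets if addr in net), None)

    def decide(self, pkt: Packet) -> Tuple[str, str]:
        """Return (verdict, reason); verdict is forward, drop or local."""
        dst = ipaddress.ip_address(pkt.dst)
        in_net, out_net = self._subnet_of(pkt.src), self._subnet_of(pkt.dst)
        # limited and directed broadcasts are never forwarded between subnets
        if dst == ipaddress.ip_address("255.255.255.255") or (
                out_net is not None and dst == out_net.broadcast_address):
            return ("drop", "broadcast not forwarded")
        if in_net is None or out_net is None:
            return ("drop", "no route")
        if in_net == out_net:
            # same segment: the router, and hence its filter, is not involved
            return ("local", "same subnet, router not involved")
        for rule in self.rules:
            if rule.matches(pkt):
                verdict = "forward" if rule.action == "permit" else "drop"
                return (verdict, f"rule: {rule.action} {rule.proto} {sorted(rule.dst_ports) or 'any'}")
        return ("drop", "implicit default deny")


# Constructed rule set: FTP (TCP 20/21) and TFTP (UDP 69) denied explicitly,
# HTTP permitted from one subnet to one server, everything else denied by default.
RULES = [
    Rule("deny", "tcp", dst_ports=frozenset({20, 21})),
    Rule("deny", "udp", dst_ports=frozenset({69})),
    Rule("permit", "tcp", src="10.1.0.0/24", dst="10.2.0.10/32", dst_ports=frozenset({80})),
]


def scenario() -> Dict[str, Tuple[str, str]]:
    """Constructed packets between subnet 10.1.0.0/24 and 10.2.0.0/24."""
    router = FilteringRouter(["10.1.0.0/24", "10.2.0.0/24"], RULES)
    cases = {
        "ftp_control":     Packet("10.1.0.5", "10.2.0.10", "tcp", 21),
        "tftp":            Packet("10.1.0.5", "10.2.0.10", "udp", 69),
        "http_permitted":  Packet("10.1.0.5", "10.2.0.10", "tcp", 80),
        "http_other_host": Packet("10.1.0.5", "10.2.0.11", "tcp", 80),
        "ssh_default":     Packet("10.1.0.5", "10.2.0.10", "tcp", 22),
        "directed_bcast":  Packet("10.1.0.5", "10.2.0.255", "udp", 137),
        "limited_bcast":   Packet("10.1.0.5", "255.255.255.255", "udp", 67),
        "same_segment":    Packet("10.1.0.5", "10.1.0.9", "tcp", 21),
    }
    return {name: router.decide(pkt) for name, pkt in cases.items()}


if __name__ == "__main__":
    for name, (verdict, reason) in scenario().items():
        print(f"{name:16s} {verdict:8s} {reason}")
```

The `same_segment` case is the caveat to keep in mind when reading Figure 3: a router's filters only apply to traffic that actually crosses it, so FTP between two hosts in the same subnet remains interceptable there, and segmentation has to be planned so that the systems to be separated really end up in different subnets.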

Figure 3: Example of segmentation into subnetworks on layer 3 by a router

Data and network integrity

As a rule, the integrity of data up to layer 3 is ensured by the network access protocol in use, whilst additional measures are required to ensure network integrity, i.e. concordance between the actual network environment and the planned physical, as well as logical, segmentation. These measures must prevent the establishment of unauthorised or incorrect communications links, as well as unauthorised system access which would impair the integrity of the network.

Consequently, network integrity is essentially ensured by

For this, it is necessary to restrict physical access to the network components to a sufficient extent (e.g. by implementing infrastructure-specific measures for the distributor room, cabling etc.) and to design the network management system so as to prevent unauthorised access to the network components via the network.

The use of network components alone does not serve to enhance protection of the integrity of data on layer 3 (e.g. application data), although it does hinder selective attacks on data integrity. For this purpose, network components can be used which prevent data packets from being tapped and manipulated. Such components comprise, for example, bridges/switches and routers which can be used to separate a network into segments or subnetworks between which data communications are to be controlled, restricted or configured. A mapping of logical relationships to a physical configuration plays a key role, particularly in the case of network components which can be configured automatically, such as bridges and switches. Only this ensures that the data packets of a logical group actually remain in the corresponding physical segment. In the case of bridges/switches which allow a configuration of the conceivable links on the port level (port switching), manual control of link establishment on layer 1 is also possible.

Example: Systems which allow the connection of terminals to a network (terminal servers) and systems to be accessed from the terminal servers need to be assigned to a segment separated from the rest of the network by means of a bridge. Only this prevents passwords transferred from the terminal server to the addressed system from being tapped and, possibly, modified from another segment.

Figure 4: Separation into segments with a bridge in order to enhance integrity and confidentiality

Furthermore, network components should be selected and dimensioned appropriately in order to ensure that neither an overload nor a failure of these components will result in a loss or corruption of data packets.

Additional controls:


© Copyright by
Bundesamt für Sicherheit in der Informationstechnik
July 1999