IT Baseline Protection Manual T 2.45 Conceptual deficiencies of a network
T 2.45 Conceptual deficiencies of a network
Correct planning of the installation and expansion of a network decisively determines the success of all network operations. Progressively shorter innovation cycles in IT pose a particular challenge to networks which cannot meet the new requirements due to their design, and therefore easily create bottlenecks:
A network must be designed in accordance with the requirements of network users (e.g. workgroups) as regards the confidentiality of data and the integrity of the network. Otherwise, confidential data of a particular workgroup could be read by other, unauthorised network users. The confidentiality of data can also be violated through the relocation of individual workgroup members or entire workgroups if it is not possible to configure new confidential domains in the network or reconfigure existing ones. This threat also applies to the integrity of the network or segments thereof.
Example: A subnetwork separated by a router was configured for a workgroup that had special requirements as regards the confidentiality and integrity of data. Because of the routing of cables, this segment was confined to one single building. If several members of this workgroup were later relocated to a different building, they would then need to communicate via the standard, productive network. As a result, the confidentiality and integrity of the data could no longer be ensured.
If new applications with higher bandwidth demands than were foreseen during the planning phase are placed within the network, this can easily impair the availability of the entire network if conceptual deficiencies in its infrastructure no longer allow adequate scaling (loss of availability due to overload). Depending on the existing segmentation of the network, the loss of availability might only affect individual segments.
Example: Many existing networks that have been expanded over the course of time contain, for historical reasons, backbone segments with a lower maximum bandwidth, such as Token-Ring or Ethernet segments. The restricted transmission rates in these backbone segments affect the availability of the entire network during periods of high load.
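The two threats above (workgroup members ending up outside their dedicated confidential segment, and backbone segments that cannot carry the planned load) can both be caught during a design review by checking the network plan against the stated requirements. The following script is an added illustration of such a review and is not part of the IT Baseline Protection Manual; the segments, hosts, workgroup-to-segment assignments and planned loads are constructed sample data, and the CIDR-per-segment model is an assumption.

```python
"""Network design sanity checks (added example, not from the Baseline Protection
Manual). Two checks over a constructed inventory:
  1. Hosts of a workgroup with special confidentiality requirements must sit
     inside that workgroup's dedicated segment; a relocated member now reached
     over the standard network is flagged (the relocation example in the text).
  2. Every backbone segment must carry the planned load of the applications
     routed across it; an under-dimensioned segment (e.g. an old 16 Mbit/s
     Token-Ring backbone) is flagged (the bandwidth example in the text).
All segments, hosts and loads below are constructed sample data.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Segment:
    name: str
    prefix: str           # CIDR block assigned to the segment (assumption)
    capacity_mbit: float  # maximum usable bandwidth of the segment


@dataclass(frozen=True)
class Host:
    name: str
    workgroup: str
    address: str


# Constructed sample topology: a router-separated segment for the "finance"
# workgroup, a 16 Mbit/s Token-Ring backbone, and the standard office network.
SEGMENTS = {
    "finance-segment": Segment("finance-segment", "10.10.0.0/24", 100.0),
    "backbone": Segment("backbone", "10.0.0.0/24", 16.0),
    "office-b": Segment("office-b", "10.20.0.0/24", 100.0),
}

# Workgroups that must be confined to a dedicated segment (assumption).
CONFIDENTIAL_WORKGROUPS = {"finance": "finance-segment"}

HOSTS = [
    Host("fin-pc-01", "finance", "10.10.0.11"),
    Host("fin-pc-02", "finance", "10.10.0.12"),
    # Relocated to building B: now reached over the standard network.
    Host("fin-pc-03", "finance", "10.20.0.40"),
    Host("sales-pc-01", "sales", "10.20.0.41"),
]

# Planned application load (Mbit/s) per segment the traffic traverses.
PLANNED_LOAD_MBIT = {
    "backbone": [("file-sync", 8.0), ("video-training", 12.0)],
    "office-b": [("file-sync", 8.0)],
}


def misplaced_confidential_hosts(hosts, segments, confidential):
    """Return (host name, required segment) for every host of a confidential
    workgroup whose address lies outside the segment reserved for it."""
    findings = []
    for host in hosts:
        required = confidential.get(host.workgroup)
        if required is None:
            continue
        net = ip_network(segments[required].prefix)
        if ip_address(host.address) not in net:
            findings.append((host.name, required))
    return findings


def overloaded_segments(segments, planned_load):
    """Return (segment name, planned load, capacity) for every segment whose
    summed planned load exceeds its capacity."""
    findings = []
    for seg_name, loads in planned_load.items():
        total = sum(mbit for _, mbit in loads)
        cap = segments[seg_name].capacity_mbit
        if total > cap:
            findings.append((seg_name, total, cap))
    return findings


if __name__ == "__main__":
    for name, seg in misplaced_confidential_hosts(HOSTS, SEGMENTS, CONFIDENTIAL_WORKGROUPS):
        print(f"confidentiality: {name} is outside its required segment {seg}")
    for seg, load, cap in overloaded_segments(SEGMENTS, PLANNED_LOAD_MBIT):
        print(f"availability: {seg} planned load {load} Mbit/s exceeds capacity {cap} Mbit/s")
```

On the sample data the first check reports the relocated host fin-pc-03, and the second reports the backbone, whose 20 Mbit/s planned load exceeds its 16 Mbit/s capacity. In a real review the inventory would come from the address plan and the application catalogue rather than from literals in the script.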
Networks intended exclusively to connect proprietary systems can also suffer a loss of availability if they are connected to unsuitable systems (loss of availability due to network components which cannot operate together).
Example: Proprietary networks are used primarily in the mainframe sector for connecting mainframes with their terminals. Such networks are often intended for terminal or printer operation only and are not suitable for other architectures (e.g. Ethernet). This applies to the installed cables as well as the active network components. If an attempt is made to exceed this scope, the proprietary network usually becomes unavailable. One possibility of integrating two different architectures is to create a connection via a gateway.
The use of active network components which are not designed for use with certain protocols might prevent the use of these protocols or of additionally required services.
Example: A network consisting exclusively of active components which only support IP routing or IP switching does not allow a Novell NetWare network operating system to be run on an SPX/IPX basis.
The use of passive network components which impose restrictions on the possible network access protocols might prevent future scaling of the network.
Example: A network consisting exclusively of 50-ohm coaxial cables does not allow the use of ATM. Networks consisting of 150-ohm twisted-pair cables do not allow the use of 100-ohm Ethernet components. Such conceptual deficiencies, partly historical in nature, require costly changes to the network infrastructure.
Although a network can have a neutral design with respect to applications, systems and services, the use of highly heterogeneous components can give rise to high maintenance requirements which might exceed the capabilities of the operating personnel. This can impair the availability of the network if failures or malfunctions of passive or active network components cannot be remedied quickly enough due to a lack of personnel capacity.