6.7 Heterogeneous networks

Description

A local network is composed of wiring (i.e. cables and connecting elements, which are passive network components) as well as active network coupling components. Generally, various types of cable and active network components can be integrated into a LAN. Active network components require a separate power supply. Such components include repeaters, bridges, switches, routers, gateways etc. Passive network components do not require a separate power supply. Such components include cables, distributor cabinets, patch fields and plug connectors.

Cabling is discussed in detail in Chapter 4.2, while Chapters 5 and 6 deal with application-related periphery. Consequently, this module focuses on the active network components, the topology underlying them, their configuration, criteria for choosing suitable components, the selection of communication protocols and the related network management. Only LAN technologies, e.g. Ethernet, Token Ring and FDDI network protocols and the related network components such as bridges, switches and routers are considered here. These technologies can also be used in MANs. However, integration into WANs is not discussed here; this information is provided in Chapter 7.3 "Firewalls".

If a LAN is to be protected adequately from the perspective of IT baseline protection, a reference to this chapter alone is not sufficient. In addition to the active network components and network management software, a treatment of the physical wiring and of the server systems present in the network is also required. For this reason, it is absolutely necessary to refer to the above-mentioned chapters as well. This chapter provides guidelines on how to analyse a heterogeneous network and use this analysis as a basis for realising and operating such a network from the perspective of IT security. Consequently, this chapter is intended for organisational departments responsible for operating networks and in possession of the corresponding technical know-how.

Threat Scenario

The following typical threats are assumed as regards IT baseline protection of a heterogeneous network:

Force Majeure:

Organisational Shortcomings:

Human Failure:

Technical Failure:

Deliberate Acts:

Recommended Countermeasures (S)

For the implementation of IT baseline protection, selection of the required packages of safeguards ("modules"), as described in Chapters 2.3 and 2.4, is recommended.
Here, it must be pointed out once again that adequate protection of a LAN from the perspective of IT baseline protection can only be ensured if the packages of safeguards described in Chapter 4.2 Cabling, Chapter 6.1 Server-based networks and, if applicable, additional measures related to the operating system in use and Chapter 6.8 Network and system management are also implemented.
Furthermore, the active network components should be installed in rooms intended to accommodate technical infrastructure (e.g. distributor rooms). This means that the safeguards described in Chapter 4.3.4 Technical infrastructure rooms also need to be taken into account.
The network administrator's workstation also requires special protection. In addition to the safeguards described in Chapter 4.3.1 Offices, rules pertaining to the operating system in use must also be specified here (refer to Chapter 6).
Secure operation of a heterogeneous network requires the implementation of a number of measures, beginning with an analysis of the existing network environment, followed by the development of a network management concept, and leading to the actual operation of a heterogeneous network. The steps and measures involved are described below:

1. Analysis of the existing network environment (refer to S 2.139 Survey of the existing network environment and S 2.140 Analysis of the existing network environment)

2. Conception

3. Reliable operation of a network

4. Contingency planning

The complete package of safeguards for the area of heterogeneous networks is presented in the following; this package includes measures of a fundamental nature which need to be noted in addition to the measures described above.

Infrastructure:

Organisation:

Personnel:

Hardware/Software:

Communications:

Contingency Planning:


© Copyright by Bundesamt für Sicherheit in der Informationstechnik 2000

Last Update on 6 April 2000