IT Baseline Protection Manual - The Information Warfare Site

Safeguard Catalogue - Communications Remarks
____________________________________________________________________ .........................................
- identification and authentication of the operator;
- disconnection in case of critical security incidents;
- automatic call back; and
- logging of all activities.
In addition, other functions can be implemented as well:
- Activation of a time lock on invalid access attempts.
- De-activation of remote maintenance during normal operation and explicit
release for a clearly defined period of time. This is an expedient measure
which, in an emergency, will enable the manufacturer or another service
contractor to intervene.
- Restrictions on the rights of maintenance staff. By means of additional
software installed on the service PC, the users' scope for action can be
restricted in order to achieve gradation of the administration of rights.
- "Forced log-out" in case of line interruption. If the connection between the
remote-maintenance unit and the PC gateway is interrupted in any way,
access to the system must be stopped by a "forced log-out".
Physical de-activation of the remote-maintenance ports
If remote maintenance is normally not required and is to be provided only if
required, physical shut-off of the port is recommended. If required, it can be
re-activated at short notice, possibly after consultation over the telephone with
the manufacturer or the service contractor.
Closed User Group (CUG)
It is possible to create a CUG in public ISDN and X.25 networks. Here, the
network operator provides the user with a virtual "network within a network".
The closed user groups can be obtained from the network operator against the
appropriate fee.
Alternatively, it can be considered realising the closed user groups by using
the ISDN Calling Line Identification and Presentation (CLIP) and Connected
Line Identification and Presentation (COLP). If possible, this can also be done
by appropriately configuring the PBX system or the PC gateway.
Avoiding or controlling direct dial-in
Direct dial-in, e.g. from other networks by suffix dialling in dual tone
multifrequency signalling, into the PBX system should be disabled, if
possible. This is often used for access to server services. If it is not possible to
prevent direct dial-in, it is recommended to activate all available protective
mechanisms and regular controls to detect possible abuse.
____________________________________________________________________ .........................................
IT-Baseline Protection Manual: Oktober 2000