IT Baseline Protection Manual - The Information Warfare Site

Safeguard Catalogue - Communications Remarks
____________________________________________________________________ .........................................
S 5.47 Configuration of a Closed User Group
Initiation responsibility: IT Security Management, PBX officer
Implementation responsibility: Administrators
Integrated Services Digital Networks (ISDN) allow the configuration of
Closed User Groups (CUG). Such groups are characterised by the fact that all
the subscribers in a CUG can communicate with each other via the public
ISDN network; however, requests by external subscribers for establishing
links with CUG subscribers can be rejected, just as requests by CUG
subscribers for establishing links with subscribers in the public ISDN network.
Mode of operation:
All communications partners here are members of a Closed User Group
configured by the network operator (e.g. Deutsche Telekom AG).
Authorisation to communicate is checked by the digital exchange of the
communications partner via an interlock code which is uniquely assigned to
the CUG. To start with, the calling communications partner sends a call
request to the digital exchange assigned to him. The digital exchange appends
to this call request the ISDN number of the calling partner as well as the
unique interlock code of the related Closed User Group. The digital exchange
of the called communications partner uses this interlock code to identify
whether the call request can be accepted. If identification is positive, the call
request is forwarded to the communications partner being called.
The advantage of this function is that unauthorised attempts at access can be
rejected already by the digital exchange of the network operator, so that they
do not reach the gateways of the communications partner.
A disadvantage of this function is that changes in the membership of a CUG
always need to be reported to the network operator, as only this party is
capable of making the required modifications to the authorisation parameters.
This also means that the network operator is in full control of the membership
profile of a CUG and any changes made by the operator cannot necessarily be
monitored by the users of a CUG. Furthermore, the configuration and
operation of a CUG by a network operator generates one-time as well as
running costs.
The configuration of a Closed User Group by the operator of a public network
is advisable wherever
- Hardware and software for other processes (e.g. S 5.48 Authentication via
CLIP/COLP) first need to be procured
- The membership of a CUG rarely changes
- The network operator is sufficiently trustworthy
Additional controls:
- Is clear and comprehensive documentation available on CUGs which have
been configured? Is this documentation up-to-date?
- Are regular checks made as to whether the CUG function - which usually
costs money - is still required?
____________________________________________________________________ .........................................
IT-Baseline Protection Manual: Oktober 2000