IT Baseline Protection Manual - The Information Warfare Site

Safeguard Catalogue - Communications Remarks
____________________________________________________________________ .........................................
S 5.61 Suitable physical segmentation
Initiation responsibility: Head of IT Section, IT Security Management
Implementation responsibility: Administrators
Physical segmentation involves separating the network with the help of active
and passive network components on layer 1, 2 or 3. Suitable physical
segmentation can increase availability, integrity and confidentiality. Various
types of network components can be used to perform segmentation (refer to S
5.13 Appropriate use of elements for network coupling).
Availability
The performance and bandwidth offered by a network are also considered
from the perspective of availability, which can be enhanced if the network is
separated on layer 1, 2 or 3 of the OSI model. Separation on layer 1 achieves
the smallest possible increase in the availability of the individual segments but
the highest possible throughput between them, while separation in layer 3
achieves the largest possible increase in the availability of the individual
segments but the lowest possible throughput between them.
Segmentation on layer 1 with the help of a repeater increases the availability
of the network by preventing electrical errors in one segment from affecting
the remaining segments.
Example: In a network consisting of two thinwire Ethernet segments linked
together via a repeater, the absence of a terminator in one segment does not
affect the functionality of the other segment.
electric defective segment
Figure 1: Electrical separation of segments with a repeater in order to increase
availability
What applies to repeaters here also holds true for bridges and switches, as they
cover layer 1 as well. In addition to this function, faulty data packets on layer
2 and collisions are isolated in one segment. The segments are also relieved,
as data packets can be forwarded systematically between them. It must be
ensured that the bridge or switch in use has a sufficiently high capacity (filter
and transfer rates), to allow the data traffic between the segments to be
processed without any major delays.
Generally, bridges and switches operate on layer 2 of the OSI model. To set
up the connection matrix, these components evaluate the MAC addresses of
the involved systems in the respective segments. Some manufacturers also
offer switches which operate on layer 3, for example, using the IP address to
set up the connection matrix. In both cases, setup is performed automatically,
although certain models also allow manual intervention. Some manufacturers
additionally offer the possibility of setting up the connection matrix manually
____________________________________________________________________ .........................................
IT-Baseline Protection Manual: Oktober 2000
t
electric uninfluenced segment