IT Baseline Protection Manual - The Information Warfare Site

Safeguard Catalogue - Communications Remarks
____________________________________________________________________ .........................................
particularly in the case of network components which can be configured
automatically, such as bridges and switches. Only this ensures that the data
packets of a logical group actually remain in the corresponding physical
segment. In the case of bridges / switches which allow a configuration of the
conceivable links on the port level (port switching), manual control of link
establishment on layer 1 is also possible.
Example: Systems which allow the connection of terminals to a network
(terminal servers) and systems to be accessed from the terminal servers need
to be assigned to a segment separated from the rest of the network by means
of a bridge. Only this prevents passwords transferred from the terminal server
to the addressed system from being tapped and, possibly, modified from
another segment.
Terminal-Server
File-Server
t f f d
Figure 4: Separation into segments with a bridge in order to enhance integrity
and confidentiality
Furthermore, network components should be selected and dimensioned
appropriately in order to ensure that neither an overload nor a failure of these
components will result in a loss or corruption of data packets.
Additional controls:
- Has physical segmentation been considered as part of the design of the
local network?
- Have requirements concerning availability (particularly in terms of
performance), confidentiality and integrity been ascertained and taken into
account?
____________________________________________________________________ .........................................
IT-Baseline Protection Manual: Oktober 2000
access to file services
bridge