IT Baseline Protection Manual - The Information Warfare Site

Safeguard Catalogue - Organisation Remarks
____________________________________________________________________ .........................................
from
internal mail server
internal DNS server
to
IT system with
IP address 1.2.3.5
IT system with
IP address 1.2.30.7
IT system with
IP address 1.2.5.*
IT system with
IP address 1.20.6.*
Appl. Gateway
____________________________________________________________________ .........................................
IT-Baseline Protection Manual: Oktober 2000
Ä
Ä
TCP > 1023
ÄÄÄÄÄÄ
TCP: 20,21
TCP > 1023
ÄÄÄÄÄÄ
TCP: 23
TCP > 1023
ÄÄÄÄÄÄ
TCP: 23, 80
TCP > 1023
ÄÄÄÄÄÄ
TCP: 80
Screend-Subnet
external DNS
server
Ä
UDP: 53
ÄÄÄÄÄÄ
UDP: 53
Ä
Ä
Ä
Ä
external mail
server
TCP > 1023
ÄÄÄÄÄÄ
TCP: 25
This means that the internal mail server with TCP from a port with a port
number > 1023 has access to port 25 (SMTP) of the external mail server in
the screened sub-net. Ports with a port number > 1023 are also named as
non-privileged ports, as opposed to ports with lower port numbers, which
are named as privileged, as only privileged users (those with root
authorisations) are entitled to establish connections with these ports.
This table must then be transformed into appropriate filter rules. This is
frequently not simple and must therefore be checked precisely. On the basis of
regular tests, it should be ensured that all filter rules have been correctly
implemented. In particular, it must be ensured that only the services set out in
the security policy are permitted.
For the rules of an application gateway, similar tables must be established.
These tables are to be implemented in rules.
Example:
User name service command Authentication
Mrs. Example FTP RETR, STOR one-time password
Mr. Smith FTP RETR chip card
Ä
Ä
Ä
Ä
Ä