IT Baseline Protection Manual - The Information Warfare Site

Safeguard Catalogue - Organisation Remarks
____________________________________________________________________ .........................................
S 2.146 Secure operation of a network management
system
Initiation responsibility: Head of IT Section, IT Security Management
Implementation responsibility: Administrators
For the secure and reliable operation of a network management tool or a
complex network management system composed, for example, of several
different network management tools, a secure configuration of all the
components involved should be ensured. These components include the
operating systems on which the network management system is executed, the
external databases usually required for the network management system, the
protocol in use (refer to S 2.144 Selection of a suitable network management
protocol) and the active network components themselves. Before a network
management system is put into operation, the requirements for preparing and
implementing a network management concept should be determined (refer to
S 2.143 Development of a network management concept).
The following items must be observed in particular:
- To prevent network management information from being intercepted or
modified, the computer on which the network management console is
operated must be protected appropriately. Measures here include, for
example, installation in a specially protected room, the use of screen locks,
password protection for the network management console, and further
security mechanisms offered by the underlying operating system.
- Safeguard S 2.144 Selection of a suitable network management protocol
should be taken into account in order to ensure secure operation. In
particular, the reading of MIBs and other information by unauthorised
persons should be prevented by appropriately configuring the active
network components on the basis of the protocol in use (refer to S 4.80
Reliable access mechanisms for remote administration and S 4.82 Secure
configuration of active network components).
- If network management functions are performed decentrally in accordance
with the client / server model or through the use of X-Windows
technology, their secure operation must also be ensured.
- The integrity of the software in use must be tested at regular intervals in
order to allow a timely detection of any unauthorised modifications.
- The response of the network management system in the event of a system
crash must be tested. In particular, it should be possible to perform an
automatic restart in order to minimise the time interval over which the local
network is not monitored. The network management database must not be
damaged by a system crash, and must be available again following a
restart, as the configuration data it contains are essential for the operation
of the network management system. For this reason, these data require
special protection, firstly in order to ensure their availability, and secondly
in order to prevent the utilisation of old or faulty configuration data
following a restart which may have been perpetrated by an intruder
____________________________________________________________________ .........................................
IT-Baseline Protection Manual: Oktober 2000