S 2.106 Purchase of suitable ISDN cards

ISDN cards which have been selected for purchase should offer all security functions which might be required, so as to prevent unnecessary expenses in future. These security functions should either be an integral part of the card, or realisable with the help of the accompanying communications software and driver programs.

Possible criteria for selecting a suitable ISDN card include:

• capability to perform authentication via PAP and CHAP (Password Authentication Protocol and Challenge Handshake Authentication Protocol, RFC 1994),
• availability of a hardware-based or software-based encryption procedure (symmetric/asymmetric);
• option of evaluating CLIP call numbers (Calling Line Identification Presentation) for the purpose of authentication;
• possibility of maintaining a table of call-numbers for performing callbacks; and
• possibility of logging unsuccessful attempts to establish a link (refusal due to incorrect authentication of call numbers or PAP/CHAP).

Furthermore, the ISDN cards must be checked for functions which would impair operational security. If any such functions are found to exist, they should at least be deactivated through appropriate configuration. This includes, for example, the remote control functionality which allows an establishment of direct communications with the IT system via the public network.

The security-relevant requirements of the ISDN cards relevant for the institution and the operational environment should be identified and forwarded to the purchasing department.

ISDN cards with the greatest possible number of identical security functions should be used on the IT systems requiring such cards as well as the network gateways (e.g. ISDN routers). If this is not ensured, security functions required on both sides will not show the desired effect.