T 2.98 Incorrect planning and design of the use of routers and switches

When planning the use of active network components, the prominent factors are usually functionality and performance. If the operation of routers and switches, which are central elements of any network, is not covered by the company-wide security concept, the secure use of these components cannot be ensured.

Errors made when planning the use of routers and switches usually fall into one of the following categories:

Insufficient consideration of the intended use of devices

When planning the use of routers and switches, the intended use of these components is crucial. Often the intended use of the components is not sufficiently taken into account at the planning stage, e.g. in the use of VLANs. Contrary to statements often made in advertising, VLANs were not developed to meet security requirements involved in the separation of networks. VLANs offer numerous points of attack (for example, a host attached to a port that still negotiates trunking, or double-tagged frames sent across a trunk whose native VLAN is also used for access ports, can reach VLANs other than its own), so that additional safeguards must always be implemented, particularly where networks requiring protection are to be separated.

Errors may also occur when the use of routing protocols is planned. If routers in demilitarised zones (DMZs) accept dynamic routing updates on DMZ-facing interfaces, a compromised host in the DMZ can inject or alter routes and thereby redirect or drop traffic; the use of dynamic routing protocols there may thus jeopardise the availability, confidentiality and integrity of the network requiring protection.

Insufficient consideration of security mechanisms

The existing security mechanisms (both in the existing network and in the network components to be used) are frequently not taken into account sufficiently during planning. For example, additional measures may be necessary if a device does not support certain security mechanisms. If this is not taken into account during the planning phase, problems arise later, once the need becomes apparent and the installed infrastructure cannot accommodate it.

One important point which is often not considered during planning, for example, is the setting up of a separate administration network (out-of-band management). If the selected or existing devices only support protocols that transmit credentials and data in clear text, such as SNMPv1, SNMPv2 (v2c) or Telnet, it is imperative that an administration network is set up. In many cases this requirement is not addressed, with the consequence that, in some circumstances, there are difficulties setting up the administration network later because the required connections (cabling, spare ports, address ranges) are not available.
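The two planning errors above (VLANs used as the only separation, and management protocols that need an out-of-band network) both show up in a device configuration before the network goes live. The following audit script is an added example and is not part of the BSI catalogue or of any vendor tool. It parses an IOS-style configuration (the command syntax is Cisco IOS; the host name, interface names, VLAN numbers, the MGMT-ONLY access list and all passwords are constructed placeholders) and reports SNMPv1/v2c community strings, Telnet on the vty lines, vty lines not restricted to a management network, ports that still negotiate trunking (DTP), and trunks whose native VLAN is 1. Both sample configurations are constructed for this example.

```python
"""Audit an IOS-style router/switch configuration for planning errors:
clear-text management protocols and VLAN trunk negotiation.
Added example; the syntax is Cisco IOS, the sample configs are constructed."""

from typing import Dict, List, Tuple

# Constructed "before" configuration: hypothetical DMZ switch, not a real device.
WEAK_CONFIG = """\
hostname dmz-sw1
snmp-server community public RO
snmp-server community private RW
ip ssh version 2
line vty 0 4
 transport input telnet ssh
interface GigabitEthernet0/1
 switchport mode dynamic desirable
interface GigabitEthernet0/2
 switchport trunk native vlan 1
 switchport mode trunk
interface GigabitEthernet0/3
 switchport mode access
 switchport access vlan 10
"""

# Constructed "after" configuration: SNMPv3 authPriv, SSH only, vty restricted to
# the (assumed) management network 10.255.0.0/24, DTP disabled, unused native VLAN.
HARDENED_CONFIG = """\
hostname dmz-sw1
ip access-list standard MGMT-ONLY
 permit 10.255.0.0 0.0.0.255
snmp-server group NETMON v3 priv
snmp-server user monitor NETMON v3 auth sha AuthPassw0rd priv aes 128 PrivPassw0rd
ip ssh version 2
line vty 0 4
 transport input ssh
 access-class MGMT-ONLY in
interface GigabitEthernet0/1
 switchport mode access
 switchport nonegotiate
interface GigabitEthernet0/2
 switchport trunk native vlan 999
 switchport mode trunk
 switchport nonegotiate
interface GigabitEthernet0/3
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
"""


def parse_sections(config: str) -> List[Tuple[str, List[str]]]:
    """Split the config into (header, indented body lines) blocks.
    A line without leading whitespace starts a block; indented lines belong to it."""
    sections: List[Tuple[str, List[str]]] = []
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue  # skip blank lines and comments
        if raw[0].isspace():
            if sections:
                sections[-1][1].append(raw.strip())
        else:
            sections.append((raw.strip(), []))
    return sections


def audit(config: str) -> List[Dict[str, str]]:
    """Return one finding per planning error detected in the configuration."""
    findings: List[Dict[str, str]] = []

    def add(where: str, rule: str, detail: str) -> None:
        findings.append({"where": where, "rule": rule, "detail": detail})

    for header, body in parse_sections(config):
        if header.startswith("snmp-server community"):
            add(header, "snmp-v1v2c",
                "community-string SNMP is clear text: needs an out-of-band "
                "management network, or replace it with SNMPv3 authPriv")
        elif header.startswith("line vty"):
            for cmd in body:
                if cmd.startswith("transport input") and "telnet" in cmd.split():
                    add(header, "telnet", "Telnet enabled on vty lines; allow ssh only")
            if not any(cmd.startswith("access-class") for cmd in body):
                add(header, "vty-unrestricted",
                    "remote management not restricted to the management network")
        elif header.startswith("interface"):
            mode = next((c.split()[2] for c in body
                         if c.startswith("switchport mode ")), None)
            if mode == "dynamic":
                add(header, "dtp-negotiation",
                    "attached host can negotiate a trunk via DTP; set access or "
                    "trunk explicitly and add 'switchport nonegotiate'")
            if mode == "trunk":
                native = next((c.split()[-1] for c in body
                               if c.startswith("switchport trunk native vlan")), "1")
                if native == "1":
                    add(header, "native-vlan-1",
                        "trunk native VLAN is 1; use an unused VLAN so double-tagged "
                        "frames from access ports are not carried untagged")
            if mode in ("access", "trunk") and "switchport nonegotiate" not in body:
                add(header, "dtp-frames",
                    "port still emits DTP frames; add 'switchport nonegotiate'")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}: {len(audit(cfg))} finding(s)")
        for f in audit(cfg):
            print(f"  [{f['rule']}] {f['where']}: {f['detail']}")
```

The weak configuration yields eight findings (two community strings, Telnet, unrestricted vty lines, one port in dynamic mode, a trunk on native VLAN 1 and two ports without `switchport nonegotiate`); the hardened one yields none. Running such a check against the configurations of the devices that are to be reused is a cheap way to find out, during planning rather than afterwards, whether an out-of-band management network has to be provided for.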

Non-existent or inadequate information and documentation

Occasionally, key information is not available during the planning phase, because no related documentation has been made available by the vendor or the relevant documents are not taken into consideration. Poor decisions made on the basis of inadequate documentation are often difficult to reverse if it becomes apparent, for example, that a device does not support certain functions at all or only offers inadequate support.