T 3.28 Inadequate configuration of active network components
An inadequate configuration of the network components may result in a loss of availability of the network or parts thereof, in a loss of confidentiality of the information, or in a loss of data integrity. Here, the following misconfigurations may be differentiated:
- Active network components used for forming VLANs (virtual LANs) logically segment the network. In the event of a misconfiguration, the communication within a VLAN, between individual VLANs, or between all VLANs may be interrupted. Depending on the VLAN strategy of the corresponding manufacturer, this refers to the assignment of communicating systems to the same VLANs on the one hand and, on the other hand, VLAN routing, if this is supported by the active network components.
Example: For VLANs only able to communicate with each other via routers, the central infrastructure servers, e.g. those providing file and printing services, are not assigned simultaneously to the VLANs of the workplace systems, and no routers are present either. In this case, some workplace systems cannot use the central infrastructure servers' services, since those servers are located in an unreachable sub-network.
- A network may be structured into sub-networks by using routers. The routers must be configured accordingly in order to allow communication between the sub-networks, i.e. they must provide the routes between the different sub-networks in routing tables. Routing tables may be managed statically or dynamically. In both cases, communication between different sub-networks is not possible if the routing tables do not contain a route between the corresponding sub-networks. Accordingly, misconfigurations may occur due to an erroneous definition of static routing tables or due to an incorrect configuration of the routing protocols (e.g. RIP or OSPF) used for automatically synchronising dynamic routing tables.
Example: A router-to-router connection is configured by means of a static entry of the corresponding IP addresses. If the IP address of one of the routers is changed, or another router is interposed, this communication route is no longer available.
- Active network components capable of filtering protocols or network addresses may use this capability to block the communication of certain protocols or the communication between systems with certain network addresses. A misconfiguration of the corresponding filters may result in an undesired inhibition of communication, depending on which filter is misconfigured and on the type of misconfiguration.
Likewise, misconfigured filters may permit connections which offer intruders the opportunity to perform attacks against IT systems in the protected network. Depending on the type of attack, this may result in a loss of availability of individual network components or even of the entire network. Moreover, data packets may be redirected and/or modified or read as a result of manipulated connection routes, for example:
- A multiport repeater is configured in such a way that only systems with certain MAC addresses can be connected to certain ports. After the network card in one of the terminal devices has been replaced, and its MAC address has therefore changed, this system is no longer able to establish a connection to the network (loss of availability).
- An inappropriate configuration of active network components (particularly of VLANs or filter rules) may result in broadcast domains becoming unnecessarily large or in the formation of unnecessary communication links. This way, unauthorised persons may be able to read confidential data.
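As an added illustration (not part of the catalogue text), the following Python script models the three misconfiguration classes above as reachability checks that an administrator could run against an exported configuration before a change: VLAN membership with or without an inter-VLAN router, static routes between sub-networks (including the case where a router's address was changed without updating its neighbour's next hop), and a MAC-based port filter after a network card was replaced. The data model, the function names and all sample addresses, VLAN ids and MAC addresses are hypothetical and constructed for this example.

```python
# Added illustration for T 3.28 (not part of the BSI catalogue): a minimal model
# of three configuration checks, run against constructed sample data.
from collections import deque
from ipaddress import ip_interface, ip_network


# --- 1. VLAN segmentation ---------------------------------------------------
# host_vlans: host name -> set of VLAN ids the host is a member of.
# routers:    router name -> set of VLAN ids that router routes between.
def vlan_reachable(host_vlans, routers, src, dst):
    """True if src can reach dst: they share a VLAN, or routers link their VLANs."""
    adjacency = {}
    for attached_vlans in routers.values():
        for vlan in attached_vlans:
            adjacency.setdefault(vlan, set()).update(attached_vlans)
    seen = set(host_vlans[src])
    queue = deque(seen)
    while queue:
        vlan = queue.popleft()
        if vlan in host_vlans[dst]:
            return True
        for neighbour in adjacency.get(vlan, ()):
            if neighbour not in seen:
                seen.add(neighbour)
                queue.append(neighbour)
    return False


# --- 2. Static routing between sub-networks --------------------------------
# routers: router name -> {"interfaces": ["addr/prefix", ...],
#                          "routes": {"dest/prefix": "next-hop address"}}
def route_reachable(routers, src_net, dst_net):
    """Follow static routes from src_net's router(s) towards dst_net.

    Returns (reachable, reason). Fails on a missing route or on a next hop
    that no longer matches any router interface (e.g. after a renumbering).
    """
    src_net, dst_net = ip_network(src_net), ip_network(dst_net)
    owner = {ip_interface(a).ip: name
             for name, r in routers.items() for a in r["interfaces"]}

    def attached(name, net):
        return any(ip_interface(a).ip in net for a in routers[name]["interfaces"])

    start = [name for name in routers if attached(name, src_net)]
    if not start:
        return False, f"no router attached to {src_net}"
    seen, queue = set(start), deque(start)
    while queue:
        name = queue.popleft()
        if attached(name, dst_net):
            return True, f"via {name}"
        next_hop = routers[name]["routes"].get(str(dst_net))
        if next_hop is None:
            continue                      # this router has no route; try others
        next_hop = ip_interface(next_hop).ip
        if next_hop not in owner:
            return False, f"{name}: next hop {next_hop} is not a router address"
        if owner[next_hop] not in seen:
            seen.add(owner[next_hop])
            queue.append(owner[next_hop])
    return False, f"no complete route from {src_net} to {dst_net}"


# --- 3. MAC-based port filter ----------------------------------------------
def port_admits(port_filter, port, mac):
    """True if mac may connect on port (ports absent from the filter are open)."""
    allowed = port_filter.get(port)
    if allowed is None:
        return True
    return mac.lower() in {m.lower() for m in allowed}


# Constructed sample data mirroring the catalogue's examples.
HOST_VLANS = {"ws1": {10}, "ws2": {20}, "fileserver": {10}}
NO_VLAN_ROUTER = {}                  # server not in VLAN 20, no router either
VLAN_ROUTER = {"r1": {10, 20}}       # corrected: r1 routes between 10 and 20

ROUTERS = {
    "r1": {"interfaces": ["10.1.0.1/24", "10.9.0.1/30"],
           "routes": {"10.2.0.0/24": "10.9.0.2"}},
    "r2": {"interfaces": ["10.2.0.1/24", "10.9.0.2/30"],
           "routes": {"10.1.0.0/24": "10.9.0.1"}},
}
# Same topology after r2's link address was changed without updating r1.
RENUMBERED = {
    "r1": ROUTERS["r1"],
    "r2": {"interfaces": ["10.2.0.1/24", "10.9.0.6/30"],
           "routes": {"10.1.0.0/24": "10.9.0.1"}},
}

PORT_FILTER = {"port1": {"00:11:22:33:44:55"}}   # MAC of the original card

if __name__ == "__main__":
    print(vlan_reachable(HOST_VLANS, NO_VLAN_ROUTER, "ws2", "fileserver"))  # False
    print(vlan_reachable(HOST_VLANS, VLAN_ROUTER, "ws2", "fileserver"))     # True
    print(route_reachable(ROUTERS, "10.1.0.0/24", "10.2.0.0/24"))
    print(route_reachable(RENUMBERED, "10.1.0.0/24", "10.2.0.0/24"))
    print(port_admits(PORT_FILTER, "port1", "aa:bb:cc:dd:ee:ff"))           # False
```

The routing check deliberately reports why a path fails (no route versus a stale next hop), because the two failures in the catalogue's example have different remedies: a missing static entry versus an entry that silently stopped matching after an address change.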