S 1.43 Secure installation of active network components

Initiation responsibility: Head of IT, IT Security Officer, Planner

Implementation responsibility: Administrator, Building Services Manager

In order to ensure manipulation-proof operation of a network, it is necessary to operate active network components (such as routers, switches, ISDN routers) in a secure environment. This may either be a server room (see module S 2.4 Server room) or, if no separate server room is available, a server cabinet (see module S 2.7 Protective cabinets). No unauthorised persons must gain unattended access to the installation site of the devices.

It should be taken into consideration that manufacturers of protective cabinets often use standard locks so that all cabinets may be opened with any key of the cabinet manufacturer. Therefore, it may be necessary to replace the standard lock of a protective cabinet with an individual lock.

Moreover, the devices should be installed in such a way that they are protected against electromagnetic and magnetic fields. Additionally, they should be equipped with control mechanisms which signal if admissible tolerances for moisture and temperature are exceeded.

Protecting routers and switches against unauthorised access is also important, since password recovery procedures for resetting passwords are known for many devices which mostly require physical access to the devices (console connection). Often, the devices are also equipped with PCMCIA slots: The corresponding PCMCIA cards may be used for general storage of data and offer a convenient option for exchanging configuration data, for performing updates, or for installing image files.

The serial console interface (RS-232 port) allows connection of a PC or terminal in order to perform administration or configuration work. The password for accessing the console must be stored in writing at a safe location (see also S 2.22 Escrow of passwords).

Additionally, the risks of theft, vandalism, and unauthorised shutdown of the device must be minimised.

Review questions:

• Are network components such as routers and switches operated in a secure environment?
• Have the passwords for accessing the consoles of the network components been stored in writing at a safe location?
• Have safeguards been taken in order to avoid risks caused by impairments of the application environment (e.g. moisture, temperature), theft, vandalism, and unauthorised shutdown of the network components?