S 2.139 Survey of the existing network environment

Initiation responsibility: Head of IT, IT Security Officer

Implementation responsibility: Administrator

The survey of the existing network environment is a prerequisite for a targeted security analysis of the existing network. It is also required for the expansion of an existing network. When planning networks, the items described below must be taken into consideration during the design phase.

For this, a survey of the following aspects, some of which build on one another, together with supplementary documentation, is required:

In the individual steps, the following must primarily be recorded:

Survey of the network topography

The physical structure of the network must be recorded for the survey of the network topography. In this, it makes sense to use the spatial conditions under which the network is designed as a basis. A plan containing

must be drawn up and/or updated. In order to maintain this plan, it makes sense to use a corresponding support tool (e.g. CAD programs, specific tools for network plans, cable management tools in connection with system management tools, or similar). These plans must be updated consistently in the event of conversions or expansions and unambiguous and comprehensible documentation must be provided (see also S 1.11 Plans detailing the location of supply lines and S 5.4 Documentation and labelling of cables).

Survey of the network topology

The logical structure of the network must be considered for the survey of the network topology. For this, the segmentation of the individual OSI layers and possibly the VLAN structure must be recorded.

Using the representation of the network topology, it must be possible to determine the active network components that can be used in order to establish a connection between any two terminal devices. Additionally, the configurations of the active network components used for forming the segments must be documented. This may include the configuration files for logical segmentation and the specific configuration of the network components for physical segmentation.

Survey of the network protocols used

Referring to the selected segmentation of the network, the network protocols used in the individual segments and the correspondingly required configurations (e.g. the MAC addresses, the IP addresses, and the subnet masks for the IP protocol) must be determined and documented. At this point, it should also be documented which services are admissible (e.g. HTTP, SMTP, Telnet) and which services are filtered according to which criteria.
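The per-segment configuration described above (subnet masks, MAC and IP addresses, admissible services) is only useful as documentation if it is internally consistent. The following is an added example, not part of the safeguard text, that checks a constructed survey record for the most common inconsistencies; the segment names, addresses and service labels are assumed sample data.

```python
import ipaddress

# Constructed sample survey records (assumption, not data from the safeguard):
# two segments with their subnet and admissible services, and the hosts
# documented in them.
SEGMENTS = {
    "office": {"subnet": "10.1.0.0/24", "admissible": {"HTTP", "SMTP"}},
    "server": {"subnet": "10.2.0.0/24", "admissible": {"HTTP", "SMTP", "SSH"}},
}
HOSTS = [
    {"name": "ws01", "segment": "office", "mac": "00:11:22:33:44:01",
     "ip": "10.1.0.10", "services": {"HTTP"}},
    {"name": "ws02", "segment": "office", "mac": "00:11:22:33:44:01",
     "ip": "10.2.0.11", "services": {"HTTP"}},
    {"name": "srv01", "segment": "server", "mac": "00:11:22:33:44:03",
     "ip": "10.2.0.5", "services": {"HTTP", "TELNET"}},
]


def check_survey(segments, hosts):
    """Return findings where the documented protocol configuration is
    inconsistent: an IP outside its segment's subnet, a duplicate MAC
    address, or a service offered that the segment does not list as
    admissible. An empty list means the record is consistent."""
    findings = []
    seen_macs = {}
    for host in hosts:
        seg = segments[host["segment"]]
        net = ipaddress.ip_network(seg["subnet"])
        # IP address must lie within the subnet documented for the segment.
        if ipaddress.ip_address(host["ip"]) not in net:
            findings.append(
                f"{host['name']}: IP {host['ip']} not in "
                f"{host['segment']} subnet {net}")
        # MAC addresses must be unique across the survey.
        mac = host["mac"].lower()
        if mac in seen_macs:
            findings.append(
                f"{host['name']}: MAC {mac} duplicates {seen_macs[mac]}")
        else:
            seen_macs[mac] = host["name"]
        # Every offered service must be admissible in that segment.
        for svc in sorted(host["services"] - seg["admissible"]):
            findings.append(
                f"{host['name']}: service {svc} not admissible "
                f"in {host['segment']}")
    return findings
```

Running the check on the sample record reports three findings (ws02's IP outside its segment, ws02's MAC duplicating ws01, and Telnet on srv01 not being admissible); the same check can be run after every network change to keep the survey documentation current.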

Survey of the communication transitions in the LAN and WAN

The communication transitions in the LAN and WAN must be described, unless they are already contained in the drawn up documentation. The following must be described for every communication transition between two networks:

This also includes the documentation of the WAN protocols used (e.g. ISDN, X.25). When using a firewall (see module S 3.1 Security gateway (firewall)), its configuration (e.g. filter rules) must additionally be documented.

Survey of the network performance and the traffic flow

The network performance must be measured and the traffic flow in and between the segments or sub-networks must be analysed. The corresponding measurements must be performed for every network protocol used.

The most recently performed surveys must be repeated after any changes to the network situation. The documentation drawn up within the framework of the surveys must be stored in such a way that it is protected against unauthorised access on the one hand, but available to the Security Management or the Administrators at any time, on the other hand.

Review questions: