S 2.141 Development of a network concept

Initiation responsibility: Head of IT, IT Security Officer

Implementation responsibility: Administrator

In order to meet the requirements regarding availability (including bandwidth and performance), confidentiality, and integrity, the design, modification, and/or expansion of a network require careful planning. This is ensured by drawing up a network concept.

The process of drawing up a network concept can be divided into an analytic and a conceptual part:

Analysis

First, it must be distinguished whether an existing network is to be expanded and/or modified or whether the network is to be created from scratch.

In the first case, the safeguards S 2.139 Survey of the existing network environment and S 2.140 Analysis of the existing network environment must be implemented. These safeguards are not applicable to the second case. Instead, the network communication requirements must be determined and the protection requirements of the new network must be defined.

In order to determine the communication requirements, the data and traffic flow to be expected in the future between the logical or organisational units must be determined, since the expected load influences the segmentation of the future network. The required logical and/or physical communication links (referring to services, users, or groups) must also be determined, as must the communication transitions for LAN/LAN connections or connections via a WAN.

The protection requirements of the network are derived from those of the planned or already existing IT procedures. This information is used to deduce physical and logical segment structures so that these requirements (e.g. regarding confidentiality) can be taken into account when implementing the network. For example, the protection requirements of an IT application determine the future segmentation of the network.

Ultimately, an attempt must be made to reconcile the derived communication links with the protection requirements. It may be necessary to restrict the communication links in order to meet the determined protection requirements.

Finally, the available resources must be determined. This includes both the personnel resources necessary to create and implement a concept and/or to operate the network, and the financial resources required to accomplish this. The results must be documented accordingly.

Conception

Based on the points of view mentioned above, on a plan which incorporates future requirements (e.g. regarding bandwidth), and taking the local circumstances into consideration, the network structure and the general conditions to be observed must be developed in accordance with the following steps and documented in the concept.

The network concept is drawn up in a similar way to S 2.139 Survey of the existing network environment and accordingly consists, as a matter of principle, of the following steps, whereby it is not possible to strictly adhere to the order of the steps mentioned below in every case. In some parts, the results obtained from the steps influence each other, so that the intermediate results must be reviewed and consolidated at regular intervals.

The following activities must primarily be performed in the individual steps:

Step 1 - Conception of the network topography and topology

Based on the analysis situation (see above) and the specific structural circumstances, an appropriate network topography and topology must be selected (see also S 5.60 Selection of a suitable backbone technology, S 5.1 Removal or deactivation of unneeded lines, S 5.2 Selection of an appropriate network topology, and S 5.3 Selection of cable types appropriate in terms of communications technology). Future requirements such as scalability must also be taken into consideration at this point. The conception drawn up this way must be documented (wiring diagrams, etc.).

Based on the determined requirements and the data flow to be expected and/or determined, an appropriate physical and logical segmentation must be performed when designing the network topography and topology (see S 5.61 Suitable physical segmentation, S 5.62 Suitable logical segmentation, and S 5.13 Appropriate use of equipment for network coupling).

Step 2 - Conception of the network protocols

The network protocols to be used must be selected and designed accordingly in this step. This includes, for example, the creation of an addressing scheme and the formation of subnets for the IP protocol. When selecting the network protocols, it must be taken into consideration that they must be supported by the network topology and by the planned or existing active network components.
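The following worked example is added here and is not part of the safeguard text. It illustrates how the segmentation derived from the protection requirements in Step 1 and the IP addressing scheme of Step 2 can be planned together: each logical segment from the analysis phase receives its own subnet, allocated largest-first from a single address block so that the space does not fragment, and the pairs of segments with differing protection requirements are listed, since traffic between them crosses a boundary that Step 3 must equip with a controlled coupling element. The segment list, host counts, protection labels and the 10.0.0.0/16 block are constructed sample input, not values from the catalogue.

```python
import ipaddress

# Constructed sample input (hypothetical): segments identified in the analysis
# phase, each with an expected host count and a protection requirement label.
SEGMENTS = [
    {"name": "office-clients", "hosts": 180, "protection": "normal"},
    {"name": "hr-clients", "hosts": 25, "protection": "high"},
    {"name": "servers", "hosts": 60, "protection": "high"},
    {"name": "management", "hosts": 10, "protection": "very high"},
    {"name": "printers", "hosts": 20, "protection": "normal"},
]


def prefix_for_hosts(hosts: int, reserve: int = 2) -> int:
    """Smallest IPv4 prefix length whose block holds `hosts` usable addresses.
    The network and broadcast addresses are unusable, hence `reserve`."""
    needed = hosts + reserve
    size = 4  # a /30 is the smallest block with usable host addresses
    while size < needed:
        size *= 2
    return 32 - (size.bit_length() - 1)


def allocate_subnets(block: str, segments):
    """Allocate non-overlapping subnets from `block`, largest segment first,
    always carving from the smallest free block that still fits (buddy style).
    Returns {segment name: IPv4Network}; raises ValueError if space runs out."""
    free = [ipaddress.ip_network(block)]
    plan = {}
    for seg in sorted(segments, key=lambda s: s["hosts"], reverse=True):
        prefix = prefix_for_hosts(seg["hosts"])
        candidates = [n for n in free if n.prefixlen <= prefix]
        if not candidates:
            raise ValueError(f"block {block} exhausted at segment {seg['name']}")
        chosen = min(candidates, key=lambda n: n.num_addresses)
        free.remove(chosen)
        if chosen.prefixlen == prefix:
            net = chosen
        else:
            # take the first piece of the required size, return the remainder
            net = next(chosen.subnets(new_prefix=prefix))
            free.extend(chosen.address_exclude(net))
        plan[seg["name"]] = net
    return plan


def check_plan(plan) -> bool:
    """Verify that no two allocated subnets overlap."""
    nets = list(plan.values())
    for i, a in enumerate(nets):
        for b in nets[i + 1:]:
            if a.overlaps(b):
                return False
    return True


def coupling_points(segments):
    """Pairs of segments whose protection requirements differ. Traffic between
    them crosses a segment boundary that needs a controlled coupling element
    (router with filtering, security gateway) rather than flat connectivity."""
    pairs = []
    for i, a in enumerate(segments):
        for b in segments[i + 1:]:
            if a["protection"] != b["protection"]:
                pairs.append((a["name"], b["name"]))
    return pairs


if __name__ == "__main__":
    plan = allocate_subnets("10.0.0.0/16", SEGMENTS)
    for name, net in plan.items():
        print(f"{name:16s} {net}")
    print("non-overlapping:", check_plan(plan))
    print("boundaries needing a coupling element:", coupling_points(SEGMENTS))
```

Documenting the output of such a plan (segment, subnet, protection requirement, and the boundaries that require a coupling element) directly yields the addressing table and the list of transitions that Steps 2 and 3 of the concept must cover.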

Step 3 - Conception of the communication transitions in the LAN and WAN

Based on the determined data flow across communication transitions and the requirements regarding security and availability, the communication transitions can be designed in this step. This includes the selection of appropriate coupling elements (see S 5.13 Appropriate use of equipment for network coupling), but also the secure configuration of these elements (see modules S 3.1 Security gateway (firewall) and S 4.82 Secure configuration of active network components).

Additional steps

Based on the network concept drawn up, the safeguards for drawing up a network management concept can now be implemented (see S 2.143 Development of a network management concept, S 2.144 Selection of a suitable network management protocol, and S 2.145 Requirements for a network management tool) and an implementation plan can be drawn up according to S 2.142 Development of a network realisation plan.

Review questions: