S 2.204 Prevention of insecure network access

Initiation responsibility: Head of IT, IT Security Officer

Implementation responsibility: Administrator, Auditor

Every insecure access point to a network constitutes a serious security gap. Therefore all communication with the internal network must, without exception, pass through a secure access channel. This can be, for example, a firewall (see module S 3.1 Security gateway (firewall)).

Rules must be enacted specifying that no other external connections may be established that bypass the firewall. All users must be informed of the dangers associated with creating "wild", i.e. unchecked, access routes, e.g. via modems that employees bring in from home.

All external network access should be logged centrally (see module S 4.1 Heterogeneous networks). In addition, spot checks should be carried out to establish whether further network access routes have been set up via modems or by any other means. For example, the organisation's own telephone number ranges can be dialled automatically and checked to see whether a data transmission facility answers the call.
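One form such a spot check can take on individual Linux hosts is an inventory of the network interfaces present and a comparison against the list of approved ones. The following script is an added example, not part of the original safeguard text: it parses the output of `ip -o link show`, flags interface types that indicate a dial-up, tunnel, radio or infrared access route, and reports any that are not on the approved list. The interface-name prefixes, the approved-interface set and the sample output are assumptions made for the illustration.

```python
import re
import subprocess

# Interface-name prefixes that indicate an access route other than the
# approved wired LAN. Assumption: names follow the usual Linux kernel/udev
# conventions; adjust for the naming scheme in use on your hosts.
SUSPECT_PREFIXES = {
    "ppp": "dial-up / modem (PPP)",
    "wwan": "mobile broadband (WWAN)",
    "wlan": "wireless LAN",
    "wl": "wireless LAN",
    "irda": "infrared (IrDA)",
    "bnep": "Bluetooth PAN",
    "tun": "tunnel / VPN",
    "tap": "tunnel / VPN",
}

# Matches the start of an `ip -o link show` line: "<idx>: <name>[@parent]: <FLAGS> ..."
LINK_RE = re.compile(r"^\d+:\s+(?P<name>[^:@\s]+)(?:@\S+)?:\s+<(?P<flags>[^>]*)>")

# Constructed sample output (trailing link-layer details omitted).
SAMPLE = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT
3: wlan0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN mode DEFAULT
4: ppp0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN mode DEFAULT
5: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN mode DEFAULT
"""


def parse_ip_link(output):
    """Parse `ip -o link show` output into a list of (name, set-of-flags)."""
    links = []
    for line in output.splitlines():
        m = LINK_RE.match(line)
        if not m:
            continue  # skip anything that is not a link line
        flags = {f for f in m.group("flags").split(",") if f}
        links.append((m.group("name"), flags))
    return links


def classify(name):
    """Return a description if the interface name points to a suspect access route."""
    for prefix, description in SUSPECT_PREFIXES.items():
        if name.startswith(prefix):
            return description
    return None


def find_unapproved_routes(output, approved):
    """List suspect interfaces that are not on the approved set.

    Each finding records the interface, what kind of route it is and whether
    the link is administratively up (the UP flag), so an active dial-up or
    wireless link can be prioritised over a merely present one.
    """
    findings = []
    for name, flags in parse_ip_link(output):
        if name == "lo" or name in approved:
            continue
        kind = classify(name)
        if kind is None:
            continue  # ordinary wired interface, not of interest here
        findings.append({"interface": name, "kind": kind, "up": "UP" in flags})
    return findings


def main():
    # Assumed approved list for this host; in practice this comes from the
    # central inventory of approved data transmission facilities.
    approved = {"eth0", "tun0"}
    try:
        output = subprocess.run(["ip", "-o", "link", "show"],
                                capture_output=True, text=True, check=True).stdout
    except (FileNotFoundError, subprocess.CalledProcessError):
        output = SAMPLE  # fall back to the constructed sample when `ip` is unavailable
    for f in find_unapproved_routes(output, approved):
        state = "UP" if f["up"] else "down"
        print(f"unapproved access route: {f['interface']} ({f['kind']}, {state})")


if __name__ == "__main__":
    main()
```

Run against the sample, the check reports `wlan0` (wireless LAN, down) and `ppp0` (dial-up, up), while `tun0` is accepted because it is on the approved list. Such a host-level check complements, but does not replace, the telephone-side test described above: a modem attached to a workstation that is not currently connected will not appear as a `ppp` link.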

Data transmission should be properly controlled in all organisations. All data transmission facilities should be approved and their use should be subject to clear rules and procedures. This concerns not only routers, modems and ISDN cards, but also infrared or radio interfaces. In particular, the following points should be specified:

In this context, examples can be found in S 2.61 Provisions governing modem usage or S 2.179 Procedures controlling the use of fax servers.

Review questions: