S 2.300 Secure withdrawal from operation or replacement of components of a security gateway
Initiation responsibility: Head of IT, IT Security Officer
Implementation responsibility: Administrator
If any components of the security gateway are to be taken out of operation or replaced, all security-related information must be deleted from the devices. This applies especially where the components are discarded and passed on to third parties (e.g. sold) or where a device is sent to the vendor or a service company for replacement under warranty or repair, but it also applies where the device continues to be used internally or is scrapped.
Depending on the purpose of the components, the following information and data may be stored on the devices, for example:
- configuration files, from which information can be deduced about the network structure of the organisation (e.g. IP addresses, routing tables, SNMP community strings, access control lists and similar)
- password files
- log files containing security-related information or personal data
- user data, for example from the web cache or e-mail spool directories
- potentially dangerous files (malware) from "quarantine directories"
- certificates and keys (e.g. SSL certificates for SSL proxies or keys for access with SSH)
Due to the sensitivity of this information, care should be taken to ensure that these files are deleted or rendered unreadable before defective or outdated devices are removed from operation or replaced. After deleting the data, check that the deletion was actually successful. The procedure to follow depends greatly on the type and purpose of the device. The security policy for the security gateway should define the responsibilities in this area.
Depending on the device and purpose for which it has been used, the relevant files may be distributed over several directories. For example, in the case of application-level gateways (ALGs), the various configuration files are usually stored in a different place from the cache files, spool and quarantine directories. Before taking the equipment out of operation it is therefore necessary to determine what security-relevant files are stored where.
For "normal" computers that were used as components of a security gateway, the hard disks should be erased with a suitable tool so that it is impossible to restore the files after deletion. This can be accomplished, for example, by booting the computer from an external boot medium and overwriting the hard disks with random data. It is recommended in this case to repeat the overwriting process several times.
For appliances, the procedure used depends on whether a hard disk is installed in the device or if the data is stored on a non-volatile storage medium. The devices often provide a "factory reset" option that can be used to reset all configuration settings to the values set at the factory before delivery. You should still check if the data has actually been deleted or reset and if certain data or files are still present after performing a "factory reset".
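The overwrite-and-verify procedure described above (random data, several passes, then a check that the data is really gone) as an added shell example; it is not part of the BSI text. It assumes a POSIX shell with dd, grep -a, head -c and /dev/urandom, uses blockdev(8) only on Linux block devices, and takes the markers to search for (e.g. an SNMP community string or an internal IP address from the old configuration) as constructed arguments.

```shell
#!/bin/sh
# Added example: overwrite a disk image or block device with random data
# for several passes, then verify that known markers from the old
# configuration can no longer be found on it.
# Caveat: overwriting is only reliable for magnetic disks; flash media
# (appliances, SSDs) remap blocks, so data may survive in blocks the wipe
# never touched and physical destruction may be required instead.

# Byte size of a regular file or (Linux) block device.
device_size() {
    if [ -b "$1" ]; then blockdev --getsize64 "$1"; else wc -c < "$1" | tr -d ' '; fi
}

# Return 1 as soon as one of the given plaintext markers is still present.
verify_wiped() {
    dev="$1"; shift
    for marker in "$@"; do
        if grep -a -q -- "$marker" "$dev"; then
            echo "still present on $dev: $marker" >&2
            return 1
        fi
    done
    return 0
}

# Overwrite every byte of $1 with data from /dev/urandom, $2 times (default 3).
wipe_device() {
    dev="$1"; passes="${2:-3}"
    size=$(device_size "$dev") || return 1
    pass=1
    while [ "$pass" -le "$passes" ]; do
        # conv=notrunc keeps the target size; dd's transfer summary is discarded.
        head -c "$size" /dev/urandom | dd of="$dev" bs=1048576 conv=notrunc 2>/dev/null || return 1
        sync
        pass=$((pass + 1))
    done
    return 0
}

# Usage: sh wipe_and_verify.sh /dev/sdX PASSES [MARKER ...]
if [ "$#" -ge 2 ]; then
    dev="$1"; passes="$2"; shift 2
    wipe_device "$dev" "$passes" && verify_wiped "$dev" "$@" && echo "wipe of $dev verified"
fi
```

Run it from an external boot medium against the disk of the decommissioned component, never against a mounted system disk.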
If information particularly critical to security is stored on the device and it cannot be guaranteed with sufficient certainty that the data really was deleted, then it may be necessary to physically destroy the memory modules or hard disks and/or to make them unusable.
In addition to checking the information stored on the device itself, the backup media should also be checked to determine whether they contain sensitive information. Unless the backup media must be retained for some other reason (for example for archiving purposes or mandatory retention under legal regulations), they should also be erased after the device has been taken out of operation.
The components of security gateways are often labelled on the outside with IP addresses, host names or other technical information. These labels should also be removed before disposal.
Review questions:
- Is all security-related information on the device completely deleted when the security gateway or one of its components is taken out of operation or replaced?
- Does the security policy define who is responsible for discarding the security gateway and its components?
- If the backup media of security gateway components are no longer required: Is the sensitive information on the backup media completely deleted?
- Are any labels on the security gateway components removed before the components are discarded?