S 5.124 Network connections in meeting, event and training rooms
Initiation responsibility: Head of IT
Implementation responsibility: Building Services, Administrator
IT systems such as projectors or training computers are often installed permanently in meeting, event, and training rooms, while mobile IT systems such as laptops are also frequently brought along. Networking these IT systems with each other, with the internet, or with the organisation's intranet is often desired in such rooms.
Since third-party IT must always be regarded as untrustworthy at first, any uncontrolled connection of IT systems brought along by visitors to internal LANs must be prevented. If possible, a direct connection between brought-along and internal IT systems should be avoided as well. In this context, at least all security safeguards described in module S 5.2 Exchange of data media must be implemented.
As a matter of principle, the following types of access may be desirable:
- LAN access for all room users, without internet access
- LAN access for employees
- direct internet access for all room users
- internet access via LAN for all room users
- internet access via LAN for employees
How these different types of access must be evaluated and protected is described in the following:
From a security point of view, the best and simplest solution is to generally prevent any access to internal LANs from meeting, event, and training rooms. In the most secure case, no corresponding connections should be installed at all in order to rule out that persons not belonging to the organisation can establish a connection to the internal network.
However, this is not always possible. If internal employees must be able to access the intranet from meeting, event, and training rooms, at least the following safeguards must be taken (see S 5.122 Secure connection of laptops to local networks):
- Access to a LAN should be restricted to IT systems approved for this. For example, this should be ensured by checking the MAC addresses, by using certificates belonging to the individual computers, or with the help of user authentication.
- Meeting, event, and training rooms should be separated from the LAN by a restrictively configured packet filter in order to be able to prevent undesired communication. This way, the effects of malware possibly present on the connected computers can be reduced, amongst other things.
- It must be ensured that third parties are not able to read and/or record the data traffic when employees use the LAN. On the one hand, this can be achieved by configuring the infrastructure in such a way that the employee's connection cannot be used by further computers (e.g. by not using hubs, so that other sockets in the room do not see the traffic). On the other hand, encrypted communication may be used that can only be established after corresponding authentication of the employee.
- If possible, no Dynamic Host Configuration Protocol (DHCP) should be offered on the LAN accesses. This way, connected external computers are not automatically integrated into the network and require manual configuration (the internal computers must be pre-configured accordingly in this case). Alternatively, static DHCP that assigns the network configuration only to the internal computers identified by their MAC address would be conceivable.
However, direct internet accesses are increasingly found in meeting, event, and training rooms as well, e.g. using dedicated DSL accesses. These accesses are often labelled as internet sockets. Visitors may use them to reach their home network, for example. For security reasons, these internet accesses must not be connected directly to the intranet, so that the central security gateway cannot be bypassed. It must be ruled out that a computer is able to establish simultaneous connections to the intranet and the internet, because in that case the original hardware-based separation of the two networks would be undone. If meeting, event, and training rooms are to be connected directly to the internet, the access should be protected with a packet filter in order to protect the connected IT systems against standard attacks on open ports. Furthermore, a simple security proxy can protect the connected computers against the threats posed by active content and log accesses to websites within the limits set by data protection law.
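As an added example (not part of S 5.124 and not an official BSI configuration), the following POSIX shell script generates the configuration that implements the safeguards above for the two kinds of access: a restrictive nftables ruleset for the gateway between the meeting-room LAN sockets and the intranet (approved MAC addresses only, no DHCP pool, traffic only to an authentication/VPN gateway), a static-only dnsmasq DHCP configuration, and a separate nftables ruleset for the DSL router behind the internet sockets (outbound only, no path to any private address range). All interface names, addresses, MAC addresses and the VPN gateway are constructed assumptions.

```shell
#!/bin/sh
# Added example: generates packet-filter (nftables) and DHCP (dnsmasq) configuration
# for meeting, event and training rooms. All names and addresses are constructed.
set -u

# --- Gateway between the meeting-room LAN sockets and the intranet (assumed) ---
MEETING_IF="eth-meeting"      # sockets in the meeting/training rooms
INTRANET_IF="eth-intranet"
MEETING_NET="10.50.0.0/24"
VPN_GW="10.10.5.10"           # authentication/VPN gateway: the only intranet host reachable

# --- Separate DSL router for the sockets labelled "internet" (assumed) ---
ROOM_IF="eth-room"
DSL_IF="ppp0"

# Approved internal computers: MAC address, fixed address, host name (constructed data)
APPROVED_HOSTS="
02:00:00:aa:00:01 10.50.0.11 training-pc-1
02:00:00:aa:00:02 10.50.0.12 training-pc-2
02:00:00:aa:00:03 10.50.0.13 projector-1
"

# Comma-separated MAC list for an nftables set
approved_macs() {
  printf '%s\n' "$APPROVED_HOSTS" | awk 'NF { printf "%s%s", (n++ ? ", " : ""), $1 }'
}

# Restrictive filter: rooms reach only the VPN gateway, and only from approved MACs.
gen_lan_ruleset() {
  cat <<EOF
flush ruleset
table inet meeting_lan {
    set approved_macs {
        type ether_addr
        elements = { $(approved_macs) }
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        # MAC check is only a first hurdle; certificate or user authentication at the VPN gateway is the real control
        iifname "$MEETING_IF" ether saddr != @approved_macs drop
        # the only permitted traffic: IPsec (500/4500) or TLS (443) towards the VPN gateway
        iifname "$MEETING_IF" oifname "$INTRANET_IF" ip saddr $MEETING_NET ip daddr $VPN_GW udp dport { 500, 4500 } accept
        iifname "$MEETING_IF" oifname "$INTRANET_IF" ip saddr $MEETING_NET ip daddr $VPN_GW tcp dport 443 accept
        # nothing from the intranet initiates connections into the rooms (counted for monitoring)
        iifname "$INTRANET_IF" oifname "$MEETING_IF" counter drop
    }
}
EOF
}

# No dynamic pool: in dnsmasq "static" mode only hosts with a dhcp-host entry get a lease.
gen_dnsmasq_conf() {
  printf 'interface=%s\nbind-interfaces\n' "$MEETING_IF"
  printf 'dhcp-range=%s,static\n' "${MEETING_NET%/*}"
  printf '%s\n' "$APPROVED_HOSTS" | while read -r mac ip name; do
    if [ -n "$mac" ]; then printf 'dhcp-host=%s,%s,%s\n' "$mac" "$ip" "$name"; fi
  done
}

# Internet sockets: outbound only, unsolicited inbound dropped, no path to private ranges.
gen_inet_ruleset() {
  cat <<EOF
flush ruleset
table inet internet_socket {
    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        # private ranges are never forwarded, so even a misconfigured uplink cannot lead to an intranet
        iifname "$ROOM_IF" oifname "$DSL_IF" ip daddr { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 } counter drop
        iifname "$ROOM_IF" oifname "$DSL_IF" ct state new accept
    }
}
EOF
}

# Plausibility check: the internet-socket router must know nothing about the intranet.
check_inet_isolated() {
  rs=$(gen_inet_ruleset)
  printf '%s\n' "$rs" | grep -q 'policy drop' || return 1
  ! printf '%s\n' "$rs" | grep -Eq "$INTRANET_IF|$VPN_GW"
}

# Usage: sh meeting-rooms.sh /tmp/out   (then check syntax with: nft -c -f /tmp/out/meeting_lan.nft)
write_configs() {
  mkdir -p "$1"
  gen_lan_ruleset  > "$1/meeting_lan.nft"
  gen_inet_ruleset > "$1/internet_socket.nft"
  gen_dnsmasq_conf > "$1/dnsmasq-meeting.conf"
  check_inet_isolated && echo "written to $1; internet-socket ruleset references no intranet address"
}
if [ -n "${1:-}" ]; then write_configs "$1"; fi
```

The two rulesets are deliberately separate files for two separate devices: the internet-socket router has no interface on the intranet at all, and `check_inet_isolated` only confirms that its generated rules mention neither the intranet interface nor the VPN gateway. The `ether saddr` set is the MAC-address check from the safeguards above; the page lists certificates or user authentication as the alternatives, which is why the ruleset allows nothing beyond the authentication/VPN gateway.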
External employees should not be offered internet access that uses the organisation's intranet as a transit network. Due to configuration errors, for example, it can never be ruled out that external employees gain access to information or applications worthy of protection despite restricted access options.
If direct LAN access is prevented, internal employees may also be provided with access to the LAN from meeting, event, and training rooms using a VPN via the internet (see S 5.122 Secure connection of laptops to local networks).
If WLANs are set up to provide internet access, the corresponding security safeguards should be taken for them as well.
Review questions:
- Is it ensured that any direct connection of brought and internal IT systems is prevented?
- Is LAN access restricted exclusively to IT systems approved to this end?
- Are third parties prevented from reading and/or recording internal data traffic?
- Are computers in meeting, event, and training rooms prevented from simultaneously establishing connections to the intranet and the internet?