IT Documentation - The Blog

Network Plans as an IT Security Measure

September 25, 2014

If you have anything to do with IT security and the IT-Grundschutz Catalogues of the German Federal Office for Information Security (BSI), then you might have heard of measure S 2.139 “Survey of the existing network environment”.

List of review questions from the BSI IT-Grundschutz Catalogue for safeguard S 2.139 “Survey of the existing network environment”:

– Is there an up-to-date survey of the network topography?

– Is the documentation on the network topography also comprehensible for third parties?

– Is there a survey of the network topology on the layers of the ISO/OSI reference model?

– Does the documentation of the network segmentation also include the admissible services and network protocols?

– Does the documentation of the network environment include all communication transitions between the networks?

– Can the documentation of the communication transitions be used in order to comprehend the transmission routes?

– Can the documentation of the communication transitions be used in order to comprehend the communication flow and/or data flow between the communication partners?

– Is the documentation on the network environment protected against unauthorised access, but available for the competent persons at any time?

Source: BSI IT-Grundschutz Catalogue, version 13

Various levels in the IT-Grundschutz Catalogue

In the IT-Grundschutz Catalogues, measures are grouped by various levels. A for basic measures, B for further measures, and C for measures that have to be met for certification. Then there’s I for information and lastly there are measures with no identification. All in all, there are well over a thousand measures which are described for the five different modules and their threats.

The measure mentioned above is a measure of level A, hence a basic measure which is important for a company’s IT security and which needs to be implemented. There are “only” eight review questions, but they’re not at all straightforward. Good IT documentation, however, will help you answer them without too much trouble. Without the support of a software tool, creating IT documentation won’t be easy as you’ll also have to think of keeping your data current. After all, the requirement is that your network topography must be up-to-date.

Using software to support the creation of network plans

To a large extent, the Docusnap documentation tool helps meet the requirements of this measure relatively easily. After completing the inventory process, you can create network, routing, and topology plans at the push of a button. The documentation of VLANs also becomes available when inventorying the network switch configurations. This provides you with an ideal basis. Describe the existing communication flows in the IT operating manual and specify the protocols in the IT Relations module. You can make your documentation available in a number of locations, so why not on a tablet for the administrators and the CTO?

The communication interfaces and transmission routes between the individual data networks can be documented quite easily if these interfaces are implemented via security gateways, in other words firewalls. In these IT systems, there is always a list of allowed data streams. These lists almost always indicate the data source and destination as single network addresses or a whole network segment as well as the allowed network protocol. The direction of the communication flow is also configured in these lists. You’ll “only” need to integrate this list into your documentation and keep it up-to-date. To what extent this process can be automated depends on the firewall product you are using.

For IT security reasons, it would certainly be considered critical if the firewall configuration could be read so easily via the network. That’s why an online query probably won’t work. Maybe a backup of the configuration will help here. When the configuration of a firewall is changed, the settings should always be backed up. Obviously this should also be done before the change so that the previous state can be restored if problems occur. Your firewall administrator will certainly look after this for you though. These configuration files are often simple text files, so maybe something can be retrieved and be used for IT documentation.

Whether there is a different way depends on your processes. If changes are managed in a ticketing system (i.e. change management has been implemented), the person responsible for IT documentation could receive information on the change and make it in the manual.

Other requirements of this BSI measure have to be entered manually, such as protocols used for each network segment. If you already have IT guidelines in place, the regulations should be found in there. Brief change of subject: how do you control compliance with these guidelines? It’s easy to find a solution from a technical point of view. A simple network sniffer such as Wireshark will help. But be sure to restrict your use of such a tool to this purpose and don’t forget to communicate why you are using it. Don’t scan your whole network traffic and then give IT documentation as justification for the action.

Alternatively you can use the mirror port of your switch to analyse which protocols are being used in the network. But please don’t just do it, but always communicate such actions and specify their purpose. It might even be a good idea to get written approval from your management.

IT documentation can be easy!

As you can see there’s a solution for (almost) everything. Certainly no longer as standard software, that’s why clever adjustment of an out-of-the-box solution can often add considerable value. And suddenly, requirements from the BSI IT-Grundschutz Catalogue seem less daunting too. If possible, make sure to use one documentation product only, otherwise it’s easy to lose the plot.