NET.1.1 Network Architecture and Design

Description

Introduction

Most institutions today require data networks for their business operations and the fulfillment of their professional tasks; through these networks, for example, information and data are exchanged and distributed applications are realized. Such networks not only connect conventional end devices, extranets, and the Internet; they increasingly also integrate mobile end devices and elements of the Internet of Things (IoT). In addition, cloud services and services for Unified Communication and Collaboration (UCC) are increasingly used via data networks. The resulting advantages are undisputed. But the many end devices and services also increase the risks. It is therefore important to protect one’s own network starting with a secure network architecture. For this purpose, it must be planned, for example, how a local area network (LAN) or a wide area network (WAN) can be built securely. Likewise, external networks that are only partially trusted, e.g., the Internet or customer networks, must be connected appropriately.

To ensure a high level of security, additional security-relevant aspects must be taken into account. Examples of these are secure separation of different tenants and device groups at the network level and the control of their communication through a firewall. Another important security element, especially for clients, is network access control.

Objective

The objective of this building block is to establish information security as an integral component of network architecture and network design.

Scope and Modeling

The building block NET.1.1 Network Architecture and Design is to be applied to the entire network of an institution including all subnets.

The building block contains fundamental requirements that must be observed and fulfilled when networks are planned, built, and operated. Requirements for the secure operation of the corresponding network components, including security components such as firewalls, are not the subject of this building block. These are addressed in building block group NET.3 Network Components.

The focus of this building block is on wired networks and data communication. However, general requirements on architecture and design—e.g., that zones always require physical separation from network segments—must be observed and fulfilled for all network technologies.

Further specific requirements for network areas such as Wireless LAN (WLAN) or storage area networks (SAN) are addressed in building block layer NET.2 Wireless Networks or in building block SYS.1.8 Storage Solutions respectively. Furthermore, the topic of Voice over IP (VoIP) and the underlying security infrastructure are not discussed in this building block but in the corresponding building block NET.4.2 VoIP.

Specific security requirements for virtual private clouds and hybrid clouds are likewise not the focus of this building block.

Network management is considered within the framework of zoning and segmentation; all further topics of network management are addressed in building block NET.1.2 Network Management.

Threat Landscape

Since IT-Grundschutz building blocks cannot address individual information domains, typical scenarios are used to illustrate the threat landscape. The following specific threats and vulnerabilities are of particular importance for building block NET.1.1 Network Architecture and Design.

Failure or Insufficient Performance of Communication Links

If communication links are insufficiently dimensioned, or if their performance is no longer adequate due to a technical failure or a denial-of-service (DoS) attack, clients may, for example, only be able to communicate with servers in a limited manner. This increases access times to internal and external services, which may then only be available to a limited extent or not at all. Information relevant to the institution may also no longer be available. As a result, essential business processes or entire production processes can grind to a halt.

Inadequately Secured Network Access

If the internal network is connected to the Internet and the transition is not adequately protected—e.g., because no firewall is used or it is incorrectly configured—attackers can access the institution’s sensitive information and copy or manipulate it.

Improper Construction of Networks

If a network is improperly built or erroneously extended, insecure network topologies may arise or networks may be configured insecurely. Attackers can then more easily find security gaps, penetrate the internal network of the institution, and steal information there, manipulate data, or even disrupt entire production systems. Attackers also remain undetected for longer in an improperly built network that security systems can only monitor to a limited extent.

Requirements

The following are the specific requirements of building block NET.1.1 Network Architecture and Design. The Information Security Officer (ISO) is responsible for ensuring that all requirements are met and verified in accordance with the established security concept. The ISO MUST always be involved in strategic decisions.

Additional roles are defined in the IT-Grundschutz Compendium. They SHOULD be filled insofar as this is sensible and appropriate.

Responsibilities              Roles
Primarily responsible         Planners
Additional responsibilities   IT Operations

Exactly one role SHOULD be Primarily responsible. There may also be Additional responsibilities. If one of these additional roles is primarily responsible for fulfilling a requirement, that role is listed in square brackets after the requirement heading. The use of singular or plural says nothing about how many persons should fill these roles.

Basic Requirements

The following requirements MUST be fulfilled with priority for this building block.

NET.1.1.A1 Security Policy for the Network (B) [IT Operations]

Based on the institution’s general security policy, a specific security policy for the network MUST be created. In this, requirements and specifications MUST be described in a comprehensible manner regarding how networks are to be securely designed and built. The policy MUST specify, among other things:

  • in which cases zones are to be segmented and in which cases user groups or tenants are to be logically or even physically separated,
  • which communication relationships and which network and application protocols are permitted in each case,
  • how data traffic for administration and monitoring is to be separated in terms of networking,
  • what intra-institutional, cross-site communication (WAN, wireless networks) is permitted and what encryption is required in WAN, LAN, or on wireless links, and
  • what inter-institutional communication is permitted.

The policy MUST be known to all employees responsible for network design. It MUST also be fundamental to their work. If the policy is changed or if requirements are deviated from, this MUST be documented and coordinated with the responsible ISO. It MUST be regularly checked whether the policy is still correctly implemented. The results MUST be documented in a meaningful manner.

NET.1.1.A2 Documentation of the Network (B) [IT Operations]

A complete documentation of the network MUST be created. It MUST include a network diagram. The documentation MUST be maintained sustainably. The initial as-is survey, including network performance, as well as all changes made to the network MUST be included in the documentation. The logical structure of the network MUST be documented, especially how subnets are assigned and how the network is zoned and segmented.

NET.1.1.A3 Requirements Specification for the Network (B)

Based on the security policy for the network, a requirements specification MUST be created. This MUST be maintained sustainably. All essential elements for network architecture and design MUST be derivable from the requirements.

NET.1.1.A4 Network Separation into Zones (B)

The overall network MUST be physically separated into at least the following three zones: internal network, demilitarized zone (DMZ), and external connections (including Internet connection and connection to other untrusted networks). The zone transitions MUST be secured by a firewall. This control MUST follow the principle of local communication, such that firewalls only forward permitted communication (allowlist).

Untrusted networks (e.g., the Internet) and trusted networks (e.g., intranet) MUST be separated by at least a two-stage firewall structure consisting of stateful packet filters (firewall). To separate the Internet and the external DMZ in terms of networking, at least one stateful packet filter MUST be used.

In the two-stage firewall architecture, all incoming and outgoing data traffic MUST be controlled and filtered by the outer packet filter or the inner packet filter respectively.

A P-A-P structure, consisting of packet filter, application-layer gateway or security proxies, and packet filter, MUST always be implemented when the security policy or the requirements specification requires it.

NET.1.1.A5 Client-Server Segmentation (B)

Clients and servers MUST be placed in different network segments. Communication between these network segments MUST be controlled by at least one stateful packet filter.

It SHOULD be noted that possible exceptions that allow clients and servers to be positioned in a common network segment are governed by the corresponding application- and system-specific building blocks.

Dedicated network segments MUST be established for guest access and for network areas where there is insufficient internal control over end devices.

NET.1.1.A6 End Device Segmentation in the Internal Network (B)

ONLY end devices that correspond to a similar security level MAY be positioned in a network segment.

NET.1.1.A7 Protection of Sensitive Information (B)

Sensitive information MUST be transmitted via protocols that are secure according to the current state of the art, unless communication takes place via trusted dedicated network segments (e.g., within the management network). If such protocols cannot be used, appropriate encryption and authentication MUST be applied according to the state of the art (see NET.3.3 VPN).

NET.1.1.A8 Basic Protection of Internet Access (B)

Internet traffic MUST be routed through the firewall structure (see NET.1.1.A4 Network Separation into Zones). Data flows MUST be restricted by the firewall structure to the required protocols and communication relationships.

NET.1.1.A9 Basic Protection of Communication with Untrusted Networks (B)

For each network, it MUST be determined to what extent it is to be classified as trustworthy. Networks that are not trustworthy MUST be treated like the Internet and secured accordingly.

NET.1.1.A10 DMZ Segmentation for Access from the Internet (B)

The firewall structure MUST be supplemented by a so-called external DMZ for all services and applications that are accessible from the Internet. A concept for DMZ segmentation SHOULD be created that implements the security policy and requirements specification in a comprehensible manner. Depending on the security level of the IT systems, DMZ segments MUST be further subdivided. An external DMZ MUST be connected to the outer packet filter.

NET.1.1.A11 Protection of Incoming Communication from the Internet to the Internal Network (B)

IP-based access to the internal network MUST be made via a secure communication channel. Access MUST be restricted to trusted IT systems and users (see NET.3.3 VPN). Such VPN gateways SHOULD be placed in an external DMZ. It SHOULD be noted that adequately hardened VPN gateways may be directly accessible from the Internet. Accesses to the internal network authenticated via the VPN gateway MUST pass through at least the internal firewall.

IT systems MUST NOT access the internal network via the Internet or external DMZ. It SHOULD be noted that any exceptions to this requirement are governed by the corresponding application- and system-specific building blocks.

NET.1.1.A12 Protection of Outgoing Internal Communication to the Internet (B)

Outgoing communication from the internal network to the Internet MUST be decoupled at a security proxy. The decoupling MUST take place outside the internal network. If a P-A-P structure is used, outgoing communication SHOULD always be decoupled through the security proxies of the P-A-P structure.

NET.1.1.A13 Network Planning (B)

Every network implementation MUST be planned appropriately, completely, and in a comprehensible manner. The security policy and the requirements specification MUST be observed in this process. Furthermore, at least the following points MUST be taken into account in the planning as required:

  • connection of the Internet and, if applicable, the site network and extranet,
  • topology of the overall network and network areas, i.e., zones and network segments,
  • dimensioning and redundancy of network and security components, transmission links, and external connections,
  • protocols to be used and their basic configuration and addressing, in particular IPv4/IPv6 subnets of end device groups, and
  • administration and monitoring (see NET.1.2 Network Management).

Network planning MUST be regularly reviewed.

NET.1.1.A14 Implementation of Network Planning (B)

The planned network MUST be implemented in a professional manner. This MUST be verified during acceptance testing.

NET.1.1.A15 Regular Target/Actual Comparison (B)

It MUST be regularly checked whether the existing network corresponds to the target state. At minimum, it MUST be checked to what extent it fulfills the security policy and requirements specification. It MUST also be checked to what extent the implemented network structure corresponds to the current state of network planning. For this purpose, responsible persons and review criteria or requirements MUST be defined.
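As an added example (not part of the BSI building block), the following Python script performs the target/actual comparison of NET.1.1.A15 for one concrete artefact: a two-stage firewall ruleset as required by NET.1.1.A4, A8, A11 and A12. It checks that each packet-filter stage ends in an explicit deny-all (allowlist principle), that no allow rule is any-to-any or unrestricted in its protocols, and that no rule on either stage names the zone on the far side of the other stage, which would let internal and external traffic bypass the DMZ and the security proxy. The zone names, the Rule format and both sample rulesets are assumptions constructed for this example.

```python
"""Target/actual check of a two-stage firewall ruleset against NET.1.1 zoning.

Added example, not part of the BSI building block. The zone names, the Rule
format and the two sample rulesets are constructed for this example.
"""
from dataclasses import dataclass
from typing import Dict, List, Set

# NET.1.1.A4: the outer packet filter sits between the external connections and
# the DMZ, the inner packet filter between the DMZ and the internal network. A
# rule on one stage that names the zone on the far side of the other stage would
# mean direct internal<->external traffic that skips the DMZ (A11/A12).
ADJACENT: Dict[str, Set[str]] = {
    "outer": {"external", "dmz"},
    "inner": {"dmz", "internal"},
}


@dataclass(frozen=True)
class Rule:
    stage: str    # "outer" or "inner" packet filter
    src: str      # "external", "dmz", "internal" or "any"
    dst: str
    service: str  # e.g. "tcp/443", or "any"
    action: str   # "allow" or "deny"


def is_deny_all(rule: Rule) -> bool:
    """The explicit last rule every allowlist stage must end with (A4)."""
    return rule.action == "deny" and (rule.src, rule.dst, rule.service) == ("any", "any", "any")


def check_ruleset(rules: List[Rule]) -> List[str]:
    """Return one finding per deviation from the target zoning; empty list = compliant."""
    findings: List[str] = []
    for stage, zones in ADJACENT.items():
        stage_rules = [r for r in rules if r.stage == stage]
        if not stage_rules or not is_deny_all(stage_rules[-1]):
            findings.append(f"A4: {stage} stage has no explicit final deny-all (allowlist principle)")
        for r in stage_rules:
            if r.action != "allow":
                continue
            for zone in (r.src, r.dst):
                if zone != "any" and zone not in zones:
                    findings.append(
                        f"A4/A11/A12: {stage} rule {r.src}->{r.dst} {r.service} names zone "
                        f"'{zone}', which is not adjacent to this stage; traffic would bypass the DMZ")
            if r.src == "any" and r.dst == "any":
                findings.append(f"A4: {stage} rule allows any->any {r.service}")
            elif r.service == "any":
                findings.append(f"A8: {stage} rule {r.src}->{r.dst} is not restricted to required protocols")
    return findings


# Constructed target ruleset: public web server and VPN gateway in the external DMZ
# (A10/A11), outgoing client traffic decoupled at a security proxy in the DMZ (A12).
COMPLIANT = [
    Rule("outer", "external", "dmz", "tcp/443", "allow"),   # Internet -> web server in DMZ
    Rule("outer", "external", "dmz", "udp/500", "allow"),   # Internet -> VPN gateway (IKE)
    Rule("outer", "dmz", "external", "tcp/443", "allow"),   # security proxy -> Internet
    Rule("outer", "any", "any", "any", "deny"),
    Rule("inner", "internal", "dmz", "tcp/3128", "allow"),  # clients -> security proxy only
    Rule("inner", "dmz", "internal", "tcp/443", "allow"),   # authenticated VPN users -> internal service
    Rule("inner", "any", "any", "any", "deny"),
]

# Constructed as-is ruleset after an undocumented change: direct Internet access for
# clients and a permissive catch-all instead of the final deny.
NONCOMPLIANT = [
    Rule("outer", "external", "dmz", "tcp/443", "allow"),
    Rule("outer", "any", "any", "any", "deny"),
    Rule("inner", "internal", "external", "any", "allow"),
    Rule("inner", "any", "any", "any", "allow"),
]

if __name__ == "__main__":
    for name, rules in (("target", COMPLIANT), ("as-is", NONCOMPLIANT)):
        result = check_ruleset(rules)
        print(f"{name}: {len(result)} finding(s)")
        for finding in result:
            print("  -", finding)
```

Running the block reports zero findings for the target ruleset and four for the changed one. In practice the rules would be exported from the firewalls and parsed into Rule objects; the model deliberately works with zones rather than addresses, because that is the level at which the security policy of NET.1.1.A1 is written and at which the review criteria of A15 can be defined.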

Standard Requirements

Together with the basic requirements, the following requirements correspond to the state of the art for this building block. They SHOULD generally be fulfilled.

NET.1.1.A16 Specification of the Network Architecture (S)

Based on the security policy and the requirements specification, an architecture for the zones including the internal network, DMZ area, and external connections SHOULD be developed and maintained sustainably. In this process, all relevant architectural elements SHOULD be considered depending on the specific situation of the institution, but at minimum:

  • network architecture of the internal network with specifications on how to use network virtualization technologies, Layer 2 and Layer 3 communication, and redundancy procedures,
  • network architecture for external connections, including firewall architectures, DMZ and extranet design, and specifications for site interconnection,
  • determination of where in the network which security components such as firewalls or IDS/IPS are to be placed and which security functions these must implement,
  • specifications for the network connection of different IT systems,
  • network architecture in virtualization hosts, with particular consideration of Network Virtualization Overlay (NVO) and the architecture in vertically integrated systems (ViS),
  • specifications of the fundamental architectural elements for a private cloud as well as protection of connections to virtual private clouds, hybrid clouds, and public clouds, and
  • architecture for the secure administration and monitoring of the IT infrastructure.

NET.1.1.A17 Specification of the Network Design (S)

Based on the network architecture, the network design for the zones including the internal network, DMZ area, and external connections SHOULD be developed and maintained sustainably. For this purpose, the relevant architectural elements SHOULD be considered in detail, but at minimum:

  • permissible forms of network components including virtualized network components,
  • specifications on how WAN and wireless connections are to be secured,
  • connection of end devices to switching components, connections between network elements, and use of communication protocols,
  • redundancy mechanisms for all network elements,
  • address concept for IPv4 and IPv6 as well as associated routing and switching concepts,
  • virtualized networks in virtualization hosts including NVO,
  • structure, connection, and protection of private clouds as well as secure connection of virtual private clouds, hybrid clouds, and public clouds, and
  • specifications for network design for the secure administration and monitoring of the IT infrastructure.

NET.1.1.A18 P-A-P Structure for Internet Connection (S)

The institution’s network SHOULD be connected to the Internet via a firewall with P-A-P structure (see NET.1.1.A4 Network Separation into Zones).

Between the two firewall stages, a proxy-based application-layer gateway (ALG) MUST be implemented. The ALG MUST be connected to both the outer packet filter and the internal packet filter via its own transfer network (dual-homed). The transfer network MUST NOT be used for purposes other than those of the ALG.

If no ALG is used, appropriate security proxies MUST be implemented. The security proxies MUST be connected via their own transfer network (dual-homed). The transfer network MUST NOT be used for purposes other than those of the security proxies. It MUST be checked whether mutual attacks via the security proxies are possible. If this is the case, the transfer network MUST be appropriately segmented.

All data traffic MUST be decoupled via the ALG or corresponding security proxies. A transfer network that directly connects both firewall stages MUST NOT be configured. The internal firewall MUST also reduce the attack surface of the ALG or the security proxies against insiders or IT systems in the internal network.

Authenticated and trusted network access from the VPN gateway to the internal network SHOULD NOT pass through the ALG or the security proxies of the P-A-P structure.

NET.1.1.A19 Separation of Infrastructure Services (S)

Servers that provide fundamental services for the IT infrastructure SHOULD be positioned in a dedicated network segment. Communication with them SHOULD be controlled by a stateful packet filter (firewall).

NET.1.1.A20 Assignment of Dedicated Subnets for IPv4/IPv6 End Device Groups (S)

Different IPv4/IPv6 end devices SHOULD be assigned to dedicated subnets depending on the protocol used (IPv4-only, IPv6-only, or IPv4/IPv6 dual-stack).

NET.1.1.A21 Separation of the Management Area (S)

To manage the infrastructure, out-of-band management SHOULD be used consistently. All end devices required for managing the IT infrastructure SHOULD be positioned in dedicated network segments. Communication with these end devices SHOULD be controlled by a stateful packet filter. Communication to and from these management network segments SHOULD be restricted to the necessary management protocols with defined communication endpoints.

The management area SHOULD include at least the following network segments. These SHOULD be further subdivided depending on the security policy and requirements specification into:

  • network segment(s) for IT systems responsible for the authentication and authorization of administrative communication,
  • network segment(s) for the administration of IT systems,
  • network segment(s) for monitoring and supervision,
  • network segment(s) containing central logging including syslog servers and SIEM servers,
  • network segment(s) for IT systems required for fundamental services of the management area, and
  • network segment(s) for the management interfaces of the IT systems to be administered.

The various management interfaces of IT systems MUST be separated by their purpose and network placement using a stateful packet filter. IT systems (management interfaces) SHOULD additionally be separated by dedicated firewalls for the following groupings:

  • IT systems accessible from the Internet,
  • IT systems in the internal network, and
  • security components located between IT systems accessible from the Internet and the internal network.

It MUST be ensured that the segmentation cannot be undermined by management communication. Bridging of network segments MUST be excluded.

NET.1.1.A22 Specification of the Segmentation Concept (S)

Based on the specifications of the network architecture and network design, a comprehensive segmentation concept for the internal network SHOULD be created. This segmentation concept SHOULD include any virtualized networks present in virtualization hosts. The segmentation concept SHOULD be planned, implemented, operated, and maintained sustainably. The concept SHOULD cover at least the following points, insofar as these are provided for in the target environment:

  • initially to be established network segments and specifications for how new network segments are to be created and how end devices are to be positioned in the network segments,
  • specifications for the segmentation of development and test systems (staging),
  • network access control for network segments with clients,
  • connection of network areas connected to the network segments via wireless technologies or leased lines,
  • connection of virtualization hosts and virtual machines on the hosts to the network segments,
  • data center automation, and
  • specifications on how to integrate end devices serving multiple network segments, e.g., load balancers, and storage and backup solutions.

Depending on the security policy and requirements specification, it SHOULD be designed for each network segment how it is to be implemented in terms of networking. Furthermore, it SHOULD be determined what security functions the coupling elements between the network segments must provide (e.g., firewall as a stateful packet filter or IDS/IPS).

NET.1.1.A23 Separation of Network Segments (S)

IT systems with different protection requirements SHOULD be placed in different network segments. If this is not possible, the protection requirement SHOULD be based on the highest protection requirement occurring in the network segment. Furthermore, network segments SHOULD be further subdivided depending on their size and the requirements of the segmentation concept. It MUST be ensured that no bridging of network segments or even zones is possible.

If virtual LANs (VLANs) on a switch belong to different institutions, the separation SHOULD be physical. Alternatively, data SHOULD be encrypted to protect the transmitted information from unauthorized access.

NET.1.1.A24 Secure Logical Separation Using VLANs (S)

If VLANs are used, they MUST NOT thereby create any connection between the internal network and a zone in front of the ALG or the security proxies.

In general, it MUST be ensured that VLANs cannot be bridged.
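As an added example (not part of the BSI building block), the following Python script checks a segmentation inventory against the requirements of NET.1.1.A5/A6 (clients and servers in separate segments), A20 (dedicated subnets per protocol family), A21 (no bridging of the management area), A23 and A24 (no bridging of segments, including through VLAN assignment). Segment and device names, VLAN ids and addresses are constructed, the model simplifies one segment to one subnet, and treating a server's second interface in the management-interface segment as legitimate follows the list of management segments in A21.

```python
"""Inventory check of an internal-network segmentation against NET.1.1.A5/A6,
A20, A21, A23 and A24.

Added example, not part of the BSI building block. Segment and device names,
VLAN ids and addresses are constructed; for simplicity one segment is one subnet.
"""
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Dict, List, Set


@dataclass(frozen=True)
class Segment:
    name: str
    zone: str   # "internal", "dmz" or "management"
    role: str   # "client", "server", "guest", "mgmt-admin" or "mgmt-interfaces"
    vlan: int


@dataclass
class Device:
    name: str
    kind: str                         # "client", "server", "admin-station" or "firewall"
    interfaces: Dict[str, List[str]]  # segment name -> addresses of the interface in it


def address_profile(addrs: List[str]) -> str:
    """Classify an interface as IPv4-only, IPv6-only or dual-stack (A20)."""
    versions = {ip_address(a).version for a in addrs}
    if versions == {4}:
        return "ipv4-only"
    if versions == {6}:
        return "ipv6-only"
    return "dual-stack"


def check_segmentation(segments: List[Segment], devices: List[Device]) -> List[str]:
    """Return one finding per deviation from the segmentation concept; empty = compliant."""
    findings: List[str] = []
    seg = {s.name: s for s in segments}

    # A24: a VLAN id mapped to two segments joins them at layer 2.
    by_vlan: Dict[int, List[str]] = {}
    for s in segments:
        by_vlan.setdefault(s.vlan, []).append(s.name)
    for vlan, names in sorted(by_vlan.items()):
        if len(names) > 1:
            findings.append(f"A24: VLAN {vlan} is assigned to segments {names}; VLANs must not bridge segments")

    profiles: Dict[str, Set[str]] = {}
    for d in devices:
        # The A21 segment for management interfaces is the one place a server may
        # legitimately have a second interface; every other multi-segment device
        # that is not a firewall bridges the segments it touches (A21/A23).
        spanned = [n for n in d.interfaces if seg[n].role != "mgmt-interfaces"]
        if d.kind != "firewall" and len(spanned) > 1:
            findings.append(f"A21/A23: {d.name} has interfaces in {spanned} and bridges them")
        # A5/A6: clients and servers belong in segments of their own role.
        for n in spanned:
            if d.kind in ("client", "server") and seg[n].role != d.kind:
                findings.append(f"A5/A6: {d.kind} {d.name} is placed in segment {n} (role {seg[n].role})")
        for n, addrs in d.interfaces.items():
            profiles.setdefault(n, set()).add(address_profile(addrs))

    # A20: IPv4-only, IPv6-only and dual-stack end devices get dedicated subnets.
    for n, profs in sorted(profiles.items()):
        if len(profs) > 1:
            findings.append(f"A20: segment {n} mixes {sorted(profs)} end devices; assign a dedicated subnet per protocol family")
    return findings


# Constructed inventory that follows the segmentation concept.
SEGMENTS = [
    Segment("clients", "internal", "client", 10),
    Segment("servers", "internal", "server", 20),
    Segment("guest", "internal", "guest", 30),
    Segment("mgmt-admin", "management", "mgmt-admin", 900),
    Segment("mgmt-interfaces", "management", "mgmt-interfaces", 901),
]
DEVICES_OK = [
    Device("pc-01", "client", {"clients": ["10.0.10.5"]}),
    Device("pc-02", "client", {"clients": ["10.0.10.6"]}),
    Device("srv-01", "server", {"servers": ["10.0.20.10"], "mgmt-interfaces": ["10.0.91.10"]}),
    Device("admin-ws-01", "admin-station", {"mgmt-admin": ["10.0.90.5"]}),
    Device("fw-internal", "firewall", {"clients": ["10.0.10.1"], "servers": ["10.0.20.1"]}),
]

# Constructed as-is state with one deviation per requirement checked above.
SEGMENTS_BAD = SEGMENTS + [Segment("guest-wifi", "internal", "guest", 10)]      # reuses VLAN 10 (A24)
DEVICES_BAD = DEVICES_OK + [
    Device("pc-03", "client", {"clients": ["10.0.10.7", "2001:db8:10::7"]}),  # dual-stack in IPv4-only subnet (A20)
    Device("srv-legacy", "server", {"clients": ["10.0.10.50"]}),               # server in client segment (A5)
    Device("admin-ws-02", "admin-station",                                     # dual-homed into office LAN (A21)
           {"mgmt-admin": ["10.0.90.6"], "clients": ["10.0.10.60"]}),
]

if __name__ == "__main__":
    for finding in check_segmentation(SEGMENTS_BAD, DEVICES_BAD):
        print(finding)
```

The compliant inventory yields no findings; the as-is inventory yields exactly one per violated requirement. The inventory would normally be generated from the network documentation required by NET.1.1.A2 (segment list with VLAN ids) and from the address assignments of the end devices, which makes the check a reusable part of the regular target/actual comparison of A15.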

NET.1.1.A25 Detailed Planning and Implementation of Network Architecture and Design (S)

Detailed planning and implementation for network architecture and network design SHOULD be carried out, documented, reviewed, and maintained sustainably.

NET.1.1.A26 Specification of Operational Processes for the Network (S)

Operational processes SHOULD be created or adapted as required and documented. In particular, consideration SHOULD be given to how the zoning and segmentation concept affect IT Operations.

NET.1.1.A27 Integration of the Network Architecture into Emergency Planning (S) [IT Operations]

It SHOULD be analyzed in a comprehensible manner, both initially and at regular intervals, how the network architecture and the derived concepts affect emergency planning.

Requirements for High Protection Needs

The following are exemplary proposals for requirements for this building block that go beyond the level of protection corresponding to the state of the art. The proposals SHOULD be considered when there are high protection needs. The specific determination is made within the framework of an individual risk analysis.

NET.1.1.A28 Highly Available Network and Security Components (H)

Central areas of the internal network and the security components SHOULD be designed for high availability. To this end, the components SHOULD be designed redundantly and also implemented with high availability internally.

NET.1.1.A29 Highly Available Implementation of Network Connections (H)

Network connections, such as Internet connections and WAN connections, SHOULD be designed to be fully redundant. Depending on availability requirements, redundant connections to service providers SHOULD be implemented with different technology and performance as required. Path redundancy within and outside one’s own area of responsibility SHOULD also be implemented as required. Possible single points of failure (SPoF) and disruptive environmental conditions SHOULD be taken into account.

NET.1.1.A30 Protection Against Distributed Denial of Service (H)

To defend against DDoS attacks, bandwidth management SHOULD be used to specifically distribute available bandwidth between different communication partners and protocols.

To be able to defend against DDoS attacks with very high data rates, mitigation services SHOULD be procured through larger internet service providers (ISPs). Their use SHOULD be governed by contracts.

NET.1.1.A31 Physical Separation of Network Segments (H)

Depending on the security policy and requirements specification, network segments SHOULD be physically separated by separate switches.

NET.1.1.A32 Physical Separation of Management Network Segments (H)

Depending on the security policy and requirements specification, network segments of the management area SHOULD be physically separated from each other.

NET.1.1.A33 Microsegmentation of the Network (H)

The network SHOULD be divided into small network segments with very similar requirement profiles and the same protection needs. In particular, this SHOULD be taken into account for the DMZ segments.

NET.1.1.A34 Use of Cryptographic Methods at the Network Level (H)

The network segments in the internal network, in the extranet, and in the DMZ area SHOULD be implemented using cryptographic technologies already at the network level. VPN technologies or IEEE 802.1AE SHOULD be used for this purpose.

If communication takes place over connection links within the internal network, extranet, or DMZ that are not sufficiently secure for high protection needs, communication SHOULD be appropriately encrypted at the network level.

NET.1.1.A35 Use of Network-Based DLP (H)

At the network level, data loss prevention (DLP) systems SHOULD be deployed.

NET.1.1.A36 Separation Using VLANs for Very High Protection Needs (H)

For very high protection needs, VLANs SHOULD NOT be used.

Additional Information

Good to Know

The BSI has published the following further documents on the topic of networks:

  • Secure connection of local networks to the Internet (ISi-LANA)
  • Technical guideline for organization-internal telecommunications systems with high protection needs: BSI-TL-02103 - Version 2.0

The International Organization for Standardization (ISO) provides specifications for securing networks in standard ISO/IEC 27033 “Information technology - Security techniques - Network security - Part 1: Overview and concepts to Part 3: Reference networking scenarios - Threats, design techniques and control issues.”