NET.1.2 Network Management
Description
Introduction
Reliable network management is a fundamental prerequisite for the secure and efficient operation of modern networks. For this purpose, it is necessary that network management comprehensively integrates all network components. In addition, appropriate measures must be implemented to protect the network management communication and infrastructure.
Network management encompasses many important functions such as network monitoring, configuration of components, handling of events, and logging. Another important function is reporting, which can be set up as a shared platform for networks and IT systems. Alternatively, it can be implemented as a dedicated unified platform or as part of the individual network management components.
The network management infrastructure consists of central management systems—such as an SNMP server—administration end devices with software for management access, and decentralized management agents. In addition, dedicated management tools such as probes or specific measuring devices, as well as management protocols such as SNMP or SSH, belong to it. Management interfaces such as dedicated Ethernet ports or console ports are also part of a network management infrastructure.
Objective
The objective of this building block is to establish information security as an integral component of network management.
Scope and Modeling
The building block NET.1.2 Network Management is to be applied to every network management system (management system and IT system to be managed) used in the information domain. The IT systems to be managed are typically individual clients, servers, or active network components (network coupling elements).
This building block considers the necessary components and conceptual tasks for network management. Requirements for system management of networked clients and servers are not described here.
This building block describes how network management can be built and secured and how the associated communication can be protected. Details regarding the protection of network components, especially their management interfaces, are addressed in the building blocks of layers NET.2 Wireless Networks and NET.3 Network Components.
The logging discussed in this building block should be integrated into a comprehensive logging and archiving concept (see OPS.1.1.5 Logging and OPS.1.2.2 Archiving).
The data of network management must be taken into account in the data backup concept. Requirements for this are contained in building block CON.3 Data Backup Concept.
Threat Landscape
Since IT-Grundschutz building blocks cannot address individual information domains, typical scenarios are used to illustrate the threat landscape. The following specific threats and vulnerabilities are of particular importance for building block NET.1.2 Network Management.
Unauthorized Access to Central Network Management Components
If an attacker succeeds in accessing network management solutions—e.g., through unpatched security vulnerabilities or insufficient network separation—all network components connected to them can be controlled and reconfigured. This allows, for example, access to sensitive information, redirection of network traffic, or lasting disruption of the entire network.
Unauthorized Access to Individual Network Components
If an attacker succeeds in accessing an individual network component, that component can be controlled and manipulated, and all data traffic routed through it can be compromised. The compromised component can also serve as a starting point for further attacks that penetrate deeper into the institution's network.
Unauthorized Interference with Network Management Communication
If network management communication is intercepted and manipulated, active network components can thereby be misconfigured or controlled. This can violate network integrity and restrict the availability of the network infrastructure. Furthermore, the transmitted data can be intercepted and viewed.
Insufficient Time Synchronization of Network Management Components
If the system time of the network management components is not sufficiently synchronized, log data from different components may not be correlatable. Correlation may also yield erroneous conclusions, since the timestamps of events have no common basis. As a result, events cannot be responded to appropriately and problems may remain unresolved; security incidents and data exfiltration can go undetected.
Requirements
The following are the specific requirements of building block NET.1.2 Network Management. The Information Security Officer (ISO) is responsible for ensuring that all requirements are met and verified in accordance with the established security concept. The ISO MUST always be involved in strategic decisions.
Additional roles are defined in the IT-Grundschutz Compendium. They SHOULD be filled insofar as this is sensible and appropriate.
| Responsibilities | Roles |
|---|---|
| Primarily responsible | IT Operations |
| Additional responsibilities | Planners, Supervisors |
Exactly one role SHOULD be Primarily responsible. There may also be Additional responsibilities. If one of these additional roles is primarily responsible for fulfilling a requirement, that role is listed in square brackets after the requirement heading. The use of singular or plural says nothing about how many persons should fill these roles.
Basic Requirements
The following requirements MUST be fulfilled with priority for this building block.
NET.1.2.A1 Planning of Network Management (B)
The network management infrastructure MUST be planned appropriately. All points mentioned in the security policy and requirements specification for network management SHOULD be taken into account. At minimum, the following topics MUST be taken into account:
- areas to be separated for network management,
- access options to the management servers,
- communication for management access,
- protocols used, e.g., IPv4 and IPv6,
- requirements for management tools,
- interfaces for forwarding captured event or alarm messages,
- logging, including required interfaces to a central logging solution,
- reporting and interfaces to overarching solutions, and
- corresponding requirements for the network components to be integrated.
NET.1.2.A2 Requirements Specification for Network Management (B)
Based on NET.1.2.A1 Planning of Network Management, requirements for the network management infrastructure and processes MUST be specified. All essential elements for network management MUST be taken into account. The policy for network management SHOULD also be observed.
NET.1.2.A3 DISCONTINUED (B)
This requirement has been discontinued.
NET.1.2.A4 DISCONTINUED (B)
This requirement has been discontinued.
NET.1.2.A5 DISCONTINUED (B)
This requirement has been discontinued.
NET.1.2.A6 Regular Data Backup (B)
When backing up network management data, at minimum the system data for integrating the components or objects to be managed, event messages, statistical data, and data retained for configuration management MUST be backed up.
NET.1.2.A7 Basic Logging of Events (B)
At minimum, the following events MUST be logged:
- unauthorized access or access attempts,
- performance or availability fluctuations in the network,
- errors in automated processes (e.g., during configuration distribution), and
- restricted reachability of network components.
NET.1.2.A8 Time Synchronization (B)
All components of the network management, including integrated network components, MUST use a synchronized time. The time SHOULD be synchronized at each location within the local network using an NTP service. If a separate management network has been set up, an NTP instance SHOULD be positioned in this management network.
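The threat of uncorrelatable log data and the requirement for synchronized time can be made concrete with a small check that a management server could run against the heartbeats it receives. The following Python is an added example, not part of the IT-Grundschutz text: it measures each component's clock skew from constructed heartbeat samples (device timestamp versus server receipt time), reports components outside a tolerance, and shows how events from an unsynchronized component fall into the wrong order until their timestamps are corrected. Component names, timestamps and the 1-second tolerance are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed heartbeat samples: (component, timestamp the device put into the
# message, timestamp at which the management server received it), ISO 8601 UTC.
HEARTBEATS = [
    ("core-sw1", "2024-05-01T12:00:00.200+00:00", "2024-05-01T12:00:00.000+00:00"),
    ("core-sw1", "2024-05-01T12:01:00.200+00:00", "2024-05-01T12:01:00.000+00:00"),
    ("fw-edge",  "2024-05-01T11:57:00.000+00:00", "2024-05-01T12:00:00.000+00:00"),
    ("fw-edge",  "2024-05-01T11:58:00.000+00:00", "2024-05-01T12:01:00.000+00:00"),
]

# Constructed events as logged by the devices themselves (device-local time).
EVENTS = [
    ("fw-edge",  "2024-05-01T12:00:10.000+00:00", "failed management login"),
    ("core-sw1", "2024-05-01T12:02:00.200+00:00", "running configuration changed"),
]


def _parse(ts):
    return datetime.fromisoformat(ts)


def measure_skew(heartbeats):
    """Return {component: mean skew in seconds}, skew = device time - server time."""
    samples = {}
    for component, device_ts, server_ts in heartbeats:
        skew = (_parse(device_ts) - _parse(server_ts)).total_seconds()
        samples.setdefault(component, []).append(skew)
    return {c: sum(v) / len(v) for c, v in samples.items()}


def out_of_sync(skews, tolerance_s=1.0):
    """Components whose clock deviates from the management server by more than tolerance."""
    return sorted(c for c, s in skews.items() if abs(s) > tolerance_s)


def order_events(events, skews=None):
    """Order events by time. With skews given, device timestamps are first mapped onto
    the management server's time base; without them the raw device time is used."""
    skews = skews or {}
    aligned = []
    for component, ts, message in events:
        t = _parse(ts) - timedelta(seconds=skews.get(component, 0.0))
        aligned.append((t, component, message))
    aligned.sort()
    return [(t.isoformat(), c, m) for t, c, m in aligned]


if __name__ == "__main__":
    skews = measure_skew(HEARTBEATS)
    print("skew per component:", skews)
    print("out of sync:", out_of_sync(skews))
    print("raw order:      ", [c for _, c, _ in order_events(EVENTS)])
    print("corrected order:", [c for _, c, _ in order_events(EVENTS, skews)])
```

In the constructed data the firewall's clock runs three minutes behind, so by raw timestamps its failed login appears to precede the switch's configuration change, while on the server's time base the change came first. Measuring skew from heartbeats is only a monitoring aid; the requirement remains that every component actually synchronizes against the NTP service.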
NET.1.2.A9 Protection of Network Management Communication and Access to Network Management Tools (B)
If network management communication takes place via the productive infrastructure, secure protocols MUST be used for this. If this is not possible, a dedicated administration network (out-of-band management) MUST be used (see NET.1.1 Network Architecture and Design).
If network management tools are accessed from a network outside the management networks, authentication and encryption methods considered secure MUST be implemented.
NET.1.2.A10 Restriction of SNMP Communication (B)
Insecure versions of the Simple Network Management Protocol (SNMP) MUST NOT be used in network management. If insecure protocols are nevertheless used and are not secured via other secure network protocols (e.g., VPN or TLS), a separate management network MUST be used. SNMP SHOULD generally be accessed only with the minimum required access rights. Access authorization SHOULD be restricted to dedicated management servers.
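The three points of this requirement (no insecure SNMP versions, minimum access rights, access restricted to management servers) can be verified mechanically from an inventory of device SNMP settings. The following Python is an added example and not part of the IT-Grundschutz text or any vendor's tooling: it audits a vendor-neutral, constructed representation of each device's SNMP entries and reports violations. In practice the entries would be extracted from each device's own configuration syntax; the device names, community and user names, and the management network 10.99.0.0/24 are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class SnmpAccess:
    """One SNMP access entry, vendor-neutral (constructed for this example)."""
    version: str                      # "1", "2c" or "3"
    name: str                         # community string (v1/v2c) or user name (v3)
    write: bool = False               # entry permits SET operations
    security: str = ""                # v3 only: noAuthNoPriv, authNoPriv, authPriv
    sources: list = field(default_factory=list)  # hosts/CIDRs allowed to query


@dataclass
class Device:
    hostname: str
    accesses: list


def _within(source, management_networks):
    """True if the ACL entry lies entirely inside one of the management networks."""
    net = ipaddress.ip_network(source, strict=False)
    return any(net.version == m.version and net.subnet_of(m) for m in management_networks)


def audit_device(device, management_networks):
    """Return a list of (location, finding) tuples; an empty list means compliant."""
    findings = []
    mgmt = [ipaddress.ip_network(n) for n in management_networks]
    for acc in device.accesses:
        where = f"{device.hostname} v{acc.version}:{acc.name}"
        if acc.version in ("1", "2c"):
            findings.append((where, "insecure SNMP version; migrate to SNMPv3"))
        elif acc.version == "3" and acc.security != "authPriv":
            level = acc.security or "unset"
            findings.append((where, f"SNMPv3 security level {level}; use authPriv"))
        if acc.write:
            findings.append((where, "write access enabled; read-only is usually sufficient"))
        if not acc.sources:
            findings.append((where, "no source restriction; limit to management servers"))
        else:
            for src in acc.sources:
                if not _within(src, mgmt):
                    findings.append((where, f"source {src} lies outside the management network"))
    return findings


def audit_all(devices, management_networks):
    return {d.hostname: audit_device(d, management_networks) for d in devices}


# Constructed inventory.
MANAGEMENT_NETWORKS = ["10.99.0.0/24"]
DEVICES = [
    Device("core-sw1", [
        SnmpAccess("2c", "public"),
        SnmpAccess("3", "nms-ro", security="authPriv", sources=["10.99.0.10/32"]),
    ]),
    Device("dist-sw2", [
        SnmpAccess("3", "nms-rw", write=True, security="authNoPriv",
                   sources=["10.99.0.0/24", "192.0.2.50/32"]),
    ]),
]

if __name__ == "__main__":
    for host, findings in audit_all(DEVICES, MANAGEMENT_NETWORKS).items():
        print(host, "OK" if not findings else "")
        for where, text in findings:
            print("  ", where, "-", text)
```

Running the audit regularly, and feeding its output into the target/actual comparison of NET.1.2.A17, turns the requirement into a repeatable check rather than a one-time configuration effort.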
Standard Requirements
Together with the basic requirements, the following requirements correspond to the state of the art for this building block. They SHOULD generally be fulfilled.
NET.1.2.A11 Establishment of a Security Policy for Network Management (S)
A security policy for network management SHOULD be created and continuously maintained. It SHOULD be known to all persons involved in network management and SHOULD form the basis of their work. Whether the contents required by the security policy are implemented SHOULD be checked regularly and traceably. The results SHOULD be documented in a meaningful manner.
The security policy SHOULD specify which areas of network management are implemented via central management tools and services. It SHOULD also define to what extent tasks in network management are to be automated by the institution.
In addition, framework conditions and specifications for network separation, access control, logging, and for the protection of communication SHOULD be specified. Framework conditions and specifications for the network management tool used and for the basic operational rules of network management SHOULD also be specified.
NET.1.2.A12 As-Is Survey and Documentation of Network Management (S)
Documentation SHOULD be created that describes how the management infrastructure of the network is structured. This SHOULD include the initial as-is survey as well as all changes made in network management. In particular, it SHOULD be documented which network components are managed with which management tools. Furthermore, all IT workstations and end devices used for network management, as well as all information assets, management data, and information about the operation of network management SHOULD be recorded. Finally, all interfaces to applications and services outside of network management SHOULD be documented.
The as-is state of the management infrastructure documented in this way SHOULD be reconciled with the documentation of the network infrastructure (see building block NET.1.1 Network Architecture and Design).
The documentation SHOULD be complete and always up to date.
NET.1.2.A13 Creation of a Network Management Concept (S)
Based on the security policy for network management, a network management concept SHOULD be created and maintained sustainably. At minimum, the following aspects SHOULD be taken into account as required:
- methods, techniques, and tools for network management,
- securing of access and communication,
- network separation, in particular the assignment of network management components to zones,
- scope of monitoring and alerting per network component,
- logging,
- automation, in particular central distribution of configuration files to switches,
- escalation chains for faults and security incidents,
- provision of network management information for other operational areas, and
- integration of network management into emergency planning.
NET.1.2.A14 Detailed Planning and Implementation (S)
Detailed planning and implementation for the network management infrastructure SHOULD be created. All points addressed in the security policy and in the network management concept SHOULD be taken into account.
NET.1.2.A15 Concept for the Secure Operation of the Network Management Infrastructure (S)
Based on the security policy for network management and the network management concept, a concept for the secure operation of the network management infrastructure SHOULD be created. The application and system operation of the network management tools SHOULD be taken into account. It SHOULD also be examined how the services of other operational units can be integrated and controlled.
NET.1.2.A16 Setup and Configuration of Network Management Solutions (S)
Network management solutions SHOULD be built, securely configured, and put into operation based on the security policy, the specified requirements (see NET.1.2.A2 Requirements Specification for Network Management), and the detailed planning and implementation. The specific processes for network management SHOULD then be established.
NET.1.2.A17 Regular Target/Actual Comparison Within Network Management (S)
It SHOULD be regularly and comprehensibly checked to what extent the network management solution corresponds to the target state. It SHOULD be checked whether the existing solution still fulfills the security policy and requirements specification. It SHOULD also be checked to what extent the implemented management structure and the processes used correspond to the current state. Furthermore, it SHOULD be compared whether the management infrastructure is up to date.
NET.1.2.A18 Training for Management Solutions (S) [Supervisors]
Training and practice measures for the network management solutions in use SHOULD be designed and carried out. The measures SHOULD cover the individual circumstances in configuration, availability, and capacity management as well as typical situations in fault management. Training and practice SHOULD be repeated regularly, at minimum when major technical or organizational changes occur within the network management solution.
NET.1.2.A19 DISCONTINUED (S)
This requirement has been discontinued.
NET.1.2.A20 DISCONTINUED (S)
This requirement has been discontinued.
NET.1.2.A21 Decoupling of Network Management Communication (S)
Direct management access by administrators from an IT system outside the management networks to a network component SHOULD be avoided. If such access is necessary without a central management tool, the communication SHOULD be decoupled via a jump server. Such jump servers SHOULD be integrated into the management network and positioned in a separate access segment.
NET.1.2.A22 Restriction of Management Functions (S)
ONLY the required management functions SHOULD be activated.
NET.1.2.A23 DISCONTINUED (S)
This requirement has been discontinued.
NET.1.2.A24 Central Configuration Management for Network Components (S)
Software or firmware and configuration data for network components SHOULD be able to be distributed automatically via the network and installed and activated without interrupting operations. The information required for this SHOULD be securely available at a central location and integrated into version management and data backup. The central configuration management SHOULD be continuously maintained and regularly audited.
NET.1.2.A25 Status Monitoring of Network Components (S)
The fundamental performance and availability parameters of the central network components SHOULD be continuously monitored. For this purpose, the respective threshold values SHOULD be determined in advance (baselining).
NET.1.2.A26 Alarming and Logging (S)
Important events on network components and on the network management tools SHOULD be automatically transmitted to a central management system and logged there (see OPS.1.1.5 Logging). The responsible personnel SHOULD additionally be automatically notified. Alarming and logging SHOULD include at least the following points:
- failure or unreachability of network or management components,
- hardware malfunctions,
- failed login attempts, and
- critical states or overload of IT systems.
Event messages or logging data SHOULD be transmitted to a central management system either continuously or in batches. Alarm messages SHOULD be transmitted immediately when they occur.
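The event categories required by NET.1.2.A7 and NET.1.2.A26, the baselined thresholds of NET.1.2.A25, and the distinction between alarms that are sent immediately and log data that may be batched can be combined in one piece of detection logic. The following Python is an added example, not part of the IT-Grundschutz text: it derives a utilization threshold from constructed baseline samples, classifies constructed syslog-style lines into the required categories, and routes each event either to immediate alarming or to batched transmission. Host names, the log lines, the regular expressions and the mean-plus-three-sigma threshold rule are all assumptions made for the example.

```python
import re
import statistics
from dataclasses import dataclass

# Syslog-like line: optional <PRI>, timestamp, host, message (constructed format).
SYSLOG = re.compile(r"^(?:<\d+>)?(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>.*)$")

# Detection rules: (category, pattern, alarm immediately?). Categories follow
# NET.1.2.A7 and NET.1.2.A26; the patterns are constructed for the sample lines.
RULES = [
    ("unauthorized_access", re.compile(r"Failed password|authentication failure|denied", re.I), True),
    ("automation_error",    re.compile(r"ERROR .*(distribution|config)", re.I), False),
    ("unreachable",         re.compile(r"unreachable|not responding", re.I), True),
    ("hardware_fault",      re.compile(r"fan .* failed|power supply .* failed", re.I), True),
]
UTIL = re.compile(r"(?P<host>\S+) interface (?P<iface>\S+) utilization (?P<pct>\d+)%")


@dataclass
class Event:
    ts: str
    host: str
    category: str
    immediate: bool
    detail: str


def baseline_threshold(samples, k=3.0):
    """Alert threshold from normal-operation samples: mean + k standard deviations."""
    return statistics.mean(samples) + k * statistics.stdev(samples)


def classify(line, util_threshold):
    """Map one log line to an Event, or None if it is merely informational."""
    m = SYSLOG.match(line)
    if not m:
        return None
    ts, host, msg = m.group("ts"), m.group("host"), m.group("msg")
    for category, pattern, immediate in RULES:
        if pattern.search(msg):
            return Event(ts, host, category, immediate, msg)
    u = UTIL.search(msg)
    if u and int(u.group("pct")) > util_threshold:
        # performance/availability fluctuation: logged and batched, not alarmed
        return Event(ts, u.group("host"), "performance_fluctuation", False, msg)
    return None


def process(lines, util_threshold):
    """Split classified events into (alarm immediately, transmit in batch)."""
    immediate, batch = [], []
    for line in lines:
        ev = classify(line, util_threshold)
        if ev is not None:
            (immediate if ev.immediate else batch).append(ev)
    return immediate, batch


# Constructed baseline of interface utilization (%) during normal operation.
BASELINE_UTIL = [40, 45, 42, 48, 44, 41]

# Constructed sample log lines.
SAMPLE_LINES = [
    "<86>May  1 12:03:10 fw-edge sshd[1201]: Failed password for admin from 10.20.5.7 port 51022",
    "<27>May  1 12:03:12 nms01 configpush: ERROR distribution to core-sw2 failed: timeout",
    "<29>May  1 12:03:15 nms01 poller: core-sw3 unreachable (3 consecutive ICMP timeouts)",
    "<30>May  1 12:03:18 nms01 poller: core-sw1 interface Gi1/0/2 utilization 47%",
    "<30>May  1 12:03:20 nms01 poller: core-sw1 interface Gi1/0/1 utilization 97%",
    "<86>May  1 12:03:22 core-sw1 login: user ops1 logged in from 10.99.0.10",
    "<29>May  1 12:03:30 core-sw2 hw: fan 2 failed",
]

if __name__ == "__main__":
    threshold = baseline_threshold(BASELINE_UTIL)
    alarms, batched = process(SAMPLE_LINES, threshold)
    print(f"utilization threshold from baseline: {threshold:.1f}%")
    for ev in alarms:
        print("ALARM ", ev.ts, ev.host, ev.category)
    for ev in batched:
        print("BATCH ", ev.ts, ev.host, ev.category)
```

The successful login and the 47% reading produce no event: they are still written to the log, but only the categories the requirement names trigger an event, and only failures, unreachability and hardware faults leave as immediate alarms.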
NET.1.2.A27 Integration of Network Management into Emergency Planning (S)
The network management solutions SHOULD be integrated into the institution’s emergency planning. For this purpose, the network management tools and the configurations of network components SHOULD be backed up and integrated into restart plans.
NET.1.2.A28 Placement of Management Clients for In-Band Management (S)
For the administration of both internal and external IT systems, dedicated management clients SHOULD be used. For this purpose, at least one management client SHOULD be placed in the outer network area (for administration of IT systems adjacent to the Internet) and another in the internal area (for administration of internal IT systems).
NET.1.2.A29 Use of VLANs in the Management Network (S)
If management networks are separated by VLANs, care SHOULD be taken that the outer packet filter and the devices connected to it are located in their own subnet. In addition, it SHOULD be ensured that the application-level gateway (ALG) is not bypassed.
Requirements for High Protection Needs
The following are exemplary proposals for requirements for this building block that go beyond the level of protection corresponding to the state of the art. The proposals SHOULD be considered when there are high protection needs. The specific determination is made within the framework of an individual risk analysis.
NET.1.2.A30 Highly Available Implementation of the Management Solution (H)
Central management solutions SHOULD be operated with high availability. To this end, servers or tools including network connections SHOULD be designed redundantly. Individual components SHOULD also be provided with high availability.
NET.1.2.A31 Exclusive Use of Secure Protocols (H)
For network management, ONLY secure protocols SHOULD be used. All security functions of these protocols SHOULD be used.
NET.1.2.A32 Physical Separation of the Management Network (H) [Planners]
The management network SHOULD be physically separated from the productive networks.
NET.1.2.A33 Physical Separation of Management Segments (H) [Planners]
Physically separated zones SHOULD be established at minimum for the management of LAN components, security components, and components for external connections.
NET.1.2.A34 DISCONTINUED (H)
This requirement has been discontinued.
NET.1.2.A35 Specifications for Evidence Preservation (H)
The collected log data SHOULD be archived in a legally compliant and audit-proof manner for forensic analyses (see also DER.2.2 Provision for IT Forensics).
NET.1.2.A36 Integration of Network Management Logging into a SIEM Solution (H)
The logging of network management SHOULD be integrated into a Security Information and Event Management (SIEM) solution. For this purpose, the requirements catalogs for selecting network management solutions SHOULD be adapted with regard to the required support for interfaces and transfer formats (see NET.1.2.A2 Requirements Specification for Network Management).
NET.1.2.A37 Cross-Site Time Synchronization (H)
Time synchronization SHOULD be ensured across all sites of the institution. A common reference time SHOULD be used for this purpose.
NET.1.2.A38 Specification of Emergency Operation Modes for the Network Management Infrastructure (H)
For rapid restoration of the target states of software or firmware and configuration of components in the network management infrastructure, sufficiently good fallback solutions SHOULD be specified.
Additional Information
Good to Know
The International Organization for Standardization (ISO) formulates specifications for securing networks in standard ISO/IEC 27033 “Information technology - Security techniques - Network security - Part 1: Overview and concepts to Part 3: Reference networking scenarios - Threats, design techniques and control issues.”
The BSI has published the further document “Secure Connection of Local Networks to the Internet (ISi-LANA)” on the topic of network management.