Recommendation for internet service providers
According to Section 109 of the German Telecommunications Act (Telekommunikationsgesetz, TKG), internet service providers (ISP) must put suitable technical provisions and other safeguards in place. The Federal Network Agency has produced, in consultation with the BSI, a catalogue of security requirements relating to the operation of telecommunications and data processing systems and the processing of personal data. This catalogue (referred to hereafter as the Security Criteria) is intended to serve as the basis for the security concept according to Section 109 of the TKG.
The BSI has since worked together with internet service providers to publish detailed recommended actions on a range of topics. These recommendations flesh out the safeguards described in the Security Criteria mentioned above and reflect the state of the art (best current practice).
Securing telemedia services according to the state of the art
The German IT Security Act is intended to significantly improve the security of information technology (IT) systems. The new regulations are designed to make IT systems more secure in terms of the aspects that are to be protected by IT security safeguards (availability, integrity, confidentiality and authenticity). This will then enable existing and future threats to IT security to be countered effectively.
In the context of the German IT Security Act, the German Telemedia Act (Telemediengesetz, TMG) was also amended to place greater responsibility on the persons in charge of telemedia offered in the ordinary course of business to protect their IT systems (see Section 13 (7) of the TMG).
This document is aimed at those addressed by Section 13 (7) of the TMG and gives recommendations as to which state-of-the-art safeguards must be taken into account. The first step explains the different types of telemedia service provider according to the TMG. Then in the second step, the technical and organisational safeguards to be taken into account for each type of provider are illustrated based on different use cases.
Absicherung von Telemediendiensten nach Stand der Technik
Secure provision of online advertising -- securing ad servers
The discussion paper 'Sicheres Bereitstellen von Online-Werbung -- Absicherung von Ad-Servern' ('Secure provision of online advertising -- securing ad servers') is aimed specifically at those involved in the online advertising industry, particularly ad server operators and marketers. The document makes recommendations as to which state-of-the-art measures must be taken into account in order to technically secure IT systems in the online advertising industry. The safeguards presented here have a two-fold objective: to provide more detail about and to expand on the safeguards already specified in the ' Absicherung von Telemediendiensten nach Stand der Technik Absicherung von Telemediendiensten nach Stand der Technik cyber security recommendation.
Sicheres Bereitstellen von Online-Werbung v1.0
Provision of secure ISP services
This cyber security recommendation provides an overview of the relevant technical recommended actions and essential organisational aspects.
Sichere Bereitstellung von ISP-Dienstleistungen v2.0
Malware protection
If malware is present on connected customer systems, it can damage the infrastructure of ISPs by sending spam or conducting DDoS attacks, for example. The 'Malware-Schutz' ('Malware protection') recommended action contains a summary of the safeguards that providers serving private customers should put in place to protect against malware. The recommendations cover customer support, technical safeguards and cooperation between providers.
Malware-Schutz: Handlungsempfehlungen für Internet-Service-Provider v2.0
Secure web hosting
Insufficiently secured websites and web servers on the internet must be seen as potential paths for spreading malware and therefore constitute a basic threat. The BSI recommendation 'Sicheres Webhosting' ('Secure web hosting') is intended for web hosts and addresses safeguards for improving security for web hosting customers. For this, the different phases of web hosting and basic safeguards will be taken into consideration.
E-mail security
Despite several predictions that online communications will shift more to social networks in future, e-mail is still the most popular medium for sending electronic messages at the moment. But this goes hand in hand with the fact that e-mail is still one of the most popular channels for spreading malware such as viruses, worms and Trojans. Also incredibly irritating is the huge volume of spam messages, which continue to make up the vast majority of all the e-mails that are being sent. The 'E-Mail-Sicherheit' ('E-mail security') recommended action brings together various safeguards that aim to contain malware and spam, as well as protect mailboxes.
E-Mail-Sicherheit: Handlungsempfehlungen für Internet-Service-Provider v2.0
Secure provision of domain services
Internet domains are an essential part of any internet connection, since all the content of internet services is usually addressed via domain names. It is therefore incredibly important to be able to register and manage internet domains reliably via the global Domain Name System (DNS). The 'Sichere Bereitstellung von Domaindienstleistungen' ('Secure provision of domain services') recommended action outlines how to provide domain services securely and counter any malicious use of domain names.
Sichere Bereitstellung von Domaindienstleistungen v1.0
Secure provision of DNS services
The DNS protocol has some general weaknesses. This means new vulnerabilities that enable DNS entries to be manipulated are being discovered on a regular basis. The 'Sichere Bereitstellung von DNS-Diensten' ('Secure provision of DNS services') recommended action describes the key aspects that must be implemented to ensure DNS servers can operate securely and reliably.
Sichere Bereitstellung von DNS-Diensten v1.0
Domain Name System Security Extensions (DNSSEC)
The BSI has published a cyber security recommendation about DNSSEC to increase its acceptance and encourage take-up. Titled 'Umsetzung von DNSSEC' ('DNSSEC implementation'), the recommendation is aimed at domain holders as well as users and registrars. It brings together the key aspects that must be taken into account when implementing and running DNSSEC.
Study into whether internet routers are compatible with DNSSEC
This study tested internet routers, which are installed at private internet connections in Germany as standard, to verify whether they were compatible with the Domain Name Security Extensions (DNSSEC) and examine their other security features. The study was conducted in collaboration with interested manufacturers and internet providers. The study did not focus on capturing as comprehensive a picture of the German market as possible, nor on producing individual evaluations or product recommendations. The study is dated April 2010.
DNSSEC-Tauglichkeit von Internetzugangsroutern
Safeguarding against reflection attacks
In 2014, the BSI observed a marked increase in distributed denial of service (DDoS) attacks using what are known as reflection methods. In these attacks, the target system is not attacked directly; rather, publicly accessible services on the internet are misused instead. The 'Maßnahmen gegen Reflection Angriffe' ('Safeguarding against reflection attacks') document brings together a range of ways to protect systems against being exploited in reflection attacks.
Maßnahmen gegen Reflection Angriffe v1.1
Anti-DDoS safeguards
The 'Anti-DDoS-Maßnahmen' ('Anti-DDoS safeguards') recommended action describes safeguards that can be implemented internally and in collaboration with customers to help counter DDoS attacks and their consequences.
IPv6 for internet service providers
The 'IPv6 für Internet-Service-Provider' ('IPv6 for internet service providers') recommended action gives information that should be taken into account when introducing IPv6.
IPv6 für Internet-Service-Provider v2.0
Inter-domain routing
Inter-domain routing refers to routing across multiple autonomous systems. This type of routing is primarily administered by internet service providers. The Border Gateway Protocol (BGP) is the de facto standard for inter-domain routing on the internet. Careless or insufficiently tested interventions in the routing process can lead to sub-areas of the network becoming inaccessible or cause communication channels to be bypassed undetected. Therefore, it is especially important to put safeguards in place to prevent BGP routers being manipulated. The 'Inter-Domain-Routing' ('Inter-domain routing') recommended action brings together popular best practices and recommendations for improving the security of internet routing.
Broadband router test concept
The BSI's test concept is primarily aimed at internet service providers and manufacturers of broadband routers. It follows a fully documented procedure and allows for the relevant security features of routers to be reviewed. The key points of the test concept deal with basic security-relevant functions, as well as support for and compliance with established security standards. The test concept also deals with examples of known security risks and attack scenarios.
Two sections that deal, inter alia, with the identification of potential vulnerabilities and are therefore classed as TLP Amber according to the Traffic Light Protocol, have not been published. Interested parties can request the full version of this document if they consent to abide by the Traffic Light Protocol confidentiality agreement and provide assurances they will not use this information to conduct unauthorised attacks on routers by e-mailing routertestkonzept@bsi.bund.de.
