Security & Compliance Report

Network Topology

1. Introduction

This report summarizes the key findings from the analysis of network and system configurations, taking into account the relevant NIS2 and TISAX requirements. The configuration of NTP, password policies, syslog setups, and access lists are essential building blocks of a robust ISMS and are critical for compliance.

The network plays a pivotal role: as the "data backbone" of any organization, it largely determines how securely information can be transmitted, stored, and managed. A stable and well-secured network architecture forms the foundation for effective security measures and minimizes the risk of attacks or misconfigurations.

2. Findings Summary

• Total number of findings: 208
• Distribution by severity:

Medium: 73

Warning: 51

Info: 52

High: 32

3. Details per category

NTP Timeserver Issues (71) (Click to expand/collapse)

Password Policy Issues (48) (Click to expand/collapse)

Remote Access (Telnet/SSH) Findings (0) (Click to expand/collapse)

IPSec / IKE Findings (30) (Click to expand/collapse)

ASA Failover Issues (5) (Click to expand/collapse)

VRF Usage Issues (0) (Click to expand/collapse)

Syslog & SNMP Issues (32) (Click to expand/collapse)

Unused Services Issues (22) (Click to expand/collapse)

Single Point of Failure Analysis (Click to expand/collapse)

Unused ACLs (40) (Click to expand/collapse)

ACL Trace / Flow Analysis (0) (Click to expand/collapse)

4. Compliance Mapping (TISAX / NIS2)

NTP Synchronization (TISAX requirement e.g. AL2.5 "Timestamp", NIS2 Art. 20/21): Precise and reliable time synchronization is essential for correct event logging and system integrity. Only in this way can security events be forensically correlated and cross-log analysis be performed accurately.

Syslog Configuration (TISAX e.g. AL2.5 "Logging & Monitoring", NIS2 Art. 20/21): Central collection and analysis of log data supports both TISAX/ISMS and NIS2 (detection and reporting of incidents). Central syslog collection is also essential for tamper-proof long-term archiving of log data, ensuring traceability of when and where incidents occurred.

Password Policies (TISAX AL2.1.x "Password Policies", NIS2 Art. 21 "Access Control"): Complex and enforced password policies are among the key requirements in TISAX and NIS2 regarding user and identity management. This includes minimum length, special characters, regular changes, lockout mechanisms, and multi-factor authentication (MFA) depending on risk.

Access Lists (ACLs) (TISAX AL3 "Network Security Requirements", NIS2 Art. 21 "Segmentation"): ACLs provide segmentation and flow control within the network. Insufficient or incorrect ACL usage can create significant vulnerabilities. TISAX requires clear segmentation and access rules; NIS2 also demands adequate technical and organizational measures to protect infrastructures.

Telnet vs. SSH (TISAX AL2.5 "Encryption in Transit", NIS2 Art. 20 "Cyber Hygiene"): Older, unencrypted protocols such as Telnet pose a major security risk. TISAX and NIS2 emphasize secure management access — i.e., SSH instead of Telnet. This ensures a basic level of encryption and protection against man-in-the-middle attacks.

IPSec / VPN (TISAX AL2.5 or AL3.3 "Cryptography", NIS2 Art. 20/21): Secure VPN connections using IPSec (e.g., IKEv2 with strong algorithms such as AES-256 and DH Group14+) are essential to protect site-to-site or remote access communication. TISAX requires adequate encryption for data in transit; NIS2 requires effective measures against eavesdropping and tampering.

Unused Services (TISAX AL2.x "Hardening", NIS2 Art. 20 "Cyber Hygiene"): Services or ports not needed should be consistently disabled. This minimizes the attack surface and makes it harder for attackers to exploit unnoticed vulnerabilities. Both TISAX and NIS2 require regular review and updating of system configurations to avoid security gaps.

VRF Usage (TISAX AL3 "Network Separation", NIS2 Art. 21): Virtual Routing & Forwarding (VRF) enables logical separation of routing tables and instances. This is important when systems with different protection needs are operated. Incorrect configuration may create gaps; therefore VRF should be implemented in line with TISAX (AL3) and NIS2 segmentation requirements.

SNMP Security (TISAX AL2.5 "Secure Management", NIS2 Art. 20): Legacy SNMP versions (v1, v2c) are insecure (e.g., plaintext community strings). TISAX and NIS2 demand modern secure protocols such as SNMPv3 (encryption, authentication) to prevent unauthorized access or manipulation.

Single Point of Failure (SPOF) & Redundancy (TISAX AL2.10 or AL3.2 "Contingency Management", NIS2 Art. 21): In a highly available IT environment, potential SPOFs must be identified and eliminated wherever possible. TISAX requires emergency plans and redundancy concepts to ensure continued operation during failures. NIS2 also emphasizes appropriate measures for business continuity and resilience against disruptions.

6. Extended Compliance Mapping (current ISO/IEC 27001:2022) (Click to expand/collapse)

ISO 27001 / ISO 27002

ISO 27001 has become the "de-facto standard" for information security. Based on the ISO 27002 controls, technical measures such as logging, cryptography, or network segmentation can be evaluated. The configuration recommendations in this report (e.g., password security, use of ACLs) are essential for successful implementation of these controls.

CIS Controls / CIS Benchmarks

The CIS Controls provide a prioritized list of important cybersecurity measures (e.g., inventory, access control, monitoring). The CIS Benchmarks also contain very detailed hardening recommendations for systems such as Cisco IOS, ASA, Linux, or Windows. The results and recommendations from this report (e.g., for NTP, syslog, or password policies) can be directly applied to CIS guidelines and promote consistent best practice implementation.

NIST SP 800-53 / NIST CSF

The guidelines from the National Institute of Standards and Technology (NIST) are especially established in the US, but are also applied internationally. The NIST Cybersecurity Framework (CSF) (with its five functions "Identify", "Protect", "Detect", "Respond", and "Recover") covers both technical and organizational security requirements. The weaknesses highlighted in this report (e.g., insecure remote access or missing log monitoring) clearly fall within the "Protect" and "Detect" categories, emphasizing the need for action.

BSI IT-Grundschutz (specific to Germany)

For organizations in Germany, BSI IT-Grundschutz provides a binding framework for security measures. Network components are found in modules such as NET.1.1 (Routers & Switches) and SYS.1.1 (General Servers). Secure configurations (e.g., encrypted management access, service password-encryption) significantly contribute to achieving IT-Grundschutz goals.

PCI DSS (when processing credit card data)

In e-commerce, the Payment Card Industry Data Security Standard (PCI DSS) is of central importance. It prescribes strict rules for logging, network segmentation, patch management, and encryption to protect credit card data. The weaknesses identified in this report (e.g., open Telnet ports or unencrypted passwords) should be fixed as quickly as possible with PCI DSS in mind.

HIPAA (Healthcare, US data protection)

For healthcare organizations (e.g., hospitals or healthcare IT), HIPAA (Health Insurance Portability and Accountability Act) is especially relevant. Audit trails, access protection, and strong encryption standards are critical. Insecure remote connections or missing syslog configurations can quickly lead to violations in a HIPAA audit.

Other industry-specific standards & Critical Infrastructure

In addition, there are numerous other requirements, including:

• Banking & finance: BaFin (Germany), EBA Guidelines, BCBS 239.
• Automotive: TISAX and VDA-ISA (already mentioned).
• Critical Infrastructure (KRITIS) in DE/EU: NIS2, Kritis Regulation and national implementations.

"Critical infrastructure" refers to infrastructures whose failure or impairment could cause lasting supply shortages or significant disruptions to public safety. Here, particularly high requirements apply to availability and stability of IT systems, including secure network architecture and a functioning ISMS.

5. Recommendations & Conclusion

To address the identified weaknesses and improve IT security, you should, among other things:

• Configure correct NTP servers and regularly check their availability and accuracy.
• Enforce strict password policies with clear requirements for complexity and length.
• Establish comprehensive syslog monitoring to detect security-relevant events early.
• Remove or update unused ACLs to keep rule sets lean and secure.
• Update IPSec settings to SHA-256 (or higher) and DH Group14 (or higher).
• Consistently replace Telnet access with SSH.
• Fully complete ASA failover configurations (including failover lan unit and failover interface).
• Where appropriate, implement VRFs for network segmentation instead of using the "default VRF".

With these measures you can better meet TISAX and NIS2 requirements while also considering other frameworks such as ISO 27001/27002, CIS Benchmarks, NIST CSF, BSI IT-Grundschutz, or KRITIS. A secure and optimally configured network significantly reduces the attack surface and represents a crucial element of any effective IT security strategy.