Put the modems on a machine parallel to your main firewall,
with the same authentication method you use for sessions from the
outside. Use a SCSI or SBus terminal server; it's worse on your CPU,
but easier to trace the signal path, and ensure that users use strong
authentication.
I like Central Data Systems term servers; they connect to the
SCSI port. Aurora & Magma make S/bus terminal boards. I wrote a Sun
Managers summary about the three, if you're interested:
ftp://duke.bwh.harvard.edu/pub/adam/term-servers.short, term
servers.gz is the full set of responses.
| Are there generally recommended way(s) in which to set up a
| pool of modems for dialin (possibly dialback) capability whilst
| remaining secure ?
| 1. Recently I have heard that dialback modems aren't as secure as
| once (?) thought. Does anyone have any experiences/war-stories/
| hard facts on this ?
Phone switches are computers outside your control. Should you
trust them for your security?
| 2. I have heard of a device that can attach to the phone network &
| monitor the target phone number & log data (passwords ?) from it
| for later re-use. Would Bellcore S/Key be strong enough to defeat this
| in as much as, "so what if you see the password, it's only valid once".
Yes. It would not prevent taking over of the connection, but
I do not know how realistic that threat is. I do know people have
hacked past dial back modems by attacking switches.
| 3. Possibly using a low-end cisco with modem support, alternatively a
| telebit netblazer, but I've heard there are problems with its *strange*
| optimisation with the rules you supply it. Any preferences/why ?
Are you really familiar with it? Why not use a unix box of
your choice with a terminal server?
adam
--
* Support The Phil Zimmermann legal defense fund *
http://www.netresponse.com/zldf
"It is seldom that liberty of any kind is lost all at once."
-Hume
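
The point in answer 2, that a one-time password logged off the phone line is useless afterwards, shown as an added example that is not part of the original message. It is a sketch of an S/Key-style hash chain; SHA-256 stands in for the hash S/Key actually used, and the class, function names, seed and passphrase are constructed for illustration.

```python
import hashlib

def h(data: bytes) -> bytes:
    # Stand-in one-way function (assumption: SHA-256, not S/Key's own hash).
    return hashlib.sha256(data).digest()

def chain(secret: bytes, seed: bytes, n: int) -> bytes:
    """Return the n-th link: h applied n times to seed+secret."""
    value = seed + secret
    for _ in range(n):
        value = h(value)
    return value

class Server:
    """Holds only the last accepted password and its sequence number,
    never the user's secret."""
    def __init__(self, seed: bytes, n: int, initial: bytes):
        self.seed, self.n, self.last = seed, n, initial

    def challenge(self):
        # Ask for the link one step *before* the stored one.
        return self.n - 1, self.seed

    def verify(self, otp: bytes) -> bool:
        # Valid only if hashing the response once gives the stored value.
        if self.n <= 1 or h(otp) != self.last:
            return False
        self.last, self.n = otp, self.n - 1   # each password is spent on use
        return True

def demo():
    secret, seed = b"constructed passphrase", b"ke1234"   # constructed values
    server = Server(seed, 100, chain(secret, seed, 100))

    count, s = server.challenge()
    otp = chain(secret, s, count)          # what a line monitor would log
    first = server.verify(otp)             # legitimate login
    replay = server.verify(otp)            # same value sent again
    forward = server.verify(h(otp))        # hashing forward gives a spent link
    count2, s2 = server.challenge()
    next_login = server.verify(chain(secret, s2, count2))  # needs the secret
    return first, replay, forward, next_login

if __name__ == "__main__":
    print(demo())
```

As the reply says, this covers replay of a logged password only; it does nothing about someone taking over the connection after login.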