Great Circle Associates Firewalls
(April 1995)
 


Subject: Re: Secure Modem Pool
From: Christian Wettergren <cwe @ it . kth . se>
Date: Tue, 25 Apr 95 09:46:16 +0200
To: joshua geller <alkahest!joshua @ dee . retix . com>
Cc: se @ adv . sbc . sony . co . jp, firewalls @ greatcircle . com
In-reply-to: Your message of Mon, 24 Apr 95 16:04:46 PDT. <199504242304 . QAA08915 @ alkahest . isas . com>

|    Brief background:
|    SLIP/PPP are not involved, & the users have DOS pc's at home, 
|    connecting into a SunOS 4.x box - this small network is soon to be
|    connected via a leased line to a larger main network - which 
|    will supply the inet connection & will have the firewall
|    setup - our only concern here is securing the modems at the 
|    small site.

Make sure no one can use your modems for out-going calls.

|    1. Recently i have heard that dialback modems aren't as secure as
|       once (?) thought. Does anyone have any experiences/war-stories/
|       hard facts on this ?

I would not rely on it as a secure mechanism in general. There are some
gaps in the timing sequence (at least in Sweden) that can be exploited to
fool the modems.

Also, beware of over-intelligent modems. Some of them are configurable from
remote, and an attacker can hence mess with the RTS/CTS/CDC signals.
We might also tweak with other things like Caller-ID and so on.

|    2. I have heard of a device that can attach to the phone network &
|       monitor the target phone number & log data (passwords ?) from it
|       for later re-use. Would Bellcore S/Key be strong enough to defeat this
|       in as much as, "so what if you see the password it's only valid once".

It is (almost) as simple as to hook up a laptop with two modems on it,
one in nailed-up mode and one in "ordinary" mode. Then just copy data from
one modem to the other and copy the result in between. Alternatively, change
it to something you like better.

|    3. Possibly using a low-end cisco with modem support, alternatively a
|       telebit netblazer, but i've heard there's problems with its *strange*
|       optimisation with the rules you supply it. Any preferences/why ?

|    4. Would it be a good idea to screen the modems off into another subnet
|       & monitor that net for dialin attempts ?

We're planning to put the annex behind a Sun on an extra ethernet. The machine
would then run a gated to route them to the ordinary network, but with some
additional filtering (since we use PPP). The Tacacs daemon would run on the 
Sun, so the passwords/authentication info will not be sniffable on our 
ordinary nets. The Sun will be fortified, and it is possible to use it as an
independent tap point/blocker.

This is just an idea, we have not implemented it, and it is maybe overkill.

/Christian Wettergren, cwe @ it . kth . se
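
The replay question in point 2, as an added example that is not part of the original message: a simplified Lamport hash chain of the kind S/Key is built on, showing what a logged password is worth afterwards. SHA-256, the seed, the passphrase and all names are assumptions made for the sketch; S/Key's own hash and word encoding are not reproduced.

```python
import hashlib

def h(data: bytes) -> bytes:
    # One-way function. SHA-256 is an assumption chosen for this sketch.
    return hashlib.sha256(data).digest()

def chain(secret: bytes, seed: bytes, n: int) -> bytes:
    """Return h applied n times to seed+secret (the n-th one-time password)."""
    value = seed + secret
    for _ in range(n):
        value = h(value)
    return value

class Server:
    """Holds only the last accepted value, never the user's secret."""
    def __init__(self, seed: bytes, count: int, top: bytes):
        self.seed = seed
        self.count = count    # index of the value currently stored
        self.stored = top     # h^count(seed+secret)

    def challenge(self):
        # Ask the user for the value one step *below* the stored one.
        return self.count - 1, self.seed

    def verify(self, response: bytes) -> bool:
        if self.count <= 1:
            return False      # chain used up: user must re-initialise
        if h(response) != self.stored:
            return False      # not the preimage of the stored value
        self.stored = response
        self.count -= 1       # each value is accepted exactly once
        return True

def demo():
    # Constructed sample values, not taken from the thread.
    secret, seed = b"constructed passphrase", b"ke1234"
    server = Server(seed, 100, chain(secret, seed, 100))

    n, s = server.challenge()
    otp = chain(secret, s, n)         # computed on the user's side
    logged = otp                      # what a line monitor would record

    first = server.verify(otp)        # legitimate login
    replay = server.verify(logged)    # same value sent again later
    forward = server.verify(h(logged))  # hashing forward yields only old values
    return first, replay, forward

if __name__ == "__main__":
    print(demo())
```

The one-time value only covers the login exchange: data copied or changed in between after the login, as described in the reply to point 2, is outside what this check protects.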

