| Brief background:
| SLIP/PPP are not involved, & the users have DOS pc's at home,
| connecting into a SunOS 4.x box - this small network is soon to be
| connected via a leased line to a larger main network - which
| will supply the inet connection & will have the firewall
| setup - our only concern here are is securing the modems at the
| small site.
Make sure noone can use your modems for out-going calls.
| 1. Recently i have heard that dialback modems arent as secure as
| once (?) thought. Does anyone have any experiences/war-stories/
| hard facts on this ?
I would not rely on it as a secure mecanism in general. There are some
gaps in the timing sequence (at least in Sweden) that can be exploited to
fool the modems.
Also, beware of over-intelligent modems. Some of them are configurable from
remote, and an attacker can hence mess with the RTS/CTS/CDC signals.
We might also tweak with other things like Caller-ID and so on.
| 2. I have heard of a device that can attach to the phone network &
| monitor the target phone number & log data (passwords ?) from it
| for later re-use. Would Bellcore S/Key be strong enough to defeat this
| in as much as, "so what if you see the password its only valid once".
It is (almost) as simple as to hook up a laptop with two modems on it,
one in nailed-up mode and one in "ordinary" mode. Then just copy data from
one modem to the other an copy the result in between. Alternatively, change
it to something you like better.
| 3. Possibly using a low-end cisco with modem support, alternatively a
| telebit netblazer, but i've heard there's problems with its *strange*
| optimisation with the rules you supply it. Any preferences/why ?
| 4. Would it be a good idea to screen the modems off into another subnet
| & monitor that net for dialin attempts ?
We're planning to put the annex behind a Sun on an extra ethernet. The machine
would then run a gated to route them to the ordinary network, but with some
additional filtering (since we use PPP). The Tacacs daemon would run on the
Sun, so the passwords/authentification info will not be sniffable on our
ordinary nets. The Sun will be fortified, and it is possible to use it as an
independent tap point/blocker.
This is just an idea, we have not implemented it, and it is maybe overkill.
/Christian Wettergren, cwe @