Great Circle Associates Firewalls
(December 1995)
 


Subject: re: Dial-ups
From: "Paul D. Robertson" <proberts @ clark . net>
Date: Tue, 19 Dec 1995 19:16:34 -0500 (EST)
To: "A. Padgett Peterson, P.E. Information Security" <PADGETT @ hobbes . orl . mmc . com>
Cc: firewalls @ GreatCircle . COM
In-reply-to: <951219134455 . 2022733d @ hobbes . orl . mmc . com>

On Tue, 19 Dec 1995, A. Padgett Peterson, P.E. Information Security wrote:

> Brain21 wrote:
> >One question... Outside of a 1-800 # how does one *get* ANI?  I would not 
> >trust CID since anyone can dial *67 before their call or have a CID block 
> >put on their phone if *67 is not available in their area.
> 
> Well you can get ANI on any line if you want to pay for it. 1-900 & 976 I
> know can get it, not sure about 700 and 500 series.

Not *any* line, since ANI is a byproduct of the phone switching system, 
it has to come off of the local switch, as it is part of the call routing,
a normal business drop doesn't have this capability.  I'm not sure that 
the local telco can legitimately pass ANI to a regular number, if it's due 
to the switch ports, or FCC regs, I don't know.

> 
> However the nice thing about CNID is that private/blocked calls are
> detectable before the phone is answered. You can either refuse to
> answer or re-route to a human/voice message.
> 

CNID is sent just before the ring signal, but unlike ANI isn't used in 
routing the call, it's out of band for routing, but in band as far as the 
signal goes.  Some CNID equipment will only store the last CNID block, making 
it open to spoofing (pass the new spoofed CNID after the last ring, 
before the authentication portion of the modem has grabbed it), for truly 
good CNID, the ID equipment should only collect CNID on a line that is on-hook,
and before first ring.  It is possible, however for CNID to not be passed by 
the switch, if it can't service the request in time, and since, unlike ANI it 
isn't part of the call routing, it's not the same level of assurance as 
ANI, which is at least good to the outbound trunk of the originating 
switch.  Remember ANI is in-band for routing, but out of band for the call, 
making it unspoofable.  CNID is not.

It's been a while since I did voice switch work, and most of this is 
gleaned from conversations, directly accurate information should be 
gleaned from Telecom Digest, or your local telco.  Not that anyone here 
will not feel free to correct me :)

Paul.
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
proberts @ clark . net      which may have no basis whatsoever in fact."
                                                                     PSB#9280
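
The following is an added example, not part of the original message: a small model of the CNID handling discussed above, comparing equipment that keeps only the last CNID block with a gate that keeps a block only when the line is on-hook and no ring has occurred. The event names, numbers, withheld markers and routing outcomes are constructed for illustration.

```python
"""CNID gate for a dial-up line. Event model and all values are constructed."""

ALLOWED = {"4075550100"}      # constructed allow-list of caller numbers
WITHHELD = {"P", "O"}         # constructed markers: private / unavailable


def caller_id_seen(events, strict):
    """Return the CNID the authentication step would use for one call.

    events: sequence of (kind, value), kind in {"CNID", "RING", "OFFHOOK"}.
    strict=False models equipment that stores only the last block received.
    strict=True keeps a block only if the line is on-hook and no ring has
    occurred yet, and never overwrites it during the same call.
    """
    stored, rings, off_hook = None, 0, False
    for kind, value in events:
        if kind == "RING":
            rings += 1
        elif kind == "OFFHOOK":
            off_hook = True
        elif kind == "CNID":
            if not strict:
                stored = value                  # last block wins
            elif not off_hook and rings == 0 and stored is None:
                stored = value                  # first pre-ring block only
        else:
            raise ValueError(f"unknown event {kind!r}")
    return stored


def decide(events, strict=True):
    """Map one call to 'modem', 'reroute' (human/voice message) or 'reject'."""
    cnid = caller_id_seen(events, strict)
    if cnid is None or cnid in WITHHELD:
        return "reroute"    # not delivered by the switch, or blocked by caller
    return "modem" if cnid in ALLOWED else "reject"


# Constructed call traces.
NORMAL = [("CNID", "4075550100"), ("RING", None), ("OFFHOOK", None)]
LATE = [("CNID", "3015550199"), ("RING", None), ("RING", None),
        ("CNID", "4075550100"), ("OFFHOOK", None)]   # second block after rings
BLOCKED = [("CNID", "P"), ("RING", None), ("OFFHOOK", None)]
MISSING = [("RING", None), ("OFFHOOK", None)]        # switch sent no CNID

if __name__ == "__main__":
    for name, trace in [("normal", NORMAL), ("late", LATE),
                        ("blocked", BLOCKED), ("missing", MISSING)]:
        print(name, decide(trace, strict=False), decide(trace, strict=True))
```

A missing block is rerouted rather than rejected here only because the quoted message mentions re-routing to a human or voice message; a site could equally refuse to answer.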


