> From: John Gibbins <johng@ichr.uwa.edu.au>
> 1) The phone number is not listed so no one will find it.
Maybe. Depends on the scenarios you wish to consider. Somebody blind dialing
might find it. Somebody targeting your company might find it, at either
end (i.e. they might be able to obtain a list of company phone numbers or might
track the employee's calls).
> 2) They will not be able to subvert the dial-back process.
On a single modem attached directly to a Mac? Don't count on it. There are
several known attacks on this type of setup. Maybe they won't work, but maybe
they will. Do you know how to test for *ALL* of them?
> 3) They will not know that they need to talk the Appletalk Remote Access
> protocol if they do get through.
Again, depends on the scenario. There are only a few likely choices for a
dial-up protocol: ASCII stream, PPP, SLIP, ARA. If I know you have a Mac and
you use it to dial in, I would guess ARA. If I don't know, I might try each
in turn.
> 4) ARA will prompt for a password so you can't get in without knowing it.
Maybe. Like anything else, it takes experience to make it work right. ARA
has provision for Guest dialups. All it takes is the wrong click of the mouse.
And then again, ARA sends the password in the clear, so a wire tap could find
the password.
> 6) If they did break into a machine on our network, they would not be able
> to go any further.
There are free packet sniffers. And commercial ones are not prohibitively
expensive. Are there any other Macs on your network? Any servers? Any of
these with guest access would be wide open. Do you have any PostScript
laser printers? Suppose a malicious intruder changed all the passwords? Do
you know how to set them back? I don't, but it can be done. Would you be
willing to put a Mac outside your building with a cable to your Net?
Now, having said all that, we do allow ARA access by our employees to our Net.
However, we are in the process of implementing a smart card system and the
ARA server is administered by me, is physically secured and is dedicated to
that purpose. And I still worry about it. If Apple designed a binary protocol
that requires that passwords be sent and stored in the clear, what other holes
might be in there?
Brian Utterback <blu@mc.com>          Manager Technical Networks
Mercury Computer Systems, Inc.        (508) 256-1300 x168
199 Riverneck Road                    (508) 256-3599 FAX
Chelmsford, MA 01824                  You can't grep dead trees.