>
>
>Questions:
>
>Are there generally recommended way(s) in which to set up a
>pool of modems for dialin (possibly dialback) capability whilst
>remaining secure ?
>
>Brief background:
>SLIP/PPP are not involved, & the users have DOS PCs at home,
>connecting into a SunOS 4.x box - this small network is soon to be
>connected via a leased line to a larger main network - which
>will supply the inet connection & will have the firewall
>setup - our only concern here is securing the modems at the
>small site.
>
>The following thoughts have occurred to me - please comment/criticise
>constructively.
>
>1. Recently I have heard that dialback modems aren't as secure as
> once (?) thought. Does anyone have any experiences/war-stories/
> hard facts on this ?
>2. I have heard of a device that can attach to the phone network &
> monitor the target phone number & log data (passwords ?) from it
> for later re-use. Would Bellcore S/Key be strong enough to defeat this,
> in as much as, "so what if you see the password, it's only valid once".
>3. Possibly using a low-end cisco with modem support, alternatively a
> telebit netblazer, but I've heard there's problems with its *strange*
> optimisation with the rules you supply it. Any preferences/why ?
>4. Would it be a good idea to screen the modems off into another subnet
> & monitor that net for dialin attempts ?
>
>
>Thanks & Regards
>
>Steve
>
>
>
Obviously, being a university environment with few trade secrets to hide
we're not worried about the high-tech PBX/line snoopers out there.
S/Key would be probably the most effective solution on a cost/benefit ratio.
However, our users would probably object to having a different password
each time.
Having said that, we have a modem pool hanging off of a Sun workstation
multi-port expander. The standard getty and login have been replaced to
provide 2 levels of passwords. 1 is the user's private password
(which is different from his regular login password on the network and
is unique to the modem machine).
2 is the shared password. This is a password which is common and kind of
a passphrase to be able to use the host. Both passwords are expired quarterly,
with a 2-week overlap period for the shared password while we propagate the
information out to the account holders.
So, even if somebody happens to know the username and password for somebody
who has an account on the modem machine (restricted access machine for
only those that have accounts), it does him no good because
1) it's a different password (hopefully - we really couldn't know if it
wasn't)
2) there's a second password that only legitimate account holders know.
Disclaimer: yes, it's not the best security in the world, but it's good
enough for us, and that's the key.
--
____________________________________________________________________________
Doug Hughes                                     Engineering Network Services
System/Net Admin                                Auburn University
doug@eng.auburn.edu
"Real programmers use cat > file.as"
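The S/Key property the question relies on ("so what if you see the password, it's only valid once") comes from a Lamport hash chain: the host stores only the last password it accepted, and each new one must hash to it. The following is an added illustration, not code from either poster or from Bellcore's S/Key; it keeps S/Key's chain structure but substitutes SHA-256 for S/Key's folded MD4, and the secret, seed and chain length are constructed sample values.

```python
import hashlib
import hmac

def one_way(x: bytes) -> bytes:
    """One step of the chain. Real S/Key uses MD4 folded to 64 bits;
    SHA-256 is an assumption made here for portability."""
    return hashlib.sha256(x).digest()

def otp_at(secret: str, seed: str, n: int) -> bytes:
    """The n-th one-time password: the one-way function applied n times
    to seed||secret. Only the client (who knows the secret) can compute it."""
    x = (seed + secret).encode()
    for _ in range(n):
        x = one_way(x)
    return x

class SkeyHost:
    """Host side: stores seed, sequence number and the last accepted OTP,
    never the secret. A captured OTP cannot be replayed because, once
    accepted, it becomes the value the *next* OTP must hash to."""
    def __init__(self, seed: str, n: int, initial: bytes):
        self.seed = seed
        self.seq = n          # client must next present otp_at(..., seq - 1)
        self.last = initial   # otp_at(secret, seed, n), set at enrolment

    def challenge(self) -> tuple[int, str]:
        return (self.seq - 1, self.seed)

    def verify(self, submitted: bytes) -> bool:
        if self.seq <= 1:
            return False      # chain exhausted; user must re-enrol
        if hmac.compare_digest(one_way(submitted), self.last):
            self.last = submitted
            self.seq -= 1
            return True
        return False

def demo() -> tuple[bool, bool, bool]:
    """Login, then a replay of the same captured value, then the next login."""
    secret, seed, n = "correct horse", "au12345", 100   # constructed values
    host = SkeyHost(seed, n, otp_at(secret, seed, n))
    k, s = host.challenge()
    otp = otp_at(secret, s, k)
    first = host.verify(otp)            # legitimate login succeeds
    replay = host.verify(otp)           # line snooper replays it: rejected
    k2, _ = host.challenge()
    second = host.verify(otp_at(secret, seed, k2))
    return first, replay, second        # (True, False, True)
```

The host's stored value is useless to someone who reads it, since inverting the chain to get the next password requires inverting the one-way function.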