>>>>> On Mon, 24 Apr 95 18:13:18 BST, se@adv.sbc.sony.co.jp (Steve England) said:
Steve> Are there generally recommended way(s) in which to
Steve> set up a pool of modems for dialin (possibly dialback)
Steve> capability whilst remaining secure?
Dial-in lines, whether ISDN, POTS, or even dedicated links to remote
sites, should be put on the insecure side of a firewall. However, they
should not be put on a segment where other resources exist, such as
your Internet link. I suggest you put your dialups on an isolated
segment connected to a third interface on your firewall. That way, if
somebody does dial up into your modem pool, they do not get any access
to any resources (such as your Internet link) before they authenticate
themselves to the firewall.
Steve> 1. Recently I have heard that dialback modems aren't as
Steve> secure as once (?) thought. Does anyone have any
Steve> experiences/war-stories/hard facts on this?
Generally, these kinds of attacks work like this: a person trying to
break in dials up the modem, and then simulates a hangup noise and
dialtone WITHOUT ACTUALLY HANGING UP. The dialback modem thinks the
line has hung up, picks up the line, dials, and waits for a carrier.
The person supplies a carrier, and voilà, connects to the system.
Using a separate modem on a separate line behind the phone system for
dialback is better. Better yet, use a random modem from a pool.
This is, of course, assuming you can trust that the phone company
hasn't been broken into.
Steve> 2. I have heard of a device that can attach to the
Steve> phone network & monitor the target phone number & log
Steve> data (passwords?) from it for later re-use. Would
Steve> Bellcore S/Key be strong enough to defeat this in as
Steve> much as, "so what if you see the password, it's only
Steve> valid once".
S/Key is a challenge-response mechanism, where passwords are valid
only once. The problem IMHO with S/Key is that the challenge does not
change, for example, if one of the words in the 6-word password is
mistyped. A snooper can seize that opportunity, fix your spelling
mistake, and log in before you get a chance to retype in your
password.
Steve> 3. Possibly using a low-end Cisco with modem support,
Steve> alternatively a Telebit NetBlazer, but I've heard
Steve> there's problems with its *strange* optimisation with
Steve> the rules you supply it. Any preferences/why?
Use your firewall for authentication, not your terminal server. So in
terms of security, you can get anything.
Steve> 4. Would it be a good idea to screen the modems off
Steve> into another subnet & monitor that net for dialin
Steve> attempts?
Yes, but put the subnet behind a secure firewall.
Ari Shamash
SOS Corporation
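As an added illustration of the S/Key property discussed in point 2 above (this is example code, not part of the original thread): a minimal one-time-password verifier in the style of RFC 2289, the successor to Bellcore S/Key's RFC 1760, using the MD5 variant and hex output in place of the six-word dictionary. It shows that the server's challenge stays fixed after a mistyped response, so a corrected copy of that response is still accepted, and that an accepted password cannot be replayed. The passphrase, seed and sequence count are constructed values.

```python
import hashlib
import secrets

def fold(data: bytes) -> bytes:
    """RFC 2289 MD5 variant: hash, then XOR the two 8-byte halves down to 64 bits."""
    d = hashlib.md5(data).digest()
    return bytes(a ^ b for a, b in zip(d[:8], d[8:]))

def otp(passphrase: str, seed: str, count: int) -> str:
    """One-time password number `count`: fold(seed+passphrase), then fold `count` more times."""
    h = fold((seed.lower() + passphrase).encode())
    for _ in range(count):
        h = fold(h)
    return h.hex()

class OtpServer:
    """Stores only the last accepted OTP; the passphrase never leaves the client."""
    def __init__(self, passphrase: str, seed: str, count: int = 99):
        self.seed, self.count = seed.lower(), count
        self.stored = otp(passphrase, seed, count)  # enrolment value, passphrase then discarded

    def challenge(self) -> str:
        # Fixed until a login succeeds: a mistyped response leaves it unchanged,
        # which is what lets a snooper correct the typo and log in first.
        return f"otp-md5 {self.count - 1} {self.seed}"

    def verify(self, response: str) -> bool:
        if self.count <= 1:
            return False  # sequence exhausted: re-enrol with a fresh seed
        try:
            raw = bytes.fromhex(response)
        except ValueError:
            return False  # malformed response
        if not secrets.compare_digest(fold(raw).hex(), self.stored):
            return False
        self.stored, self.count = raw.hex(), self.count - 1  # advance only on success
        return True

def demo() -> int:
    """Walk through the scenario from the post; returns the server's final count."""
    passphrase, seed = "This is a test.", "TeSt"  # constructed enrolment values
    srv = OtpServer(passphrase, seed)
    first = srv.challenge()                      # "otp-md5 98 test"
    good = otp(passphrase, seed, 98)
    typo = good[:-1] + ("0" if good[-1] != "0" else "1")  # one mistyped character
    assert not srv.verify(typo) and srv.challenge() == first  # challenge did not move
    assert srv.verify(good)                      # the corrected response is accepted...
    assert not srv.verify(good)                  # ...but only once: a replay is rejected
    return srv.count                             # 98
```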