Great Circle Associates Firewalls
(April 1995)

Subject: Secure Modem Pool
From: ari @ soscorp . com (Ari Shamash)
Date: Tue, 25 Apr 1995 10:16:14 -0400
To: se @ adv . sbc . sony . co . jp (Steve England)
Cc: firewalls @ GreatCircle . COM
In-reply-to: <9504241713 . AA03640 @ sabakon . adv . sbc . sony . co . jp>
References: <9504241713 . AA03640 @ sabakon . adv . sbc . sony . co . jp>

>>>>> On Mon, 24 Apr 95 18:13:18 BST, se @ adv . sbc . sony . co . jp (Steve England) said:

	Steve> Are there generally recommended way(s) in which to
	Steve> set up a pool of modems for dialin (possibly dialback)
	Steve> capability whilst remaining secure?

Dial-in lines, whether ISDN, POTS, or even dedicated links to remote
sites, should be put on the insecure side of a firewall.  However, they
should not be put on a segment where other resources exist, such as
your Internet link.  I suggest you put your dialups on an isolated
segment connected to a third interface on your firewall.  That way, if
somebody does dial up into your modem pool, they do not get any access
to any resources (such as your Internet link) before they authenticate
themselves to the firewall.

	Steve> 1. Recently I have heard that dialback modems aren't as
	Steve> secure as once (?) thought. Does anyone have any
	Steve> experiences/war-stories/hard facts on this?

Generally, these kinds of attacks work like this: a person trying to
break in dials up the modem, and then simulates a hangup noise and
dialtone WITHOUT ACTUALLY HANGING UP.  The dialback modem thinks the
line has hung up, picks up the line, dials, and waits for a carrier.
The person supplies a carrier, and voilà, connects to the system.

Using a separate modem on a separate line behind the phone system for
dialback is better.  Better yet, use a random modem from a pool.

This is, of course, assuming you can trust that the phone company
hasn't been broken into.

	Steve> 2. I have heard of a device that can attach to the
	Steve> phone network & monitor the target phone number & log
	Steve> data (passwords?) from it for later re-use. Would
	Steve> Bellcore S/Key be strong enough to defeat this in as
	Steve> much as, "so what if you see the password, it's only
	Steve> valid once".

S/Key is a challenge-response mechanism, where passwords are valid
only once.  The problem IMHO with S/Key is that the challenge does not
change, for example, if one of the words in the 6-word password is
mistyped.  A snooper can seize that opportunity, fix your spelling
mistake, and log in before you get a chance to retype your
password.

	Steve> 3. Possibly using a low-end cisco with modem support,
	Steve> alternatively a telebit netblazer, but I've heard
	Steve> there's problems with its *strange* optimisation with
	Steve> the rules you supply it. Any preferences/why?

Use your firewall for authentication, not your terminal server.  So in
terms of security, you can get anything.

	Steve> 4. Would it be a good idea to screen the modems off
	Steve> into another subnet & monitor that net for dialin
	Steve> attempts?

Yes, but put the subnet behind a secure firewall.

Ari Shamash
SOS Corporation
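The S/Key behaviour discussed in point 2 above (each password usable once, and a challenge that is not refreshed after a failed attempt) can be seen in a small hash-chain model. This is an added illustration, not code from the list post or from Bellcore's S/Key: it uses SHA-256 truncated to 8 bytes as the chain function in place of S/Key's folded MD4, and the secret, seed and sequence length are made-up sample values.

```python
import hashlib
import hmac

def otp_step(value: bytes) -> bytes:
    """One link of the one-time-password chain.
    Simplification: real S/Key folds an MD4 digest to 64 bits;
    here SHA-256 truncated to 8 bytes stands in for it."""
    return hashlib.sha256(value).digest()[:8]

def generate_chain(secret: str, seed: str, n: int) -> list:
    """chain[i] = H^i(seed || secret) for i = 0..n.
    The user hands out chain[n-1], chain[n-2], ... in turn;
    the server only ever stores the most recently accepted link."""
    value = (seed + secret).encode()
    chain = []
    for _ in range(n + 1):
        chain.append(value)
        value = otp_step(value)
    return chain

class SkeyVerifier:
    """Server side: holds the last accepted link and the sequence number."""
    def __init__(self, seed: str, last_accepted: bytes, sequence: int):
        self.seed = seed
        self.stored = last_accepted
        self.sequence = sequence

    def challenge(self) -> tuple:
        # The challenge is just (sequence - 1, seed); it only advances
        # on a successful login, which is the weakness the post points out.
        return (self.sequence - 1, self.seed)

    def verify(self, candidate: bytes) -> bool:
        if self.sequence <= 1:
            return False  # chain exhausted; user must re-initialise
        if hmac.compare_digest(otp_step(candidate), self.stored):
            self.stored = candidate      # accept and move one link down
            self.sequence -= 1
            return True
        return False

def demo() -> tuple:
    # Constructed sample values; a real deployment uses a long chain.
    chain = generate_chain("correct horse", "ke1234", 5)
    server = SkeyVerifier("ke1234", chain[5], 5)
    before = server.challenge()
    bad = server.verify(b"mistyped")      # failed attempt ...
    after = server.challenge()            # ... challenge is unchanged
    first = server.verify(chain[4])       # valid once
    replay = server.verify(chain[4])      # same value again is rejected
    nxt = server.verify(chain[3])         # next link in the chain works
    return (bad, before == after, first, replay, nxt)
```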
