Is it possible to implement such a system (that is two line call back) using conventional modems hooked up to an NT RAS Server.
From: David B. Donahue[SMTP:ddonahue @
Sent: Thursday, January 23, 1997 10:33 PM
To: Adam Shostack; Matt Wallace
Cc: firewalls @
Subject: Re: Dial-In placement
It's really much worse than trusting your Telcos. Although I'm
reluctant to post a specific exploit (unless talked out of it), a
hacker can simply call your single-line call-back modem and
totally bypass any outcalling it does.
He then has access, just as if he were at the called party's home.
For this reason I always recommend the new two-line call-back modems
that get dialed into on one line and then always dial out on
the other (the line for which the Telco has disabled the ability
to receive inbound calls). These new modems are not the standard and
are actually pretty rare, even though most call-back modem vendors
are moving to them because of this problem.
I would always recommend a stronger security solution over a weaker
one, unless the project had some compelling reason why it had to
be less secure.
Because you haven't stated any such compelling reason, I think
that putting it outside the firewall on a DMZ or on a side DMZ
would allow you to contain/log the damage better if the call-back modem
security were compromised.
> From: Adam Shostack <adam @
> To: Matt Wallace <mwallace @
> Cc: firewalls @
> Subject: Re: Dial-In placement
> Date: Wednesday, January 22, 1997 7:47 PM
> If you trust call-back, you are extending your security policy to the
> telcos' switches. If you trust telco switches, I strongly suggest you
> spend a weekend at Defcon, HoHoCon, Beyond Hope, or one of the other
> open hacker cons.
> Matt Wallace wrote:
> | On Wed, 22 Jan 1997, Henry Lim Chee Wee wrote:
> | > Irwin Lazar wrote:
> | > > I think I missed a discussion about this a few weeks ago, but can
> | > > anyone offer any suggestions on whether it is better to place a dial-in
> | > > inside or outside of the firewall?
> | > put it on the DMZ segment. Add data encryption and call-back
> | > verification.
> | It depends on your firewall. If you can set it up to do call-back, then
> | I would place it inside the firewall in most circumstances. With an
> | application firewall, you'll almost certainly appreciate the dialups on
> | the inside.
> | -Matt
> "It is seldom that liberty of any kind is lost all at once."