Great Circle Associates Firewalls
(January 1997)
 


Subject: RE: Dial-In placement
From: sherwin @ petrotrin . com (Sherwin Dean Francis)
Date: Fri, 24 Jan 1997 08:15:20 -0000
To: "'David B. Donahue'" <ddonahue @ emf . net>
Cc: "'Firewalls @ GreatCircle . COM'" <Firewalls @ GreatCircle . COM>

Is it possible to implement such a system (that is, two-line call-back) using conventional modems hooked up to an NT RAS Server?

Cheers

Sherwin Francis

----------
From:  David B. Donahue[SMTP:ddonahue @ emf . net]
Sent:  Thursday, January 23, 1997 10:33 PM
To:  Adam Shostack; Matt Wallace
Cc:  firewalls @ GreatCircle . COM
Subject:  Re: Dial-In placement

It's really much worse than trusting your Telcos. Although I'm 
reluctant to post a specific exploit (unless talked into it), a 
hacker can simply call your single-line call-back modem and 
totally bypass any outcalling it does.

He then has access, just as if he were at the called party's home.

For this reason I always recommend the new two-line call-back modems 
that get dialed into on one line and then always dial out on 
the other (the line for which the Telco has disabled the ability 
to receive inbound calls). These new modems are not the standard and 
are actually pretty rare, even though most call-back modem vendors 
are moving to them because of this problem.

I would always recommend a stronger security solution over a weaker 
one, unless the project had some compelling reason why it had to 
be less secure. 

Because you haven't stated any such compelling reason, I think 
that putting it outside the firewall on a DMZ or on a side DMZ
would allow you to contain/log the damage better if the call-back modem 
security were compromised.

-David Donahue
----------
> From: Adam Shostack <adam @ homeport . org>
> To: Matt Wallace <mwallace @ netcom . com>
> Cc: firewalls @ GreatCircle . COM
> Subject: Re: Dial-In placement
> Date: Wednesday, January 22, 1997 7:47 PM
> 
> If you trust call-back, you are extending your security policy to the
> telcos switches.  If you trust telco switches, I strongly suggest you
> spend a weekend at Defcon, HoHoCon, Beyond Hope, or one of the other
> open hacker cons.
> 
> Adam
> 
> 
> Matt Wallace wrote:
> | On Wed, 22 Jan 1997, Henry Lim Chee Wee wrote:
> | > Irwin Lazar wrote:
> | > > I think I missed a discussion about this a few weeks ago, but can anyone
> | > > offer any suggestions on whether it is better to place a dial-in server
> | > > inside or outside of the firewall?
> | > put it on the DMZ segment. Add data encryption and call-back
> | > verification. 
> 
> | It depends on your firewall. If you can set it up to do call back, then I 
> | would place it inside the firewall in most circumstances. With a gateway
> | application firewall, you'll almost certainly appreciate the dialups on the
> | inside.
> | 
> | -Matt
> | 
> 
> 
> -- 
> "It is seldom that liberty of any kind is lost all at once."
> 					               -Hume
> 
> 
