
3.1.5  Modems
(Page 2 of 2)

Security Issues with Modems



If your users have modems at home and dial directly into your network, then there are modems on your internal network waiting for incoming calls, and therein lies the problem. Anyone who knows (or finds) the telephone number of these modems can call them and attempt to access your network. Relying on “security through obscurity” by selecting a modem telephone number that doesn’t resemble any of your corporate phone numbers won’t protect you; it just makes things a bit more difficult for those specifically targeting your organization. Oh, and by the way, we’ll bet you don’t change your dial-in numbers every time an employee who knows them leaves your organization, do you? (Author Helen states with certainty that she can still recite, completely from memory, a dial-in number she used 12 years ago as a consultant.)

The bottom line on relying on “security through obscurity” for dial-in modem numbers is: assume that, one way or another, people you don’t want to have your modem phone numbers eventually will. Given that, you need to protect your network by making sure that when personnel dial in, they properly authenticate themselves. Dial-ins with no password or a poor password negate most (if not all) of the good done by a very well configured firewall between your internal network and the Internet.

One way to combat the dial-in security issue is to use only modems or server software with “callback” capability. That is, when they receive an incoming call, they call back one of a set of pre-determined numbers, and let the user’s PC answer, before offering a connection to the network. Unless someone resets the callback number, callers at unauthorized locations will not be permitted access. This is an example of redundant security measures – in this case employing both a password or certificate, and corporate knowledge of a user’s location, for authentication. Of course, this mechanism isn’t practical when your users are dialing in from unpredictable locations like hotels around the world.

Similarly, the security provided by callback technology is not foolproof. Although modems can be secured with Call Back via Remote Access Services (RAS), this RAS security can be defeated with Call Forwarding, in which the RAS Server calls back a predefined number – which has been forwarded to another number. This is another example of new features breaking previously good security. (Refer to 3.1.6)
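The callback decision described above, sketched as an added example (not code from the CertiGuide or from any RAS product). The accounts, phone numbers and the `handle_dial_in` function are hypothetical; the point is that the password check comes first and the number dialed back is only ever taken from the pre-registered set.

```python
import hashlib
import hmac

def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Constructed sample accounts (hypothetical users and phone numbers).
ACCOUNTS = {
    "alice": {"salt": b"s1", "pw": _hash("correct horse", b"s1"),
              "callback": ["555-0101", "555-0102"]},
    "bob":   {"salt": b"s2", "pw": _hash("battery staple", b"s2"),
              "callback": []},  # travelling user, nothing registered
}

def handle_dial_in(user, password, requested=None):
    """Return ("callback", number) or ("reject", reason) for an incoming call."""
    acct = ACCOUNTS.get(user)
    # Hash even for unknown users so both failure paths do similar work.
    salt = acct["salt"] if acct else b"none"
    supplied = _hash(password, salt)
    if acct is None or not hmac.compare_digest(supplied, acct["pw"]):
        return ("reject", "authentication failed")
    numbers = acct["callback"]
    if not numbers:
        # Fail closed: no registered location means no connection.
        return ("reject", "no callback number registered")
    if requested is None:
        return ("callback", numbers[0])
    if requested not in numbers:
        # Never dial a number that came from the caller.
        return ("reject", "callback number not registered")
    # The server hangs up and dials this number. It cannot see whether the
    # line is forwarded elsewhere, so the password check above still matters.
    return ("callback", requested)
```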

Another security issue is that of “rogue modems.” These are modems on individual workstations whose users wish to access their PC from home “easily,” “without going through all that security stuff we have on the network dial-in.” The users install remote access software on their PC at work, make sure the modem is turned on when they leave the office, then go home and dial in directly to their office computer, often without a password or any type of authorization, gaining access to its files and network resources. Again, if THEY can dial in, ANYONE can dial in, if they find the phone number. So a very useful security precaution is to limit use of remote PC access software on your network, perhaps even regularly auditing PCs for its presence, and to make sure that when it IS used, strong passwords are employed.

Would this “never happen” at your organization? We’ve seen it at a bank. If users in that environment would assume it’s “safe enough” to do, because “they’re only doing file transfers,” it could happen to you, too.
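One way to run the regular audit suggested above, as an added example that is not part of the original guide. The inventory format, host names, package names and the approved-host list are all constructed for illustration; substitute whatever your own asset inventory exports.

```python
import csv
import io

# Hypothetical package names standing in for the remote PC access
# software your organization needs to look for.
REMOTE_ACCESS_PACKAGES = {"exampleremote host", "demodial server"}

# Hosts that are allowed to answer calls (the managed dial-in server).
APPROVED_DIAL_IN = {"ras-01"}

# Constructed sample inventory: one row per machine.
INVENTORY_CSV = """host,modem,software
ws-014,yes,Office Suite;ExampleRemote Host
ws-022,no,Office Suite;DemoDial Server
ws-031,yes,Office Suite
ws-040,no,Office Suite
ras-01,yes,DemoDial Server
"""

def audit(csv_text, approved=APPROVED_DIAL_IN):
    """Return (host, severity, reason) findings, most serious first."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        host = row["host"].strip().lower()
        if host in approved:
            continue
        has_modem = row["modem"].strip().lower() == "yes"
        installed = {s.strip().lower() for s in row["software"].split(";") if s.strip()}
        remote = sorted(installed & REMOTE_ACCESS_PACKAGES)
        if has_modem and remote:
            # The rogue-modem case: a workstation that can answer a call.
            findings.append((host, "HIGH", "modem + remote access software: " + ", ".join(remote)))
        elif remote:
            findings.append((host, "MEDIUM", "remote access software: " + ", ".join(remote)))
        elif has_modem:
            findings.append((host, "LOW", "modem present, no remote access software found"))
    order = {"HIGH": 0, "MEDIUM": 1, "LOW": 2}
    return sorted(findings, key=lambda f: (order[f[1]], f[0]))

if __name__ == "__main__":
    for finding in audit(INVENTORY_CSV):
        print(*finding, sep="\t")
```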

Modems and Firewalls

A common security issue with modems is that they provide a way into your network from the outside that gets around the firewall.

You can limit access to dial-ins by using Call Back technology, but an attacker can sometimes defeat this by setting up call forwarding on the call-back number so that it forwards the call-back to the attacker’s phone number of choice.




CertiGuide for Security+ (http://www.CertiGuide.com/secplus/) on CertiGuide.com
Version 1.0 - Version Date: November 15, 2004

Adapted with permission from a work created by Tcat Houser et al.
CertiGuide.com Version © Copyright 2004 Charles M. Kozierok. All Rights Reserved.
Not responsible for any loss resulting from the use of this site.