10.4 Additional Security for Modems
With today's telephone
systems, if you connect your computer's modem to an
outside telephone line, then anybody in the world can call it.
Although usernames and passwords provide a degree of security, they
are not foolproof. Users often pick bad passwords, and even good
passwords can occasionally be guessed or discovered by other means.
For this reason, a variety of special kinds of modems have been
developed that further protect computers from unauthorized access.
These modems are more expensive than traditional modems, but they do
provide an added degree of security and trust.
- Password modems
-
These
modems require the caller to enter a password before the modem
connects the caller to the computer. As with regular Unix passwords,
the security provided by these modems can be defeated by repeated
password guessing or if an authorized person releases his password to
somebody who is not authorized. Usually, these modems can store only
1 to 10 passwords. The password stored in the modem should
not be the same as the password of any user.
Some versions of Unix can be set up to require special passwords for
access by modem. Password modems are probably unnecessary on systems
of this kind; the addition of yet another password may be more than
your users are prepared to tolerate.
- Callback setups
-
As we mentioned earlier in this chapter,
these schemes require the caller to enter a username, and then
immediately hang up the telephone line. The modem then will call back
the caller on a predetermined telephone number. These schemes offer a
little more security than do regular modems. Most callback modems can
store only a few numbers to call back. Callback setups can be
defeated by somebody who calls the callback modem at the precise
moment that it is trying to make its outgoing telephone call or (in
some cases) by an attacker who does not hang up the telephone line
when the computer attempts to dial back. Nevertheless, callback
setups do offer an increased level of security.
- Encrypting modems
-
These modems, which
must be used in
pairs, encrypt all information transmitted and received over the
telephone lines. Encrypting modems offer an extremely high degree of
security not only against individuals attempting to gain unauthorized
access, but also against wiretapping. Some encrypting modems contain
preassigned cryptographic "keys"
that work only in pairs. Other modems contain keys that can be
changed on a routine basis, to further enhance security. (Chapter 7 contains a discussion of encryption.)
Many of the benefits afforded by encrypting modems can be had for
less money by using cryptographic protocols over standard modems,
such as SSH over a PPP connection.
- Caller-ID and ANI schemes
-
As described in Section 10.2.2 earlier in this chapter, you can use the information provided
by the telephone company for logging or controlling access. Caller-ID
and ANI can further be used as a form of access control: when the
user calls the modem, the Caller-ID or ANI information is checked
against a list of authorized phone numbers, and the call is switched
to the company's computer only if the number is
approved.
Modems are a remote access technology born of the 1960s, first
deployed in the 1970s, and popularized in the 1980s and 1990s.
Nevertheless, modems are still very much a part of the computing
landscape today. Attackers know that they can break into many
otherwise defended networks by finding modems that have not been
properly secured. For this reason, security professionals must be
familiar with modem security issues.
|