Securing Modem Back Doors
When a security policy and implementation are necessarily strict, several factors begin to push for their liberalization. Users will rail against time, service and convenience limitations, and vendors may campaign for workarounds for loosely implemented systems—“Oh everyone does it this way.” (Opening their domains to all subnet traffic, for instance. Not that this has ever been requested of any of us at Codetalker, or of any of our clients. Right.)
These factors help put a security policy, and an organization's commitment to it, to the test. And if users' or vendors' requirements are not paid sufficient attention, that's when the back doors sneak in.
The most common unauthorized back door is the lowly modem. A user may want to circumvent a firewall, or a vendor in direct communication with the user may want dialup access to the desktop for support reasons. Either example is anathema to a security policy, but may satisfy a legitimate use. Here are a few steps then, on how to implement a secure backdoor modem.
Door Steps
- Have a phone line configured for dial-out access only (no Direct Inward Dial). If the modem is to be used for support, such as a PCAnywhere installation, have the vendor receive calls originated from the desktop, not the other way around. Demon dialing is not dead.
- Deactivate Auto Answer. Or is this too obvious?
- Physically secure the PC, so it can be used only for its intended purpose. This means locked doors, locked cases, power-up passwords, and a tighter OS (i.e., NT as opposed to Win9x).
- Have the user and/or department agree to a document outlining something close to the following:
  - What business requirement is fulfilled by having such dial-out access? That way, if the business need changes, it will be easier to confirm that the modem can be removed.
  - The modem (external only, please) will be powered off except during times of use.
  - An authorized modem user will be present whenever the modem is powered on. This user should be familiar with the organization's overall security policy, to give them a better idea of the importance of correctly following procedures.
  - The user will not connect to any outside service while attached to any internal network services.
  - The user will never activate, either through hardware or software, the Auto Answer feature of the modem.
  - A full workstation scan for viruses or other illicit software will be run after any such dial-out session.
And the list goes on. The degree of severity of the restrictions depends largely on the style of the organizational security policy. This could be taken to extremes, but only at the cost of creating more illicit back doors. Acknowledging some requirements, such as bank dial-ups for payroll access, enables you to put some controls around them, and reduce the likelihood of users working around your carefully configured security system.
Evan Spence