Very Computer

We have a medical (lab) system which has a modem and analog line
attached to it for use by the software suppliers.

Because of the sensitive nature of the lab results, the lab people
usually plug in the modem, and unplug it when the software folks are
done.

Is there anything that will act as intermediate protection.  That is,
something that will provide password protection between the modem and
Unix host?

Thanks

W.D. Riley
Data Security Administrator
City of Hope Medical Center

Quote:> Because of the sensitive nature of the lab results, the lab people
> usually plug in the modem, and unplug it when the software folks are
> done.

> Is there anything that will act as intermediate protection.  That is,
> something that will provide password protection between the modem and
> Unix host?

Don't know if this will fit your requirement but I thought I'd toss it
out there...

---

 Wasatch Communications Group               http://www.wasatch.com

Another alternative is a small "Remote Access Server" for 1-3 lines,
several vendors offer them (shiva, cayman, sonic.systems), most support
PPP/SLIP and some will pass appletalk in ether as well as normal ip
traffic.  You supply phone line(s) and modem(s) (some may be available
with built in modems), the box is programmed by you with configuration and
account info, either over the net or thru a serial conection.

We bought a 3-line RAS last summer, while researching it I found none that
would use existing NIS, so these accounts & passwords will be independant
of any other machines presently on your LAN, possibly an advantage in
terms of security.

Your own people could take advantage of this service as well as vendors,
but there are some security issues if the phone numbers get discovered, so
be sure that the passwords are good ones.  You could disable or even
remove the vendor accounts between uses.  Note that the RAS sits on your
LAN, it gives your vendors a phone-based port into your LAN, not a
conection to any one machine.  Vendors will still need accounts on the
various machines they maintain for you.
--
Dana S. Emery
Smithsonian Institution, LMS

I speak for myself only.

I would advice against relying on callback from the modem. It will
not protect anything.

What canm be done on the (unix) host is a number of things.

-set remote password (if this is a sysV,might not be documented)
-enable login only on demand (already done manually, but letting
 the computer also do this will be a safe-guard)
 -install software to do 'token' authentification on that port or
 install s/key on that port. On some u*x this is quite easy.

 And the usual stuff, enforce strong passwords, change them from
 time to time.

: > We have a medical (lab) system which has a modem and analog line
: > attached to it for use by the software suppliers.
: >
: > Because of the sensitive nature of the lab results, the lab people
: > usually plug in the modem, and unplug it when the software folks are
: > done.
: >
: > Is there anything that will act as intermediate protection.  That is,
: > something that will provide password protection between the modem and
: > Unix host?

: There are many comercial solutions, some more expensive and more flexible
: than others.  As was already mentioned there are modems that have
: call-back capability, you can preset the number, this could be a
: maintenance issue if the number needs to vary for multiple vendors.

: Another alternative is a small "Remote Access Server" for 1-3 lines,
: several vendors offer them (shiva, cayman, sonic.systems), most support
: PPP/SLIP and some will pass appletalk in ether as well as normal ip
: traffic.  You supply phone line(s) and modem(s) (some may be available
: with built in modems), the box is programmed by you with configuration and
: account info, either over the net or thru a serial conection.

: We bought a 3-line RAS last summer, while researching it I found none that
: would use existing NIS, so these accounts & passwords will be independant
: of any other machines presently on your LAN, possibly an advantage in
: terms of security.

: Your own people could take advantage of this service as well as vendors,
: but there are some security issues if the phone numbers get discovered, so
: be sure that the passwords are good ones.  You could disable or even
: remove the vendor accounts between uses.  Note that the RAS sits on your
: LAN, it gives your vendors a phone-based port into your LAN, not a
: conection to any one machine.  Vendors will still need accounts on the
: various machines they maintain for you.
: --
: Dana S. Emery
: Smithsonian Institution, LMS

: I speak for myself only.

--
--
Peter Hakanson  VolvoData Dep 2580 phone +46 31 66 74 27

It's a good start.

The Courier series (we have 50 of them, but USR won't sell us any more
below street price) not only has Call-back capability built in, but also
has password authentication. The manual implies that one authentication
mode requires that the remote courier know the password, and calls from
any other modem (or a courier with the wrong password) won't even get
past the carrier negotiation.

Thus war games style 'scanner' software would get 'NO CARRIER' and figure
it's some sort of weird fax machine...
--
David Richards                             Ripco, since Nine*-Eighty-Three
My opinions are my own,                    Public Access in Chicago
But they are available for rental          Shell/SLIP/PPP/UUCP/ISDN/Leased

I do insist that modem supplied callback gives *no* security!

Don't call me for details:-)

: >I would advice against relying on callback from the modem. It will
: >not protect anything.

: It will protect against ANYTHING except physical attacks (cut the wire
: outside the building to 'catch' the callback, attacks from the location
: that is called back to, and reprogramming of the actual telco switch.

: It's a good start.

: >
: >: > We have a medical (lab) system which has a modem and analog line
: >: > attached to it for use by the software suppliers.
: >: >
: >: > Because of the sensitive nature of the lab results, the lab people
: >: > usually plug in the modem, and unplug it when the software folks are
: >: > done.
: >: >
: >: > Is there anything that will act as intermediate protection.  That is,
: >: > something that will provide password protection between the modem and
: >: > Unix host?
: >
: >: There are many comercial solutions, some more expensive and more flexible
: >: than others.  As was already mentioned there are modems that have
: >: call-back capability, you can preset the number, this could be a
: >: maintenance issue if the number needs to vary for multiple vendors.

: It'd help to use USR Courier modems for the origination and answering
: hardware.

: The Courier series (we have 50 of them, but USR won't sell us any more
: below street price) not only has Call-back capability built in, but also
: has password authentication. The manual implies that one authentication
: mode requires that the remote courier know the password, and calls from
: any other modem (or a courier with the wrong password) won't even get
: past the carrier negotiation.

: Thus war games style 'scanner' software would get 'NO CARRIER' and figure
: it's some sort of weird fax machine...
: --
: David Richards                             Ripco, since Nine*-Eighty-Three
: My opinions are my own,                    Public Access in Chicago
: But they are available for rental          Shell/SLIP/PPP/UUCP/ISDN/Leased

--
--
Peter Hakanson  VolvoData Dep 2580 phone +46 31 66 74 27

=20
I do insist that modem supplied callback gives *no* security!=20
=20
Don't call me for details:-)=20
=20


: >I would advice against relying on callback from the modem. It will=20
: >not protect anything.=20
=20
: It will protect against ANYTHING except physical attacks (cut the wire=20
: outside the building to 'catch' the callback, attacks from the=20
location=20
: that is called back to, and reprogramming of the actual telco switch.=20
=20
: It's a good start.=20
=20



: >=20
: >: > We have a medical (lab) system which has a modem and analog line=20
: >: > attached to it for use by the software suppliers.=20
: >: > =20
: >: > Because of the sensitive nature of the lab results, the lab=20
people=20
: >: > usually plug in the modem, and unplug it when the software folks=20
are=20
: >: > done.=20
: >: > =20
: >: > Is there anything that will act as intermediate protection. =20
That is,=20
: >: > something that will provide password protection between the=20
modem and=20
: >: > Unix host?=20
: >=20
: >: There are many comercial solutions, some more expensive and more=20
flexible=20
: >: than others.  As was already mentioned there are modems that have=20
: >: call-back capability, you can preset the number, this could be a=20
: >: maintenance issue if the number needs to vary for multiple vendors.=20
=20
: It'd help to use USR Courier modems for the origination and answering=20
: hardware.=20
=20
: The Courier series (we have 50 of them, but USR won't sell us any more=20
: below street price) not only has Call-back capability built in, but=20
also=20
: has password authentication. The manual implies that one=20
authentication=20
: mode requires that the remote courier know the password, and calls=20
from=20
: any other modem (or a courier with the wrong password) won't even get=20
: past the carrier negotiation.=20
=20
: Thus war games style 'scanner' software would get 'NO CARRIER' and=20
figure=20
: it's some sort of weird fax machine...=20
: --=20
: David Richards                             Ripco, since=20
Nine*-Eighty-Three=20
: My opinions are my own,                    Public Access in Chicago=20
: But they are available for rental         =20
Shell/SLIP/PPP/UUCP/ISDN/Leased=20

Usenet/E-Mail!=20
=20
--=20
--=20
Peter Hakanson  VolvoData Dep 2580 phone +46 31 66 74 27=20
=20
--- Internet Message Header Follows ---=20
Path:=20
seunet!mn3.swip.net!mn6.swip.net!seunet!news2.swip.net!nike.volvo.se!cyk
lop.volvo.se!peter=20

Newsgroups: comp.security.unix=20
Subject: Re: Safe Modem Access=20
Date: 14 Oct 1996 16:25:04 GMT=20
Organization: Volvo Corp.=20
Lines: 57=20




NNTP-Posting-Host: cyklop.volvo.se=20
X-Newsreader: TIN [version 1.2 PL2]=20
=20

Michal,

Would you bet your companys resources on the assumption
that you local ptt always breaks the line ??? I would
not trust (our ptt) with anything at all.
Using modembased dial back encourages exactly this.

And you always risk a local tapping of an exposed line,
then all actions from the ptt is useless.

And be clear,
First you say "Posting such unsubstantiated statements",
then you describe the scenario.
Would it be more responsible to tell exactly this
can be (mis)used is most parts of the world ? No
CERT does not do that kind of things , why should i.

Isn't it enough to tell "the world" that is is a
clear risk about this ? Especially when much better
methods does not cost more ?

Please don't continue propose dialback solutions.
The are and have always been unsafe BY ANY STANDARD!

Drive Carefully!

--
Peter Hakanson  VolvoData Dep 2580 phone +46 31 66 74 27

Hello Peter,

So, what's the obvious security flaw if you use dialback
and has another modem dialling back than the one you dial
in the first place? Spoofing a dialtone won't work in this
case and if you are worried about wiretaps there are a lot
of vendors who provide modems with encryption.

Tommy

Quote:> I do insist that modem supplied callback gives *no* security!

> Don't call me for details:-)

If you expect very few to believe you, why post it in the first place?

Properly-implemented callback is a very good tool for solving some
security problems.  Saying that it's not is contrary to a huge body of
industry thought.  Contradicting industry thought is fine (even
encouraged) but doing so without documentation falls on the level of
"is not/is too".

  Shawn McMahon          | Smokesignals Computer Company
  Senior System Operator | Southern Oklahoma's Internet Service Provider
  Chickasaw Nation Net   | 405 332-0033   http://www.chickasaw.com

Quote:>Hello Peter,

>So, what's the obvious security flaw if you use dialback
>and has another modem dialling back than the one you dial
>in the first place? Spoofing a dialtone won't work in this
>case and if you are worried about wiretaps there are a lot
>of vendors who provide modems with encryption.

        DoN.

I was talkin about "modem supplied callback". Please read
what i write.

Ways around this (like dialback on another line) will fix
this particular risk, but then it's so complicated that
a simpler solution can be made that is even safer.

: Hello Peter,

: So, what's the obvious security flaw if you use dialback
: and has another modem dialling back than the one you dial
: in the first place? Spoofing a dialtone won't work in this
: case and if you are worried about wiretaps there are a lot
: of vendors who provide modems with encryption.

: Tommy

: >
: > Isn't it enough to tell "the world" that is is a
: > clear risk about this ? Especially when much better
: > methods does not cost more ?
: >
: > Please don't continue propose dialback solutions.
: > The are and have always been unsafe BY ANY STANDARD!
: >
: > Peter Hakanson  VolvoData Dep 2580 phone +46 31 66 74 27
: >

: >

: > > :
: > > : I do insist that modem supplied callback gives *no* security!
: > > :

--
--
Peter Hakanson  VolvoData Dep 2580 phone +46 31 66 74 27

'modem supplied' dialback _IS_ secure (short of physical intrusion in
the wire at each end, or hacking the switch), if the switching equipment
used is 100% sure to 'end' the call when the modem drops the switch hook.

Yes, there are cheesy modems out there that won't release the line
correctly, and there are cheesy telephone switches that keep the connection
open, but dialback is better than nothing.

As I've said, the Courier does password authentication and dialback in
firmware. We like them.

I think you need two banks of modems, the lines connected to the dialout
bank should be protected by the PBX against dialin.

Casper
--
Casper Dik - Sun Microsystems - via my guest account at the University

Statements on Sun products included here are not gospel.
Unsolicited e-mail adverti*ts will be proofread for $250.

 This is very common knowledge.

--
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 Ben Klausner                              (512) 823-0924 - T/L 793-0924
 Austin Site Information Technology                IBM, RS/6000 Division