Protecting Data Networks by Securing Telephone Networks
corporations with many telephone numbers, war dialing can take a considerable
amount of time unless multiple war dialers and modems are used. Correlation of
the results between the various modems then becomes a problem.

Another feature that may be implemented to some degree is the ability for the
software performing the war dialing to also attempt unauthorized access to the
computer systems detected. This capability requires the war dialing software be
able to determine the specific operating system or communication software that
is being used on the target system. Usually, this simply entails a brute force
attack consisting of automated guessing of common userid/password
combinations. More extensive and sophisticated attacks, the type hackers
would also attempt, are generally not being performed.

Within the operational model of computer and network security, the functions
war dialing performs all fall under the detection portion of the equation. The
actions security professionals take after a war dialing scan can be construed as a
type of response and, in a very minor way, an attempt at prevention. It is
important to realize war dialing only captures a single picture of the
organization's telephone network at the instant it is performed. New modems
can be added seconds after a sweep is performed and they would not be detected
until a future sweep is performed. If an individual attaches a modem for only a
short period of time, the chances of it being detected in an organization that
performs only occasional sweeps are extremely low. Relying solely on war
dialers, commercial or otherwise, simply is not sufficient to address the
problems posed by modems.

For an organization to effectively secure its telephone systems, there are three
basic functions that need to be performed:
1) A method to detect and prevent abuses of the phone system,
2) A method to detect intrusive activity on authorized lines, and
3) An integrated approach to meld telephone security functions into an
effective package.

The first function can be viewed as providing a firewall for telephones. A
device of this sort should provide the same functions to protect an internal
network from telephone line modem connections as network firewalls provide
for Internet connections. A telephone firewall would thus serve as a barrier to
intruders, preventing them from gaining access to an organization's internal
network as well as providing a mechanism for an organization to control the
type of access provided to employees. It should restrict data communication to
specific telephone lines identified by the security policy as allowing modem or
fax connections. It should block all incoming or outgoing data communication
on telephone lines authorized as voice only. Additional capabilities that might be
useful in certain circumstances would include the ability to record the contents
of calls as well as the ability to redirect calls of a certain type to a different
destination. Figure 5 illustrates the placement of a telephone firewall in an
organization. In addition, since attacks on the PBX itself occasionally occur, the
device should protect the PBX and monitor calls directed at it.
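
The per-line policy described above can be sketched as a small decision function. This is an added example, not code from the paper or from any product; the line numbers, the PBX maintenance port and the call-type labels are constructed assumptions, and classifying a call as voice, fax or modem is assumed to be done by the device itself.

```python
from dataclasses import dataclass

KNOWN_TYPES = {"voice", "fax", "modem"}

# Constructed sample policy: call types each line is authorized to carry.
LINE_POLICY = {
    "5550101": {"voice", "fax"},     # fax machine
    "5550102": {"voice", "modem"},   # approved dial-up line
}
VOICE_ONLY = {"voice"}               # default for every unlisted line
PBX_LINES = {"5550199"}              # hypothetical PBX maintenance port

@dataclass(frozen=True)
class Call:
    line: str        # internal line the call starts or ends on
    direction: str   # "in" or "out"; data is checked in both directions
    call_type: str   # classification reported by the device (assumed)

@dataclass(frozen=True)
class Decision:
    allow: bool
    monitor: bool
    reason: str

def decide(call: Call) -> Decision:
    monitor = call.line in PBX_LINES   # calls directed at the PBX are watched
    if call.call_type not in KNOWN_TYPES:
        return Decision(False, True, "unclassified call type, failing closed")
    allowed = LINE_POLICY.get(call.line, VOICE_ONLY)
    if call.call_type in allowed:
        return Decision(True, monitor, "permitted by line policy")
    return Decision(False, True, f"{call.call_type} not authorized on {call.line}")

def violations(calls):
    """Return (call, reason) for every call the policy blocks."""
    blocked = []
    for call in calls:
        decision = decide(call)
        if not decision.allow:
            blocked.append((call, decision.reason))
    return blocked

# Constructed call records, not real traffic.
SAMPLE_CALLS = [
    Call("5550100", "in", "voice"),
    Call("5550100", "out", "modem"),    # modem on a voice-only line
    Call("5550101", "in", "fax"),
    Call("5550102", "in", "modem"),
    Call("5550199", "in", "modem"),     # data call aimed at the PBX
    Call("5550103", "out", "unknown"),  # device could not classify
]

if __name__ == "__main__":
    for call, reason in violations(SAMPLE_CALLS):
        print(call.line, call.direction, call.call_type, "->", reason)
```

Because every call is evaluated as it happens, a modem attached for only a few minutes still produces a blocked-call record, which an occasional war dialing sweep would miss.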

Up to this point, the only tool available to prevent rogue modems was the war
dialer. As was discussed earlier, this method will be only marginally successful
at best. The question might be asked as to whether a telephone firewall
eliminates the need for war dialers altogether.
What is Needed to Provide Telephone Security