10.4 Additional Security for Modems

With today's telephone systems, if you connect your computer's modem to an outside telephone line, then anybody in the world can call it.

Although usernames and passwords provide a degree of security, they are not foolproof. Users often pick bad passwords, and even good passwords can occasionally be guessed or discovered by other means.

For this reason, a variety of special kinds of modems have been developed that further protect computers from unauthorized access. These modems are more expensive than traditional modems, but they do provide an added degree of security and trust.

Password modems

These modems require the caller to enter a password before the modem connects the caller to the computer. As with regular Unix passwords, the security provided by these modems can be defeated by repeated password guessing or if an authorized person releases his password to somebody who is not authorized. Usually, these modems can store only 1 to 10 passwords. The password stored in the modem should not be the same as the password of any user. Some versions of Unix can be set up to require special passwords for access by modem. Password modems are probably unnecessary on systems of this kind; the addition of yet another password may be more than your users are prepared to tolerate.

Callback setups

As we mentioned earlier in this chapter, these schemes require the caller to enter a username, and then immediately hang up the telephone line. The modem then will call back the caller on a predetermined telephone number. These schemes offer a little more security than do regular modems. Most callback modems can store only a few numbers to call back. Callback setups can be defeated by somebody who calls the callback modem at the precise moment that it is trying to make its outgoing telephone call or (in some cases) by an attacker who does not hang up the telephone line when the computer attempts to dial back. Nevertheless, callback setups do offer an increased level of security.

Encrypting modems

These modems, which must be used in pairs, encrypt all information transmitted and received over the telephone lines. Encrypting modems offer an extremely high degree of security not only against individuals attempting to gain unauthorized access, but also against wiretapping. Some encrypting modems contain preassigned cryptographic "keys" that work only in pairs. Other modems contain keys that can be changed on a routine basis, to further enhance security. (Chapter 7 contains a discussion of encryption.)

Many of the benefits afforded by encrypting modems can be had for less money by using cryptographic protocols over standard modems, such as SSH over a PPP connection.

Caller-ID and ANI schemes

As described in Section 10.2.2 earlier in this chapter, you can use the information provided by the telephone company for logging or controlling access. Caller-ID and ANI can further be used as a form of access control: when the user calls the modem, the Caller-ID or ANI information is checked against a list of authorized phone numbers, and the call is switched to the company's computer only if the number is approved.

Modems are a remote access technology born of the 1960s, first deployed in the 1970s, and popularized in the 1980s and 1990s. Nevertheless, modems are still very much a part of the computing landscape today. Attackers know that they can break into many otherwise defended networks by finding modems that have not been properly secured. For this reason, security professionals must be familiar with modem security issues.

    Part VI: Appendixes