We have previously offered networking administration tips that discussed the concepts of securing the servers on your network, and securing the routers on the network as well. This tip, excerpted from Managing IP Networks with Cisco Routers, by Scott M. Ballew, discusses some of the things that you can do to enhance the security of your network, given that you have a pool of dial-up modems that allows users access to your network from locations outside the firewall. This can be a major security nightmare, but this tip offers some cooling thoughts.
The most often overlooked source of security problems is not your permanent external links. This dubious honor is reserved for your dial-up modem pools. These are often placed at the heart of your network, with little or no security restrictions placed between them and your network. Once you realize that there are far more machines with modems in the world than machines attached to the Internet, you should see why dial-up modems are a major security threat. One network I know was taking great pains to ensure that it wasn't possible to access certain sensitive machines from public access sites elsewhere on the network, yet it had a dial-up modem pool with absolutely no user authentication that was permitted access. The public access sites were far less of a security threat than their own modems, because an intruder working from the public access sites might at least be noticed by witnesses.
To fend off this threat to your network's security, you can do several things. First, never allow unauthenticated use of your dial-up modems. At a minimum, have the caller identify himself to the system and provide a password, even if these are never checked. This gives the appearance of security, and may chase off the casual attacker. Better would be to have your dial-up servers validate the user and password, perhaps using one of the remote authentication services listed earlier. But that still may not be enough. When that isn't enough, consider having your dial-up servers call back the user after establishing their identity. This way, even a captured user name and password are only valid from a specific location. However, dial-back modems don't work well if your users are moving around a lot. If none of these solutions is feasible or adequate, your only choice may be to treat your dial-up modems as if they were part of the outside world, and put them outside of your firewall. While inconvenient to your legitimate users, placing a modem pool outside the firewall isolates a major security problem from your network.
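One way to check a router configuration against the first rule above, as an added example that is not code from the book: the Python script below scans IOS-style `line` blocks and classifies each modem-enabled line by how it authenticates callers. The sample configuration, the AAA list name `DIALIN` and the verdict labels are constructed for illustration, and a line with no login statement is flagged for review rather than assumed safe.

```python
import re

# Constructed IOS-style fragment for illustration (not from the book).
SAMPLE_CONFIG = """\
aaa authentication login DIALIN group tacacs+ local
line con 0
 login local
line 1 8
 modem InOut
 no login
line 9 16
 modem Dialin
 login authentication DIALIN
line 17 24
 modem InOut
 password 7 CONSTRUCTED
line aux 0
 modem InOut
 login
"""

def audit_modem_lines(config):
    """Map each modem-enabled 'line' block to an authentication verdict."""
    blocks, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("line "):
            current = raw.strip()
            blocks[current] = []
        elif raw.startswith(" ") and current is not None:
            blocks[current].append(raw.strip().lower())
        else:
            current = None  # any other top-level command ends the block
    verdicts = {}
    for name, cmds in blocks.items():
        if not any(re.match(r"modem (inout|dialin)\b", c) for c in cmds):
            continue  # no dial-in modem on this line
        if "no login" in cmds:
            verdicts[name] = "unauthenticated"
        elif any(re.match(r"login (local|authentication \S+|tacacs)$", c) for c in cmds):
            verdicts[name] = "per-user"  # user name and password validated
        elif "login" in cmds:
            verdicts[name] = "shared-password"  # one line password for all callers
        else:
            verdicts[name] = "review: no login statement"
    return verdicts

if __name__ == "__main__":
    for line_name, verdict in audit_modem_lines(SAMPLE_CONFIG).items():
        print(f"{line_name}: {verdict}")
```

Anything reported other than `per-user` falls short of validating the user and password as the tip recommends.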
This was first published in August 2002