Most access server products or even terminal servers will support outgoing
calls. The cost and features vary quite a bit. I've yet to find one that
worked with everyone's software. The problem seems to be that certain
(poorly designed) communications libraries expect to talk directly to the
modem and when they can't, they don't work.

It's possible to configure the AUX port on a Cisco router for dial out but
it takes a little work on the client side to get it to work seamlessly.

Access servers like the Ascend MAX series have a nicely integrated driver
that maps the COM port on a 95 or NT workstation to their server. It's
seamless to the user and seems to work for the majority of dial-up services
and service software like AOL, CompuServe and MSN. It also uses RADIUS for
authentication which allows us to audit who is making calls to where, when
and for how long. However, it is expensive because it's licensed per
workstation.

For terminal types of accesses I'd use something simple like a terminal
server or router port. You Telnet to the router and then issue standard AT
commands to the modem. Works with just about any terminal emulation
software including HyperTerminal if you get the upgrade with WINSOCKS
capabilities.

> -----Original Message-----
> From: jen [SMTP:[EMAIL PROTECTED]]
> Sent: Wednesday, May 12, 1999 6:39 PM
> To: [EMAIL PROTECTED]
> Subject: Securing analog phone lines (!)
>
> One of the problems we're dealing with is lots of users want analog
> phone lines at their desks. You can imagine the problems this causes. We
> need to either provide an alternative to giving them modems at their
> desks. The problem with outgoing calls is easier to manage than
> incoming calls, but I wouldn't mind advice with both.
>
> Here are some questions:
>
> 1. What products are there that will support outgoing calls? We have a
> Windows environment. WINport from LANSource is one product, and Shiva
> is another, but we don't know of much else.
>
[Bill Stackpole] Depending on your PBX you might be able to log these
calls, set the port to function only certain days and hours and set the
port for dial-out only.
> 2. What products are there that will support incoming calls? This is the
> harder one, of course. I'm not sure it's technically feasible to support
> incoming calls.
>
[Bill Stackpole] Incoming calls to the desktop? None that I know of unless
your PBX supports call logging and port restrictions.
> 3. Is there a proxy for pcANYWHERE, Timbuktu, and other remote control
> applications so that we can make sure that no one is leaving their
> computer without a password? It would be good if we could make sure the
> passwords are secure, too.
>
[Bill Stackpole] I use a Demon Dialer to check all my numbers for modems,
then go back and check those that answer for PCAnywhere connectivity. Some
SNMP agents for Win95 allow you to query running processes. That means you
can set up a "robot" machine to check your machines to see if any of them
have pcANYWHERE loaded.
> 4. Is there any firewall product that can respond to events? For
> example, if a pcANYWHERE connection came in, it would be nice to setup
> different policies for the host computer to access the network. Another
> event that would be nice to be able to respond to is time (for example,
> allow pcANYWHERE access only during business hours, or allow access to
> blocked sites only during off-hours).
>
[Bill Stackpole] Unlikely, there is nothing to detect. No new node,
no new routes, etc.
> 5. Any general ideas about security and analog phone lines? I realize
> that the most secure method is to just not allow them at all. This isn't
> going to fly, though.
>
[Bill Stackpole] If you can, force everyone through an access server, and
for those that can't use an access server limit the line to dial-out ONLY.
Provide a pool of pcAnywhere machines and control their access through a
dial-in server. Add some additional security requirement like a token
(SecurID) or use secure modems. There are some companies that offer modems
that have built-in authentication. Force your users to NT, make them use
RAS and require CHAP or callback security. Once connected and authenticated
they can use pcAnywhere to control their PC.
Kill the first person that violates the policy. After that everyone
else will follow it! ;-}
> Thanks!
>
> Jen
> -
> [To unsubscribe, send mail to [EMAIL PROTECTED] with
> "unsubscribe firewalls" in the body of the message.]
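
The RADIUS call auditing mentioned in the reply (who is calling where, when and for how long), combined with the days-and-hours restriction it suggests for PBX ports, shown as an added example that is not part of the original thread. It assumes accounting records in the common RADIUS "detail" text layout and that the access server logs the dialed number in Called-Station-Id; the sample records, the function names and the thresholds are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample in the common RADIUS "detail" accounting layout. Users, numbers
# and times are made up; the dialed number in Called-Station-Id is an assumption.
SAMPLE_DETAIL = """\
Wed May 12 10:15:02 1999
\tUser-Name = "alice"
\tAcct-Status-Type = Stop
\tCalled-Station-Id = "5550100"
\tAcct-Session-Time = 600

Wed May 12 23:40:11 1999
\tUser-Name = "bob"
\tAcct-Status-Type = Stop
\tCalled-Station-Id = "5550199"
\tAcct-Session-Time = 7200

Thu May 13 09:00:00 1999
\tUser-Name = "alice"
\tAcct-Status-Type = Start
"""
ATTR = re.compile(r'^\s+([\w-]+)\s*=\s*"?([^"]*)"?\s*$')

def parse_detail(text):
    """Yield one dict per record; 'logged' is the record's header timestamp."""
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        rec = {"logged": datetime.strptime(lines[0].strip(), "%a %b %d %H:%M:%S %Y")}
        rec.update(m.groups() for m in map(ATTR.match, lines[1:]) if m)
        yield rec

def audit(text, allowed_hours=range(8, 18), max_seconds=3600):
    """Return (seconds per user, flagged calls) computed from Stop records."""
    totals, flagged = defaultdict(int), []
    for rec in parse_detail(text):
        if rec.get("Acct-Status-Type") != "Stop":
            continue  # only Stop records carry the call duration
        secs = int(rec.get("Acct-Session-Time", 0))
        start = rec["logged"] - timedelta(seconds=secs)  # Stop is logged at hang-up
        totals[rec.get("User-Name", "?")] += secs
        reasons = []
        if start.hour not in allowed_hours:
            reasons.append("outside allowed hours")
        if secs > max_seconds:
            reasons.append("long call")
        if reasons:
            flagged.append((rec.get("User-Name", "?"), rec.get("Called-Station-Id", "?"), secs, reasons))
    return dict(totals), flagged
```

Calling `audit(SAMPLE_DETAIL)` returns the per-user totals and a list of calls that started outside the allowed hours or ran longer than the limit.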