On Thu, 2 Sep 1999, Eric Vyncke wrote:
> Dial-in is SLIGHTLY more secure in the following aspect:
> - confidentiality attacks mostly need access to the physical wire
> (cannot be done from the other side of the Earth)
You'd be surprised at the dial-out points that a well-informed attacker
can find, phone switches that are compromised, etc.
> - authentication when using ISDN when the calling phone number, CLID,
> can be provided by the Telco operator
It's been said to be possible to spoof "normal" CNID to send multiple
IDs, so this isn't something to base a lot of faith in if ISDN allows the
same, or if the LEC/CLEC has been compromised. ANI
(from an 800/888... number) is more reliable since it comes from the call
routing. I don't know if ISDN is in or out of band CNID. That said -- CNID
on all modem lines has helped more than a few court cases, and is well worth
logging where available. ISPs that have it get extra points in my book.
> >Curt> We have a pretty good firewall protecting our network from the
> >Curt> Internet. However, we have well over 200 users with dial-up
> >Curt> access via an Ascend box with RADIUS authentication. What are
> >Curt> some of the risks of having this type of access into our network
> >Curt> and can these things be cracked?
> >
> >If someone can find out or guess your phone number, then daemon
> >dialers can guess passwords and user names. This could be aided if
> >outsiders can learn about your usernames (e.g. through your web pages,
> >directories, or other public info). And most users choose poor
> >passwords so password cracking programs won't have to be too
> >sophisticated.
Worse yet, 24/7 home Internet access is starting to make dial-up even
less secure. The best advice I've seen is to assign company-owned PCs
for dial-in and regulate their software configurations and connectivity
to ensure they are not providing a route to the corporate network via a PPP
dial-up solution.
Paul
-----------------------------------------------------------------------------
Paul D. Robertson
[EMAIL PROTECTED]
PSB#9280
"My statements in this message are personal opinions which may have no basis whatsoever in fact."
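As an added illustration of the two points above (daemon dialers guessing names and passwords, and CLID being worth logging), here is a small log screen that is not part of the original thread. The log line format, the sample lines and the list of company dial-in numbers are all constructed for this example and are not the Ascend or RADIUS record layout.

```python
from collections import Counter, defaultdict

# Constructed sample of a dial-in authentication log. The format is an
# assumption for this example (timestamp user=... clid=... result=...),
# not the Ascend/RADIUS record layout; 'unknown' means no CLID was delivered.
SAMPLE_LOG = """\
1999-09-02T01:12:03 user=curt clid=5551230001 result=ok
1999-09-02T01:13:10 user=admin clid=5559990007 result=fail
1999-09-02T01:13:15 user=root clid=5559990007 result=fail
1999-09-02T01:13:21 user=guest clid=5559990007 result=fail
1999-09-02T01:13:26 user=curt clid=5559990007 result=fail
1999-09-02T01:13:31 user=curt clid=5559990007 result=fail
1999-09-02T02:05:44 user=alice clid=unknown result=ok
1999-09-02T02:06:02 user=bob clid=5551230002 result=ok
"""

# Calling numbers of the company-owned dial-in PCs (constructed values).
KNOWN_CLIDS = {"5551230001", "5551230002"}
FAIL_THRESHOLD = 3  # failures from one calling number before we flag it


def parse_line(line):
    """Split 'ts key=value key=value ...' into a dict; ts kept under 'ts'."""
    ts, *fields = line.split()
    rec = dict(field.split("=", 1) for field in fields)
    rec["ts"] = ts
    return rec


def analyse(log_text, known_clids=KNOWN_CLIDS, fail_threshold=FAIL_THRESHOLD):
    """Return 'guessing' (calling numbers with >= fail_threshold failures and
    the user names they tried, the daemon-dialer pattern) and 'unknown_ok'
    (successful logins whose CLID is absent or not a company dial-in number)."""
    fails = Counter()
    users_tried = defaultdict(set)
    unknown_ok = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        clid = rec.get("clid", "unknown")
        if rec["result"] == "fail":
            fails[clid] += 1
            users_tried[clid].add(rec["user"])
        elif clid not in known_clids:
            unknown_ok.append((rec["ts"], rec["user"], clid))
    guessing = {clid: (n, sorted(users_tried[clid]))
                for clid, n in fails.items() if n >= fail_threshold}
    return {"guessing": guessing, "unknown_ok": unknown_ok}
```

A successful login from an unlisted or missing calling number is not proof of compromise, only a session where CLID adds nothing to the RADIUS password check and deserves a second look.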
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]