Table of Contents for
Practical UNIX and Internet Security, 3rd Edition


Practical UNIX and Internet Security, 3rd Edition by Alan Schwartz. Published by O'Reilly Media, Inc., 2003
  1. Cover
  2. Practical Unix & Internet Security, 3rd Edition
  3. A Note Regarding Supplemental Files
  4. Preface
  5. Unix “Security”?
  6. Scope of This Book
  7. Which Unix System?
  8. Conventions Used in This Book
  9. Comments and Questions
  10. Acknowledgments
  11. A Note to Would-Be Attackers
  12. I. Computer Security Basics
  13. 1. Introduction: Some Fundamental Questions
  14. What Is Computer Security?
  15. What Is an Operating System?
  16. What Is a Deployment Environment?
  17. Summary
  18. 2. Unix History and Lineage
  19. History of Unix
  20. Security and Unix
  21. Role of This Book
  22. Summary
  23. 3. Policies and Guidelines
  24. Planning Your Security Needs
  25. Risk Assessment
  26. Cost-Benefit Analysis and Best Practices
  27. Policy
  28. Compliance Audits
  29. Outsourcing Options
  30. The Problem with Security Through Obscurity
  31. Summary
  32. II. Security Building Blocks
  33. 4. Users, Passwords, and Authentication
  34. Logging in with Usernames and Passwords
  35. The Care and Feeding of Passwords
  36. How Unix Implements Passwords
  37. Network Account and Authorization Systems
  38. Pluggable Authentication Modules (PAM)
  39. Summary
  40. 5. Users, Groups, and the Superuser
  41. Users and Groups
  42. The Superuser (root)
  43. The su Command: Changing Who You Claim to Be
  44. Restrictions on the Superuser
  45. Summary
  46. 6. Filesystems and Security
  47. Understanding Filesystems
  48. File Attributes and Permissions
  49. chmod: Changing a File’s Permissions
  50. The umask
  51. SUID and SGID
  52. Device Files
  53. Changing a File’s Owner or Group
  54. Summary
  55. 7. Cryptography Basics
  56. Understanding Cryptography
  57. Symmetric Key Algorithms
  58. Public Key Algorithms
  59. Message Digest Functions
  60. Summary
  61. 8. Physical Security for Servers
  62. Planning for the Forgotten Threats
  63. Protecting Computer Hardware
  64. Preventing Theft
  65. Protecting Your Data
  66. Story: A Failed Site Inspection
  67. Summary
  68. 9. Personnel Security
  69. Background Checks
  70. On the Job
  71. Departure
  72. Other People
  73. Summary
  74. III. Network and Internet Security
  75. 10. Modems and Dialup Security
  76. Modems: Theory of Operation
  77. Modems and Security
  78. Modems and Unix
  79. Additional Security for Modems
  80. Summary
  81. 11. TCP/IP Networks
  82. Networking
  83. IP: The Internet Protocol
  84. IP Security
  85. Summary
  86. 12. Securing TCP and UDP Services
  87. Understanding Unix Internet Servers and Services
  88. Controlling Access to Servers
  89. Primary Unix Network Services
  90. Managing Services Securely
  91. Putting It All Together: An Example
  92. Summary
  93. 13. Sun RPC
  94. Remote Procedure Call (RPC)
  95. Secure RPC (AUTH_DES)
  96. Summary
  97. 14. Network-Based Authentication Systems
  98. Sun’s Network Information Service (NIS)
  99. Sun’s NIS+
  100. Kerberos
  101. LDAP
  102. Other Network Authentication Systems
  103. Summary
  104. 15. Network Filesystems
  105. Understanding NFS
  106. Server-Side NFS Security
  107. Client-Side NFS Security
  108. Improving NFS Security
  109. Some Last Comments on NFS
  110. Understanding SMB
  111. Summary
  112. 16. Secure Programming Techniques
  113. One Bug Can Ruin Your Whole Day . . .
  114. Tips on Avoiding Security-Related Bugs
  115. Tips on Writing Network Programs
  116. Tips on Writing SUID/SGID Programs
  117. Using chroot( )
  118. Tips on Using Passwords
  119. Tips on Generating Random Numbers
  120. Summary
  121. IV. Secure Operations
  122. 17. Keeping Up to Date
  123. Software Management Systems
  124. Updating System Software
  125. Summary
  126. 18. Backups
  127. Why Make Backups?
  128. Backing Up System Files
  129. Software for Backups
  130. Summary
  131. 19. Defending Accounts
  132. Dangerous Accounts
  133. Monitoring File Format
  134. Restricting Logins
  135. Managing Dormant Accounts
  136. Protecting the root Account
  137. One-Time Passwords
  138. Administrative Techniques for Conventional Passwords
  139. Intrusion Detection Systems
  140. Summary
  141. 20. Integrity Management
  142. The Need for Integrity
  143. Protecting Integrity
  144. Detecting Changes After the Fact
  145. Integrity-Checking Tools
  146. Summary
  147. 21. Auditing, Logging, and Forensics
  148. Unix Log File Utilities
  149. Process Accounting: The acct/pacct File
  150. Program-Specific Log Files
  151. Designing a Site-Wide Log Policy
  152. Handwritten Logs
  153. Managing Log Files
  154. Unix Forensics
  155. Summary
  156. V. Handling Security Incidents
  157. 22. Discovering a Break-in
  158. Prelude
  159. Discovering an Intruder
  160. Cleaning Up After the Intruder
  161. Case Studies
  162. Summary
  163. 23. Protecting Against Programmed Threats
  164. Programmed Threats: Definitions
  165. Damage
  166. Authors
  167. Entry
  168. Protecting Yourself
  169. Preventing Attacks
  170. Summary
  171. 24. Denial of Service Attacks and Solutions
  172. Types of Attacks
  173. Destructive Attacks
  174. Overload Attacks
  175. Network Denial of Service Attacks
  176. Summary
  177. 25. Computer Crime
  178. Your Legal Options After a Break-in
  179. Criminal Hazards
  180. Criminal Subject Matter
  181. Summary
  182. 26. Who Do You Trust?
  183. Can You Trust Your Computer?
  184. Can You Trust Your Suppliers?
  185. Can You Trust People?
  186. Summary
  187. VI. Appendixes
  188. A. Unix Security Checklist
  189. Preface
  190. Chapter 1: Introduction: Some Fundamental Questions
  191. Chapter 2: Unix History and Lineage
  192. Chapter 3: Policies and Guidelines
  193. Chapter 4: Users, Passwords, and Authentication
  194. Chapter 5: Users, Groups, and the Superuser
  195. Chapter 6: Filesystems and Security
  196. Chapter 7: Cryptography Basics
  197. Chapter 8: Physical Security for Servers
  198. Chapter 9: Personnel Security
  199. Chapter 10: Modems and Dialup Security
  200. Chapter 11: TCP/IP Networks
  201. Chapter 12: Securing TCP and UDP Services
  202. Chapter 13: Sun RPC
  203. Chapter 14: Network-Based Authentication Systems
  204. Chapter 15: Network Filesystems
  205. Chapter 16: Secure Programming Techniques
  206. Chapter 17: Keeping Up to Date
  207. Chapter 18: Backups
  208. Chapter 19: Defending Accounts
  209. Chapter 20: Integrity Management
  210. Chapter 21: Auditing, Logging, and Forensics
  211. Chapter 22: Discovering a Break-In
  212. Chapter 23: Protecting Against Programmed Threats
  213. Chapter 24: Denial of Service Attacks and Solutions
  214. Chapter 25: Computer Crime
  215. Chapter 26: Who Do You Trust?
  216. Appendix A: Unix Security Checklist
  217. Appendix B: Unix Processes
  218. Appendixes C, D, and E: Paper Sources, Electronic Sources, and Organizations
  219. B. Unix Processes
  220. About Processes
  221. Signals
  222. Controlling and Examining Processes
  223. Starting Up Unix and Logging In
  224. C. Paper Sources
  225. Unix Security References
  226. Other Computer References
  227. D. Electronic Resources
  228. Mailing Lists
  229. Web Sites
  230. Usenet Groups
  231. Software Resources
  232. E. Organizations
  233. Professional Organizations
  234. U.S. Government Organizations
  235. Emergency Response Organizations
  236. Index
  263. About the Authors
  264. Colophon
  265. Copyright

Modems and Security

Modems raise a number of security concerns because they create links between your computer and the outside world. Modems can be used by individuals inside your organization to remove confidential information. Modems can be used by people outside your organization to gain unauthorized access to your computer. If your modems can be reprogrammed or otherwise subverted, they can be used to trick your users into revealing their passwords. And, finally, an attacker can eavesdrop on a modem communication.

Despite the rise of the Internet, modems remain a popular tool for breaking into large corporate networks. The reason is simple: while corporations closely monitor their network connections, modems are largely unguarded and unaudited. In many organizations, it is difficult and expensive to prevent users from putting modems on their desktop computers and running “remote access” software. This happens much more frequently than you might expect.

So what can be done? To maximize security, modems should be provided by the organization and administered in a secure fashion.

The first step is to protect the modems themselves. Be sure they are located in a physically secure location, so that no unauthorized individual can access them. The purpose of this protection is to prevent the modems from being altered or rewired. Some modems can have altered microcode or passwords loaded into them by someone with appropriate access, and you want to prevent such occurrences. You might make a note of the configuration switches (if any) on the modem, and periodically check them to be certain they remain unchanged.

Many modems sold these days allow remote configuration and testing. This capability makes changes simpler for personnel who manage several remote locations. It also makes abusing your modems simpler for an attacker. Therefore, be certain that such features, if present in your modems, are disabled.

The next most important aspect of protecting your modems is to protect their telephone numbers. Treat the telephone numbers for your modems the same way you treat your passwords: don’t publicize them to anyone other than those who have a need to know. Making the telephone numbers for your modems widely known increases the chances that somebody might try to use them to break into your system.

Unfortunately, you cannot keep the telephone numbers of your modems absolutely secret. After all, people do need to call them. And even if you were extremely careful with the numbers, an attacker could always discover the modem numbers by dialing every telephone number in your exchange. For this reason, simple secrecy isn’t a solution; your modems need more stringent protection.

Tip

You might consider changing your modem phone numbers on a yearly basis as a basic precaution. You might also request phone numbers for your modems that are on a different exchange from the one used by the business voice and fax numbers that you advertise.

Banners

A banner is a message that is displayed by a modem (or the computer to which the modem is connected) when it is called. Some banners are displayed by the answering system before the caller types anything; other banners are displayed only after a person successfully authenticates. Example 10-1 shows a simple, but problematic, banner.

Example 10-1. A simple but problematic banner

Welcome to Internet Privacy Corporation (IPC), where privacy comes first.

Don't have an account? 
Log in with username "guest" password "guest" to create one!

If you have problems logging in, please call
Paul Johnson in technical support at 203-555-1212. 

FreeBSD 4.2 login:

Banners improve the usability of a system by letting the callers know that they have reached the correct system. They can also include any necessary legal disclosures or notices. Unfortunately, banners can also be used by attackers: an attacker who scans a telephone exchange or a city can use banners to determine which organization’s modems they have found. Banners can also provide useful clues that help an attacker break into a system, such as disclosing the operating system version or the modem firmware revision.

Banners have a troubled history. In the 1980s, it was common for computer banners to include the word “welcome.” Although it has been rumored that a person on trial for computer intrusion argued successfully that the word “welcome” was essentially an invitation from the system’s management for the attacker to break in, this never really happened; nevertheless, the explicit invitation is a bad idea. In other cases, attackers have successfully had evidence suppressed because system banners did not inform them that their keystrokes were being recorded.

For all of these reasons, the banner that we presented in Example 10-1 is problematic. A better banner is shown in Example 10-2.

Example 10-2. A better banner

Unauthorized use of this system is prohibited and may be prosecuted to the 
fullest extent of the law. By using this system, you implicitly agree to
monitoring by system management and law enforcement authorities. If you do 
not agree with these terms, DISCONNECT NOW.

login:

Here are some recommendations for what to put into your banner:

  • State that unauthorized use of the system is prohibited and may be prosecuted. (Do not say that unauthorized use will be prosecuted. If some unauthorized users are prosecuted when others are not, the users who are prosecuted may be able to claim selective enforcement of this policy.)

  • State that all users of the system may be monitored.

  • Tell the user that he is agreeing to be monitored as a condition of using the computer system.

  • In some cases, it is acceptable to display no welcome banner at all.

  • If your computer is a Federal Interest computer system,[102] say so. There are additional penalties for breaking into such systems, and the existence of these penalties may deter some attackers.

Here are some recommendations for what not to put into your banner:

  • Do not use any word expressing “welcome.”

  • Do not identify the name of your organization.

  • Do not provide any phone numbers or other contact information.

  • Do not identify the name or release of your computer’s operating system.
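The do and don't lists above can be turned into a mechanical check of a banner file such as /etc/issue. The following is an added example, not code from the book: it audits a banner against those recommendations and, run as a script, reports on the two banners from Examples 10-1 and 10-2. The `org_names` parameter and the list of operating-system names are assumptions for this example.

```python
import re

# Patterns a banner should match (the "what to put in" list above).
REQUIRED = {
    "does not state that unauthorized use is prohibited":
        re.compile(r"\bunauthori[sz]ed\s+(use|access)\b.{0,60}?\bprohibited\b",
                   re.I | re.S),
    "does not state that users may be monitored":
        re.compile(r"\bmonitor", re.I),
}

# Patterns a banner should not match (the "what not to put in" list above).
# The OS-name list is an assumption; extend it for the systems you run.
FORBIDDEN = {
    "uses welcoming language":
        re.compile(r"\bwelcome\b", re.I),
    "discloses a telephone number":
        re.compile(r"\b\d{3}[-. ]\d{3}[-. ]\d{4}\b"),
    "discloses the operating system name or release":
        re.compile(r"\b(FreeBSD|OpenBSD|NetBSD|Linux|Solaris|SunOS|HP-UX|AIX|IRIX)\b",
                   re.I),
    "promises that unauthorized use WILL be prosecuted":
        re.compile(r"\bwill\s+be\s+prosecuted\b", re.I),
    "advertises login credentials":
        re.compile(r'\b(username|password)\s+"[^"]+"', re.I),
}


def audit_banner(text, org_names=()):
    """Return a list of findings; an empty list means no concern was raised.

    org_names (an assumed parameter) lists names and abbreviations of the
    organization that should not appear in the banner.
    """
    findings = []
    if not text.strip():
        return findings  # the text notes that no banner at all is acceptable
    for problem, pattern in REQUIRED.items():
        if not pattern.search(text):
            findings.append(problem)
    for problem, pattern in FORBIDDEN.items():
        m = pattern.search(text)
        if m:
            findings.append(f"{problem}: {m.group(0)!r}")
    for name in org_names:
        if re.search(r"\b" + re.escape(name) + r"\b", text, re.I):
            findings.append(f"discloses the organization name: {name!r}")
    return findings


# The two banners from Examples 10-1 and 10-2, reproduced here as input.
PROBLEMATIC_BANNER = """\
Welcome to Internet Privacy Corporation (IPC), where privacy comes first.

Don't have an account?
Log in with username "guest" password "guest" to create one!

If you have problems logging in, please call
Paul Johnson in technical support at 203-555-1212.

FreeBSD 4.2 login:
"""

BETTER_BANNER = """\
Unauthorized use of this system is prohibited and may be prosecuted to the
fullest extent of the law. By using this system, you implicitly agree to
monitoring by system management and law enforcement authorities. If you do
not agree with these terms, DISCONNECT NOW.

login:
"""


def main():
    names = ("Internet Privacy Corporation", "IPC")
    for label, banner in (("Example 10-1", PROBLEMATIC_BANNER),
                          ("Example 10-2", BETTER_BANNER)):
        findings = audit_banner(banner, org_names=names)
        print(f"{label}: {'OK' if not findings else f'{len(findings)} finding(s)'}")
        for f in findings:
            print("  -", f)


if __name__ == "__main__":
    main()
```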

Caller-ID and Automatic Number Identification

In many areas, you can purchase an additional telephone service called Caller-ID. As its name implies, Caller-ID identifies the phone number of each incoming telephone call. The phone number is usually displayed on a small box next to the telephone when the phone starts ringing. Automatic Number Identification (ANI) is a version of this service that is provided to customers of toll-free numbers (800 numbers and other toll-free exchanges).

Many modems support Caller-ID directly. When these modems are properly programmed, they will provide Caller-ID information to the host computer when the information is received over the telephone lines.

There are many ways that you can integrate Caller-ID with your remote access services:

  • Some remote access systems can be programmed to accept the Caller-ID information directly and log the information for each incoming call along with the time and the username that was provided. The vast majority of remote access systems that support telephone lines delivered over ISDN Basic Rate, ISDN PRI, and T1 FlexPath circuits include support for logging Caller-ID information in RADIUS accounting log files.[103]

    Caller-ID can be very useful for tracking down perpetrators after a break-in. Unlike a username and password, which can be stolen and used by an unauthorized individual, Caller-ID information almost always points back to the actual source of an attack. Many dialup ISPs now routinely collect Caller-ID information and make this information available to law enforcement agencies that investigate cybercrimes. The author of the Melissa computer worm was identified, in part, through the use of Caller-ID information.

  • If your remote access system does not handle Caller-ID, you can set up a second modem in parallel with the first on the same line. Program your computer to answer the first modem on the third or fourth ring. Use a third-party Caller-ID logging program to capture the Caller-ID information from the second modem. You will then need to manually combine the two logs.

  • ISDN offers yet another service called Restricted Calling Groups, which allows you to specify a list of phone numbers that are allowed to call your telephone number. All other callers are blocked.

Advanced telephone services such as these are only as secure as the underlying telephone network infrastructure: many corporate telephone systems allow the corporation to determine what Caller-ID information is displayed on the telephone instrument of the person being called—even for calls that terminate on other parts of the public switched telephone network. Attackers who have control of a corporate telephone system can program it to display whatever phone number they desire, potentially bypassing any security system that depends solely on Caller-ID or Restricted Calling Groups.
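The second-modem arrangement above leaves you with two logs to combine by hand. The following is an added example, not code from the book, that does the join: it matches each modem login to the most recent Caller-ID record captured on the same phone line shortly before the login, then flags logins whose number was withheld, missing, or not on a list of expected numbers. Both log formats, the tty-to-line mapping, the 90-second window and the sample log lines are constructed for this example.

```python
from datetime import datetime, timedelta
import re

# Constructed formats: "<date> <time> login: <user> on <tty>" from the
# answering system, and "<date> <time> callerid line=<n> number=<digits|
# UNAVAILABLE|BLOCKED>" from the third-party Caller-ID logger.
LOGIN_RE = re.compile(r"^(\S+ \S+) login: (\S+) on (\S+)$")
CID_RE = re.compile(r"^(\S+ \S+) callerid line=(\S+) number=(\S+)$")

# Assumed mapping from the serial port of the answering modem to the
# phone line that the Caller-ID modem is bridged onto.
TTY_TO_LINE = {"ttyS1": "1", "ttyS2": "2"}

# Caller-ID arrives before the answering modem picks up on the third or
# fourth ring, so only a short look-back is needed. 90 s is an assumed value.
WINDOW = timedelta(seconds=90)


def _ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")


def parse_logins(lines):
    logins = []
    for line in lines:
        m = LOGIN_RE.match(line.strip())
        if m:
            logins.append({"time": _ts(m.group(1)), "user": m.group(2),
                           "line": TTY_TO_LINE.get(m.group(3), m.group(3))})
    return logins


def parse_callerid(lines):
    records = []
    for line in lines:
        m = CID_RE.match(line.strip())
        if m:
            records.append({"time": _ts(m.group(1)), "line": m.group(2),
                            "number": m.group(3)})
    return records


def correlate(logins, cids, window=WINDOW):
    """Attach to each login the latest Caller-ID record on the same line
    within `window` before the login, or None if there is no such record."""
    cids = sorted(cids, key=lambda r: r["time"])
    joined = []
    for lg in logins:
        best = None
        for c in cids:
            if c["time"] > lg["time"]:
                break  # sorted, so nothing later can precede this login
            if c["line"] == lg["line"] and lg["time"] - c["time"] <= window:
                best = c  # later records within the window win
        joined.append(dict(lg, caller=best["number"] if best else None))
    return joined


def flag(joined, allowed):
    """Return (user, reason) pairs worth a second look. As the text warns,
    a PBX under an attacker's control can present any number, so a match
    against `allowed` is supporting evidence, not proof of identity."""
    out = []
    for j in joined:
        if j["caller"] is None:
            out.append((j["user"], "no Caller-ID record within window"))
        elif j["caller"] in ("UNAVAILABLE", "BLOCKED"):
            out.append((j["user"], "caller withheld number"))
        elif j["caller"] not in allowed:
            out.append((j["user"], f"unknown number {j['caller']}"))
    return out


# Constructed sample logs; the numbers are fictitious 555 numbers.
CALLERID_LOG = """\
2002-06-14 09:30:10 callerid line=1 number=2125550111
2002-06-14 09:30:55 callerid line=1 number=2035550147
2002-06-14 10:02:10 callerid line=2 number=UNAVAILABLE
2002-06-14 11:45:03 callerid line=1 number=6175550199
"""
LOGIN_LOG = """\
2002-06-14 09:31:12 login: alice on ttyS1
2002-06-14 10:02:31 login: bob on ttyS2
2002-06-14 11:50:40 login: carol on ttyS1
"""

if __name__ == "__main__":
    joined = correlate(parse_logins(LOGIN_LOG.splitlines()),
                       parse_callerid(CALLERID_LOG.splitlines()))
    for user, reason in flag(joined, allowed={"2035550147"}):
        print(f"{user}: {reason}")
```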

One-Way Phone Lines

Many sites set up their modems and telephone lines so that they can both initiate and receive calls.

Allowing the same modems to initiate and receive calls may seem like an economical way to make the most use of your modems and phone lines. However, this approach introduces a variety of significant security risks:

  • Toll fraud can be committed only on telephone lines that can place outgoing calls. The more phones you have that can place such calls, the more time and effort you will need to spend to make sure that your outbound modem lines are properly configured.

  • If phone lines can be used for either inbound or outbound calls, then you run the risk that your inbound callers will use up all of your phone lines and prevent anybody on your system from initiating an outgoing call. (You also run the reverse risk: outbound calls may occupy all of your lines and prevent people from dialing into your system.) By dedicating each telephone line to either inbound or outbound calls, you ensure that one use of the system cannot preclude the other.

  • If your modems are used for both inbound and outbound calls, an attacker can use this capability to subvert any callback systems (see the sidebar) that you may be employing.

Your system will therefore be more secure if you use separate modems for inbound and outbound traffic. In most environments the cost of the extra phone lines is minimal compared to the additional security and functionality provided by line separation.

You may further wish to routinely monitor the configuration of your telephone lines to check for the following conditions:

  • To make sure that telephone lines that are not used to call long-distance telephone numbers cannot, in fact, place long-distance telephone calls

  • To make sure that telephone lines used only for inbound calls cannot place outbound calls

Protecting Against Eavesdropping

Modems are susceptible to eavesdropping and wiretapping. Older modems, including data modems that are slower than 9,600 baud, and most fax modems can be readily wiretapped using off-the-shelf hardware. Higher-speed modems can be eavesdropped upon using moderately sophisticated equipment that, while less readily available, can still be purchased for, at most, thousands of dollars.

How common is electronic eavesdropping? No one can say with certainty. As Whitfield Diffie has observed, for electronic eavesdropping to be effective, the target must be unaware of its existence or take no precautions. It’s likely that there are some individuals and corporations that will never be the target of electronic eavesdropping, while there are others that are constantly targets.

Kinds of eavesdropping

There are basically six different places where a telephone conversation over a modem can be tapped:

At your premises

Using a remote extension, an attacker can place a second modem or a tape recorder in parallel with your existing instruments. Accessible wiring closets with standard punch-down blocks for phone routing make such interception trivial to accomplish and difficult to locate by simple inspection. An inductive tap can also be used, and this requires no alteration to the wiring.

Outside your window

In the spring of 2002, researchers at the University of California at Berkeley discovered that it is possible to determine what information is being sent over dialup modems by analyzing the Transmit Data and Receive Data lights (http://applied-math.org/optical_tempest.pdf). To protect yourself from this attack you should make sure that the flashing TD and RD lights cannot be observed from outside your organization, either by appropriately positioning the modem or by covering the TD and RD lights with black electrical tape.

On the wire between your premises and the central office

An attacker can splice monitoring equipment along the wire that provides your telephone service. In many cities, especially older ones, many splices already exist, and a simple pair of wires can literally go all over town and into other people’s homes and offices without anybody’s knowledge.

At the phone company’s central office

A tap can be placed on your line by employees at the telephone company, operating in either an official or an unofficial capacity. If the tap is programmed into the telephone switch itself, it may be impossible to detect its presence.[104] Hackers who penetrate the phone switches can also install taps in this manner (and, allegedly, have done so).

Along a wireless transmission link

If your telephone call is routed over a satellite or a microwave link, a skillful attacker can intercept and decode that radio transmission. This is undoubtedly done by intelligence agencies of many governments, and may be done by some other large organizations, such as organized crime.

At the destination

The terminus of your telephone call can be the location of the wiretap. This can be done with the knowledge or consent of the operators of the remote equipment, or without it.

Who might be tapping your telephone lines? Here are some possibilities:

A spouse or coworker

A surprising amount of covert monitoring takes place in the home or office by those we trust. Sometimes the monitoring is harmless or playful; at other times, there are sinister motives.

Industrial spies

A tap may be placed by a spy or a business competitor seeking proprietary corporate information. As almost 75% of businesses have some proprietary information of significant competitive value, the potential for such losses should be a concern.

Law enforcement

In 2001, U.S. law enforcement officials obtained court orders to conduct 1,491 wiretaps, according to the Administrative Office of the United States Courts. A large majority of those intercepts, 78%, were the result of ongoing drug investigations. Wiretaps are also used to conduct investigations into terrorism, white-collar crime, and organized crime.

Law enforcement agents may also conduct illegal wiretaps—wiretaps for which the officers have no warrant. Although information obtained from such a wiretap cannot be used in court as evidence, it can be used to obtain a legal wiretap or even a search warrant. (In the late 1980s and 1990s, there was an explosion in the use of unnamed, paid informants by law enforcement agencies in the United States; it has been suggested that some of these “informants” might actually be illegal wiretaps.) Information could also be used for extralegal purposes, such as threats, intimidation, or blackmail.

Eavesdropping countermeasures

There are several measures that you can take against electronic eavesdropping, with varying degrees of effectiveness:

Visually inspect your telephone line

Look for spliced wires, taps, or boxes that you cannot explain. Most eavesdropping by people who are not professionals is easy to detect.

Have your telephone line electronically “swept”

Using a device called a signal reflectometer, a trained technician can electronically detect any splices or junctions on your telephone line. Junctions may or may not be evidence of taps; in some sections of the country, many telephone pairs have multiple arms that take them into several different neighborhoods. If you do choose to sweep your line, you should do so on a regular basis. Detecting a change in a telephone line that has been watched over time is easier than looking at a line one time only and determining if the line has a tap on it.

Sweeping may not detect certain kinds of taps, such as digital taps conducted by the telephone company for law enforcement agencies or other organizations, nor will it detect inductive taps.

Use cryptography

The best way to protect your communications from eavesdropping is to assume that your communications equipment is already compromised and to encrypt all the information as a preventative measure. If you use a dialup connection to the Internet, you can use cryptographic protocols such as SSL and SSH to form a cryptographic barrier that extends from your computer system to the remote server. Packet-based encryption systems such as Point-to-Point Tunneling Protocol (PPTP) and IPsec can be used to encrypt all communications between your computer and a remote server, and you should assume that your Internet service provider is being eavesdropped upon.

A few years ago, cryptographic telephones or modems cost more than $1,000 and were available only to certain purchasers. Today, there are devices costing less than $300 that fit between a computer and a modem and create a cryptographically secure line. Most of these systems are based on private key cryptography and require that the system operator distribute a different key to each user. In practice, such restrictions pose no problem for most organizations. But there are also a growing number of public key systems that offer simple-to-use security that’s still of the highest caliber. There are also many affordable modems that include built-in encryption and require no special unit to work.

Managing Unauthorized Modems with Telephone Scanning and Telephone Firewalls

Many organizations have policies that forbid the installation and operation of modems without specific permission from the site security manager. Each authorized modem is then audited on a regular basis to assure that it is correctly configured and complies with the site’s policies regarding banners, usernames, passwords, and so forth.

Because it is so easy to install a modem, many organizations have modems of which they are unaware. There are two ways to deal with the threat of these so-called rogue modems: telephone scanning and telephone firewalls.

Telephone scanning

You can use a program called a telephone scanner to locate unknown and unauthorized modems. A telephone scanner systematically calls every telephone number in a predefined range and notes the banners of the systems that answer. Some telephone scanners can be programmed to attempt to break into the computer systems that they find by using a predetermined list of usernames and passwords. There are both free and commercial telephone scanners available with a wide range of options. Additionally, some computer-consulting firms will perform telephone scanning as part of a security audit.

Telephone firewalls

In some situations, the risk of penetration by modem is so high that simply scanning for unauthorized modems is not sufficient. In these situations, you may wish to use a telephone firewall to mediate telephone calls between your organization and the outside world.

Similar to an Internet firewall, a telephone firewall is a device that is placed between your telephone system and an outside communications circuit. Typically, a telephone firewall is equipped with multiple ports for digital T1 telephone lines: instead of plugging a PBX into a T1 from a telephone company, the PBX is plugged into the telephone firewall, and the firewall is plugged into the exterior T1s.

A telephone firewall analyzes the content of every telephone conversation. If it detects modem tones originating or terminating at an extension that is not authorized to operate a modem, the call is terminated, and the event is logged. Telephone firewalls can also be used to control fax machines, incoming phone calls, and even unauthorized use of long-distance calls and the use of 800 numbers and 900 services.

Limitations of scanning and firewalls

It is important to realize that neither telephone scanning nor telephone firewalls can do more than detect or control modems that use telephone lines that you know about. Suppose that your organization has a specific telephone exchange; in all likelihood, you will confine your telephone scanning and telephone firewall to that exchange. If some worker orders a separate telephone line from the phone company and pays for that line with his own funds, that phone number will not be within your organization’s telephone exchange and will, therefore, not be detected by telephone scanning. Nor will it be subject to a telephone firewall. A cell phone connected to a modem is also not going to be within your defined exchange.

In many cases, the only way to find rogue telephone lines is through a detailed physical inspection of wiring closets and other points where external telephone lines can enter an organization. In an environment that is rich with authorized wireless devices, it can be even harder to find unauthorized wireless devices.



[102] This is a term defined in federal law. We won’t provide a specific definition here, but if your system is involved in banking, defense, or support of any federally funded activity, your system may be included. You should consult with competent legal counsel for details.

[103] RADIUS, the Remote Authentication Dial In User Service, is a protocol designed to allow terminal servers to authenticate dialup users against a remote database. It is described in RFC 2138.

[104] Under the terms of the 1994 Communications Assistance to Law Enforcement Act, telephone providers have a legal obligation to make it impossible to detect a lawfully ordered wiretap. Those telltale clicks, snaps, and pops on a telephone line that indicate the presence of wiretaps have been relegated to movies, illegal wiretaps, and those weird situations in which the person conducting the wiretap is trying to “send a message” to the target.