Transcript Public Telephone Network

Wardialing and Modem Security
Lesson 19
From Maximum Security, 3ed
• Page 627, items that will make an intruder’s
life a little harder and your data a little more
secure:
• “Do restrict or forbid the use of modems on
desktops; they are the number one method of
bypassing your organization’s security
checkpoints.”
• “Do remember that your phone PBXs also must
be secured.”
Networks
Crunchy on the Outside…
…Chewy on the Inside
What is the Network?
There is a growing connectivity between the
Data Network
and the
Telephone Network
Network Security Technologies
Have Focused Almost Entirely on the TCP/IP
Network…
The Weakest Link is Now the Phone
Network.
The Data Network
• One pipe
• High speed
• Thousands of connections
• Controlled and monitored
• One chokepoint
… your Internet connection is just a dedicated,
high-speed telephone line.
The Telephone Network
Public Switched
Telephone Network
(PSTN)
• Thousands of pipes
• Low speed
• Uncontrolled
• Unmonitored
• No chokepoint
… think of your telephone network as thousands of
low-speed internet connections.
The TCP/IP Network
Internet
Attacker
Router
Web
Server
Firewall
Intrusion
Detection
Users
The Actual Network
Internet
Public Telephone
Network
Router
Web
Server
Firewall
Intrusion
Detection
RAS
(Dial-in Servers)
Users
PBX
Security in The Actual Network
Internet
Attacker
Public Telephone
Network
Router
Web
Server
Firewall
Intrusion
Detection
RAS
(Dial-in Servers)
Users
PBX
Security in The Actual Network
“2-4% of all
telephone lines have
active modems”
Internet
Attacker
Public Telephone
Network
Router
Web
Server
Firewall
Intrusion
Detection
RAS
(Dial-in Servers)
Users
PBX
Unauthorized access to ISP’s
Virus protection
mechanisms can
be circumvented
Proprietary data
can be uploaded by
users
Internet
Public Telephone
Network
Router
Web
Server
Firewall
Intrusion
Detection
RAS
(Dial-in Servers)
Users
PBX
Wardialers
• Step 1, Phone number footprinting
• Public Domains Wardialers
• ToneLoc
• THC
• Commercial
• PhoneSweep
• TeleSweep Secure
War Dialing the ‘Bay’
• In ’97, Peter Shipley dialed the San Francisco
Bay area looking for systems answered by a
modem. He eventually finished the entire range
but the final report hasn’t been published.
Early results reported, however, included:
• 1.4 million numbers dialed
• 500 an hour, 12,000 a day
• 14,000 of the lines dialed were reportedly modems
Some interesting results:
• An East Bay medical facility gave unrestricted modem access to
•
•
•
•
patient records.
An Internet company offering financial services did not require a
password to modify its modem-accessible firewall.
A Fortune 100 company’s air conditioner and environmental
control units could be easily changed by modem allowing lights
to be turned off or heating/air conditioning to be changed.
Only 3 of every 1000 modem lines he checked posted a warning
banner (a requirement for gov. machines).
Some of the welcome banners gave the name of the operating
system, release, and name of corporation.
Carrier Exploitation
Once you have a number, now what?
Check the wardialing log, you can get some clues, then dial back.
CONNECT 57600
HP995-400:
Expected a HELLO command. (CIERR 6057)
Many default sequences (e.g. HP MPE-XL systems)
CONNECT 57600
HP995-400: HELLO FIELD.SUPPORT
PASSWORD=TeleSup
Default for pcAnywhere -- no password/userid
and…you can always try brute force password guessing if nothing
else works!
The Current Prevention Approach
• Policy
• Scanning (ad hoc War Dialing)
• Administrative Action
Current Scanning Challenge
•
•
•
•
•
•
Window of Visibility
Time / Scalability
Vulnerability Measurement
Cost (Long Distance Charges)
Data Collection and Consolidation
Logging / Reporting
Solution
A better approach than the ad-hoc wardialing, is to
apply the same type of control that is found on the IP
network to the telephone network.
Thus, the solution is a firewall for the telephone network
The Telephone Network
Public Switched
Telephone Network
(PSTN)
• Thousands of pipes
• Low speed
• Uncontrolled
• Unmonitored
• No chokepoint
… think of your telephone network as thousands of
low-speed internet connections.
A Firewall for Phone Lines
Public Switched
Telephone Network
(PSTN)
• One virtual pipe
• Controlled and monitored
… get your hands around the problem, and take
control of the telephone network.
Remote Enterprise-wide Telecom
Firewall Protection
Internet
Public Telephone
Network
Router
Web
Server
Firewall
Voice
Modem
• Detect
• Log
• Alarm
• Block
Intrusion
Detection
RAS
(Dial-in Servers)
Telecom
Firewall
Users
PBX
Fax
Remote Enterprise-wide Telecom
Firewall Protection
Internet
Attacker
Public Telephone
Network
Router
Web
Server
Firewall
Voice
• Detect
• Log
• Alarm
• Block
Intrusion
Detection
RAS
(Dial-in Servers)
Modem
Telecom
Firewall
Users
PBX
Fax
TeleWall Telecommunications Firewall
Protect Phone-to-Switch
• Telephone fraud is a tremendous problem
(1999: $5B)
• Most PBX’s have a remote dial-up port for
maintenance purposes.
• Often protected with a numeric password
• The same device used to protect against
attacks to unauthorized modems can be
used to protect the PBX as well.
PBX Hacking
• Dial-up connections are the most frequent means
of remotely managing a PBX. Also frequently
used for vendor external support.
• Just like computers with default passwords, PBX’s
often have default access codes.
• What companies should do is remove defaults and
if a problem occurs, then provide access code to
vendor, unfortunately…this seldom is done.
Remote Enterprise-wide Telecom Firewall
Protection
Internet
Attacker
Public Telephone
Network
Router
DTMF Signaling Detection
Web
Server
Firewall
• Detect
• Log
• Alarm
• Block
Intrusion
Detection
RAS
(Dial-in Servers)
Telecom
Firewall
Users
PBX
IP Telephony Security Issues
GW
10/100
PBX
Router
PSTN
Internet
User Connected
Modem (IP Phone)
Telecommunication Firewalls
•
•
•
•
•
•
•
•
•
•
Log call progress
Characterize call traffic
Enforce Security and Usage Policy
Control remote maintenance facility and port access
Report resource utilization
Fraud detection/prevention
Trunk line status and usage
Emergency notification
ROI
Protection of VoIP
Extensions to Telecomm
Firewalls
•
•
•
•
Telephone bill reconciliation package.
Secure Voice
Secure VoIP
Additional ‘password’ (DTMF signaling) for
increased security.
• Securing of SCADA (Supervisory Control and
Data Acquisition) systems.
• Roosevelt Dam in Arizona