
Thread: Modem inside company network

  1. #1
    Member
    Join Date
    Aug 2004
    Posts
    95

    Modem inside company network

    Hi

    My boss wants to have a modem installed on a computer inside our network for receiving faxes.

    Please advise me on the threats and how this can be safeguarded.

  2. #2
    Frustrated Mad Scientist
    Join Date
    Dec 2004
    Posts
    1,152
    Why not use a fax machine?

    If he must use a PC it could be a stand alone machine not connected to the rest of the network.
    The machine should be locked down quite tightly and only a few authorised users should have the username/password to use the machine.

    The main risk from outside would probably come from wardialers but I don't know how common that is now.
    The risk from inside would be that you now have an unmonitored connection to the internet for users to start downloading pron or whatever without being monitored.

  3. #3
    The Doctor Und3ertak3r
    Join Date
    Apr 2002
    Posts
    2,744
    ONLY if the machine is a dedicated Fax server.... i.e. Win2k3 with either the crappy MS fax software .. or the GFI fax server software.. With user access limited to viewing the incoming faxes.. server lock out..

    If it is on an individual's PC... follow Aspman's advice.. best keep the modem away from the abUSERS..
    "Consumer technology now exceeds the average person's ability to comprehend how to use it..give up hope of them being able to understand how it works." - Me http://www.cybercrypt.co.nr

  4. #4
    Member
    Join Date
    Aug 2004
    Posts
    95
    Thanks for the reply.

    Business demands this machine to be connected to the inside network and to the internet through the LAN. We are planning to put a desktop firewall and host-based IPS on it, and are going to use it only for receiving faxes. Planning to close every other port?

    Is this still vulnerable? Please suggest.

  5. #5
    Frustrated Mad Scientist
    Join Date
    Dec 2004
    Posts
    1,152
    Stick it in the DMZ?

  6. #6
    Member
    Join Date
    Aug 2004
    Posts
    95
    Threat

    1. A search for modems connected to the phone lines (war-dialling) will easily lead hackers to the computer. It will be an easy target, through which further penetration into the network would be easy.


    Vulnerability


    2. Many rules set in the corporate firewall to protect the network from various threats are bypassed by installing a modem. Script kiddies / hackers may exploit this for further penetration / intrusion into the network.

    3. Even if a host-based firewall and intrusion detection are installed, they cannot replace the corporate firewall. A host-based intrusion detection system would be a reactive control.

    Impact

    4. If hackers manage to exploit the soft target and install a rootkit, it would be very difficult to trace its existence, and the damage caused would be high.

    There are many instances where hackers were able to use an HTTP tunnel and deploy the malicious payload.


    Solution

    1. If the server connected to the modem is stand-alone, certain threats can be minimized.
    2. The server should be hardened as specified in the server hardening policy, and should have the latest antivirus, desktop firewall and host-based IDS/IPS.
    3. All the ports should be closed except the port required for receiving the fax.


    Please suggest how this can be improved further.

  7. #7
    AO Guinness Monster MURACU
    Join Date
    Jan 2004
    Location
    paris
    Posts
    1,003
    The vulnerability will depend on how it is connected. If the modem only connects when there is an incoming call then it should not be that vulnerable. If you need to keep a session open on the computer it should have as few rights as possible. I would create an account locally on the post for the reception of the faxes. Another thing to consider is how you are going to manage the faxes that are received.
    "America is the only country that went from barbarism to decadence without civilization in between."
    "The reason we are so pleased to find other people's secrets is that it distracts public attention from our own."
    Oscar Wilde (1854-1900)

  8. #8
    Frustrated Mad Scientist
    Join Date
    Dec 2004
    Posts
    1,152
    I'm not sure on the feasibility of this but:

    Can you log all calls to the modem and can caller ID be logged with the call?

    Muracu makes a good point. You're thinking a bit too much about outside-in threats. The more likely threat is from inside-out. If the faxes that will be received will contain anything sensitive (names, account numbers, anything) then the machine should be locked down to particular users.

    (Without revealing too much...)
    Why do you need a PC to receive these faxes?
    Why does the machine need to be part of the network?
    Why does it need internet access?

    How sensitive is the material that will be received by fax, who is going to need it and how often will they arrive?

    If the information was to be very sensitive:

    No PC: get a fax machine/stand-alone PC and put it in a locked room away from doors or windows, with a log of who has the key at any time and a policy of what the action will be for having the key without permission or losing it.
    If it is a PC it should be locked down tighter than a duck's arse. Use an alternative OS if you can be confident of hardening it. The fax number should not be published and should not be part of the standard business range, i.e. if the normal phone number is 0800 102010 the fax shouldn't be 0800102011.

    Less sensitive:

    PC on an untrusted link to the rest of the network (someone good with networking could suggest a proper setup). The PC could reside in the DMZ (orange) portion of your firewall and therefore can connect to the network but is not trusted by it.
    The machine should still be isolated either physically in a locked room or through username/passwords.

    Permissions on the machine should be set so that the internet connection cannot be changed to go through the modem. Bios passwords should be in place to prevent anyone booting from a CD OS and then using the modem. Remove the removable media drives even.

    You should definitely have some sort of policy in place to govern the use of this machine and the action that will be taken if it is misused.
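
An added example, not part of the thread, for the caller-ID question raised in post #8: this Python code parses caller-ID reports captured from the fax modem's serial port and lists every call that did not come from an expected sender. It assumes the modem emits the common formatted report (DATE / TIME / NMBR / NAME lines); the capture, the phone numbers and the `EXPECTED_SENDERS` allowlist are constructed for illustration.

```python
import re

# Constructed capture of a modem's serial output with formatted caller ID
# enabled; every number here is made up for the example.
SAMPLE_CAPTURE = """\
RING
DATE = 0321
TIME = 0905
NMBR = 08001020300
NAME = BRANCH OFFICE
RING
DATE = 0321
TIME = 0231
NMBR = P
RING
DATE = 0322
TIME = 0232
NMBR = 07700900123
"""

# Hypothetical allowlist of numbers staff are expected to fax from.
EXPECTED_SENDERS = {"08001020300"}
FIELD = re.compile(r"^(DATE|TIME|NMBR|NAME)\s*=\s*(.*)$")

def parse_calls(capture):
    """Group the caller-ID fields into one dict per call."""
    calls, current = [], {}
    for line in capture.splitlines():
        m = FIELD.match(line.strip())
        if not m:
            continue                      # RING and other modem chatter
        if m.group(1) in current:         # repeated field: next call begins
            calls.append(current)
            current = {}
        current[m.group(1)] = m.group(2).strip()
    if current:
        calls.append(current)
    return calls

def classify(call):
    number = call.get("NMBR", "")
    if not number.isdigit():              # e.g. P (private), O (out of area)
        return "withheld"
    return "expected" if number in EXPECTED_SENDERS else "unexpected"

def review(capture):
    """Return (date, time, number, verdict) for calls needing a look."""
    return [(c.get("DATE"), c.get("TIME"), c.get("NMBR"), classify(c))
            for c in parse_calls(capture) if classify(c) != "expected"]
```

Calling `review(SAMPLE_CAPTURE)` returns the withheld-number call and the call from the number that is not on the allowlist; caller ID can be spoofed or withheld, so the output is a review queue rather than an access control.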

  9. #9
    Member
    Join Date
    Aug 2004
    Posts
    95
    (Without revealing too much...)
    Why do you need a PC to receive these faxes?
    We need to receive certain documents from our people travelling and from their houses.

    Why does the machine need to be part of the network?
    It has to send the faxes by e-mail

    Why does it need internet access?
    It's going to be accessed through SSH or VPN by process owners from different locations of the world.

    How sensitive is the material that will be received by fax, who is going to need it and how often will they arrive?
    Sensitive, and we will be receiving very often.

    Thank you for all the suggestions.

  10. #10
    Frustrated Mad Scientist
    Join Date
    Dec 2004
    Posts
    1,152
    You might have a problem there with VPN.
    A VPN is only as secure as the machines at either end so it's no use if you cannot guarantee the security of your fax PC or the remote machines. Maybe you meant an SSL VPN like Netilla? That might be an option though expensive.

    Are the remote users using machines that are controlled by the company or just their own home PCs? If you control the remote machines also that will make your options easier as you can trust (to a certain extent) both ends of the connection. If it's a home PC at the other end you would need to treat it as if it were compromised.

    If the material is sensitive then you will need to control access to it. Having it in a locked room wouldn't work because you are getting frequent messages and users will just leave the door open for convenience.

    It's also going to be down to how many people need to see the faxes. If it's only one then you have a secured workstation which only allows the authorised user to log in. If you have lots of users who can access the information that's going to be more difficult. You'd definitely need to ensure that full event logging is enabled to record who uses the machine and when.

    I think you have three separate issues to think about:

    1) Security of a machine which will have a 'backdoor' and the potential to be a point of entry into your network.
    2) The need to provide remote access to this machine (possibly from unsecured PCs).
    3) Control of sensitive information within the business itself.
