Hi
My boss wants to have a modem installed on a computer inside our network for receiving fax.
Pl. advise me on the threats and how this can be safeguarded.
Why not use a fax machine?
If he must use a PC it could be a stand alone machine not connected to the rest of the network.
The machine should be locked down quite tightly and only a few authorised users should have the username/password to use the machine.
The main risk from outside would probably come from wardialers but I don't know how common that is now.
The risk from inside would be that you now have an unmonitored connection to the internet for users to start downloading pron or whatever without being monitored.
ONLY if the machine is a dedicated Fax server.... i.e. Win2k3 with either the crappy MS fax software .. or the GFI fax server software.. With user access limited to viewing the incoming faxes.. server lock out..
If it is on an individual's PC... follow Aspman's advice.. best keep the modem away from the abUSERS..
Thanks for the reply.
Business demands this machine to be connected to the inside network and to the internet through LAN. We are planning to put in a desktop firewall and host-based IPS, and are going to use it only for receiving fax. Planning to close every other port?
Is this still vulnerable? Pl. suggest.
Stick it in the DMZ?
Threat
1. A search for modems connected to the phone lines (war-dialling) will easily lead hackers to the computer. It will be an easy target, through which further penetration into the network would be easy.
Vulnerability
2. Many rules set in the corporate firewall to protect the network from various threats are bypassed by installing a modem. Script kiddies / hackers may exploit this for further penetration / intrusion into the network.
3. Even if a host-based firewall and intrusion detection are installed, they cannot replace the corporate firewall. A host-based intrusion detection system would be a reactive control.
Impact
4. If hackers manage to exploit the soft target and install a rootkit, it would be very difficult to trace its existence, and the damage caused would be high.
There are many instances where the hackers were able to use an HTTP tunnel and deploy the malicious payload.
Solution
1. If the server connected to the modem is stand-alone, certain threats can be minimized.
2. The server should be hardened as specified in server hardening policy, should have latest antivirus, Desktop firewall, Host based IDS/IPS.
3. All the ports should be closed except the port required for receiving the fax.
Pl. suggest how this can be improved further
The vulnerability will depend on how it is connected. If the modem only connects when there is an incoming call then it should not be that vulnerable. If you need to keep a session open on the computer it should have as few rights as possible. I would create an account locally on the post for the reception of the faxes. Another thing to consider is how you are going to manage the faxes that are received.
I'm not sure on the feasibility of this but:
Can you log all calls to the modem, and can caller ID be logged with the call?
Muracu makes a good point. You're thinking a bit too much about outside-in threats. The more likely threat is from inside-out. If the faxes that will be received will contain anything sensitive (names, account numbers, anything) then the machine should be locked down to particular users.
(Without revealing too much...)
Why do you need a PC to receive these faxes?
Why does the machine need to be part of the network?
Why does it need internet access?
How sensitive is the material that will be received by fax, who is going to need it and how often will they arrive?
If the information was to be very sensitive:
No PC: get a fax machine/stand-alone PC and put it in a locked room away from doors or windows, with a log of who has the key at any time and a policy of what the action will be for having the key without permission or losing it.
If it is a PC it should be locked down tighter than a duck's arse. Use an alternative OS if you can be confident of hardening it. The fax number should not be published and should not be part of the standard business range, i.e. if the normal phone number is 0800 102010 the fax shouldn't be 0800 102011.
Less sensitive:
PC on an untrusted link to the rest of the network (someone good with networking could suggest a proper set-up). The PC could reside in the DMZ (orange) portion of your firewall and therefore can connect to the network but is not trusted by it.
The machine should still be isolated either physically in a locked room or through username/passwords.
Permissions on the machine should be set so that the internet connection cannot be changed to go through the modem. BIOS passwords should be in place to prevent anyone booting from a CD OS and then using the modem. Remove the removable media drives even.
You should definitely have some sort of policy in place to govern the use of this machine and the action that will be taken if it is misused.
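The call logging asked about above (every call to the modem, with caller ID), as an added example that is not part of the original thread. It assumes the modem has caller-ID reporting enabled and emits formatted DATE/TIME/NMBR lines between rings; the sample stream and the expected-sender list are constructed.

```python
import re

# Constructed sample of what a caller-ID-capable modem writes to its serial
# port (DATE/TIME/NMBR fields arrive between the first and second RING).
# Not a real capture.
SAMPLE_STREAM = """\
RING
DATE = 0312
TIME = 0915
NMBR = 5550100
RING
RING
DATE = 0312
TIME = 0231
NMBR = P
RING
RING
DATE = 0312
TIME = 0232
NMBR = 5550177
RING
"""

# Hypothetical allowlist: numbers the travelling staff are known to fax from.
EXPECTED_SENDERS = {"5550100", "5550142"}
FIELD = re.compile(r"^(DATE|TIME|NMBR|NAME)\s*=\s*(.*)$")

def parse_calls(stream):
    """Group caller-ID fields into one record per call."""
    calls, current = [], {}
    for line in stream.splitlines():
        m = FIELD.match(line.strip())
        if m:
            current[m.group(1)] = m.group(2).strip()
        elif line.strip() == "RING" and "NMBR" in current:
            calls.append(current)   # a RING after the fields closes the record
            current = {}
    if "NMBR" in current:           # caller hung up after a single ring
        calls.append(current)
    return calls

def review(calls, expected=EXPECTED_SENDERS):
    """Return (call, reason) pairs for whoever monitors the fax host."""
    findings = []
    for c in calls:
        if c["NMBR"] in ("P", "O"):  # assumed codes: P = withheld, O = out of area
            findings.append((c, "caller ID withheld or unavailable"))
        elif c["NMBR"] not in expected:
            findings.append((c, "number not on the expected-sender list"))
    return findings
```

Run over the modem's serial log, `review(parse_calls(...))` gives a short list of calls to check against the faxes actually received, which is also where a war-dialling sweep would show up.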
(Without revealing too much...)
Why do you need a PC to receive these faxes?
We need to receive certain documents from our people travelling and from their houses.
Why does the machine need to be part of the network?
It has to send the faxes by e-mail
Why does it need internet access?
It's going to be accessed through SSH or VPN by process owners from different locations of the world
How sensitive is the material that will be received by fax, who is going to need it and how often will they arrive?
Sensitive and we will be receiving very often.
Thank you for all the suggestions.
You might have a problem there with VPN.
A VPN is only as secure as the machines at either end so it's no use if you cannot guarantee the security of your fax PC or the remote machines. Maybe you meant an SSL VPN like Netilla? That might be an option though expensive.
Are the remote users using machines that are controlled by the company or just their own home PCs? If you control the remote machines also that will make your options easier as you can trust (to a certain extent) both ends of the connection. If it's a home PC at the other end you would need to treat it as if it were compromised.
If the material is sensitive then you will need to control access to it. Having it in a locked room wouldn't work because you are getting frequent messages and users will just leave the door open for convenience.
It's also going to be down to how many people need to see the faxes. If it's only one then you have a secured workstation which only allows the authorised user to log in. If you have lots of users who can access the information that's going to be more difficult. You'd definitely need to ensure that full event logging is enabled to record who uses the machine and when.
I think you have three separate issues to think about:
1) Security of a machine which will have a 'backdoor' and the potential to be a point of entry into your network.
2) The need to provide remote access to this machine (possibly from unsecured PCs)
3) Control of sensitive information within the business itself.
i use GFI faxmaker for exchange, using it to print out faxes to different tcp printers on the network routed by subject. i keep the server in a locked room, keep it updated with patches and virus defs, watch it like i do all the other servers and have had no trouble with it in the past four years. i have never seen a vuln released for this software...not that there couldn't be a first time but its record is pretty good. BTW using a digiboard it has eight modems and the worst that's happened is the occasional sandwich menu from the local deli when someone gives out the number.
I have a relatively old HP multitasking device............I believe that it does photocopying, answering, FAX and printing................might it not be possible to use such a device?
I would have thought it would be relatively simple to isolate something like that.
I cannot quite visualise the requirements here? Just put two PCs on his desk?
:confused:
You say that you need to send the faxes by email. Have you looked into something along the lines of eFax (http://www.efax.com)? We use it where I work, and from what you said it might be along the lines of what you want. You register a number for your fax and your faxes get sent on to you as e-mails. As far as I know they are only in the UK but I'm sure that there must be a US version for those of you across the pond.
thank you all.
I am going to put a machine connected to 5 telephone lines through which I will receive fax from my people travelling outside. This machine is not going to be connected to Internet using the modems but if required we will connect the machine to internet through LAN.
As you all suggested connecting the machine to Internet we have to evaluate the business benefits to threats.
Once the fax is received it will be converted and sent as mail to the respective person.
As you all suggested we will take the required security measures covering both security from inside and outside.
seriously, look into GFI faxmaker. it has the ability built in to email faxes received. there's a version for both exchange and for regular smtp (exchange being irregular). it's really very trouble free.
whatever you decide, as long as you treat your fax server like you should every other server you should be fine. it's not like the modems are connecting to a RAS server. the REAL big threat to networks was the 'personal' RAS server allowing users to connect to their network computers from home if they had a modem and a phone line to use...on win95 no less...and we wonder why modems have such a bad name
qwertyman66 we use something like that here in the US. oddly enough it's called efax :-) .
each department here has an efax folder listed under public folders on the exchange server. seems to work quite well but i don't like it because i wasn't consulted before they decided to use it.
Thank you all for your valuable suggestions.