RE: fax software in the domain

From: Ed Spencer (espencer_at_usa.net)
Date: 07/29/04

    To: "'Henry, Christopher M.'" <chenry@radiologycorp.com>, "'Philip Wagenaar'" <p.wagenaar@accon.nl>, <security-basics@securityfocus.com>
    Date: Thu, 29 Jul 2004 10:41:23 -0800
    
    

    As with all things security, there is a pick list of things that can be
    implemented technologically. The amount of security implemented is
    based on the risk vs. the benefits/need/cost to the organization.

    If the modems were only being used for faxing then the steps you've
    mentioned would indeed be satisfactory. I'm concerned with the fact
    that these are dual-use devices and can function as a network device as
    well. In an organization that uses proxy servers and/or internet
    monitoring software there is a desire to bypass those devices for access
    to the internet (by some people). You could easily set up the computer
    to dial a local ISP, resulting in the possibility of access to your
    network behind the well-thought-out and costly firewall, DMZ, etc. Yes,
    the connection is temporary and low bandwidth, but it's not well
    protected.

    I'm not saying that developing profiles for each machine, and going
    through some of the extreme steps mentioned are absolutely necessary.
    Pick the level of protection you need - as with many things there is a
    point of diminishing returns that can be reached pretty quickly. That
    being said, in many organizations the implementation that you mentioned
    would indeed be enough to satisfy their security needs. Given the
    limited information about the company in the original post we often give
    the most extreme lockdown scenario hoping the end user has enough
    knowledge and experience to implement a level appropriate for the
    organization.

    On a side note, I'm sure you've heard of the ping-o'-death; have you not
    heard of the ring-of-death attack? ;-)

    Thanks for pointing out the level of diminishing returns,
    Ed Spencer.

    -----Original Message-----
    From: Henry, Christopher M. [mailto:chenry@radiologycorp.com]
    Sent: Tuesday, July 27, 2004 11:00 AM
    To: Philip Wagenaar; security-basics@securityfocus.com
    Subject: RE: fax software in the domain

     
    I have been reading through all these posts and I am wondering if this
    is not a bit of overkill. I have 3 computers on my network that require
    the use of a modem. The only steps I took were:

        1. Make sure the app or the PC does not answer calls.
        2. In my PBX I only allow outgoing calls over this line.

    It would be a pain in the ass to try to maintain a second security policy
    for these PCs and really I don't want to deal with it. Also, to the
    outside the modems are invisible, so there is really no way for an
    attacker to dial in. Even if you don't have a PBX, as long as nothing
    answers the modem line everything will be fine; after all, what are they
    going to do, ring your modem to death?


    -----Original Message-----
    From: Philip Wagenaar [mailto:p.wagenaar@accon.nl]
    Sent: Tuesday, July 27, 2004 3:15 AM
    To: security-basics@securityfocus.com
    Subject: Betr.: RE: fax software in the domain

    Hi,

    Usually the phone numbers of a company are in the same range, the same
    way as the IP addresses they get assigned from their ISP usually are.

    An attacker might look up your company's phone number and try to dial the
    numbers below and above it.

    I.e. your company's phone number is 555-2345. An attacker might try all
    the numbers in the 555-234x range.

    You could add an extra layer of security by connecting the fax to a
    phone line with a phone number that is not 'near' your company's
    phone number(s).

    So if your company's phone number is 555-2345, the fax line would have a
    totally different number like 555-8896.

    Kind regards,

    Philip Wagenaar
    Junior ICT Project Leader

    AccoN Accountants & Adviseurs
    ICT Project Bureau
    Postbus 5090
    6802 EB Arnhem
    The Netherlands

    tel. +31 (0)26-3842384
    fax. +31 (0)26-3630222
    mobile: +31 (0)6-25388935
    MSN/E-mail: p.wagenaar@accon.nl
    Yahoo: philip_wagenaar
    http://www.accon.nl

    >>> "Depp, Dennis M." <deppdm@ornl.gov> 26-07-04 19:50 >>>
    Ensure the modem is not configured to accept incoming calls. Also don't
    allow bridging or connection sharing on this PC. I don't know if it's
    possible to restrict access to ISPs or not.

    Dennis

    -----Original Message-----
    From: Juan B [mailto:juanbabi@yahoo.com]
    Sent: Saturday, July 24, 2004 6:06 AM
    To: security-basics@securityfocus.com
    Subject: fax software in the domain

    Hi,

    In my domain we have W2K servers, and on the workstations we use XP Pro.

    On the station of one employee, he must also use a fax with a modem
    connected to the telephone line.

    I think that this is a security problem.

    I can't remove the fax from his PC. My question is: what are the steps to
    protect this PC from being a security problem to the whole network?

    thanks !!

                    
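Henry's step 1 and Dennis's "not configured to accept incoming calls" both come down to one setting on a Hayes-compatible modem: the S0 register, which holds the number of rings before auto-answer (0 means never answer). The script below is an added example written for this thread, not code from any of the posters; it assumes a pyserial-style port object with write() and readlines() (set a timeout on a real port, since readlines() blocks otherwise), that AT&W stores the active profile on the modem in question, and the FakeModem class is a constructed test double so the audit can run offline.

```python
class FakeModem:
    """Constructed stand-in for a Hayes modem on a COM port (test double only)."""

    def __init__(self, s0=2):
        self.s0 = s0         # S0 register: rings before auto-answer; 0 = never answer
        self.saved = None    # value stored by AT&W (assumed to persist the profile)
        self._out = b""

    def write(self, data):
        cmd = data.decode().strip().upper()
        if cmd == "ATS0?":
            self._out = ("%03d\r\nOK\r\n" % self.s0).encode()
        elif cmd.startswith("ATS0="):
            self.s0 = int(cmd[5:])
            self._out = b"OK\r\n"
        elif cmd == "AT&W":
            self.saved = self.s0
            self._out = b"OK\r\n"
        else:
            self._out = b"ERROR\r\n"

    def readlines(self):
        out, self._out = self._out, b""
        return out.splitlines(keepends=True)


def query_s0(port):
    """Return the modem's S0 value, or None if it did not answer with OK."""
    port.write(b"ATS0?\r")
    # Drop blank lines and a possible command echo (ATE1); keep result lines.
    lines = [s for s in (l.decode(errors="replace").strip() for l in port.readlines()) if s]
    if not lines or lines[-1] != "OK":
        return None
    digits = [s for s in lines if s.isdigit()]
    return int(digits[0]) if digits else None


def audit_modem(port, fix=False):
    """Report whether auto-answer is on; with fix=True set S0=0 and save it."""
    s0 = query_s0(port)
    if s0 is None:
        return ("unknown", None)             # no modem, or not a Hayes-style response
    if s0 == 0:
        return ("ok", 0)
    if not fix:
        return ("auto-answer-enabled", s0)
    for cmd in (b"ATS0=0\r", b"AT&W\r"):     # disable auto-answer, then store the profile
        port.write(cmd)
        if b"OK" not in b"".join(port.readlines()):
            return ("fix-failed", s0)
    return ("fixed", query_s0(port))
```

On a real machine, swap FakeModem for a serial.Serial port and run audit_modem() from a scheduled job so a modem that has been re-enabled for auto-answer shows up as a finding rather than staying silent until someone calls it.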
    
