Re: flexfax: Security Question

[Damian A Ivereigh <damian@cisco.com>]

Guy Pelletier wrote:
> 
> Hi,
> 
> We have the HylaFAX server running on an Ultra-10 Solaris box
> connected to our CORWAN (internal network).
> 
> Hardware info:
>         Modem - USRobotics Courier V Everything (56kbps)
>         Plugged into an Ultra- 10
>         Ultra 10 Running the HylaFAX server Version 4.0 patch level 2
> 
> Because of secutiry issues in trying to get our security department
> to provide us with a faxing line they need to some security
> information.
> 
> Below is the discussion that I have been having with them. I'm wondering
> if someone can provide me an answer to their question.
> 
> First email ...
> 
> ----------
> Guy;
>         Can you provide some information on how the HylaFax server works and
> how it protects against modem connectivity.
> 
> Regards..
> ----------
> 
> my reply ...
> 
> ----------
> 
> Just so that I don't provide any incorrect information, I think it would be
> best for me to point you to the HylaFAX website.
> There you should be able to find alot of useful information.
> 
> http://www.sisis.de/hylafax/
> 
> Although one thing that we have done is:
> In the Solaris AdminTool we have setup up the faxing port where service
> enable is not enabled (this disables getty for that port).
> Not disabling this, conflicts with HylaFAX which manages the port itself
> with it's own process.
> 
> Guy
> 
> ----------
> 
> and finally his reply to which I have no answer ...
> 
> ----------
> 
> Guy;
>         Unfortunately I do not have the time to research the HylaFax product
> that you would like to use. Do you have someone there that is familiar with
> the product and can explain to me what the security features are to prevent
> non-fax access.
> 
> ----------

Having just gone through the same hooplah with our security boys, if I
understand correctly they want to make sure that there is no possibility
of anyone connecting in using this modem. My answer was three lines of
security, the first two of which only work if you do not need to recieve
faxes:-

1) If you are going through a PABX, you may be able to configure the
PABX to not accept incoming calls to this line, or even not associate
the line with a telephone number.

2) You configure the modem to not answer calls (set RingsBeforeAnswer to
zero). Call the number to make sure this works.

3) When you faxsetup, when it asks for the name of the getty program
(for recieving data calls), change this to something innoccuous like
/bin/false. You may be able to change this editing etc/setup.cache as
well. Thus you won't get a live getty if a data call comes in (actually,
the line will disconnect).

You will also need to think about how you prevent a future
misconfiguration. Some testing of this frequently, particularly if you
are relying on only the third method. You might consider having a
machine that automatically dials your faxmodem every day or so and
attempts to make a data call. If it succeeds then it should page someone
or something like that.

Security people take modems very seriously and rightly so, they are a
potentially big hole in any firewall your company has. One of the
problems with firewalls, is they tend to make people less security
concious inside the firewall. Thus any cracker breaking in through the
firewall can have a field day once inside.

The key thing is to work with them and try and convince them you
understand the implications of a screw up and have taken steps to
prevent it. Hopefully you will earn their trust in the process. 

Hope this helps.

Damian


-- 
 ______________________________________________________________________
* Damian Ivereigh     *      ||        ||      * Cisco Systems, Inc.   *
* MIS Printer Admin   *    .||||.    .||||.    * Sydney, Australia     *
* Linux Bigot         * ..:||||||:..:||||||:.. * +61 2 8448 7344       *
* damian@cisco.com    *   cisco Systems, Inc.  * Fax: +61 2 8448 7228  *
*______________________________________________________________________*