WORKSHOP
The Safe Way to Remote Console

  September 17, 2001
  By Michael J. DeMaria



Backdoor Via the Telephone

Did your parents ever keep a spare key hidden under a rock when you were a kid, in case you forgot your key? What if a burglar had come along and kicked over that rock, exposing the key? Your house could have been robbed quite easily. A similar situation exists when you're setting up a dial-up backdoor connection. The advantage is that even if your network goes down, you can still connect. The disadvantage is that this connection bypasses the firewall and may be discovered. Programs called war dialers dial every phone number or exchange your business has and look for modems. These programs often are run at night when nobody is in the office and are so simple even the most neophyte script kiddie can use them.

This is not to say that dial-up access is an inherent security risk; networks have had remote-access servers and dial-up connections for years. And sometimes the only way to take care of a problem is remotely. You can use a remote-access server to connect to the internal network or use a VPN to gain access to the network.

Some vendors sell devices that connect only to a console port by dial-up. They are called modems--perhaps you used one of them in the past. Make sure the dial-up connector requires some form of password authentication. Keep in mind your production network may be down or unreachable during this time, so in certain environments don't buy a dial-up adapter that does authentication via a Microsoft Windows NT domain or RADIUS server, for example. Wouldn't it be horrible if your router went down and your backdoor couldn't talk to the PDC (primary domain controller), so you could not connect?

For added security, keep a password on the console device you are trying to access. That way, anyone dialing in will need two sets of passwords, doubling the level of security. By following these steps, you can make a cheap dial-up console server with Linux. You can throw in a modem and make the Linux box act as a PPP server as well.

Special encryption modems also are available. Phone lines can be tapped, some quite easily from outside the house--especially residential lines. Some products to prevent tapping include the Randata SecurPac and SecureTel Sentry Modem. With this type of product, each byte of data is encrypted, removing all viewable information about the remote system. No IP addresses are exposed and there are no TCP signatures--just pure Layer 1 encryption.

The other nice thing about this setup is that you need an encryption modem on both ends to connect, and most script kiddies don't own one. This makes it harder to crack through a backdoor. A product like this can also be used to send secure fax messages without the need for a VPN or fax server. Key exchange is handled by the modem, which uses standard AT commands. No new software or training is required.

These products use a variety of encryption methods: DES (Data Encryption Standard), AES (Advanced Encryption Standard), 3DES, Skipjack and proprietary ciphers. Encryption modems are available for ordinary telephone lines and for ISDN, frame relay and other serial connections. For a while, the government played around with these for voice/data phones using the Clipper chip.

Depending on your area and telephone setup, you can have caller ID turned on. Place a caller ID box between the dial-up connector and the wall jack. This will log the telephone numbers of everyone who tries to dial into your network, as well as provide a date and time stamp (and, if you're lucky, the caller's name or business as well). This is an excellent way of tracking who is calling and detecting hacking attempts, even if the dial-up connector doesn't support caller ID.

The caller information is transmitted between the first and second rings. Your dial-up connector must be set not to pick up before the second ring--not all boxes support this capability. Check with the vendor to find out how many rings are necessary before the connector picks up.

Another good idea if you're using caller ID is to block anonymous calls. This will reduce the calls you receive from "private" phone numbers, though you won't be able to eliminate them entirely. A trick that works on any phone is to dial a special combination (such as *82) before the number to shield your name and number from being picked up by caller ID.

Likewise, some people request a permanently private number. These can be overridden on a per-call basis, and as such there is little excuse to allow an anonymous incoming call. Caller ID is not a panacea; you may receive many "unavailable information" calls, and good luck with someone dialing in internationally.
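The caller ID review described above can be scripted once the log is available as text. The following is an added example, not part of the original article: it assumes records in the DATE/TIME/NMBR/NAME layout that caller-ID-capable modems commonly report (with `P` for a private number and `O` for out of area), and the allowlist, business-hours window and sample log are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample log (MMDD / HHMM); "P" = private, "O" = out of area.
SAMPLE_LOG = """\
DATE = 0917
TIME = 1405
NMBR = 3155550142
NAME = NOC ONCALL

DATE = 0918
TIME = 0212
NMBR = P

DATE = 0918
TIME = 0214
NMBR = 2125550199

DATE = 0918
TIME = 0217
NMBR = 2125550199

DATE = 0918
TIME = 0221
NMBR = O
"""

ALLOWED = {"3155550142"}       # hypothetical: numbers your admins dial from
BUSINESS_HOURS = range(8, 18)  # assumption: 08:00-17:59 local time

def parse_records(text):
    """Return one dict of fields per call; records are blank-line separated."""
    field = re.compile(r"^(\w+)[ \t]*=[ \t]*(.*?)[ \t]*$", re.M)
    calls = [dict(field.findall(b)) for b in re.split(r"\n\s*\n", text.strip())]
    return [c for c in calls if "NMBR" in c]

def review(records, allowed=ALLOWED):
    """Return (record, reasons) for each call not from an allowlisted number."""
    counts = Counter(r["NMBR"] for r in records)
    flagged = []
    for r in (r for r in records if r["NMBR"] not in allowed):
        nmbr = r["NMBR"]
        anonymous = nmbr in ("P", "O")
        reasons = ["no caller ID" if anonymous else "not on allowlist"]
        if not anonymous and counts[nmbr] > 1:
            reasons.append("repeat caller")
        if int(r.get("TIME", "0000")[:2]) not in BUSINESS_HOURS:
            reasons.append("off-hours")
        flagged.append((r, reasons))
    return flagged
```

Treat the flags as leads for review; as noted above, callers can withhold their number, so a private or unavailable entry cannot be attributed from the log alone.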

You should always treat setting up remote access with even more caution than you'd use with your normal network. Not all consoles are password-protected, and others may let you see but not change various configurations or settings. Backdoors bypass the firewall and might not be caught by intrusion-detection systems. And security breaches might be harder to track. However, with the proper security provisions, planning and organization, you can safely set up remote console access.

Mike DeMaria is an associate technology editor based at Network Computing's Syracuse University Real-World Labs®. Send your comments on this article to him at mdemaria@nwc.com.

