Integrating Modem Pools with Firewalls



next up previous contents
Next: Next Steps Up: Putting the Pieces Previous: Screened Subnet Firewall

Integrating Modem Pools with Firewalls

Many sites permit dial-in access to modems located at various points throughout the site. As discussed in an earlier section, this is a potential backdoor and could negate all the protection provided by the firewall. A much better method for handling modems is to concentrate them into a modem pool, and then secure connections from that pool.

The modem pool would likely consist of modems connected to a terminal server, which is a specialized computer designed for connecting modems to a network. A dial-in user connects to the terminal server, and then connects (e.g., telnets) from there to other host systems. Some terminal servers provide security features that can restrict connections to specific systems, or require users to authenticate using an authentication token. Alternatively, the terminal server can be a host system with modems connected to it.

Figure: Modem Pool Placement with Screened Host Firewall.

The figure above shows a modem pool located on the Internet side of the screened host firewall. Since connections from modems need to be treated with the same suspicion as connections from the Internet, locating the modem pool on the outside of the firewall forces the modem connections to pass through the firewall.

The application gateway's advanced authentication measures can then be used to authenticate users who connect from modems as well as from the Internet. The packet filtering router could be used to prevent inside systems from connecting directly to the modem pool.

A disadvantage to this, though, is that the modem pool is connected directly to the Internet and thus more exposed to attack. If an intruder managed to penetrate the modem pool, the intruder might use it as a basis for connecting to and attacking other Internet systems. Thus, a terminal server with security features to reject dial-in connections to any system but the application gateway should be used.

Figure: Modem Pool Placement with Screened Subnet and Dual-Homed Firewalls.

The dual-homed gateway and screened subnet firewalls provide a more secure method for handling modem pools. In the figure above, the terminal server is located on the inner, screened subnet, where access to and from the modem pool can be carefully controlled by the routers and application gateways. The router on the Internet side protects the modem pool from any direct Internet access except from the application gateway.

With the dual-homed gateway and screened subnet firewalls, the router connected to the Internet would prevent routing between Internet systems and the modem pool. With the screened subnet firewall, the router connected to the site would prevent routing between site systems and the modem pool; with the dual-homed gateway firewall, the application gateway would prevent the routing. Users dialing into the modem pool could connect to site systems or the Internet only by connecting to the application gateway, which would use advanced authentication measures.
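The routing restrictions described for both placements (the screening router and terminal-server restriction of the screened host design, and the two routers of the screened subnet design) can be checked against a small packet-filter model. The following is an added example and is not part of the original document: the addresses, zone names, rule lists and function names are constructed assumptions, and the filter semantics (first matching rule wins, everything else denied) are a simplification of what a real router would do.

```python
"""Model of the modem-pool filtering policy for the two placements in the text.

Added example, not from the original document. Every address and rule below is
constructed for illustration; a real site would use its own addressing and its
router's own filter syntax.
"""
from ipaddress import ip_address, ip_network

# Constructed address plan (assumption; the document gives no addresses).
ANY             = ip_network("0.0.0.0/0")
SITE_LAN        = ip_network("10.1.0.0/16")    # protected internal systems
SCREENED_SUBNET = ip_network("192.0.2.0/24")   # subnet between the two routers
APP_GATEWAY     = ip_network("192.0.2.10/32")  # application gateway on the screened subnet
MODEM_POOL      = ip_network("192.0.2.20/32")  # terminal server on the screened subnet


def filter_decision(rules, src, dst):
    """First-match packet filter over (action, src_net, dst_net) rules; default deny."""
    s, d = ip_address(src), ip_address(dst)
    for action, src_net, dst_net in rules:
        if s in src_net and d in dst_net:
            return action == "permit"
    return False


# ---- Screened subnet placement (second figure) ------------------------------
# Outer router: between the Internet and the screened subnet. It stops any
# routing between Internet systems and the modem pool; the Internet may talk
# only to the application gateway.
OUTER_ROUTER = [
    ("deny",   ANY,         MODEM_POOL),
    ("deny",   MODEM_POOL,  ANY),
    ("permit", ANY,         APP_GATEWAY),
    ("permit", APP_GATEWAY, ANY),
]

# Inner router: between the screened subnet and the site. It stops any routing
# between site systems and the modem pool; only the gateway reaches the site.
INNER_ROUTER = [
    ("deny",   MODEM_POOL,  SITE_LAN),
    ("deny",   SITE_LAN,    MODEM_POOL),
    ("permit", APP_GATEWAY, SITE_LAN),
    ("permit", SITE_LAN,    APP_GATEWAY),
]


def zone(addr):
    a = ip_address(addr)
    if a in SITE_LAN:
        return "site"
    if a in SCREENED_SUBNET:
        return "dmz"
    return "internet"


# Which routers a packet crosses, by the pair of zones it travels between.
ROUTERS_ON_PATH = {
    frozenset({"internet", "dmz"}):  [OUTER_ROUTER],
    frozenset({"dmz", "site"}):      [INNER_ROUTER],
    frozenset({"internet", "site"}): [OUTER_ROUTER, INNER_ROUTER],
}


def connection_allowed(src, dst):
    """True if every router on the path permits src -> dst (screened subnet design)."""
    zs, zd = zone(src), zone(dst)
    if zs == zd:
        return True  # same segment: no router in the path, only host-level controls apply
    return all(filter_decision(r, src, dst) for r in ROUTERS_ON_PATH[frozenset({zs, zd})])


# ---- Screened host placement (first figure) ---------------------------------
# One screening router between the outside (Internet plus the modem pool) and
# the site; the application gateway sits on the site side.
MODEM_POOL_OUT = ip_network("203.0.113.20/32")  # constructed: pool on the Internet side
APP_GATEWAY_SH = ip_network("10.1.0.10/32")     # constructed: gateway inside the site
SCREENING_ROUTER = [
    ("deny",   SITE_LAN,       MODEM_POOL_OUT),  # inside systems may not reach the pool directly
    ("permit", ANY,            APP_GATEWAY_SH),  # outside traffic only to the gateway
    ("permit", APP_GATEWAY_SH, ANY),
]


def screened_host_allowed(src, dst):
    """True if the screening router permits src -> dst (screened host design)."""
    s, d = ip_address(src), ip_address(dst)
    if (s in SITE_LAN) == (d in SITE_LAN):
        return True  # both outside or both inside: the router is not in the path
    return filter_decision(SCREENING_ROUTER, src, dst)


def dialin_allowed_screened_host(dst):
    """A dial-in user's connection must first pass the terminal server's own
    restriction (application gateway only) and then the screening router."""
    if ip_address(dst) not in APP_GATEWAY_SH:
        return False
    return screened_host_allowed("203.0.113.20", dst)


if __name__ == "__main__":
    print("pool -> site host (screened subnet):", connection_allowed("192.0.2.20", "10.1.5.5"))
    print("pool -> gateway  (screened subnet):", connection_allowed("192.0.2.20", "192.0.2.10"))
    print("dial-in -> site host (screened host):", dialin_allowed_screened_host("10.1.5.5"))
```

The point the model makes visible is that in both designs the only path from a dial-in user to a site system runs through the application gateway, so its authentication cannot be bypassed; in the screened host design that property depends on the terminal server's own restriction as well as on the router, which is why the text asks for a terminal server with that feature.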

If a site uses any of these measures to protect dial-in access, it must rigidly enforce a policy that prevents any users from connecting modems elsewhere on the protected subnet. Even if the modems contain security features, this adds more complexity to the firewall protection scheme and adds another "weak link" to the chain.



John Wack
Thu Feb 9 18:17:09 EST 1995