[IDS] HCD_PSTN_Fax_Enabled attribute

[IDS] HCD_PSTN_Fax_Enabled attribute

[IDS] HCD_PSTN_Fax_Enabled attribute

Randy Turner rturner at amalfisystems.com
Sat Aug 15 01:46:00 UTC 2009


Yes, allowing *anyone* to send faxes of confidential information is  
definitely a security threat.  And while it may
bypass traditional network perimeter security mechanisms, it will not  
completely bypass PBX/Centrex security mechanisms
that are designed to (at a minimum) log all PSTN traffic inbound and  
outbound of a secure network, it can also apply policy
to fax transmissions if the "PSTN perimeter" security mechanisms  
detect T.30 negotiation.

I think in general, the analog fax threat is more likely than a data/ 
fax modem exploit, but at the moment, NAC/NAP systems
only seem to care about the data network and not the PSTN network.

Interestingly enough, going back to my iFax comment awhile back, when  
enterprises do fully adopt a "converged" packet-switched
topology, then everything can go through a common security policy  
enforcement mechanism.

Randy


On Aug 14, 2009, at 6:26 PM, Ira McDonald wrote:

> Hi,
>
> We appear to have talked past each other here.
>
> I have never heard of anyone actually worrying
> that a data fax connection could somehow bridge
> ONTO the customer's local intranet.
>
> But certainly allowing PSTN FAX *at all* will break
> the security perimeter for classified or sensitive
> documents.  An authorized user (low authorization)
> who is disgruntled (80+% of all security exploits per
> SANS) can send a document outside the intranet.
>
> That's a real threat, not in the least imaginary.
>
> Cheers,
> - Ira
>
> Ira McDonald (Musician / Software Architect)
> Chair - Linux Foundation Open Printing WG
> Blue Roof Music/High North Inc
> email: blueroofmusic at gmail.com
> winter:
>  579 Park Place  Saline, MI  48176
>  734-944-0094
> summer:
>  PO Box 221  Grand Marais, MI 49839
>  906-494-2434
>
>
>
> On Fri, Aug 14, 2009 at 8:46 PM, Randy Turner<rturner at amalfisystems.com 
> > wrote:
>>
>> In my analysis of the data/fax modem solution, it looks like the  
>> device
>> would have to be massively compromised to engage in such an exploit  
>> - and if
>> compromised to this extent, any information coming from this device
>> regarding it's security posture is probably suspect at best, and  
>> worthless
>> at worst.
>> By "massively compromised" in the above sentence, I mean that the  
>> system
>> code load would probably have to be replaced with a malicious  
>> software load
>> and/or the system code would have to be "supplemented" by additional
>> significant software to cause a data/fax modem exploit to occur.
>> I too think that the data/fax exploit is highly unlikely, and if is  
>> does
>> happen, we have not provided enough posture information to detect  
>> it and
>> effect a change in how the device's security posture is evaluated  
>> by a
>> health validator.
>> Randy
>>
>> On Aug 14, 2009, at 5:36 PM, Brian Smithson wrote:
>>
>> In my previous experience with government agencies,
>> the primary concern about PSTN Fax was that it could be
>> used *from a compromised system or by a rogue walkup
>> user* to export documents and system configuration
>> information invisibly, i.e., w/out passing through a firewall
>> and w/out any chance of detection by smart routers
>> (ones with embedded firewalls).
>>
>> Also know as "sending a fax"?
>>
>>
>> My understanding of the concern about PSTN fax modems is that  
>> someone could
>> establish a data session on the fax modem through which they gain  
>> access to
>> the customer network, circumventing the firewall. But I have never  
>> heard of
>> any actual exploits, nor even the technical possibility of an  
>> exploit, so I
>> consider it to be an irrational fear. I guess its easier to visualize
>> someone sneaking things past a firewall through a fax modem than it  
>> is to
>> visualize something like XSS or SQL injection  :-).
>>
>> --
>> Regards,
>> Brian Smithson
>> PM, Security Research
>> PMP, CSM, CISSP, CISA, ISO 27000 PA
>> Advanced Imaging and Network Technologies
>> Ricoh Americas Corporation
>> (408)346-4435
>>
>> Ira McDonald wrote:
>>
>> Hi Randy,
>>
>> Not that I know of.
>>
>> In my previous experience with government agencies,
>> the primary concern about PSTN Fax was that it could be
>> used *from a compromised system or by a rogue walkup
>> user* to export documents and system configuration
>> information invisibly, i.e., w/out passing through a firewall
>> and w/out any chance of detection by smart routers
>> (ones with embedded firewalls).
>>
>> Cheers,
>> - Ira
>>
>> Ira McDonald (Musician / Software Architect)
>> Chair - Linux Foundation Open Printing WG
>> Blue Roof Music/High North Inc
>> email: blueroofmusic at gmail.com
>> winter:
>>  579 Park Place  Saline, MI  48176
>>  734-944-0094
>> summer:
>>  PO Box 221  Grand Marais, MI 49839
>>  906-494-2434
>>
>>
>>
>> On Thu, Aug 13, 2009 at 9:55 PM, Randy Turner<rturner at amalfisystems.com 
>> >
>> wrote:
>>
>>
>> Are there any documents on the internet that you guys know about that
>> describe existing attack vectors on PSTN/Analog Fax lines?
>>
>> Randy
>>
>>
>> On Aug 13, 2009, at 6:44 PM, Ira McDonald wrote:
>>
>>
>>
>> Hi Randy,
>>
>> It's not that we don't care about IFax.
>>
>> It's that all forms of Internet Fax have protocols and IP
>> ports that would be reported in HCD_Firewall_Setting.
>>
>> But many businesses and government agencies ALSO
>> want to close the "back door" of PSTN Fax.
>>
>> Cheers,
>> - Ira
>>
>> Ira McDonald (Musician / Software Architect)
>> Chair - Linux Foundation Open Printing WG
>> Blue Roof Music/High North Inc
>> email: blueroofmusic at gmail.com
>> winter:
>>  579 Park Place  Saline, MI  48176
>>  734-944-0094
>> summer:
>>  PO Box 221  Grand Marais, MI 49839
>>  906-494-2434
>>
>>
>>
>> On Thu, Aug 13, 2009 at 9:02 PM, Randy Turner<rturner at amalfisystems.com 
>> >
>> wrote:
>>
>>
>> Hi All,
>>
>> When we came up with this attribute, we include PSTN in the name,  
>> which
>> means we only care about PSTN fax, and not internet-fax options  
>> such as
>> T.38
>> or other fully capable iFax features.
>> Did we mean to do this? We only care about PSTN? Which I assume to  
>> mean
>> analog fax?
>>
>> Randy
>>
>>
>> --
>> This message has been scanned for viruses and
>> dangerous content by MailScanner, and is
>> believed to be clean.
>>
>> _______________________________________________
>> ids mailing list
>> ids at pwg.org
>> https://www.pwg.org/mailman/listinfo/ids
>>
>>
>>
>>
>>
>>
>>
>> --
>> This message has been scanned for viruses and
>> dangerous content by MailScanner, and is
>> believed to be clean.
>> _______________________________________________
>> ids mailing list
>> ids at pwg.org
>> https://www.pwg.org/mailman/listinfo/ids
>>
>>
>


-- 
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.




More information about the ids mailing list