[IDS] HCD_PSTN_Fax_Enabled attribute

[IDS] HCD_PSTN_Fax_Enabled attribute

William Wagner wamwagner at comcast.net
Sat Aug 15 14:38:12 UTC 2009


I also recall requirements for assurance that there be no connection between
the PSTN modem (fax or data) and the network. Back when I was selling NICs,
this concern seemed remote since (as Randy suggested) it would have required
major FW changes in this case to both the MFD and the NIC, a truly remote
possibility. I don't recall any concern over the ability to send or receive
PSTN Fax; certainly, all that was needed was to not provide a phone line.
But as Brian indicates, "Fax-network separation" with respect to incoming
products was the issue.

 

Of course, to an extent modern MFDs do provide this PSTN-Network connection
in that FaxIn services can direct their received products to a network
destination. Although these products are nominally images, it would seem
that this path might present a vulnerability.

 

Bill Wagner

 

From: ids-bounces at pwg.org [mailto:ids-bounces at pwg.org] On Behalf Of Brian
Smithson
Sent: Saturday, August 15, 2009 7:11 AM
To: Ira McDonald
Cc: ids at pwg.org
Subject: Re: [IDS] HCD_PSTN_Fax_Enabled attribute

 

I have never heard of anyone actually worrying
that a data fax connection could somehow bridge
ONTO the customer's local intranet.

"Fax-network separation" is a common requirement for US gov't sales. It is
often certified as part of common criteria certification.We ended up
covering it (in a more general way) in the 2600.1 protection profile.

Regarding PSTN fax, maybe we should take a closer look at the "PSTN fax
enabled" attribute. If the issue is outbound faxing, then the attribute
should be "outbound PSTN fax enabled" because someone might want to accept
incoming faxes but not allow outgoing. Otherwise, why did they buy a fax in
the first place? If the issue is establishing a data modem connection into
the network, then maybe it should be "Data modem enabled" because, for
example, one could conceivably have a modem enabled for V.92 but disabled
for T.30.



--
Regards,
Brian Smithson
PM, Security Research
PMP, CSM, CISSP, CISA, ISO 27000 PA
Advanced Imaging and Network Technologies
Ricoh Americas Corporation
(408)346-4435



Ira McDonald wrote: 

Hi,
 
We appear to have talked past each other here.
 
I have never heard of anyone actually worrying
that a data fax connection could somehow bridge
ONTO the customer's local intranet.
 
But certainly allowing PSTN FAX *at all* will break
the security perimeter for classified or sensitive
documents.  An authorized user (low authorization)
who is disgruntled (80+% of all security exploits per
SANS) can send a document outside the intranet.
 
That's a real threat, not in the least imaginary.
 
Cheers,
- Ira
 
Ira McDonald (Musician / Software Architect)
Chair - Linux Foundation Open Printing WG
Blue Roof Music/High North Inc
email: blueroofmusic at gmail.com
winter:
  579 Park Place  Saline, MI  48176
  734-944-0094
summer:
  PO Box 221  Grand Marais, MI 49839
  906-494-2434
 
 
 
On Fri, Aug 14, 2009 at 8:46 PM, Randy Turner
<mailto:rturner at amalfisystems.com> <rturner at amalfisystems.com> wrote:
  

In my analysis of the data/fax modem solution, it looks like the device
would have to be massively compromised to engage in such an exploit - and if
compromised to this extent, any information coming from this device
regarding it's security posture is probably suspect at best, and worthless
at worst.
By "massively compromised" in the above sentence, I mean that the system
code load would probably have to be replaced with a malicious software load
and/or the system code would have to be "supplemented" by additional
significant software to cause a data/fax modem exploit to occur.
I too think that the data/fax exploit is highly unlikely, and if is does
happen, we have not provided enough posture information to detect it and
effect a change in how the device's security posture is evaluated by a
health validator.
Randy
 
On Aug 14, 2009, at 5:36 PM, Brian Smithson wrote:
 
In my previous experience with government agencies,
the primary concern about PSTN Fax was that it could be
used *from a compromised system or by a rogue walkup
user* to export documents and system configuration
information invisibly, i.e., w/out passing through a firewall
and w/out any chance of detection by smart routers
(ones with embedded firewalls).
 
Also know as "sending a fax"?
 
 
My understanding of the concern about PSTN fax modems is that someone could
establish a data session on the fax modem through which they gain access to
the customer network, circumventing the firewall. But I have never heard of
any actual exploits, nor even the technical possibility of an exploit, so I
consider it to be an irrational fear. I guess its easier to visualize
someone sneaking things past a firewall through a fax modem than it is to
visualize something like XSS or SQL injection  :-).
 
--
Regards,
Brian Smithson
PM, Security Research
PMP, CSM, CISSP, CISA, ISO 27000 PA
Advanced Imaging and Network Technologies
Ricoh Americas Corporation
(408)346-4435
 
Ira McDonald wrote:
 
Hi Randy,
 
Not that I know of.
 
In my previous experience with government agencies,
the primary concern about PSTN Fax was that it could be
used *from a compromised system or by a rogue walkup
user* to export documents and system configuration
information invisibly, i.e., w/out passing through a firewall
and w/out any chance of detection by smart routers
(ones with embedded firewalls).
 
Cheers,
- Ira
 
Ira McDonald (Musician / Software Architect)
Chair - Linux Foundation Open Printing WG
Blue Roof Music/High North Inc
email: blueroofmusic at gmail.com
winter:
  579 Park Place  Saline, MI  48176
  734-944-0094
summer:
  PO Box 221  Grand Marais, MI 49839
  906-494-2434
 
 
 
On Thu, Aug 13, 2009 at 9:55 PM, Randy Turner
<mailto:rturner at amalfisystems.com> <rturner at amalfisystems.com>
wrote:
 
 
Are there any documents on the internet that you guys know about that
describe existing attack vectors on PSTN/Analog Fax lines?
 
Randy
 
 
On Aug 13, 2009, at 6:44 PM, Ira McDonald wrote:
 
 
 
Hi Randy,
 
It's not that we don't care about IFax.
 
It's that all forms of Internet Fax have protocols and IP
ports that would be reported in HCD_Firewall_Setting.
 
But many businesses and government agencies ALSO
want to close the "back door" of PSTN Fax.
 
Cheers,
- Ira
 
Ira McDonald (Musician / Software Architect)
Chair - Linux Foundation Open Printing WG
Blue Roof Music/High North Inc
email: blueroofmusic at gmail.com
winter:
 579 Park Place  Saline, MI  48176
 734-944-0094
summer:
 PO Box 221  Grand Marais, MI 49839
 906-494-2434
 
 
 
On Thu, Aug 13, 2009 at 9:02 PM, Randy Turner
<mailto:rturner at amalfisystems.com> <rturner at amalfisystems.com>
wrote:
 
 
Hi All,
 
When we came up with this attribute, we include PSTN in the name, which
means we only care about PSTN fax, and not internet-fax options such as
T.38
or other fully capable iFax features.
Did we mean to do this? We only care about PSTN? Which I assume to mean
analog fax?
 
Randy
 
 
--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.
 
_______________________________________________
ids mailing list
ids at pwg.org
https://www.pwg.org/mailman/listinfo/ids
 
 
 
 
 
 
 
--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.
_______________________________________________
ids mailing list
ids at pwg.org
https://www.pwg.org/mailman/listinfo/ids
 
 
    

 
  


-- 
This message has been scanned for viruses and 
dangerous content by  <http://www.mailscanner.info/> MailScanner, and is 
believed to be clean. 


-- 
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.pwg.org/pipermail/ids/attachments/20090815/e661e0b3/attachment-0001.html>


More information about the ids mailing list