On Tue, 10 Oct 2000 [EMAIL PROTECTED] wrote:

> Actually this has been the norm for quite a while.  Simpler methods would 
> be to setup the modem support as a dialback so that the vendor has to use a 
> dedicated line in order for the remote modem to dial it back after the 
> first call. If you add layers to the support requirement (i.e. 

Don't forget when doing dial-back that you *have* to make sure the modem
is set to drop carrier when it loses DTR (and that the application drops
DTR and your serial cable is complete enough to have DTR, DSR and DCD
lines - not a wired-together cheapo hybrid...)

It really sucks if you _expect_ dial-back and the application _thinks_ the
modem hung up and dialed, but the far end is still connected and just
answers the "call back."

Most vendors have a single-solution outbound modem server, I've always
found it easier to have the modem powered off until the vendor needs to
get in.

Don't forget to have the vendor's representative sign an acceptable usage
policy that matches your security policy for 3rd party access.

> administrative, physical, and technical overhead), one  diminishes the cost 
> effectiveness of vendor support.  Also look into the possibility of using a 
> Sentry DialBack Device which allows for the turning on/off of remote 
> devices via a time block schedule.
> 
> Also restrict the use of where the dial-up user can go

This becomes next-to-impossible if it's access straight into a server that
needs a lot of connectivity.  Once again, some of us are left wishing for
an MLS system that allows permissions down to the network layer (Red Book
B2.)

> Adding another layer may complicate matters:  With a SecurID token card 
> authentication, one has to setup the ACE server, setup users, set up NTP 
> since SecurID relies on a reliable clock in order to sync with the Token.

I've never had to set up NTP for an ACE server.  If I did, I'd probably
try to use GPS as the stratum-1 device.  If you've got good hardware,
clock drift shouldn't be an issue, especially if you mandate a test on a
regular basis so the server can sync to the token.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
[EMAIL PROTECTED]      which may have no basis whatsoever in fact."
                                                                     PSB#9280
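The failure mode described above (the far end never hung up and simply "answers" the call-back) can be caught by the dial-back controller before it dials. The following is an added example, not code from this thread: the Modem class is a constructed simulation of the DTR/DCD control lines rather than a driver for real hardware, safe_dialback is a hypothetical controller function, and AT&D2 is the usual Hayes-compatible setting for hanging up when DTR drops.

```python
"""Dial-back sanity check: refuse to call the vendor back unless the
inbound call has demonstrably been torn down (carrier dropped after
DTR was lowered).  Constructed simulation, not a serial driver."""
import time
from dataclasses import dataclass


@dataclass
class Modem:
    """Simulated modem plus cable as seen from the host.

    honours_dtr=False models a modem configured to ignore DTR drop
    (the fix on a Hayes-compatible modem is AT&D2).
    dcd_wired=False models a cheap cable with no DCD line, so the host
    can never observe carrier state at all."""
    honours_dtr: bool = True
    dcd_wired: bool = True
    connected: bool = False   # is the far end still on the line?
    dtr: bool = True

    def set_dtr(self, value: bool) -> None:
        self.dtr = value
        if not value and self.honours_dtr:
            self.connected = False   # modem drops carrier on DTR loss

    def dcd(self) -> bool:
        """Host's view of Data Carrier Detect."""
        return self.connected if self.dcd_wired else False


def safe_dialback(modem: Modem, dial_fn, settle: float = 0.0):
    """Return (ok, reason).  Only call dial_fn when the hangup is proven.

    Step 1: while the inbound call is up, DCD must read high; if it does
    not, the cable/modem is not reporting carrier and hangup can never be
    verified.  Step 2: lower DTR, wait, and require DCD to go low; if
    carrier persists the modem ignored DTR and the "call back" would be
    answered by the still-connected caller."""
    if not modem.dcd():
        return False, "no DCD on live call: cable lacks DCD or modem misconfigured"
    modem.set_dtr(False)
    time.sleep(settle)
    if modem.dcd():
        return False, "carrier still up after DTR drop: modem ignores DTR (set AT&D2)"
    modem.set_dtr(True)   # re-enable the port before dialing out
    dial_fn()
    return True, "inbound call torn down; dialing back"
```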
