"I know we have some IT-oriented guys among our membership. Hopefully one of you can answer this.
I tried to find information on this question on my own, but have come up short.
Picture a company with many employees, and a well-regulated LAN. Call this company Acme.
Let's say that Acme has a particular building through which many suppliers and contractors visit and do business. Let's say that these suppliers and contractors do not have access to Acme's intranet. However, they can use their own laptops to access their own ISP's or company intranet remotely, using Acme's phone lines. Acme's phones all run through a switchboard.
Is it possible for Acme to monitor the content and traffic of the suppliers other than the number they use to connect to their ISP?
Can you run a firewall at a switchboard to monitor what sites a supplier using your phone line is visiting? Could you potentially see if Acme company information was being digitally transferred out via phone lines?
Thanks in advance for any responses."
__________________
In all actuality you are asking a ton of complex questions. I will try to answer as best I can for each question. Prepare for a long response.
1) Is it possible for Acme to monitor the content and traffic of the suppliers other than the number they use to connect to their ISP?
Yes - if they are running SLIP or PPP over the modem, and the OS on which they're running allows tcpdump (or other pcap-based sniffers such as Ethereal) to capture on SLIP or PPP links, you can sniff the traffic on that modem. This would require a second computer on the same phone listening to passing traffic from the original computer. (Very, very complex setup - I actually have never tried it, this is just a theory.)
2) Can you run a firewall at a switchboard to monitor what sites a supplier using your phone line is visiting?
If by switchboard you actually mean phone switch, yes and no. By dialing out on a phone line, the connection to the ISP is usually being made by PPP (Point to Point Protocol), and thus the packet exchange occurs between the 2 devices that create the PPP connection (in this case the client modem and ISP modem), so you cannot really restrict traffic once the connection is made. You can, however, restrict what numbers can be dialed out at the phone switch, thus preventing the connecting phone call from ever occurring.
3) Could you potentially see if Acme company information was being digitally transferred out via phone lines?
Based on the scenario you gave, the clients using the phone lines should not even be close to accessing secure information because they are not even on the same network. Even if they were connected to the LAN there should be numerous other security measures in place to prohibit unauthorized access of data, i.e. usernames/passwords, file permissions, etc.
As for the transfer of the data, refer to the answer for question 1 - packet sniffing reveals most everything. If they are transferring it, this solution would show it to you.
2 more cents. If the reason for allowing access to phone lines is for the use of internet, there are far more efficient, higher performing and more secure ways of allowing this. I won't go into great detail but I would suggest either LAN access on its own VLAN (virtual LAN - requires layer 3 switch), proxy access etc."
This level of detail is way over my head. But I am curious as to the correct answers to these questions. TIA for what I perceive to be a complex answer.
