[IDS] HCD_PSTN_Fax_Enabled attribute

Brian Smithson brian.smithson at ricoh-usa.com
Sat Aug 15 11:11:10 UTC 2009


>
> I have never heard of anyone actually worrying
> that a data fax connection could somehow bridge
> ONTO the customer's local intranet.
"Fax-network separation" is a common requirement for US gov't sales. It
is often certified as part of common criteria certification. We ended up
covering it (in a more general way) in the 2600.1 protection profile.

Regarding PSTN fax, maybe we should take a closer look at the "PSTN fax
enabled" attribute. If the issue is outbound faxing, then the attribute
should be "outbound PSTN fax enabled" because someone might want to
accept incoming faxes but not allow outgoing. Otherwise, why did they
buy a fax in the first place? If the issue is establishing a data modem
connection into the network, then maybe it should be "Data modem
enabled" because, for example, one could conceivably have a modem
enabled for V.92 but disabled for T.30.

--
Regards,
Brian Smithson
PM, Security Research
PMP, CSM, CISSP, CISA, ISO 27000 PA
Advanced Imaging and Network Technologies
Ricoh Americas Corporation
(408)346-4435



Ira McDonald wrote:
> Hi,
>
> We appear to have talked past each other here.
>
> I have never heard of anyone actually worrying
> that a data fax connection could somehow bridge
> ONTO the customer's local intranet.
>
> But certainly allowing PSTN FAX *at all* will break
> the security perimeter for classified or sensitive
> documents.  An authorized user (low authorization)
> who is disgruntled (80+% of all security exploits per
> SANS) can send a document outside the intranet.
>
> That's a real threat, not in the least imaginary.
>
> Cheers,
> - Ira
>
> Ira McDonald (Musician / Software Architect)
> Chair - Linux Foundation Open Printing WG
> Blue Roof Music/High North Inc
> email: blueroofmusic at gmail.com
> winter:
>   579 Park Place  Saline, MI  48176
>   734-944-0094
> summer:
>   PO Box 221  Grand Marais, MI 49839
>   906-494-2434
>
>
>
> On Fri, Aug 14, 2009 at 8:46 PM, Randy Turner<rturner at amalfisystems.com> wrote:
>   
>> In my analysis of the data/fax modem solution, it looks like the device
>> would have to be massively compromised to engage in such an exploit - and if
>> compromised to this extent, any information coming from this device
>> regarding its security posture is probably suspect at best, and worthless
>> at worst.
>> By "massively compromised" in the above sentence, I mean that the system
>> code load would probably have to be replaced with a malicious software load
>> and/or the system code would have to be "supplemented" by additional
>> significant software to cause a data/fax modem exploit to occur.
>> I too think that the data/fax exploit is highly unlikely, and if it does
>> happen, we have not provided enough posture information to detect it and
>> effect a change in how the device's security posture is evaluated by a
>> health validator.
>> Randy
>>
>> On Aug 14, 2009, at 5:36 PM, Brian Smithson wrote:
>>
>> In my previous experience with government agencies,
>> the primary concern about PSTN Fax was that it could be
>> used *from a compromised system or by a rogue walkup
>> user* to export documents and system configuration
>> information invisibly, i.e., w/out passing through a firewall
>> and w/out any chance of detection by smart routers
>> (ones with embedded firewalls).
>>
>> Also known as "sending a fax"?
>>
>>
>> My understanding of the concern about PSTN fax modems is that someone could
>> establish a data session on the fax modem through which they gain access to
>> the customer network, circumventing the firewall. But I have never heard of
>> any actual exploits, nor even the technical possibility of an exploit, so I
>> consider it to be an irrational fear. I guess it's easier to visualize
>> someone sneaking things past a firewall through a fax modem than it is to
>> visualize something like XSS or SQL injection  :-).
>>
>> --
>> Regards,
>> Brian Smithson
>> PM, Security Research
>> PMP, CSM, CISSP, CISA, ISO 27000 PA
>> Advanced Imaging and Network Technologies
>> Ricoh Americas Corporation
>> (408)346-4435
>>
>> Ira McDonald wrote:
>>
>> Hi Randy,
>>
>> Not that I know of.
>>
>> In my previous experience with government agencies,
>> the primary concern about PSTN Fax was that it could be
>> used *from a compromised system or by a rogue walkup
>> user* to export documents and system configuration
>> information invisibly, i.e., w/out passing through a firewall
>> and w/out any chance of detection by smart routers
>> (ones with embedded firewalls).
>>
>> Cheers,
>> - Ira
>>
>> Ira McDonald (Musician / Software Architect)
>> Chair - Linux Foundation Open Printing WG
>> Blue Roof Music/High North Inc
>> email: blueroofmusic at gmail.com
>> winter:
>>   579 Park Place  Saline, MI  48176
>>   734-944-0094
>> summer:
>>   PO Box 221  Grand Marais, MI 49839
>>   906-494-2434
>>
>>
>>
>> On Thu, Aug 13, 2009 at 9:55 PM, Randy Turner<rturner at amalfisystems.com>
>> wrote:
>>
>>
>> Are there any documents on the internet that you guys know about that
>> describe existing attack vectors on PSTN/Analog Fax lines?
>>
>> Randy
>>
>>
>> On Aug 13, 2009, at 6:44 PM, Ira McDonald wrote:
>>
>>
>>
>> Hi Randy,
>>
>> It's not that we don't care about IFax.
>>
>> It's that all forms of Internet Fax have protocols and IP
>> ports that would be reported in HCD_Firewall_Setting.
>>
>> But many businesses and government agencies ALSO
>> want to close the "back door" of PSTN Fax.
>>
>> Cheers,
>> - Ira
>>
>> Ira McDonald (Musician / Software Architect)
>> Chair - Linux Foundation Open Printing WG
>> Blue Roof Music/High North Inc
>> email: blueroofmusic at gmail.com
>> winter:
>>  579 Park Place  Saline, MI  48176
>>  734-944-0094
>> summer:
>>  PO Box 221  Grand Marais, MI 49839
>>  906-494-2434
>>
>>
>>
>> On Thu, Aug 13, 2009 at 9:02 PM, Randy Turner<rturner at amalfisystems.com>
>> wrote:
>>
>>
>> Hi All,
>>
>> When we came up with this attribute, we included PSTN in the name, which
>> means we only care about PSTN fax, and not internet-fax options such as
>> T.38
>> or other fully capable iFax features.
>> Did we mean to do this? We only care about PSTN? Which I assume to mean
>> analog fax?
>>
>> Randy
>>
>>