
Secure dial-in modem 2

Status
Not open for further replies.

FiveSwords

Instructor
Mar 19, 2004
21
EU
I am trying to get a solution to the following:

I want to secure a dial-in modem by only allowing one specific (public) A-party to dial in, e.g. by CLI. Since both parties are modems, DISA with AC is not an option.
I use ISDN (PRI) trunks with DID.

Any ideas?
 
Mobile extension would work fine.

Make a mobile extension A with the remote modem
as A-number.

Make an internal extension B without a DID number.
(Then it can't be called from outside.)

Make an R1 number for the mobile extension.

Make a traffic class (TCMAS) for extension A and one for B.
Set up the matrix connections such that only A can call B.
No extensions or operators can exist in class 15 after this.
(Then no internal extension other than the mob. ext. A can call it.)

Result: the remote modem calls the R1 number, gets a new dial tone
and calls the MD modem: ATDT"R1 number" ,,,,"modem".
The remote modem is verified against the NUTRI table
and is the only one that can call the MD modem.


How does this sound?

../Syar
 
Sounds good! I've toyed around with RE for this before, but didn't think of using TC yet.

I've tested it and (of course) it works ok!

This is what I did (for those interested in reproducing the result):
/* CREATE R1 NUMBER (0302846999) */
NANSI:NUMTYP=R1,NUMSE=6999;

/* CREATE SEPARATE ROW FOR TC-MATRIX */
TCMAS:CON=T,A=3,B=3;

/* PLACE CSP 12 IN ROW 03 IN TC */
GESPC:CSP=12,SERV=1000200000000,TRAF=0110040403,ROC=000001,CDIV=01511000,NPRES=1100;

/* CREATE RE FOR REMOTE MODEM (00302846914) */
GEDII:DIR=6915,CSP=12,LIM=1;
REEXI:DIR=6915,REMNUM=00302846914,TYPE=FIX; /* FIRST 0 IS ROUTE ACCESS (TESTING FROM SAME PBX) */
NUTRI:ENTRY=00302846914,CNVTYP=6,TRC=11,PRE=6915;

/* CREATE INTERNAL MODEM (26915) */
EXTEI:DIR=26915,CAT=44,TYPE=EL6,EQU=002-0-42-01,ICAT=1000,ADC=001100000;
EXCAC:DIR=26915,TRAF=00040403; /* PLACE IN ROW 03 IN TC */


The remote modem can now dial 0302846999 and after the RE-dial tone dial 26915 to gain access to the internal modem.

Thanks SYAR2003!
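
The call paths that the configuration in the post above allows and blocks, as an added Python sketch that is not part of the thread and is not MD110 logic. The numbers are the ones posted; the data structures, the default traffic-class row 0, extension 2000 and the unknown caller number used for testing are assumptions made for illustration.

```python
# Toy model of the thread's screening design: R1 number + NUTRI table + TC matrix.
# It only mirrors the intent described in the posts; a real PBX decides this itself.

R1_NUMBER = "0302846999"             # remote-extension (R1) access number
NUTRI = {"00302846914": "6915"}      # screened calling number -> mobile extension A
TC_ROW = {"6915": 3, "26915": 3}     # traffic-class row of extension A and modem B
DEFAULT_ROW = 0                      # assumed row for every other extension
TC_MATRIX = {(0, 0), (3, 3)}         # (calling row, called row) pairs that may connect
DID_NUMBERS = {R1_NUMBER}            # numbers reachable from the trunk; 26915 has none


def internal_call(src_ext, dst_ext):
    """Allow a call between extensions only if the TC matrix connects their rows."""
    pair = (TC_ROW.get(src_ext, DEFAULT_ROW), TC_ROW.get(dst_ext, DEFAULT_ROW))
    return pair in TC_MATRIX


def external_call(cli, dialled, second_stage=None):
    """Decide an inbound trunk call and return (allowed, reason)."""
    if dialled not in DID_NUMBERS:
        return False, "no DID for dialled number"
    ext = NUTRI.get(cli)             # A-number screening: unknown CLI maps to nothing
    if ext is None:
        return False, "CLI not in screening table"
    if second_stage is None:
        return False, "no second-stage digits"
    if not internal_call(ext, second_stage):
        return False, "traffic class blocks call"
    return True, f"connected as extension {ext}"


if __name__ == "__main__":
    cases = [
        ("00302846914", R1_NUMBER, "26915"),   # the screened remote modem
        ("00301234567", R1_NUMBER, "26915"),   # constructed unknown caller
        ("00302846914", "26915", None),        # dialling the modem directly
    ]
    for cli, dialled, second in cases:
        print(cli, dialled, second, external_call(cli, dialled, second))
    print("2000 -> 26915:", internal_call("2000", "26915"))
```
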
 
You're welcome, but it was fcpli's idea in the first place.
So I'm giving him a star as well.

/Syar
 
Is this a widely used method, or was it just "taken out of the air" and tested in a lab environment only?

I agree, it is a good and cheap solution!
 
I guess it was taken out of our heads just now.
I know A-number screening boxes with through
connection/direct to com port have been used.

But this is a cheap way.

Anyway, a remote maintenance modem should not be an MD internal line, but external. This is to ensure access to the system
in several fault situations.

..........
 
One Question:

Why are you using type=fix? What would be different if you used type=mob?
 
Agree! TYPE=mob would still not destroy the security.
Perhaps the remote maintenance engineer has a home office??
 
All the numbers the mobile extension wants to log in from
must be in the NUTRI table anyway. So security is not harmed.
The administrator of the MD is in control.

....
 
To mdfan: Although tested in 'lab conditions', this IS intended to be a solution to a real life (and what a life it is!) problem.

To lalrl: Indeed, there was no special reason for using TYPE=FIX, other than the two modems being in fixed positions. Of course you can use this for a 'mobile modem' too. Anyway, this is not intended as a literal and rigid prescription. Adopt, adapt and improve all you want! (But don't forget to let us all know if you find any better solutions :)
 