CompTIA Security_ Deluxe Study Guide_ SY0-201 - Emmett Dulaney [73]
Potentially, your phone system is a target for attack. Figure 3.8 shows a PBX system connected to a phone company using a T1 line. The phone company, in this illustration, is abbreviated CO (for central office). The phone company systems that deal with routing and switching of calls and services are located at the CO.
FIGURE 3.8 A modern digital PBX system integrating voice and data onto a single network connection
If your phone system is part of your data communications network, an attack on your network will bring down your phone system. This event can cause the stress level in a busy office to increase dramatically.
Find the Holes
The United States Department of Commerce, in conjunction with the National Institute of Standards and Technology, has posted an excellent article titled “Vulnerability Analysis: Finding Holes in Your PBX Before Someone Else Does” at http://csrc.nist.gov/publications/nistpubs/800-24/sp800-24pbx.pdf. This document walks through system architecture, hardware, maintenance, and other issues relevant to daily administration as well as exam study.
The security problems in this situation also increase because you must work to ensure security for your voice communications. At the time the exam questions were written, there were no incidents you needed to be aware of involving phone systems being attacked by malicious code. Since then, some Voice over IP (VoIP) attacks have been reported, and such attacks will probably become a greater concern in the near future.
For the exam, know that because a PBX has many of the same features as other network components, it’s subject to the same issues, such as leaving TCP ports open. The PBX should be subject to audit and monitoring like every other network component.
Imagine that someone left a voice message for the president of your company. A phreaker (someone who abuses phone systems, as opposed to data systems) might intercept this message, alter it, and put it back. The result of this prank could be a calamity for the company (or at least for you). Make sure the default password is changed after the installation has occurred on the maintenance and systems accounts for a PBX, as you would for any network device.
Virtual Private Networks
A virtual private network (VPN) is a private network connection that occurs through a public network. A private network provides security over an otherwise unsecure environment. VPNs can be used to connect LANs together across the Internet or other public networks. With a VPN, the remote end appears to be connected to the network as if it were connected locally. A VPN requires either special hardware to be installed or a VPN software package running on servers and workstations.
VPNs typically use a tunneling protocol such as Layer 2 Tunneling Protocol (L2TP), IPSec, or Point-to-Point Tunneling Protocol (PPTP). Figure 3.9 shows a remote network being connected to a LAN using the Internet and a VPN. This connection appears to be a local connection, and all message traffic and protocols are available across the VPN.
FIGURE 3.9 Two LANs being connected using a VPN across the Internet
VPNs are becoming the connection of choice when establishing an extranet or intranet between two or more remote offices. The major security concern when using a VPN is encryption. PPTP offers some encryption capabilities, although they’re weak. IPSec offers higher security, and it’s becoming the encryption system used in many secure VPN environments.
Even though a VPN is created through the Internet or other public network, the connection logically appears to be part of the local network. This is why a VPN connection used to establish a connection between two private networks across the Internet is considered a private connection or an extranet.
As mentioned