Security Management Guide (G06.29+, H06.08+, J06.03+)
Concerns for the System Administration Team
Security Management Guide — 522283-021
4. The computer terminates the connection and then calls the user back at a
prearranged phone number.
5. The user (or the user’s modem) answers, reestablishes modem connections, and
then continues the logon sequence.
Because the list of phone numbers for any particular user is limited and prearranged,
the chances for intrusion are limited. A logon attempt is unsuccessful when initiated
from a telephone number not on the prearranged list.
In selecting a call-back product, consider these points:
Choose a product that uses a different phone line to call back. Products that use
the same phone line for incoming and outgoing phone calls can be subverted.
Even with separate incoming and outgoing phone lines, no call-back routine is
totally secure (because of protocol limitations between modems and phone
company equipment), so do not rely on a call-back routine as the only means of
authentication.
Have additional authentication take place after the phone connection is
reestablished. For example, if the user selects the wrong location code, the return
call goes to another site, where a waiting modem automatically connects with the
computer. If no additional authentication is required, any person near that terminal
can access the system.
Make special provisions for rovers. A rover is a dial-up user who has no permanent
location (computer service personnel, callers who dial out through PBX systems,
and so forth). To accommodate legitimate rovers, provide a standard dial-up port
that is heavily audited and alarmed, or have a method by which an operator can
connect to a requested phone number.
Automatic Terminal Authentication
Some terminals can be programmed to hold an answer-back string of characters. By
setting a terminal’s answer-back string to a value unknown to the user, you can create
an additional authentication method.
Upon request from the computer, the terminal transmits this string automatically. For
example, if all remote terminals are programmed with unique strings, the dial-up logon
sequence can query the terminal to verify that the terminal is correct. If the terminal
can be remotely programmed, the logon procedure can also update the terminal with a
newly selected value for the next logon attempt, providing a handshake, or initial
interchange, that an intruder would find hard to imitate.
Supplement such authentication with other mechanisms in a secure environment.
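The following is an added simulation of the answer-back handshake described above; it is not code from the guide. The Terminal and Host classes, the terminal id "T01" and the random hex strings are assumptions made for the demo: the host verifies the terminal's answer-back string on logon, then rotates it so a copied string is useless on the next attempt.

```python
import hmac
import secrets
# Constructed demo (not from the guide): Terminal holds an answer-back string
# the user never sees; Host verifies it on logon, then rotates it.
class Terminal:
    def __init__(self, answer_back: str):
        self._answer_back = answer_back

    def answer_enquiry(self) -> str:        # reply to the host's ENQ
        return self._answer_back

    def reprogram(self, new_value: str) -> bool:   # remote update, acknowledged
        self._answer_back = new_value
        return True

class Host:
    def __init__(self):
        self._expected: dict[str, str] = {}  # terminal id -> current string
        self.audit: list[str] = []

    def enroll(self, term_id: str, terminal: Terminal) -> None:
        value = secrets.token_hex(16)
        terminal.reprogram(value)
        self._expected[term_id] = value

    def logon(self, term_id: str, terminal: Terminal) -> bool:
        expected = self._expected.get(term_id)
        if expected is None:
            self.audit.append(f"{term_id}: unknown terminal")
            return False
        received = terminal.answer_enquiry()
        if not hmac.compare_digest(received, expected):
            self.audit.append(f"{term_id}: answer-back mismatch")
            return False
        # Verified: issue a fresh string for the next attempt so a captured
        # answer-back cannot be replayed; keep the old one if the update fails.
        new_value = secrets.token_hex(16)
        if terminal.reprogram(new_value):
            self._expected[term_id] = new_value
        self.audit.append(f"{term_id}: answer-back verified and rotated")
        return True

def demo() -> tuple[bool, bool, bool]:
    host, legit = Host(), Terminal("factory-default")
    host.enroll("T01", legit)
    stale = Terminal(legit.answer_enquiry())  # copy of the current string
    first = host.logon("T01", legit)          # succeeds, string rotates
    second = host.logon("T01", stale)         # old string no longer valid
    third = host.logon("T01", legit)          # genuine terminal still works
    return first, second, third
```

The audit list records each outcome, which is the kind of trail the guide expects around dial-up ports.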
Screening Dial-Up Users
Give dial-up access to users who really need it and who will take extra care in
protecting your organization’s resources. Your policy and procedures regarding dial-up