Subject: Re: ISDN Callback, encrypted channel, etc. on RH 7
From: Marnix Petrarca (Mxp MULTIWEB.NL)
Date: Wed Nov 29 2000 - 05:09:40 CST
- Next message: Steffen Dettmer: "Re: openssl Certificates + Netscape or IE"
- Previous message: Hal Flynn: "SecurityFocus.com Linux Newsletter #6"
- In reply to: Matt Block: "Re: ISDN Callback, encrypted channel, etc. on RH 7"
- Reply: Marnix Petrarca: "Re: ISDN Callback, encrypted channel, etc. on RH 7"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Hi,
- No you're not daft. But tapping has been automated here these days
and there are a LOT of ISDN tricks around with that little 16-bit
steering channel on top of the two 64kbit data lines (do you remember the
higher-voltage pulse that can make an analog-based EM switch go from off to
on (=listen)?). And there's competition on top of these that are developing an
increasing awareness of spying tools (software/hardware), but in the end
you're right, it's like in wartime, it's all about delay. Anything can be
broken in time. But I'm not specifically hiding from THEM (Hi there!)
Legislation in Holland was changed a couple of years ago re these
issues - and for ANY telecom provider too in that respect: Not only did they
have to install the equipment necessary to make it possible for the
Government to bug ISDN lines (remotely and easily) and future infrastructure
like xDSL, but the providers also had to pay for it themselves!! It won't
surprise you that especially the latter made the argument in Holland most
ignitious;-) - they do say the Dutch invented the copper wire, don't they?
Anyhow, as for the VPN - that's the next step. What I'll do is this: The
Win2K side just doesn't do Linux I'm afraid, and actually I like the
experiment. When I am dialled into the Linux box and have finished the
callback sequence I am on a network (mine, outer ring) that has a 24/7
connection to the Internet through another RH Linux 7 box firewalled with
IPChains plus Snort, PortSentry etc. which is connected via a cable-modem
(now 4Mbit, soon 10Mbit DOCSIS standard) to the ISP.
I will then (try to) create an encrypted VPN/SSH tunnel from RH1/ISDN
through RH2/CBM to another site on the untrusted internet (RH3) I have to
communicate with. Should work, don't you think?
I've read a number of HOWTOs on ISDN/Callback but actually I'm not rich
enough to have to buy say 4 or 5 packages before things start to work with
ISDN-2 over here. I can tell you of the most ridiculous testing situations
where I made things work on location 1, went to location 2 and it wouldn't
work. This way I have found in most cases that the ISDN wasn't
properly installed/configured to begin with - which makes the initial
testing loop near endless sometimes.
Thanks a LOT for your time, dear Nikola and Matt! I think the proposed
schemes will work smoothly and when they do, you will be among the first to
know. I greatly appreciate it.
Till then,
Regards -- Marnix
DaemonLabs.com, Hoorn, The Netherlands.
-----Original Message-----
From: Focus on Linux Mailing List [mailto:FOCUS-LINUX SECURITYFOCUS.COM] On Behalf Of Matt Block
Sent: Monday, November 27, 2000 3:29 AM
To: FOCUS-LINUX SECURITYFOCUS.COM
Subject: Re: ISDN Callback, encrypted channel, etc. on RH 7
First, RE: ISDN Callback, etc....
There are several very low monetary cost methods of doing callback in
Linux, and of course there are HOWTOs on the subject. The simple
answer is, if you are willing to invest a few hours to do it
yourself, do it yourself- you will understand it better, and can put
in whatever security you like.
You can use a callback user, as Nikola Krgovic recommends. You can
also use mgetty to never pass off to the login shell; i.e. mgetty
answers the ISDN device (or causes it to answer), then requests a
username and handles passing it off where it needs to go without ever
checking /etc/passwd for the appropriate behavior (since it needn't
ever tickle login).
Linux will handle multilink properly.
The real issue is on the Win2k box, about which I know very little.
It is the Win2k box that must negotiate PPP or whatever properly, and
handle the VPN setup and whatnot. I know that Zebedee will run on
Win2k (anyhow, it runs on NT, and I suspect it will run on 2k) and
will handle most of this for you.
The solution I would propose, then, looks something like this:
- use mgetty on the Linux box to answer the call, and
- fire up pppd using the username as the id of the line to connect,
starting multilink as appropriate and,
- cause it to fire up Zebedee or some other VPN-cruft to handle
compression, encapsulation, and encryption
I have used each of the parts of this system, but I've never put them
together. I don't see why they won't work as I've described. I've
never dealt with ISDN in Europe, and understand it can be very
different from the states, so triple check me on everything related
to that (a double-check may be sufficient for most of the other
stuff).
Last note - SSH could be used instead of the VPN, and it would have
many of the same benefits. I'm a little fuzzy on why the VPN would
be necessary, though- VPN and SSH are both designed to allow
relatively secure communication over an untrusted network (often as
not, the Internet). In this case, however, the network _should_ be
entirely trusted, being as it consists of only the ISDN interface on
the Win2k box and the ISDN interface on the Linux box. Unless you
suspect that your lines are tapped, this should be relatively secure
without encryption. If your lines are tapped, I'm not sure how much
the encryption will help matters, but perhaps I'm daft.
-- Matt
Brainbench Linux MVP
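Marnix's plan above (RH1 on the ISDN side, RH2 the cable-modem firewall, RH3 the far site) and Matt's remark that SSH gives most of the VPN's benefits both come down to the same question: where does the encrypted session terminate? The script below is an added example, not code from either poster; host names, user names and ports are placeholders. It hops through RH2 with a ProxyCommand relay, so RH2 only forwards a raw TCP stream and the SSH session itself is negotiated end to end between RH1 and RH3; a local forward on RH1 is bound to loopback so nothing else on the outer ring can ride the tunnel.

```shell
#!/bin/sh
# Added example (not from the thread): reach RH3 from RH1 via RH2 without
# letting RH2 see the plaintext. RH2 runs only "nc" as a TCP pipe to RH3's
# sshd; the outer ssh negotiates keys directly with RH3. Names are placeholders.
RH2_USER="${RH2_USER:-relay}"      # relay account on the firewall box (assumed)
RH3_USER="${RH3_USER:-marnix}"     # account on the far site (assumed)
SSH="${SSH:-ssh}"                  # overridable so the wrappers can be dry-run

# Build the relay command: an ssh session to RH2 whose only job is to run
# "nc" towards RH3. No interactive shell is needed on RH2 for this, so the
# relay account can be given a restricted login. %h and %p are expanded by
# the outer ssh to the target host and port.
relay_command() {
    rh2="$1"
    printf 'ssh -l %s %s nc %%h %%p' "$RH2_USER" "$rh2"
}

# Open the end-to-end session. Host key checking stays strict on BOTH hops:
# RH2's key is checked by the ProxyCommand's ssh, RH3's by the outer ssh,
# so a relay that silently swaps the far host key is refused.
ssh_via_rh2() {
    rh3="$1"; rh2="$2"
    "$SSH" -o "ProxyCommand=$(relay_command "$rh2")" \
           -o StrictHostKeyChecking=yes \
           -l "$RH3_USER" "$rh3"
}

# Carry one service from RH3 back to RH1 inside the same session. The
# listener is bound to 127.0.0.1 on RH1 on purpose: an unqualified -L would
# bind on every interface, including the one the rest of the outer ring sees.
forward_via_rh2() {
    lport="$1"; rh3="$2"; rport="$3"; rh2="$4"
    "$SSH" -o "ProxyCommand=$(relay_command "$rh2")" \
           -o StrictHostKeyChecking=yes -N \
           -L "127.0.0.1:$lport:127.0.0.1:$rport" \
           -l "$RH3_USER" "$rh3"
}
```

Running with `SSH=echo` prints the exact argument vector each wrapper would hand to ssh, which is a convenient way to review the hop before trusting it with real credentials.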