S 4.3 Modem
Description
A modem is used to link a data terminal, e.g. a PC, with other data terminals via the public telephone network to allow the exchange of information. A modem converts digital signals from the data terminal into analogue electric signals which can be transmitted via the telephone network. For two IT systems to be able to communicate, they must be equipped with the required communication software.
A distinction is drawn between external, internal and PCMCIA modems. An external modem is an independent unit with a separate power supply, usually connected to the IT system via a serial interface. Internal modems are plug-in modem boards without a separate power supply. A PCMCIA modem is a credit-card sized plug-in board normally connected to laptops via a PCMCIA interface.
This module does not cover data transmission via ISDN. For information on this please refer to modules S 3.1 Telecommunications system and S 4.5 LAN connection of an IT system via ISDN.
Threat scenario
The following typical threats are assumed for modem operation as part of IT-Grundschutz:
Human Error
| T 3.2 | Negligent destruction of equipment or data |
| T 3.3 | Non-compliance with IT security measures |
| T 3.5 | Inadvertent damaging of cables |
Deliberate Acts
| T 5.2 | Manipulation of information or software |
| T 5.7 | Line tapping |
| T 5.8 | Manipulation of lines |
| T 5.9 | Unauthorised use of IT systems |
| T 5.10 | Abuse of remote maintenance ports |
| T 5.12 | Interception of telephone calls and data transmissions |
| T 5.18 | Systematic trying-out of passwords |
| T 5.23 | Malicious software |
| T 5.25 | Masquerade |
| T 5.39 | Infiltrating computer systems via communication cards |
Method recommendation
To secure the information system examined, other modules will need to be implemented in addition to this module. These modules are selected based on the results of the IT-Grundschutz modelling process.
A host of safeguards must be implemented for the use of a modem, starting in the planning phase and continuing through the purchase phase to the operation phase. The steps to take to accomplish this as well as the safeguards to implement in each phase are listed in the following.
Planning and design
Before a modem is set up, checks should be carried out to determine whether the local conditions necessitate the installation of overvoltage protection. Decisions should also be made stipulating who will be allowed to use the modem and in what circumstances.
Purchasing
Safeguard S 2.59 Procurement of a suitable modem contains the most important criteria to be considered when selecting a modem.
Implementation
Before using the modem for the first time, it must be duly configured, with the utmost care being taken to ensure that any existing passwords preset by the manufacturer are changed. The installation of a modem must not entail the development of additional, unprotected access to a computer network, bypassing a firewall for example.
Operation
A secure administration system and usage policy must be in place in order to ensure that the use of a modem does not constitute an additional security risk. This can only be achieved if staff are appropriately trained in its use. In terms of training, staff should be aware that viruses can infiltrate the system via a modem link and that they are therefore responsible for ensuring that all the data transmitted are checked for viruses.
In order to hinder external attacks via the modem link, consideration should be given as to whether the modem can be configured in such a way that all the connections have to be set up from inside to outside and incoming connections put through via a callback procedure.
The safeguards package for "Modems" is presented below.
Planning and design
| S 2.42 | (A) | Determination of potential communications partners |
| S 2.61 | (A) | Provisions governing modem usage |
| S 4.34 | (Z) | Using encryption, checksums, or digital signatures |
| S 5.32 | (A) | Secure use of communications software |
Purchasing
| S 2.59 | (Z) | Procurement of a suitable modem |
Implementation
| S 1.38 | (A) | Suitable installation of a modem |
| S 2.46 | (A) | Appropriate key management |
| S 2.204 | (A) | Prevention of insecure network access |
| S 4.7 | (A) | Change of preset passwords |
| S 5.30 | (Z) | Activating an existing call-back option |
| S 5.31 | (A) | Suitable modem configuration |
Operation
| S 2.60 | (A) | Secure administration of a modem |
| S 3.17 | (A) | Briefing personnel on modem usage |
| S 4.33 | (A) | Use of a virus scanning program on exchange of data media and during data transfer |
| S 5.44 | (Z) | One-way connection setup |