S 5.31 Suitable modem configuration

Initiation responsibility: Administrator, IT Security Officer

Implementation responsibility: User, Administrator

Most modems operate using the Hayes standard (also referred to as the AT standard). It is not a formal standard but a manufacturer-dependent "de facto" standard. The basic instruction sets of the various modems are largely identical, whereas the extended instruction sets differ considerably. It is therefore important to examine the command set of the modems in use to determine whether the functions described below are implemented and whether an incorrect configuration can result in security gaps.

The settings selected should be stored in the non-volatile memory of the modem (see also S 1.38 Suitable installation of a modem). In addition, the settings selected should be printed on paper so that they can be compared to the current settings at any time.

The following illustrates several security-related configurations:

Auto-answer

The S0 register can be used to set the modem so that incoming calls are automatically answered after a predefined number of rings. Setting S0=0 prevents automatic answering and forces all calls to be answered manually.

This setting should be selected when you want to prevent connections from being established from the outside undetected. Otherwise, a callback mechanism should be used (see S 5.30 Activating an existing call-back option).
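The comparison of current settings against the recorded ones, together with the S0 check described above, can be automated. The following is an added example, not part of the original safeguard text: it assumes the modem's settings display has been captured as text and that S registers appear as `S0=0` or `S00:000` (the format is manufacturer-dependent), and both sample dumps are constructed.

```python
from __future__ import annotations
import re

# S-register entries as they commonly appear in a settings dump:
# "S0=0", "S00:000", "S07=060". The format is an assumption and
# varies by manufacturer.
_SREG = re.compile(r"\bS(\d{1,3})\s*[:=]\s*(\d{1,3})\b")

def parse_s_registers(dump: str) -> dict[int, int]:
    """Extract S-register values from one captured profile.

    If a register occurs more than once, the last value wins, so pass
    a single profile (active or stored) per call.
    """
    return {int(reg): int(val) for reg, val in _SREG.findall(dump)}

def audit(current_dump: str, recorded_dump: str,
          require_manual_answer: bool = True) -> list[str]:
    """Compare current settings with the recorded ones and check S0.

    Set require_manual_answer=False for modems that answer
    automatically on purpose, e.g. because callback is in use.
    """
    current = parse_s_registers(current_dump)
    recorded = parse_s_registers(recorded_dump)
    findings = []
    if require_manual_answer:
        s0 = current.get(0)
        if s0 is None:
            findings.append("S0 not found in dump; auto-answer state unknown")
        elif s0 != 0:
            findings.append(f"S0={s0}: modem auto-answers after {s0} ring(s)")
    # Any deviation from the recorded settings is reported, including
    # registers present on only one side.
    for reg in sorted(set(current) | set(recorded)):
        cur, rec = current.get(reg), recorded.get(reg)
        if cur != rec:
            findings.append(f"S{reg}: recorded {rec}, current {cur}")
    return findings

# Constructed sample dumps: the recorded copy and a modem whose S0
# has since been changed to answer after two rings.
RECORDED = "S00:000 S01:000 S02:043 S07:060\n"
CURRENT = "S00:002 S01:000 S02:043 S07:060\n"

if __name__ == "__main__":
    for finding in audit(CURRENT, RECORDED):
        print(finding)
```
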

Remote configuration of modems

Some modems can be set up so that they can be configured by a remote modem. It must be ensured that this feature is disabled. For more information on the problems related to remote maintenance using modems, see S 5.33 Secure remote maintenance.

Password-protected storage of (callback) numbers

When storing telephone numbers or callback numbers in the non-volatile memory of the modem, many models allow the numbers to be protected by a password. If this feature is available, then it should be used, and the passwords should be selected according to S 2.11 Provisions governing the use of passwords. On some modems, it is possible to display a list of the telephone numbers with the corresponding passwords by entering a certain command. For this reason, only authorised persons should have access to a modem (see S 1.38 Suitable installation of a modem).

Review questions: