S 5.48 Authentication via CLIP/COLP

Initiation responsibility: PBX System Manager, IT Security Officer

Implementation responsibility: Administrator

Integrated Services Digital Networks (ISDN) allow the signalling of call numbers not only to public exchanges but also directly to the participating communications partners. These ISDN functions are termed:

The call number display can be evaluated by each communications partner for the purpose of authentication.

Method of operation

First, the calling subscriber sends a call request to the digital exchange assigned to him/her. The digital exchange forwards this call request, together with the number of the calling subscriber, to the communications partner being called in the ISDN. The digital exchange on the other side then forwards the call request to the ISDN communications unit of the subscriber being called. On the basis of the forwarded call number, the communications unit (e.g. an ISDN router or PBX) can then identify the calling subscriber (CLIP). On positive identification, the call request is accepted and the exchange of data can begin.

An advantage of this function is that identification is performed by the equipment (ISDN router, PBX) of the communications partner, who is thus in full control of the identification process.

A disadvantage of this function is that call numbers transmitted via the D-channel of an ISDN are always vulnerable to manipulation (see T 5.63 Manipulation via the ISDN D-channel). Simple authentication using forwarded call numbers is thus only possible in conjunction with a callback function (see S 5.49 Callback based on CLIP/COLP) or a D-channel filter (see S 4.62 Use of a D-channel filter) which detects attempts to manipulate protocols.
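The identification step and its limitation, as an added example that is not part of the safeguard text: the communications unit parses the calling party number from the call request, checks it against a locally held list, and on a match only schedules a callback instead of accepting the call. The element layout follows ITU-T Q.931; the function names, the sample numbers and the policy of rejecting numbers the network has not screened are assumptions of this sketch.

```python
# Added example, not from the safeguard text. All names and numbers are constructed.
ALLOWLIST = {"228555010": "0228555010"}  # presented digits -> locally stored callback number

def parse_calling_party_ie(ie: bytes):
    """Parse a Q.931 Calling party number IE; return (presentation, screening, digits)."""
    if len(ie) < 3 or ie[0] != 0x6C or ie[1] != len(ie) - 2:
        raise ValueError("malformed calling party number IE")
    body = ie[2:]
    presentation, screening, pos = 0, 0, 1    # values assumed when octet 3a is absent
    if not body[0] & 0x80:                    # extension bit 0: octet 3a follows
        if len(body) < 2:
            raise ValueError("octet 3a missing")
        presentation = (body[1] >> 5) & 0x03  # 0 allowed, 1 restricted, 2 not available
        screening = body[1] & 0x03            # 0 unscreened, 1 passed, 2 failed, 3 network
        pos = 2
    digits = body[pos:].decode("ascii")       # UnicodeDecodeError is a ValueError
    if digits and not digits.isdigit():
        raise ValueError("non-digit characters in number")
    return presentation, screening, digits

def admit(ie: bytes, allowlist=ALLOWLIST):
    """Return ("reject", reason) or ("callback", stored_number); never a direct accept."""
    try:
        presentation, screening, digits = parse_calling_party_ie(ie)
    except ValueError as exc:
        return ("reject", str(exc))
    if presentation != 0 or not digits:
        return ("reject", "no calling number presented")
    if screening in (0, 2):                   # assumed policy: unscreened or failed screening
        return ("reject", "calling number not screened by the network")
    stored = allowlist.get(digits)
    if stored is None:
        return ("reject", "unknown caller")
    # The presented number can be manipulated on the D-channel, so it only
    # selects which stored number is called back; the callback does the authentication.
    return ("callback", stored)

def sample_ie(digits: bytes, octet3a: int) -> bytes:
    """Build a constructed IE: national number, ISDN numbering plan (octet 3 = 0x21)."""
    return bytes([0x6C, len(digits) + 2, 0x21, octet3a]) + digits

if __name__ == "__main__":
    for d, o in ((b"228555010", 0x83), (b"228555010", 0x80), (b"", 0xA3)):
        print(d, hex(o), admit(sample_ie(d, o)))
```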

Review questions: