S 5.73 Secure operation of a fax server

Initiation responsibility: Head of IT, IT Security Officer

Implementation responsibility: Fax Mail Centre, Administrator

Secure operation of a fax server requires that communication be secure both locally and also over the public network. Fax servers accept incoming fax transmissions from other fax servers or fax machines and, if the automatic fax routing function has been activated, then route them to the users connected. Outgoing fax transmissions sent by the connected users are received by fax servers and then sent on to the recipients. Fax servers also need to ensure that local fax transmissions, i.e. fax transmissions from one workstation to another within the same organisation (or organisational unit), are sent on internally only and not over the public network.

Once the fax server has been purchased and installed, its operating system and the fax server application need to undergo thorough testing in the interests of its secure operation. If any error messages are generated, the configuration settings should be altered whenever this is possible. The test phase should be followed by a pilot run. The fax server should not be cleared for live operation until it has been demonstrated to be running without errors in this phase as well. The configuration parameters should be documented meticulously, as should all changes to the configuration settings.

Fax servers store all incoming and outgoing fax transmissions. The length of time for which these are stored depends on the features of the fax server application and the configuration. It may, for example, be possible that outgoing fax transmissions are only held temporarily until a given fax job has been completed and then are deleted. It could also be the case that incoming fax transmissions are only stored temporarily until they have been rerouted to the recipients and then are deleted. However, another possibility is that all incoming and outgoing fax transmissions are held on the fax server until they are specifically deleted by the users concerned or by the fax mail centre or administrator. On some fax servers it is also possible to have the data deleted automatically after a defined period of time. Thus, for example, all fax transmissions more than three months old could be deleted automatically. Depending on the policy adopted, it is necessary to lay down procedures governing the deletion of fax data on the fax server. A procedure should be laid down at the same time as to where and to what extent fax data should be archived. As a general rule, fax data should not remain on the fax server any longer than absolutely necessary.

Steps must be taken to ensure that unauthorised persons cannot access fax transmissions. In the first instance, this will involve protecting the fax server physically against unauthorised access. The only way to achieve physical security is by locating the server in a secure server room or server cabinet (see module S 2.4 Server room and module M2.7 Protective cabinets).

In order to ensure fault-free operation of the fax server, it is also necessary to specify who is responsible for the administration of the hardware components, the operating system and the fax server application. A fax mail centre should be set up (see also S 2.180 Setting up a fax mail centre). The administration personnel and the staff employed in the fax mail centre must be given training on the operating system and fax server application. The users must also be trained to operate the fax client application in order to avoid any disruptions caused by improper use.

The following permissions can often be granted to users and user groups on fax servers in respect of incoming fax transmissions:

The following rights can often be granted in respect of outgoing fax transmissions:

The permissions should be granted as stipulated in the fax security guidelines (see also S 2.178 Drawing up a set of security guidelines for the use of faxes).

Unless technical measures are in place to ensure that fax transmissions are forwarded immediately, it is also necessary to ensure that access rights are granted such that only authorised users can access the relevant "mailboxes" on the server.

Access to temporary areas, in which the fax server application stores fax transmissions temporarily prior to their being sent out or distributed to recipients, should generally only be granted to privileged users (e.g. administrators, fax mail centre).

The connections of the fax server to the private branch exchange or to the public switched telephone network should be checked at regular intervals to ensure that they are working properly. If the fax server is linked to internal communications systems, e.g. to an e-mail system or a workflow management system, the operation of these connections should also be checked at regular intervals.

Regular checks must also be performed to ensure that there is still sufficient hard disk space available for the storage of fax transmissions (see also S 5.75 Protecting against overloading the fax server). If the hard disk space is exhausted, no further fax transmissions can be received or sent.

The fax server activities must be logged as specified in the fax security guidelines, and the logs must be examined at regular intervals (see also S 2.64 Checking the log files and S 5.25 Using transmission and reception logs). When specifying the extent and content of logs, due regard should be paid to involving the Personnel and/or Supervisory Board early on.

Reservations regarding the use of fax servers are often due to the fact that an IT system which is integrated in the LAN can be accessed over the public telecommunications network.

The careful selection and configuration of communications cards, operating system and fax server application and the secure positioning of the server in the network topology can reduce the threat of intrusion in the network or the fax server to a minimal residual risk.

If active ISDN cards are in use, it will be necessary to disable any features which are not necessary for receiving and sending faxes (see S 4.59 Deactivating of ISDN board functions which are not required).

If dedicated fax cards are used, once again it will be important to find out at the outset exactly what features are provided. Any features which are not required should be disabled as far as possible.

The fax service should be the only service provided by the fax server. In particular, a fax server should not be used concurrently as a data server, printer server, e-mail server or Internet server or as a remote access computer. The installation of the operating system must be as "lean" as possible in order to counter the probability of intrusion over the telecommunications network. This means that services and protocols which are not really necessary for operations should not be installed. Example: If the Telnet service is not started on a fax server, it will not be possible for an attack to occur from this source. When deciding which services and protocols are necessary, it should always be borne in mind that, in many cases, threats only arise from the combination of different services and protocols.

The secure positioning of the fax server in the network topology depends partly on whether there is a firewall in use in the organisation and, if so, which type.

A fax server has at least one interface to the telecommunications network and at least one interface to the LAN. The fax server should be placed in the network such that, in the event of a successful attack on the fax server, it is not possible for the intruder to penetrate the entire network. Nor should it be possible, however, for the fax server to be penetrated successfully from within the network. It is conceivable, for example, that an attack could be launched by an intruder from the Internet. If such an attack succeeds, the perpetrator would then be able to arrange for faxes to be sent out via the fax server of the organisation under attack. This will incur telephone charges but, worse still, it could harm the company's reputation. If the attack is successful, the intruder will also be able to view the fax transmissions stored either permanently or temporarily on the fax server, despite not being authorised to do so. There is a similar threat of attacks from insiders over the LAN.

A fax server is not normally the only IT component which is connected to an external network; therefore, there will generally be a barrier to protect the internal network against external networks (see also S 3.1 Security gateway (firewall)).

If there is a screened subnet acting as an Internet firewall (configuration 1 from S 2.73 Selecting suitable basic structures for security gateways), the fax server should be positioned between the inner packet filter and the application gateway (see Figure "Inclusion of a fax server into a firewall system"). The application gateway and the outer packet filter provide sufficient protection against attacks from the insecure network. The fax server is protected against attacks from the internal network by the inner packet filter.

Inclusion of a fax server into a firewall system
Figure: Inclusion of a fax server into a firewall system

Under all other firewall combinations, especially those with only one packet filter, or if there is no firewall, the fax server should be linked directly into the secure network. If the protection requirement is such that the resulting residual risk is viewed as unacceptable, either a separate packet filter should be provided or the private branch exchange must be configured in order to permit outgoing connections only. In the latter case, a conventional fax machine or a stand-alone system with an appropriate fax application must be used for incoming fax transmissions, which means that incoming fax transmissions can then only be forwarded manually to the recipients.

Review questions:

© Federal Office for Information Security. All rights reserved.