What security measures should I take with PSTN connections?
We have browser-based software running in IIS on NT 4. The branches access our application using IE 5.5 and above. Our clients wish to allow their branches to connect to the central server over normal public switched telephone network (PSTN) connections through modems on the serial ports. What kind of security measures do you suggest for securing this mode of application/data access? Can encryption be incorporated? What needs to be done for the same? As of now, the client does not want to allow access over the Web, and the IIS server is also not on the Web. Do we necessarily need to go in for server certificates for this scenario to implement SSL (Secure Sockets Layer)? Can encryption be handled in SSL without needing client authentication?
Whoa, sounds like you've got to explore quite a number of things. First, you can implement encryption with the Windows dial-up RAS clients and a Windows Server RAS service. You must be careful with the clients -- not every remote access authentication protocol can be used if you want encryption. You might want to consider, however, the added protection of a VPN. A Windows NT 4.0 server with RAS service installed can be configured to provide a Point-to-Point Tunneling Protocol (PPTP) VPN and Windows clients have this option built in.
Remember, in either of these two cases, when encryption is configured, data will be encrypted as it passes from the client to the RAS server. Data that travels from the RAS server to resources on the internal network will not be encrypted. If you opt to provide the additional protection of SSL for connections between the client and the Web server, you will only need a certificate for the server. If all you want to accomplish is server authentication (the clients know they are communicating with the correct server) and server-to-client encryption, you can add client certificates (to authenticate clients to the Web server) and this would add protection. Someone who can obtain a valid user identity and password could connect to the RAS server on dialup, but could not authenticate to the Web server.
In either case, unless the SSL certs are issued by a known public certificate authority (CA), you will need to obtain a copy of the root CA's cert and add it to the certificate stores of the clients, or allow them to accept it from the server the first time they log on.
I can't recommend to you the best configuration for your setup; only you, with help from your client and your company, can decide the level of security that is necessary and the proper way to implement it.
This was first published in March 2003
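The answer's two certificate points (SSL encryption needs only a server certificate, with client certificates as a separate, optional layer for client authentication; and a privately issued root must be installed in the clients' certificate stores before they can validate the server) can be exercised with nothing but the openssl command line. The script below is an added example, not code from the column or from any product it mentions. It builds a constructed private root CA, issues one server certificate and one client certificate from it, and then shows that the server certificate verifies only where the private root is trusted, and that a client certificate is not usable as a server certificate (and vice versa). It assumes the `openssl` tool is installed; every name and file path in it is made up for the demonstration.

```shell
#!/bin/sh
# Added example (not from the column): a private root CA, a server cert and a
# client cert issued from it, and the checks a relying party would perform.
# Assumes the openssl CLI is present. All subject names are constructed.
set -e
WORK="${WORK:-$(mktemp -d)}"

# make_ca: self-signed private root, the situation the column describes when
# no public CA is used. Clients must be given ca.crt to trust anything it signs.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=Example Branch Root CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# issue_cert NAME CN EKU: key + CSR for the subject, then a certificate signed
# by the private root. EKU is serverAuth (web server) or clientAuth (client).
issue_cert() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
  printf 'extendedKeyUsage=%s\n' "$3" > "$WORK/$1.ext"
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 365 -extfile "$WORK/$1.ext" \
    -out "$WORK/$1.crt" 2>/dev/null
}

# verify_with_root NAME: what a client that has the private root installed sees.
verify_with_root() {
  openssl verify -no-CAfile -no-CApath -CAfile "$WORK/ca.crt" \
    "$WORK/$1.crt" >/dev/null 2>&1
}

# verify_without_root NAME: what a client without the private root sees.
# Default trust stores are ignored so the result does not depend on the host.
verify_without_root() {
  openssl verify -no-CAfile -no-CApath "$WORK/$1.crt" >/dev/null 2>&1
}

# fit_for_purpose NAME PURPOSE: chain check plus role check (sslserver or
# sslclient), which is what separates a server cert from a client cert.
fit_for_purpose() {
  openssl verify -no-CAfile -no-CApath -CAfile "$WORK/ca.crt" \
    -purpose "$2" "$WORK/$1.crt" >/dev/null 2>&1
}

# Stand-alone demonstration: build the three certificates and report the checks.
make_ca
issue_cert server "branch-app-server.internal" serverAuth
issue_cert client "branch01-user" clientAuth
for check in "verify_with_root server" "verify_without_root server" \
             "fit_for_purpose server sslserver" "fit_for_purpose client sslserver" \
             "fit_for_purpose client sslclient"; do
  if $check; then printf '%-36s ok\n' "$check"; else printf '%-36s FAILED\n' "$check"; fi
done
```

Expected pattern: the server certificate verifies with the private root and fails without it, which is the "distribute the root CA cert to the clients" step; the client certificate passes only the `sslclient` purpose check, so adding it to a browser gives the web server a way to authenticate the client without changing anything about how the server side of the session is encrypted.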