Q

What security measures should I take with PSTN connections?

We have browser-based software running in IIS NT4. The branches access our application using IE 5.5 and above. Our clients wish to allow their branches to connect to the central server over normal public switched telephone network (PSTN) connections through modems on the serial ports. What kind of security measures do you suggest for securing this mode of application/data access? Can encryption be incorporated? What needs to be done for the same? As of now, the client does not want to allow access over the Web and the IIS server is also not on the Web. Do we necessarily need to go in for server certificates for this scenario to implement SSL (Secure Sockets Layer)? Can encryption be handled in SSL without needing client authentication?

A

Whoa, sounds like you've got to explore quite a number of things. First, you can implement encryption with the Windows dial-up RAS clients and a Windows Server RAS service. You must be careful with the clients -- not every remote access authentication protocol can be used if you want encryption. You might want to consider, however, the added protection of a VPN. A Windows NT 4.0 server with RAS service installed can be configured to provide a Point-to-Point Tunneling Protocol (PPTP) VPN and Windows clients have this option built in.

Remember, in either of these two cases, when encryption is configured, data will be encrypted as it passes from the client to the RAS server. Data that travels from the RAS server to resources on the internal network will not be encrypted. If you opt to provide the additional protection of SSL for connections between the client and the Web server, you will only need a certificate for the server. If all you want to accomplish is server authentication (the clients know they are communicating with the correct server) and server-to-client encryption, you can add client certificates (to authenticate clients to the Web server) and this would add protection. Someone who can obtain a valid user identity and password could connect to the RAS server on dialup, but could not authenticate to the Web server.

In either case, unless the SSL certs are issued by a known public certificate authority (CA), you will need to obtain a copy of the root CA's cert and add it to the certificate stores of the clients, or allow them to accept it from the server the first time they log on.

I can't recommend to you the best configuration for your setup; only you, with help from your client and your company, can decide the level of security that is necessary, and the proper way to implement it.

This was first published in March 2003
