Page 400 - StudyBook.pdf
384 Chapter 6 • Infrastructure Security: Devices and Media
that they need to perform maintenance or prepare an update. This limits the susceptibility to direct remote access attacks.
PBXes are also vulnerable to DoS attacks against their external phone lines. There is also the possibility of them being taken over remotely and used to make unauthorized phone calls via the company’s outgoing lines. Voicemail capability can also be abused. Hackers who specialize in telephone systems, called phreakers, like to take control over voicemail boxes that use simple passwords, and change the passwords or the outgoing messages.
Many smaller organizations are now using PBXes for telephony needs. This is due to the availability of cheap or free PBX systems running software released under the GPL license. An example of this is the Asterisk open source PBX available at www.asterisk.org/. With the high availability of this type of software at low costs, it is natural for smaller companies to adopt these solutions. Software like this suffers from the same types of vulnerabilities as standard PBXes if not properly configured; therefore it should be closely examined as a security risk.
Virtual Private Network
The most common alternative to running RAS servers for remote access is to provide remote access via a virtual private network (VPN). A VPN allows end users to create a secure tunnel through an unsecured network to connect to their corporate network. Typically, users simply dial into their Internet Service Provider (ISP) and then use a software client to create the VPN connection to their corporate network. At that point, the user’s system functions as if it were located on their LAN.
In large environments, VPNs are generally less expensive to implement and maintain than RAS servers, because there is no incoming telephone line or modem overhead. In addition, a higher level of security can be implemented as communications are encrypted to create a secure tunnel. VPNs can also be used to link multiple networks securely. This gives administrators the ability to use existing connections to the Internet to build their WAN rather than creating new links between networks with additional leased lines.
VPNs use a variety of protocols to support this encrypted communication, including Secure Internet Protocol (IPSec), Layer 2 Tunneling Protocol (L2TP), Point-to-Point Tunneling Protocol (PPTP), and SSH. IPSec is the most popular protocol used for dedicated VPN devices followed by L2TP and PPTP. SSH is available for VPNs running under the Windows platform, but it is typically used more frequently in UNIX-based VPNs.
www.syngress.com