Potential Dialback Drawbacks; Port User Restrictions - Lantronix SCS Reference Manual

Security
If dialback is disabled for the site, the connection will proceed without the dialback step.
If normal dialback authentication is enabled for the site, the SCS will offer to call the PPP client back
at the site-specific telephone number listed in the dialback database. If the client refuses, the
connection will be terminated.
If insecure dialback is enabled for the site, the PPP client can choose to use the site-specific telephone
number or specify a different telephone number to use for the return call. If the client refuses to use
the site's telephone number and does not enter a valid alternate telephone number, the connection will
be terminated.
Note: The caller should have the alternate telephone number handy when connecting to the SCS to ensure that the connection does not time out before the number can be entered.
To configure a site to allow insecure dialback, enter the following command on the SCS.
Local>> DEFINE SITE irvine AUTHENTICATION DIALBACK INSECURE
Note: Insecure dialback is only offered under CBCP for PPP clients. It does not apply to SLIP or Local mode dialback situations.

11.3.5 Potential Dialback Drawbacks

The dialback system does not absolutely guarantee security. Depending on the modem in use and its configuration, it may be possible for a determined attacker to get past it. There are two windows of vulnerability during which an attacker could gain unauthorized access to the SCS. The first exists after the SCS hangs up the modem but before the modem dials the user back. The second exists when a dialback attempt fails: it lasts from the moment the attempt fails until the server reaches the end of the configured carrier wait time-out period (the default setting is 60 seconds). Careful configuration of the modem, and testing of how it behaves during these short periods, is required to ensure a high level of security.
If a second call arrives in the few moments after the server hangs up the modem but before the server issues the dial command, security may be breached. Until the modem goes "off hook" to dial, it may answer that incoming call and remain on-line, granting access to a possibly unauthorized caller. This is highly unlikely, and the chance of unauthorized access can be reduced further by configuring the modem to answer only after the second or third ring, so that the server normally issues the dial command before the modem would answer. The modem must also be configured not to answer the phone unless DTR is asserted. If possible, the modem should be configured to dial only after detecting a dial tone, and to hang up otherwise.
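The two windows above are easiest to reason about as a timeline. The following is an added example, not code from the manual or from Lantronix: it models a generic Hayes-style modem (auto-answer ring count, optional DTR gating of auto-answer) and replays the dialback sequence with an attacker ringing in at chosen moments. The timings (DTR reasserted 0.5 s after hang-up, dial command at 2 s, NO CARRIER on an unanswered callback at 35 s, 60 s carrier wait) are constructed assumptions, not measured SCS or modem behaviour.

```python
"""Replay of the dialback race windows (added example; generic modem model, not SCS firmware)."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Modem:
    """Minimal modem model.
    s0                  -- auto-answer after this many rings (0 = never)
    answer_requires_dtr -- only auto-answer while the host asserts DTR
    """
    s0: int = 1
    answer_requires_dtr: bool = False
    dtr: bool = False
    off_hook: bool = False
    rings: int = 0
    connected_to: Optional[str] = None

    def ring(self, caller: str) -> bool:
        """One incoming ring; returns True if the modem answered it."""
        if self.off_hook:
            return False                    # dialling or online: cannot answer
        self.rings += 1
        if self.s0 == 0 or self.rings < self.s0:
            return False
        if self.answer_requires_dtr and not self.dtr:
            return False
        self.off_hook = True
        self.connected_to = caller
        return True

    def on_hook(self) -> None:
        """Hang up (or NO CARRIER): back to idle, ring counter reset."""
        self.off_hook = False
        self.connected_to = None
        self.rings = 0

    def dial(self, number: str) -> bool:
        """Host issues the dial command. Ignored if the modem is already off hook."""
        if self.off_hook:
            return False
        self.off_hook = True
        self.connected_to = number
        return True


def run_dialback(modem: Modem, attacker_rings, *, callback_answers: bool = True,
                 dtr_at: float = 0.5, dial_at: float = 2.0,
                 no_carrier_at: float = 35.0, carrier_wait: float = 60.0,
                 site_number: str = "555-0100") -> Optional[str]:
    """t=0: SCS drops DTR and hangs up. t=dtr_at: DTR reasserted. t=dial_at: dial command.
    If the callback is not answered, the modem reports NO CARRIER at no_carrier_at and the
    SCS keeps the port in dialback state until carrier_wait (assumed timings).
    Returns who the modem is connected to when the carrier wait expires."""
    modem.dtr = False
    modem.on_hook()
    events = [(dtr_at, "dtr"), (dial_at, "dial")]
    if not callback_answers:
        events.append((no_carrier_at, "nocarrier"))
    events += [(t, "ring") for t in attacker_rings]
    for t, ev in sorted(events):
        if t > carrier_wait:
            break
        if ev == "dtr":
            modem.dtr = True
        elif ev == "dial":
            modem.dial(site_number)
        elif ev == "nocarrier" and modem.connected_to == site_number:
            modem.on_hook()
        elif ev == "ring":
            modem.ring("attacker")
    return modem.connected_to


def compare_configs():
    """Window 1: attacker's call rings in 1 s after the hang-up (rings every 6 s)."""
    early = [1.0, 7.0, 13.0]
    weak = run_dialback(Modem(s0=1), early)                                # attacker
    dtr_only = run_dialback(Modem(s0=1, answer_requires_dtr=True), early)  # attacker: DTR is back by t=1
    hardened = run_dialback(Modem(s0=3, answer_requires_dtr=True), early)  # site: dialled before 3rd ring
    return weak, dtr_only, hardened


def failed_callback_window():
    """Window 2: callback unanswered; attacker rings after NO CARRIER, within the 60 s wait."""
    late = [40.0, 46.0, 52.0]
    return run_dialback(Modem(s0=3, answer_requires_dtr=True), late, callback_answers=False)


if __name__ == "__main__":
    print(compare_configs())          # who each configuration ends up connected to
    print(failed_callback_window())
```

The first scenario shows why DTR gating alone is not enough: DTR is reasserted before the dial command, so a one-ring auto-answer still loses the race, whereas answering on the third ring lets the dial command win. The second scenario shows that the failed-callback window is much wider than the first, which is why the manual calls for testing the modem's behaviour during the carrier wait rather than relying on the ring count alone.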

11.3.6 Port User Restrictions

You can constrain user access to specific ports on the SCS using the Set/Define Authentication User <username> Port [Target] <portlist> command (also written as Set/Define Authentication User <username> Port Serial <portlist>). This command currently affects only users authenticated against the local SCS database; users authenticated by another method are not restricted by it. The SCS rejects a connection attempt by the user to any port not on his or her port target list.
To show the user's current port restrictions, use the Show/Monitor/List Authentication <username>
command. To reset the permissions back to the default, use the Set/Define Authentication User
<username> Port Factory command.
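The semantics described above (a per-user port target list, deny if the port is not on it, Factory restoring the default, and the restriction applying only to locally authenticated users) can be modelled as follows. This is an added example, not SCS code: the port-list syntax (comma-separated numbers and ranges), the port count of 32 and the class and method names are assumptions chosen for illustration.

```python
"""Model of per-user port target lists (added example; assumed syntax and port count)."""
import re
from typing import Dict, FrozenSet

ALL_PORTS: FrozenSet[int] = frozenset(range(1, 33))   # assumed 32 serial ports


def parse_portlist(spec: str) -> FrozenSet[int]:
    """Parse an assumed <portlist> such as "2,4-6" into a set of ports.
    Anything not understood raises rather than silently widening access."""
    ports = set()
    for item in spec.replace(" ", "").split(","):
        m = re.fullmatch(r"(\d+)(?:-(\d+))?", item)
        if not m:
            raise ValueError(f"bad port list item: {item!r}")
        lo = int(m.group(1))
        hi = int(m.group(2) or lo)
        if not (lo <= hi and lo in ALL_PORTS and hi in ALL_PORTS):
            raise ValueError(f"port range out of bounds: {item!r}")
        ports.update(range(lo, hi + 1))
    return frozenset(ports)


class LocalUserDB:
    """Local authentication database entries with their port target lists."""

    def __init__(self) -> None:
        self._targets: Dict[str, FrozenSet[int]] = {}   # absent user == factory default

    def define_port_target(self, user: str, spec: str) -> None:
        """Set/Define Authentication User <user> Port Target <portlist>"""
        self._targets[user] = parse_portlist(spec)

    def define_port_factory(self, user: str) -> None:
        """Set/Define Authentication User <user> Port Factory: back to all ports."""
        self._targets.pop(user, None)

    def show(self, user: str) -> str:
        """Show Authentication <user>: the current port restriction."""
        if user not in self._targets:
            return f"{user}: Port Target (factory default, all ports)"
        return f"{user}: Port Target {','.join(map(str, sorted(self._targets[user])))}"

    def port_restriction_allows(self, user: str, port: int,
                                authenticated_locally: bool = True) -> bool:
        """True if the port target list does not block this connection.
        Users not authenticated against the local database are outside this
        check entirely, as the manual states; it does not restrict them."""
        if not authenticated_locally:
            return True
        return port in self._targets.get(user, ALL_PORTS)
```

The practical caveat this makes visible: a user who authenticates through an external method gets no port restriction from this mechanism, so the check must not be the only control on sensitive console ports when external authentication is in use.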
Figure 11-18: Configuring Insecure Dialback