What to know when branching out
I recently received a list of questions regarding T-1, channel banks and CSU/DSUs (channel service unit/data service unit) from the CEO of a credit union in New York State. It seems that the credit union is in the process of opening a branch office about 30 miles from its main location, and in addition to his regular duties, the CEO is trying to "decode" our language so he can better understand what his consultants are saying.
T-1 is a "high speed" digital transmission method (1.544 Mbits/sec) developed by AT&T in 1957 and implemented in the early 1960s to support long-haul pulse-code modulation (PCM) voice transmission.
Today, T-1 allows businesses to save money by tying two branch offices together for voice and data transmission. It can also be used to send long distance calls directly to a long distance carrier (bypassing the local phone company).
T-1 typically uses two pairs of copper conductors to carry up to 24 simultaneous channels that would normally need one pair of conductors each. Each 64-Kbit/sec channel can be configured to carry voice or data traffic. Each end of the T-1 circuit uses either a piece of equipment called a channel bank or a CSU/DSU.
The CSU is used on both ends of the circuit to terminate the T-1 circuit (also called a T-span) as well as to provide test and maintenance access for the service provider, who will usually require a CSU at the customer premises.
A DSU is used "downstream" of the CSU to convert the T-1 signal into a serial data stream for use with a router, which then converts the serial data stream into the appropriate LAN protocol.
These functions can be combined into one unit, the CSU/DSU, but the functions are the same.
A channel bank converts analog voice signals into digital data and multiplexes the conversations so they travel together to the other end, where a similar piece of equipment decodes the data bits and separates the conversations again. The transmitting portion of a channel bank digitally encodes the 24 analog channels, adds signaling information to each channel, and multiplexes the digital stream onto the conductors. The receiving portion does the same thing in reverse.
Some channel banks also have provisions for partitioning a portion of the T-1 bandwidth into a serial channel for use with a router, as with the DSU. This allows for mixed voice and data traffic on the same T-1 circuit.
A few words of caution
Based on the amount of traffic you will be handling, you may need something more than one T-1 line.
The following is a list of some of the common line designations:
- DS0—64 Kbits/sec;
- T-1—1.544 Mbits/sec (24 DS0 lines);
- T-3—43.232 Mbits/sec (28 T-1s);
- OC3—155 Mbits/sec (84 T-1s);
- OC12—622 Mbits/sec (4 OC3s);
- OC48—2.5 Gbits/sec (4 OC12s);
- OC192—9.6 Gbits/sec (4 OC48s).
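The capacity figures above can be turned into a simple sizing check for the "more than one T-1" question. The following is an added example written for this column, not the author's or BICSI's code; it assumes the standard DS1 frame layout (24 channels of 8 bits plus one framing bit, 8000 frames per second), which is where the 1.544 Mbits/sec line rate comes from, and it treats the hierarchy above as multiples of a T-1.

```python
import math

# Standard DS1 framing (assumed from the public T-1 spec, not stated in the column):
# 24 channels x 8 bits per sample + 1 framing bit = 193 bits per frame, 8000 frames/sec.
CHANNELS_PER_T1 = 24
BITS_PER_SAMPLE = 8
FRAMING_BITS = 1
FRAMES_PER_SEC = 8000
DS0_BPS = BITS_PER_SAMPLE * FRAMES_PER_SEC  # one DS0 = 64 kbit/s

# Circuit hierarchy from the column, expressed as T-1 equivalents.
T1_EQUIVALENTS = [
    ("T-1", 1),
    ("T-3", 28),
    ("OC3", 84),
    ("OC12", 84 * 4),
    ("OC48", 84 * 16),
    ("OC192", 84 * 64),
]


def t1_line_rate_bps() -> int:
    """Line rate of one T-1: 24 x 64 kbit/s of payload plus 8 kbit/s of framing overhead."""
    return (CHANNELS_PER_T1 * BITS_PER_SAMPLE + FRAMING_BITS) * FRAMES_PER_SEC


def t1_payload_bps() -> int:
    """Usable payload of one T-1 (the 24 DS0 channels, no framing bit)."""
    return CHANNELS_PER_T1 * DS0_BPS


def ds0s_needed(voice_channels: int, data_kbps: float) -> int:
    """DS0s consumed by a mixed voice/data split: one DS0 per simultaneous voice
    call, and the data requirement rounded up to whole 64 kbit/s channels."""
    if voice_channels < 0 or data_kbps < 0:
        raise ValueError("requirements must be non-negative")
    return voice_channels + math.ceil(data_kbps * 1000 / DS0_BPS)


def plan_circuit(voice_channels: int, data_kbps: float) -> dict:
    """Work out how many T-1s cover the requirement, how many DS0s are left spare,
    and which single designation from the hierarchy would cover it on its own."""
    ds0s = ds0s_needed(voice_channels, data_kbps)
    t1s = max(1, math.ceil(ds0s / CHANNELS_PER_T1))
    single = next(name for name, count in T1_EQUIVALENTS if count >= t1s)
    return {
        "ds0s": ds0s,
        "t1s": t1s,
        "spare_ds0s": t1s * CHANNELS_PER_T1 - ds0s,
        "single_circuit": single,
    }


if __name__ == "__main__":
    # Constructed example: a branch with 12 simultaneous voice calls and a 512 kbit/s data link.
    print(t1_line_rate_bps(), "bit/s per T-1")
    print(plan_circuit(12, 512))
    print(plan_circuit(40, 1024))
```

The first call fits in one T-1 with four DS0s to spare; the second needs three T-1s, which is still far short of what a T-3 carries, so the cheaper answer is usually several T-1s rather than the next rung of the hierarchy.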
Warning—Unsecured modems and wireless on your networks are open invitations to hackers
"Would you like to play a game, Doctor Falken?"
In the 1983 movie War Games, a young computer whiz kid accidentally connects to a top-secret super-computer that has complete control over the United States' nuclear arsenal. The computer then challenges him to a game in which he naively starts the countdown to World War III.
Though that is just a bit of Hollywood, it is easy to see how intricate IP-based network security measures can be sidestepped entirely by targeting a simple modem.
Hence the name: "war dialing" is the scanning of telephone lines to find insecure modems that provide a back-door route into "secure networks." The only tools the attacker needs to walk through an open door are a computer with a modem and a (freeware) software application.
What open door? Any unsecured modem; for example, a loan officer who wants access to her files from home because occasionally she takes work home. She did not want to bother any of the IT guys and she is certainly computer-savvy enough to install a modem and pcAnywhere on her office computer. (pcAnywhere is a simple program that allows a user to dial up a PC and connect to it via modem from a remote location.)
Equally dangerous is the VP who brings his laptop to the office and plugs it into a DHCP (dynamic host configuration protocol) network port. This protocol lets network administrators automate the assignment of network IP addresses. Translation—you plug in a device and it gets a network IP address.
A few things you can do to keep your network safer from a war-dialing attack:
- Written security policies. A great start, but without enforcement they are a waste of paper. Educate staff on the risks of attaching modems to the network.
- Regularly scheduled walk-throughs will let you find modems attached to office computers. And keeping accurate equipment records and floor plans will help you know where to look.
- Audit, monitor, and log your equipment for log-ins and any other possible attacks.
- Check the auto-answer configuration on any modems. Turning auto-answer off wherever it is not genuinely needed is itself a way to secure your modems.
- And lastly, one of the more effective methods for blocking a war-dialing attack—use telephone numbers for your modems that are out of the range of your voice telephone lines, and keep them on a need-to-know basis.
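The "audit, monitor, and log" item above is the one that can be automated. The following is an added example, not part of the column and not any vendor's product: it reads a constructed, hypothetical inbound call-detail log (the field names and numbers are made up for the example) and flags any caller who dials a run of consecutive numbers in your range within a short window, which is the pattern a phone-line scan leaves behind in PBX records.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of inbound call-detail records. Field names (caller=, called=, result=)
# are hypothetical; adapt LINE_RE to whatever your PBX or CSU actually logs.
SAMPLE_CDR = """\
2003-04-14 02:11:05 caller=2125550142 called=5185551000 result=no-answer
2003-04-14 02:11:48 caller=2125550142 called=5185551001 result=busy
2003-04-14 02:12:30 caller=2125550142 called=5185551002 result=no-answer
2003-04-14 02:13:09 caller=2125550142 called=5185551003 result=answered
2003-04-14 02:13:55 caller=2125550142 called=5185551004 result=no-answer
2003-04-14 09:02:10 caller=5185550199 called=5185551000 result=answered
2003-04-14 09:45:31 caller=5185550199 called=5185551000 result=answered
2003-04-14 11:20:00 caller=5185550199 called=5185551050 result=answered
"""

LINE_RE = re.compile(r"^(\S+ \S+) caller=(\d+) called=(\d+) result=(\S+)$")


def parse_cdr(text: str) -> list:
    """Turn log lines into (timestamp, caller, called-number-as-int, result) tuples,
    skipping anything that does not match the expected layout."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        records.append((ts, m.group(2), int(m.group(3)), m.group(4)))
    return records


def find_sequential_dialing(records, window=timedelta(minutes=15), min_consecutive=3) -> list:
    """Flag a caller who, within `window`, reaches at least `min_consecutive` numbers
    that form an unbroken numeric run (e.g. ...1000, ...1001, ...1002).
    A customer redialing the same main number never triggers this."""
    by_caller = defaultdict(list)
    for ts, caller, called, _result in records:
        by_caller[caller].append((ts, called))

    alerts = []
    for caller, calls in by_caller.items():
        calls.sort()  # chronological, so calls[i:] is everything at or after calls[i]
        for i, (start, _) in enumerate(calls):
            numbers = sorted({c for t, c in calls[i:] if t - start <= window})
            longest, run = 1, 1
            for a, b in zip(numbers, numbers[1:]):
                run = run + 1 if b - a == 1 else 1
                longest = max(longest, run)
            if longest >= min_consecutive:
                alerts.append({"caller": caller, "first_seen": start, "numbers": numbers})
                break  # one alert per caller is enough
    return alerts


if __name__ == "__main__":
    for alert in find_sequential_dialing(parse_cdr(SAMPLE_CDR)):
        print(f"possible war dialing from {alert['caller']} starting {alert['first_seen']}: "
              f"{len(alert['numbers'])} consecutive numbers")
```

Run it over a night's worth of records and the only hit is the 2 a.m. caller walking up the 5185551000 block; the daytime customer who called the main line twice and one other extension is ignored. The window and run length are the knobs to tune against your own call volume.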
Beware the killer app
With Wi-Fi standards in place, and access point prices decreasing, wireless now makes sense, right? Well, that depends.
Everyone who wants to feel less tethered to the walls in their office can go to any office supply, electronics, or discount store and purchase a wireless access point and wireless network card. They will not need to bother the IT guys—just open the box and plug them in to create an immediate, unsecured backdoor to your network.
Any form of wireless communications that is not properly encrypted can be intercepted with the "right equipment," which in some cases can be nothing more than a low-end laptop computer with a cheap wireless card.
On "slow news" days, you can usually see footage of some reporter driving down the street reporting the number of wireless access points they have found still on factory default security settings, in insecure mode, just waiting to be exploited. The attacker simply types in the default access password; not only can they then use your LAN, but if their computer skills are sharp, they can control your LAN—and all the devices connected to it.
Even if you have followed the manufacturer's instructions and changed from the default setting, specialized freeware packet sniffing and discovery software can be used—and the attackers are still in.
A few things you can do to keep your network safer from a roving NIC:
- Written security policies with enforcement and staff education;
- Ensure that all wireless gateways and access points are properly secured, including changing factory default settings;
- Use network-level or session-level encryption to protect transmissions from being intercepted and replayed;
- Conduct regularly scheduled walk-throughs to perform technical vulnerability tests of wireless gateways and access points. This can be done using any of a number of wireless LAN detection and testing tools on a laptop with a wireless NIC or PDA. Both freeware and commercial tools are available.
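The walk-through in the last item produces a list of what was heard on the air; the useful step is comparing that list against the equipment records and the settings you intended. The following is an added example, not the column's own and not any scanning tool's code: the scan results and the inventory are constructed, the `encryption` field is whatever your detection tool reports (assumed values here), and the default-SSID list is a small illustrative set you would extend from your own vendors' documentation.

```python
from dataclasses import dataclass


@dataclass
class AccessPoint:
    ssid: str
    bssid: str        # the access point's MAC address, as reported by the scan
    encryption: str   # assumed vocabulary: "none", "WEP", "WPA", "WPA2"


# Constructed walk-through results (not from any real scan).
SCAN = [
    AccessPoint("CU-Corp", "00:11:22:33:44:01", "WPA2"),
    AccessPoint("linksys", "00:11:22:33:44:02", "none"),   # an employee's boxed AP, plugged in
    AccessPoint("CU-Corp", "00:11:22:33:44:03", "WEP"),    # sanctioned, but never upgraded
    AccessPoint("Guest", "00:11:22:33:44:04", "WPA"),      # nobody knows where this one is
]

# Constructed equipment record: BSSID -> the SSID it is supposed to broadcast.
AUTHORIZED = {
    "00:11:22:33:44:01": "CU-Corp",
    "00:11:22:33:44:03": "CU-Corp",
}

# Illustrative factory-default network names; extend from your vendors' manuals.
DEFAULT_SSIDS = {"default", "linksys", "netgear", "dlink", "wireless"}


def audit_access_points(scan, authorized, default_ssids=DEFAULT_SSIDS) -> list:
    """Return (bssid, [issues]) for every access point that needs attention.
    Checks: is it in the inventory, is it broadcasting the SSID the inventory says,
    is it still on a factory default name, and is its encryption missing or WEP."""
    findings = []
    for ap in scan:
        issues = []
        if ap.bssid not in authorized:
            issues.append("not in equipment records (possible rogue)")
        elif authorized[ap.bssid] != ap.ssid:
            issues.append(f"SSID changed from inventory value {authorized[ap.bssid]!r}")
        if ap.ssid.lower() in default_ssids:
            issues.append("factory default SSID still in use")
        if ap.encryption == "none":
            issues.append("no encryption; traffic can be intercepted")
        elif ap.encryption == "WEP":
            issues.append("WEP is breakable; move to WPA2")
        if issues:
            findings.append((ap.bssid, issues))
    return findings


def missing_from_scan(scan, authorized) -> list:
    """Inventory entries that were not heard at all: either powered off or moved."""
    seen = {ap.bssid for ap in scan}
    return sorted(b for b in authorized if b not in seen)


if __name__ == "__main__":
    for bssid, issues in audit_access_points(SCAN, AUTHORIZED):
        print(bssid, "->", "; ".join(issues))
    print("in inventory but not heard:", missing_from_scan(SCAN, AUTHORIZED))
```

Keeping the inventory as data rather than in someone's head is what makes the second function possible: an access point that vanishes from the scan is as worth a visit as one that appears.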
Donna Ballast is BICSI's standards representative, and a BICSI registered communications distribution designer (RCDD). Send your questions to Donna at: firstname.lastname@example.org