Dial-in remote access presents a particularly sticky situation regarding the hardening of your network infrastructure. One of the biggest problems is how hard it can be to truly control dial-in access. Even though your security policy should expressly prevent anyone from doing this, people may install modems on their desktops to use pcAnywhere, and suddenly you go from having a couple of highly controlled ingress points on your network to dozens of uncontrolled and largely unprotected ingress points on your network. This problem, as well as the popularity of VPN connections, has caused a marked decline in the use of dial-in connections on corporate networks.
Today you are better served to not provide any dial-in access but rather to provide your users with a global Internet dialer and VPN software, allowing them to connect via VPN to your network over their dial-in Internet connection. This allows you to control all your remote access connections at your VPN devices, thus simplifying the management of dial-in users because they effectively become just another VPN connection. In the event that you require dial-in remote access, however, you can do three things to harden that access:
Centralize your dial-in access. By locating your dial-in access to a centralized location, such as a DMZ, you can filter and control the types of traffic you want to allow from your dial-in connections in a much easier fashion using your firewalls and routers for traffic filtering as well as IDS/IPS hardware to detect unauthorized traffic. For example, Figure 5-10 shows how you could locate your dial-in concentrator in a DMZ, allowing you to filter and control the kinds of traffic your remote users can pass to your internal network through your firewall and intrusion-detection system.
Figure 5-10: Dial-in access network design
Require authentication of all connections. Ensure that every dial-in connection has been authenticated, preferably using RADIUS, TACACS+, Active Directory, NDS, or local user databases, similar to how you configure your VPN connections to only allow authorized users to connect. Authentication will be covered in more detail in Chapter 9.
Require callback or caller ID verification of as many connections as possible. Unfortunately, because most of your dial-in connections will be traveling users without a designated callback number, this might prove to be an impossible task. However, if you know that a dial-in connection is always going to be initiated from the same phone number, your dial-in access should be configured to drop the initial phone call and dial the user back at the specified number in order to establish a connection. Configuring callback or caller ID verification is typically done on the device, although many authentication servers, such as TACACS+ and Windows authentication, allow callback and caller ID verification to be configured per user. For example, if you are using a Windows server to provide dial-in access, you can configure the callback options as part of the user settings in the Active Directory Users and Computers MMC snap-in.
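The two preceding recommendations (authenticate every dial-in connection at a central server, and let that server drive callback or caller ID checks per user) are easiest to see in the RADIUS exchange between a dial-in concentrator (NAS) and its authentication server. The following Python script is an added example written for this page, not code from the book or from any product; it implements the RFC 2865 Access-Request/Access-Accept packet format, the standard User-Password hiding, the Calling-Station-Id attribute that carries caller ID, and the Service-Type/Callback-Number attributes a server returns to order a callback. The user database, phone numbers and shared secret are constructed for the demonstration.

```python
"""RADIUS (RFC 2865) dial-in authentication with per-user callback and caller ID
checks.  Added example: NAS side and server side are both simulated in-process
so the script runs offline.  All users, numbers and the secret are constructed."""
import hashlib
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, SERVICE_TYPE, CALLBACK_NUMBER, CALLING_STATION_ID = 1, 2, 6, 19, 31
SERVICE_CALLBACK_FRAMED = 4          # RFC 2865 Service-Type: hang up, call back, run PPP

SHARED_SECRET = b"constructed-secret"  # constructed; shared between NAS and RADIUS server

# Constructed user database.  "callback" = designated number to dial back;
# "caller_id" = the only number the user may call from (verified, no callback).
USERS = {
    "branch-router": {"password": "s3cret!", "callback": "5551234", "caller_id": None},
    "home-office":   {"password": "h0me",    "callback": None,      "caller_id": "5550100"},
    "road-warrior":  {"password": "travel",  "callback": None,      "caller_id": None},
}

def hide_password(password, secret, authenticator):
    """RFC 2865 5.2: pad to a 16-byte multiple, XOR each block with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out, prev = out + block, block
    return out

def reveal_password(hidden, secret, authenticator):
    """Inverse of hide_password, run by the server; padding nulls are stripped."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ m for c, m in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def encode_attrs(attrs):
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)

def decode_attrs(data):
    attrs, i = [], 0
    while i < len(data):
        t, length = data[i], data[i + 1]
        attrs.append((t, data[i + 2:i + length]))
        i += length
    return attrs

def access_request(username, password, caller_id, ident=1):
    """NAS side: build an Access-Request carrying the hidden password and caller ID."""
    req_auth = os.urandom(16)                      # Request Authenticator (random)
    body = encode_attrs([(USER_NAME, username.encode()),
                         (USER_PASSWORD, hide_password(password.encode(), SHARED_SECRET, req_auth)),
                         (CALLING_STATION_ID, caller_id.encode())])
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + req_auth + body, req_auth

def server_handle(packet):
    """Server side: check password, enforce per-user caller ID, order callback if configured."""
    _, ident, length = struct.unpack("!BBH", packet[:4])
    req_auth, attrs = packet[4:20], dict(decode_attrs(packet[20:length]))
    user = USERS.get(attrs[USER_NAME].decode())
    ok = user is not None and reveal_password(attrs[USER_PASSWORD], SHARED_SECRET, req_auth) == user["password"].encode()
    if ok and user["caller_id"] and attrs.get(CALLING_STATION_ID, b"").decode() != user["caller_id"]:
        ok = False                                 # right password, wrong originating number
    reply_attrs = []
    if ok and user["callback"]:
        reply_attrs = [(SERVICE_TYPE, struct.pack("!I", SERVICE_CALLBACK_FRAMED)),
                       (CALLBACK_NUMBER, user["callback"].encode())]
    code, body = (ACCESS_ACCEPT if ok else ACCESS_REJECT), encode_attrs(reply_attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    # Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)
    return header + hashlib.md5(header + req_auth + body + SHARED_SECRET).digest() + body

def nas_process_reply(reply, req_auth):
    """NAS side: verify the Response Authenticator, then connect, call back, or drop."""
    code, _, length = struct.unpack("!BBH", reply[:4])
    body = reply[20:length]
    if reply[4:20] != hashlib.md5(reply[:4] + req_auth + body + SHARED_SECRET).digest():
        return ("drop", None)                      # forged reply or mismatched shared secret
    if code != ACCESS_ACCEPT:
        return ("reject", None)
    attrs = dict(decode_attrs(body))
    if attrs.get(SERVICE_TYPE) == struct.pack("!I", SERVICE_CALLBACK_FRAMED):
        return ("callback", attrs[CALLBACK_NUMBER].decode())
    return ("connect", None)

def dial_in(username, password, caller_id):
    """Full exchange for one incoming call; returns the NAS decision."""
    packet, req_auth = access_request(username, password, caller_id)
    return nas_process_reply(server_handle(packet), req_auth)

if __name__ == "__main__":
    for args in [("branch-router", "s3cret!", "5551234"), ("home-office", "h0me", "5550999"),
                 ("road-warrior", "travel", "5558888"), ("nobody", "x", "5550000")]:
        print(args[0], "->", dial_in(*args))
```

Two design points are worth noting. The callback decision lives in the user record on the server, not on the NAS, which is what lets a centralized server (RADIUS, TACACS+, or the Windows user settings the text mentions) apply the same policy to every concentrator. And the User-Password hiding is only an MD5-based XOR stream keyed by the shared secret, not strong encryption, so the NAS-to-server path should stay on the protected DMZ segment the previous design recommends rather than crossing an untrusted network.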