The International Journal of Computer Security

November 2000

Xiscan by Steve Gold

Almost nine months ago, the last time that this writer looked in depth at the telecommunications security product marketplace, the products available fell fairly neatly into two distinct categories: computer telephony security and telecommunications access security.

Today, the mainstream market acceptance of Java, as well as the arrival of Pentium processors surpassing the 1GHz mark in speed terms, has meant that multi-tasking really has become the order of the day. Coupled with the client-server aspects of Java, the telecommunications application protocol interface (TAPI) and telecom security API products seen only last year have given way to Java-coded applications in the telecommunications security area. Yet, despite these resounding changes (changes that have rippled through all aspects of the access security arena), the two fundamental product categories remain relatively intact.

Xiscan, however, like the portfolio of telecommunications security products from another British firm, Bromsgrove-based Informer Systems, actually bridges the product categories of computer telephony security and telecommunications access security effectively. Xiscan is coded in Java 2, allowing the software to run across multiple platforms, and, while it is now accepted that Sun's original "write once, read anywhere" philosophy underlying Java is unlikely to be achieved within the linear microprocessor environment, this multi-platform aspect makes Xiscan extremely attractive. Because Java 2 is a very high-level language, Xiscan is offered as either a shrink-wrapped purchase or as a consultancy service. This review covers the former purchase option.

At its most basic, the software will assess your telecommunications access system and determine whether you have a network access problem. It does this by taking a complete inventory and creating a level of understanding of all the access points in an organisation.

Xiscan supports multiple modems, greatly shortening the time needed to do a full network inventory on PABXs, Featureline installations and even PSTN dialling hunt groups. Like all good IT security products, the software does not stop at the audit and recommendation level; it can form one of the building blocks of an organisation's risk analysis function, allowing all management IT staff to establish and police a more effective security policy.

The most interesting aspect of Xiscan is that it works in a similar fashion to a war dialler, a hacking utility first seen in the late 1980s when modems became relatively cheap and plentiful. By scanning large, defined sets of telephone numbers to locate unauthorised entry points, the package can determine whether the target extension is a voice line or is connected to a modem or fax. If a remote modem is detected, Xiscan captures the information detailing the system to which that modem is attached.

Installing the software from CD-ROM is a snip, and the support documentation is excellent, as are the firm's online resources via its web site. However, immediate support is usually only available during office hours within the UK.

Once installed and running under Windows NT, it becomes clear that Xiscan is actually two sets of components: a control workstation and a dial host, which are separate, yet interlinked. The control workstation is usually a single machine from which Xiscan is controlled. This holds the database repository, and is also where the configuration manager, Xiscan interactive and Xiscan command line interface tools are executed. Central to the Xiscan interactive and Xiscan command line interface tools is the dial manager, which allocates telephone numbers to, and retrieves results from, individual modems. It achieves this by allocating a dedicated channel for each modem.

The dial agent runs as a transient CGI program, acting as a simple channel between the dial manager and a specific dial engine, passing commands and data in and receiving result data back. The dial manager stores the returned data in its core database.

The second main component, the dial host, is a machine to which modems are physically attached. Dial hosts run a web server, dial agent programs and dial engine processes. For security, it is desirable to devolve all aspects of the dial hosts across a network's resources, separate from the control workstation, but, for audit purposes, both can be run on the same machine (co-located).

Because the software is Java 2 coded, it will interface with almost any database engine technology using what it calls its generic interface. For ease of use, the various components can be relocated to a given network to meet changing needs, although the audit trail log is always maintained. Even when co-located, the software's host requirements are still quite modest for an NT4 environment, with a minimum specification of a 266 Pentium II processor with 64Mb of memory and 10Mb of hard disk space.

Unlike some of the non-Java competition, Xiscan is fully open to future enhancements, including enhancements from third-party vendors. Xiscan is designed to allow arbitrary user actions to be configured into the system. Technically it would be possible for an unscrupulous insider to replace a user-supplied action with a trojan. In truth, of course, such an insider could achieve far more with less effort since the tool itself potentially holds a blueprint for hacking an entire organisation within its database. The current recommendation is that Xiscan is used as an isolated system with high physical and logical security.

This is not a package to be taken lightly.
Its many facets will take time to get to grips with and it is almost certain that, while answering a number of IT security questions, the software will, after a given period of time, create many more questions than the IT manager originally asked before buying the application. Against this backdrop, therefore, Xiscan should be viewed as contributing only a part to the wider picture of an organisation's IT resource security systems and procedures.
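
The audit step the review describes (classifying each scanned extension as voice, modem or fax in order to locate unauthorised entry points) only yields findings once the results are reconciled against a register of approved lines. The sketch below is an added example, not part of the original review and not Xiscan code; the record layout, extension numbers, banners and the `reconcile` function are all constructed assumptions.

```python
# Constructed sample data: extensions, classifications and banners are invented
# for illustration and do not reflect Xiscan's database schema or output format.
SCAN_RESULTS = [
    {"ext": "2001", "kind": "voice", "banner": ""},
    {"ext": "2002", "kind": "modem", "banner": "RAS login:"},
    {"ext": "2003", "kind": "fax", "banner": ""},
    {"ext": "2004", "kind": "modem", "banner": "PABX maintenance port"},
    {"ext": "2005", "kind": "voice", "banner": ""},
]

# Hypothetical register of approved data lines, as an asset owner would keep it.
AUTHORISED = {
    "2002": "modem",  # approved remote-access server
    "2003": "fax",    # approved fax machine
    "2005": "modem",  # approved modem that the scan saw as a voice line
    "2010": "modem",  # approved modem outside the scanned range
}

DATA_KINDS = {"modem", "fax"}  # line types that can act as an entry point


def reconcile(results, authorised):
    """Compare scan classifications with the register of approved lines."""
    findings = {"unauthorised": [], "mismatch": [], "not_scanned": []}
    seen = set()
    for record in results:
        ext, kind = record["ext"], record["kind"]
        seen.add(ext)
        expected = authorised.get(ext)
        if expected is None:
            # Not in the register: only data-capable lines are findings.
            if kind in DATA_KINDS:
                findings["unauthorised"].append((ext, kind, record["banner"]))
        elif expected != kind:
            # Registered, but the scan saw something else (moved, replaced
            # or powered-off equipment): the register needs checking.
            findings["mismatch"].append((ext, expected, kind))
    # Approved lines the scan never reached leave a gap in the inventory.
    findings["not_scanned"] = sorted(set(authorised) - seen)
    return findings


if __name__ == "__main__":
    for category, items in reconcile(SCAN_RESULTS, AUTHORISED).items():
        print(category, items)
```
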

Copyright © 2000 West Coast Publishing. Reprinted from SC Magazine, William Knox House, Brittanic Way, Llandarcy, Swansea SA10 6EL. All rights reserved.