Safe and Secure Faxing with Brooktrout Technology Intelligent Fax Boards

In today’s fast moving Internet economy, protecting your network from malicious hacker attack, virus, worm or fraud has become a serious requirement and not just a concern. Your world never stops - neither should your vigilance against attack.

Connecting a fax server to a network can save a company time and money in terms of reduced labor costs and improved productivity. However, for many IT professionals are concerned that someone may break into the network through their fax server. In addition, as companies migrate their voice and data networks to IP, IT administrators may be also concerned about the additional risk of security breaches.

This paper will look at three types of threats that corporate networks face and how using a TR1034™ series intelligent fax board from Brooktrout Technology instead of a data/fax modem can “hacker-proof” your fax server solution.

Brooktrout Technology’s “Fax Only” Security
Unlike other alternative fax boards that are dual-purpose fax and data modems, Brooktrout’s intelligent fax boards are single purpose fax boards that transmit information only via the T.30 and T.38 “fax only” protocols. For IT administrators, this translates to zero added security risk from their fax server, so long as the board that interfaces to the outside network is a Brooktrout TR1034 series intelligent fax board.

T.30 is a fax handshake protocol that describes the overall procedure for establishing and managing communication between two fax devices. With Brooktrout’s intelligent fax boards, trying to hack into a network is like trying to hack into a fax machine. T.30 does not allow for the processing of data or the transmission of data and only allows for the transfer of fax images (known as T.4 and T.6 images).

T.38 is an IP based protocol that closely inter-works with T.30 to enable the same fax procedures over IP in real-time. T.38 only handles images, not files that could potentially contain viruses, worms or Trojans. T.38 also only handles image data that is not executable.

A “fax-only” TR1034 intelligent fax board interprets the content of the data that was sent to it, either over the PSTN or over the IP network, prior to passing it on to the network. This interpretation means that malicious code cannot pass through it in any way. If it’s not a valid T.30 message, it gets dropped. If it’s in the image data, the error handling that is done during image decoding will throw it out.

Alternative fax boards, on the other hand, are in reality simple data modems that support both the V.90 and V.92 protocols, which are 56Kbps data transfer standards and have data exchange capability. Data modems are merely transport devices that do not interpret the data packets they are carrying. This means that when a data modem is connected to the network it’s just like having an IP connection to the computer network.

The fact that a data modem allows the transfer of data, and not just fax images like a Brooktrout intelligent fax board, makes a network very susceptible to security breaches by would be hackers, viruses, worms and Trojans.

When an organization decides to switch their fax traffic from PSTN to IP, a fax server running a TR1034 series intelligent fax board introduces no additional vulnerability to the network.

Still Secure Despite the Type of Threat
In the context of the types of security threats facing organizations, let’s look at how this fundamental difference between Brooktrout intelligent fax boards and alternatives translates to true security. IT administrators today need to be concerned about three main types of threats to their network:

• An attack on the network itself
• Privacy infringement
• Information content theft

Network Attack
A network attack, such as denial of service, consists of a virus or malicious attack by a hacker. This type of attack is in most cases stopped by the network’s security products, such as firewall and virus protection software. However, if a malicious packet did get through the firewall, then Brooktrout’s ‘fax only’ T.30/T.38 protocol will immediately recognize that it is a non T.4/T.6 or T.30/T.38 packet and drop it.

There are four main levels where a packet can be identified as an improper packet:

a) It is not a valid T.38 packet
b) It is not a proper T.30 message
c) It is not a proper T.4/T.6 image,
d) It is not a proper T.30 message or T.4/T.6 image for the point in the call that it appears

In the event that the network does not have an appropriate firewall, or was spawned within the company WAN by an employee, then the malicious packets will attempt to go through the Brooktrout intelligent fax board, which will examine the non- fax packet, recognize it as an invalid T.4/T.6 or T.30/T.38 fax packet, and drop it. If it is not a valid T.30 or T.38 packet, there is no communication path to the network.

Unlike a Brooktrout intelligent fax board, a dual-purpose fax and data modem that supports V.90 or V.92 would allow these packets through when in a non-fax mode.

Privacy Infringement
A privacy attack involves a fax being intercepted in transit and read by someone other than the designated recipient or fax machine. In a real-time fax over IP setting, a Brooktrout IP enabled intelligent fax board does not pose any additional risk to privacy. This is because the IP portion of the fax traffic once again is contained within a properly configured and secure enterprise WAN. Within this enterprise WAN there are two scenarios in which a FoIP transmission can take place.

The first scenario is a fax origination on the PSTN, being sent over the PSTN to a T.38 endpoint, as shown in the diagram below.

In this scenario, the PSTN portion of the fax transmission is secure, just like today’s standard PSTN based fax transmissions, because hacking into a PSTN line requires physical access to the line or switching equipment. In addition, the T.30 protocol only permits passage of T.4/T.6 image streams between Group 3 fax image transmission devices, so there are no opportunities to add rogue content. Also, in most countries around the world there exist Federal Laws that prevent wiretapping, a legal method that also ensures that the PSTN portion of the fax transmission is safe. On the IP portion of the fax transmission, when the fax passes through the T.38 gateway, it travels across the enterprise WAN, or private IP network, which under normal good business practices is also safe and secure from external threats because it is internal to the company.

The second scenario is a T.38 endpoint sending a fax to another T.38 endpoint that is connected to an IP WAN, as depicted in the diagram below.

In this scenario the fax originates from an IP endpoint and is converted from T.38 to T.30, where it then travels over the PSTN to a gateway located on the company WAN. As in Scenario 1, when the fax is on the company WAN it is located behind the company’s firewall and is safe and secure. The only breach in security can occur if a malicious employee internal to the company attempts to snoop the IP traffic inside the WAN. This is an IP network issue that needs to be addressed for all IP applications; fax presents no additional security issues of this sort. An example of a solution to cover passage within an enterprise is the use of a VPN to connect the T.38 gateway and T.38 endpoint, or T.38 endpoint to T.38 endpoint, in order to limit the risk to only include those people authorized to use the corporate VPN resources.

Content Attack
The final type of attack is a content attack, which means that the fax content is intercepted and altered. Again in this case this is very difficult to do in PSTN mode due to wire tapping laws and the difficulty with intercepting a fax transmission over the PSTN. In IP mode, the fax would travel over IP only over the enterprise WAN, which again would be protected behind a properly configured firewall. Even within the corporation, a hacker would need complex software tools in order to decode the fax image, T.30 protocol and ASN.1 (Abstract Syntax Notation) which underpins T.38. It would be virtually impossible to decode, change and re-encode T.38 packet content in real-time without causing the session to end due to timeouts. Again, with any IP network these are network security issues that would be addressed by standard network security products. The public portion of the fax transmission would travel over the PSTN via T.30 and would be at no greater risk than if it were transmitted in standard PSTN format.

Summary
The TR1034 series of intelligent fax boards from Brooktrout Technology provide safe, secure and reliable fax transmission capability.

For PSTN connections, Brooktrout intelligent fax boards use the T.30 “fax only” protocol, which does not have any data exchange capability, unlike fax boards that support the V.90 or V.92 protocol.

For IP connections Brooktrout intelligent fax boards support the T.30 and T.38 fax protocols only, again two “fax only” protocols that do not allow the transmission of data. In addition, installing a real-time fax over IP solution into an organizations network does not pose any additional risk, as the IP enabled fax server will always sit within a WAN and behind a properly configured firewall. Brooktrout’s on-board “fax-only” processing will immediately recognize the non-T.30/T.38 packets attempting to enter the network through the fax server and drop them. If it is not a valid T.30 or T.38 packet, there is no communication path to the network through a Brooktrout intelligent fax board.

Consequently, installing a Brooktrout based fax over IP solution poses no added threat to your network security. Remember, trying to gain access to your organization’s network through a Brooktrout based fax server would be like trying to hack into a fax machine. Call Meridian now on 02 4878 9520.

» back to top