The principle of Xiscan is a good one. It takes the idea of war dialing software, which hackers have used to their advantage for many years to scan telephone networks in an attempt to locate entry points, and turns it against the enemy.
Xiscan works in the same way that the hackers have always used automated telephone dialers – to probe for weaknesses in the network. The difference is that it is designed to be used within the network, to locate rogue modems and bring users to heel.
The basic idea is that if hackers can use automated dialers to gain an advantage over legitimate users, then why can't the legitimate user do the same? It is a very good question – and there is something very satisfying about the idea of wresting control of hacker-type tools, and using them for legitimate ends. Xiscan takes the wardialer idea and turns it on its head, using it as a way to monitor the network from within.
There are typically two different 'rogue modem' scenarios, and each raises different problems.
The first is when a user inside the network sets up his own dial-up connection as an adjunct to the official modems, bypassing the firewall in the process. This creates two problems: hackers can get network information through the rogue modem, and the content of material the user downloads cannot be controlled.
This is less of an issue, however, than the second scenario, in which users, such as lazy technical support staff who want to monitor a site remotely, set up remote dial-in modems. This is not necessarily a problem if the dial-in modems are known about and adequate security measures are taken, but often this is not the case. The network manager might not be aware of their existence.
The problem is that if hackers can get access to these rogue dial-in modems then they are clean into the system – and all the time and money spent securing all 'legitimate' entry points will have been in vain. Having security that does not work is probably worse than having no security at all, because the user is lulled into a false sense of security.
There is also the concern that some pieces of kit can have embedded modems which allow the vendor to support them remotely. This may be a good thing, but the network manager needs to know about it.
Xiscan is a telephone audit software package, built around a core relational database. It consists of four separate tools: configuration manager, which sets up the database; Xiscan Interactive, which runs scans; Xiscan command line, which runs the scans automatically; and Report Generator, which queries scan results and combines them.
The manager component of Xiscan is written in Java 2, using the Java database connectivity protocol (JDBC) to access the underlying database (Access or Oracle).
Xiscan only recommends using an Oracle database on a higher spec machine because of memory requirements. The installation allows both Oracle and Access files to be installed, so that the user can start with an Access database and – if necessary – progress to Oracle.
In terms of operating systems, Xiscan has been validated to run on Windows NT 4 and 2000 Professional.
The documentation says that "as a result of a lack of official support for Windows XP in some of the third-party software deployed in Xiscan, we are currently unable to officially endorse its use on Windows XP." This does not, however, mean that it will not run on XP Professional.
Xiscan needs to be loaded with appropriate telephone numbers on the network – which can sometimes be a time-consuming, one-off task. Armed with this information it can be configured to dial ranges of numbers. It scans various sites, regardless of their physical location.
It comes either as a product – suitable for large companies – or as a managed service, which is more suitable for smaller companies without the in-house resources.
One point that needs to be made is that while Xiscan is a very useful tool in the fight against hackers, users have to be very careful when they set it up (which Xiscan does point out in the documentation). In the wrong hands, of course, the information that Xiscan collects would be, ironically, very useful to the hacker – providing the location of modems, and sending the dial strings unencrypted.
For this reason, Xiscan is set up automatically to be dial-out only. The password on the database needs to be reset from the default before use (the default setting is changeme). On an Oracle installation both the sys and system passwords need to be reset.
The caveat is that Xiscan is only one part of the security jigsaw, and is a complement to, rather than a replacement for, a firewall. But it is exceedingly useful. The point also needs to be made that companies need to have a policy that users should not attach unapproved equipment to the network, and that doing so is a disciplinary offense. The policy should dictate that any ad hoc modem connections are explicitly forbidden.
This threat, backed up by active monitoring, should be enough to protect the network.