8.5 Fax server

Description

This chapter deals with information transfer via facsimile (fax). When selecting safeguards in the area of IT baseline protection, it should be borne in mind that no distinction has been made between different transmission standards (e.g. CCITT Group 3). This module only considers fax traffic generated using a fax server. A fax server in this sense is an application which is installed on an IT system and provides services on a network enabling other IT systems to send and/or receive faxes.

Fax servers are usually integrated into existing E Mail systems. Thus, it is possible for incoming fax documents to be delivered to users by E Mail. Outgoing documents are passed to the fax server either via a printer queue or else by E Mail. If the fax server is integrated into an E Mail system it is also possible to send out "serial letters" either by fax or by E Mail. If the recipient has access to E Mail then he receives the message free of charge by E Mail, otherwise it comes by fax. The document sent or received by a fax server is a graphics file which cannot be directly edited in a word processing system. However, archiving is possible in either case. This can be done either through the fax server software or else in document management systems.

Fax server applications are available for a number of operating systems, e.g. for various Unix derivatives, Microsoft Windows NT and Novell NetWare. The threats and safeguards associated directly with whichever operating system is used are not considered in this module. Those aspects are considered in Section 6.1 and the section that is specific to the particular operating system.

Fax servers also often have a binary transfer mode capability. This enables any data which is not in fax format to be transmitted. These transmissions do not constitute fax transmissions. Therefore any special threats and safeguards relating to this service are not considered in this section. If the binary transfer mode is permitted, then Section 7.2 Modems should also be used.

Threat Scenario

The following typical threats are assumed for fax information transfer over a fax server as part of IT baseline protection:

Organisational Shortcomings

• T 2.7 Unauthorised use of rights
• T 2.9 Poor adjustment to changes in the use of IT
• T 2.22 Lack of evaluation of auditing data
• T 2.63 Uncontrolled use of Faxes

Human Failure

• T 3.3 Non-compliance with IT security measures
• T 3.14 Misjudgement of the legal force of a fax

Technical Failure

• T 4.15 Fax transmission errors
• T 4.20 Data loss due to exhausted storage medium

Deliberate Acts

• T 5.2 Manipulation of data or software
• T 5.7 Line tapping
• T 5.9 Unauthorised use of IT systems
• T 5.24 Replay of messages
• T 5.25 Masquerading
• T 5.27 Repudiation of a message
• T 5.30 Unauthorised use of a fax machine or fax server
• T 5.31 Unauthorised reading of fax transmissions
• T 5.32 Evaluation of residual information in fax machines and fax servers
• T 5.33 Impersonation of wrong sender on fax transmissions
• T 5.35 Deliberate overload through fax transmissions
• T 5.39 Infiltrating computer systems via communication cards
• T 5.90 Manipulation of address books and distribution lists

Recommended Countermeasures (S)

For the implementation of IT baseline protection, selection of the required packages of safeguards ("modules"), as described in Sections 2.3 and 2.4, is recommended.

As a first step a comprehensive set of security guidelines for the fax server should be prepared (see S 2.178) and a suitable fax server should be procured (see S 2.181 Selection of a suitable fax server). These should be used as the basis for developing appropriate procedures. Finally, Fax Officers should be appointed for the fax server (see S 3.10 Selection of a trustworthy administrator or deputy and S 2.180 Setting up a fax mail centre). Both the security guidelines and the procedures based on them and the appointment of Fax Officers should be effected in writing. These specifications should then be implemented in the form of specific security measures. As well as secure operation of the fax server, it is especially important that the users should adhere to the relevant security precautions and instructions.

The safeguard package for the "Fax server" application is listed below:

Organisation

• S 2.30 (2) Provisions governing the configuration of users and of user groups
• S 2.64 (1) Checking the log files
• S 2.178 (1) Creation of security guidelines for the use of faxes
• S 2.179 (1) Procedures controlling the use of fax servers
• S 2.180 (1) Configuration of a fax mail centre
• S 2.181 (1) Selection of a suitable fax server

Personnel

• S 3.4 (1) Training before actual use of a program
• S 3.5 (1) Education on IT security measures
• S 3.10 (1) Selection of a trustworthy administrator or deputy
• S 3.11 (1) Training of maintenance and administration staff
• S 3.15 (1) Information for all staff about the use of faxes

Hardware & Software

• S 4.36 (2) Blocking fax recipient numbers (optional)
• S 4.37 (2) Blocking fax sender numbers (optional)

Communication

• S 5.24 (1) Use of a suitable fax cover sheet
• S 5.25 (2) Using transmission and reception logs
• S 5.26 (2) Announcing fax messages via telephone (optional)
• S 5.27 (2) Acknowledging successful fax reception by telephone (optional)
• S 5.28 (2) Acknowledging correct fax origin by telephone (optional)
• S 5.73 (1) Secure operation of a fax server
• S 5.74 (1) Maintenance of fax server address books and distribution lists
• S 5.75 (1) Protecting against overloading the fax server

Contingency Planning

• S 6.69 (1) Contingency planning and operational reliability of fax servers