PrepAway - Latest Free Exam Questions & Answers

Which of the following can BEST eliminate dial-up access through a Remote Access Server as a hacking
vector?

A. Using a TACACS+ server.

B. Installing the Remote Access Server outside the firewall and forcing legitimate users to authenticate to the
firewall.

C. Setting modem ring count to at least 5.

D. Only attaching modems to non-networked hosts.

Explanation:
As client computers used to have built-in modems to allow for Internet connectivity, organizations commonly
had a pool of modems to allow for remote access into and out of their networks. In some cases the modems
were installed on individual servers here and there throughout the network or they were centrally located and
managed. Most companies did not properly enforce access control through these modem connections, and
they served as easy entry points for attackers.
Installing the Remote Access Server outside the firewall and forcing legitimate users to authenticate to the
firewall can best eliminate dial-up access through a Remote Access Server as a hacking vector. This solution
would mean that even if an attacker gained access to the Remote Access Server, the firewall would provide
another layer of protection.
Incorrect Answers:
A: Using a TACACS+ server does provide a good remote access authentication and authorization solution.
However, to best eliminate dial-up access through a Remote Access Server as a hacking vector, you should
place the remote access server outside the firewall.
C: Setting modem ring count to at least 5 may deter wardialers but it does not eliminate dial-up access through
a Remote Access Server as a hacking vector.
D: Only attaching modems to non-networked hosts does not eliminate dial-up access through a Remote Access
Server as a hacking vector. Besides being impractical, the non-networked hosts would be vulnerable to attack.

Harris, Shon, All In One CISSP Exam Guide, 6th Edition, McGraw-Hill, 2013, p. 695

