Many sites permit dial-in access to modems located at various points
throughout the site.
As discussed in section 
, this is a potential backdoor
and could negate all the protection provided by the firewall.
A much better method for handling modems is to concentrate them
into a modem pool, and then secure connections from that pool.
The modem pool likely would consist of modems connected to a terminal server, which is a specialized computer designed for connecting modems to a network. A dial-in user connects to the terminal server, and then connects (e.g., telnets) from there to other host systems. Some terminal servers provide security features that can restrict connections to specific systems, or require users to authenticate using an authentication token. Alternatively, the terminal server can be a host system with modems connected to it.
Figure: Modem Pool Placement with Screened Host Firewall.
Figure shows a modem pool located on the Internet side of
the screened host firewall.
Since the connections from modems need to be treated with the
same suspicion as connections from the Internet, locating the modem
pool on the outside of the firewall forces the modem connections to pass
through the firewall.
The application gateway's advanced authentication measures can be used then to authenticate users who connect from modems as well as from the Internet. The packet filtering router could be used to prevent inside systems from connecting directly to the modem pool.
A disadvantage to this, though, is that the modem pool is connected directly to the Internet and thus more exposed to attack. If an intruder managed to penetrate the modem pool, the intruder might use it as a basis for connecting to and attacking other Internet systems. Thus, a terminal server with security features to reject dial-in connections to any system but the application gateway should be used.
Figure: Modem Pool Placement with Screened Subnet and Dual-Homed Firewalls.
The dual-homed gateway and screened subnet firewalls provide a more
secure method for handling modem pools.
In figure ,
the terminal server gets located on the inner, screened
subnet, where access to and from the modem pool can be carefully
controlled by the routers and application gateways.
The router on the Internet side protects the modem pool from any direct
Internet access except from the application gateway.
With the dual-homed gateway and screened subnet firewalls, the router connected to the Internet would prevent routing between Internet systems and the modem pool. With the screened subnet firewall, the router connected to the site would prevent routing between site systems and the modem pool; with the dual-homed gateway firewall, the application gateway would prevent the routing. Users dialing into the modem pool could connect to site systems or the Internet only by connecting to the application gateway, which would use advanced authentication measures.
If a site uses any of these measures to protect dial-in access, it must rigidly enforce a policy that prevents any users from connecting modems elsewhere on the protected subnet. Even if the modems contain security features, this adds more complexity to the firewall protection scheme and adds another ``weak link'' to the chain.