Avaya

Message Networking Help


Feature security

This topic provides security information for the following Message Networking features:

 

FTP

Message Networking provides authenticated FTP access for specific applications, including the following:

  • Subscriber Imports
  • Report Exports
  • CDR Exports
  • Customer Downloadable Service Packs (software updates)

FTP access into Message Networking requires the use of the icftp login ID and password. This login ID is set to a default value when the Message Networking system is initially installed, but you are required to change the password during system administration.

Message Networking’s FTP access is limited to the /iclog/icftp directory. This directory has a budgeted maximum amount of storage that cannot be exceeded by the FTP user. That is, importing more data than can be stored is prevented by the Message Networking system.

Message Networking systems are shipped with the FTP feature deactivated by default. If you activate FTP to use it for a task, such as exporting a report, it is recommended that you deactivate it when you complete the task.

Enterprise Lists

The administration of Enterprise Lists is limited to administrators logged into the Message Networking system and applications accessing the Message Networking LDAP interface (see LDAP for security considerations for the Message Networking LDAP server).

Senders must know the list ID network address (or corresponding ASCII name) of the list to which they want to send a message, and the sender's network address must be granted permission to use the list by the administrator.

CDR

Message Networking provides a seven-day cyclical file that records all information about the messages that pass through the system. This file is not a copy of the actual message (messages are transient and are deleted from the system after delivery), but is a record that the message was sent.

Access to this information requires administrative system access (tsc, sa, craft, dadmin, and icftp logins).

System administrators have used the CDR feature in the past to track and capture unauthorized users who gained access to a remote machine server mailbox and sent disruptive messages from that mailbox.

SMTP access

Message Networking does not scan attachments in incoming messages for viruses. It is strongly recommended that you deploy a third-party email virus scanner. Such scanners are available in a number of forms including both standalone email relay hosts and firewall/router based scanning systems.

Message Networking, which receives incoming email for end users via SMTP on TCP/IP port 25, supports the administrative ability to allow or block SMTP usage by individual subscribers or ranges of subscribers (by Network Address) as well as by domain definitions.

LDAP

Message Networking uses LDAP for updates between Message Networking systems and Modular Messaging systems (using port 56389). Message Networking also provides an LDAP-based interface (using standard LDAP port 389) that can be used both to obtain directory data. The Message Networking LDAP-based interface requires authenticated access. If you are not using SSL for LDAP, the version of LDAP supported is the standard, unencrypted, version, and any adjunct processors using authenticated LDAP will transmit their login credentials in plain text, so security of the link between these processors and the server is important.

Message Networking supports SSL for both incoming and outgoing LDAP client connections. Message Networking uses standard LDAP port 389 for LDAP client access. If you want to use SSL for LDAP transmissions, you must configure it on the LDAP client you are using. There is no administration required on the Message Networking system to enable SSL for LDAP. See LDAP Server Access for additional information.

Note: If you are using certain older versions of ldapsearch from the command line, and you want to use -ZZ, you must enter the fully qualified domain name (FQDN) for the host on which the LDAP server is running. Newer versions do not require you to enter the FQDN.

SNMP

SNMP, the current working standard of the TCP/IP protocol suite, is used to transfer network management information. Through SNMP, various elements of a network can communicate with each other regardless of their underlying architecture. Message Networking supports its own implementation of SNMP, which allows network system administrators to monitor remote Message Networking elements from a central location.

The Message Networking system supports SNMP versions 2c and 3. For version 2c, the network management station uses community strings to secure access to SNMP information. For version 3, the network management station uses views to secure access to SNMP information. See Simple Network Management Protocol overview for more information on SNMP on Message Networking.

System access

Message Networking does not allow subscribers into the server for mailbox access. Message Networking strictly serves as a postmaster, receiving and sending networked messages. The only login access to the system is by system administrators using the standard login IDs (for example, sa, craft).

Message Networking Release 2.0 provides a secure web connection that requires the administrator’s browser to have a security certificate.

Network messages

Access to all messages processed by Message Networking requires the following:

  • tsc login access
  • Knowledge of the directories where the actual messages are stored.
  • A process that continuously monitors the system (Message Networking messages are transient and deleted from the system once delivered).
  • A transcoder or player for each of the voice formats supported by the system (proprietary and non-proprietary).

Network protocols

The following table lists the networking protocols supported by Message Networking and the security-related considerations for each.

Protocol Security considerations
AMIS
  • Standard protocol.
  • Requires authentication of Callback Number on both ends.
  • Requires proper military tone sequence for session setup.
  • Actually plays voice message over analog line.
Octel Analog Networking
  • Proprietary protocol.
  • Requires authentication of Octel Serial Number on both ends.
  • Supports encryption of touch-tone values.
  • Requires proper military tone sequence for session setup.
  • Actually plays voice message over analog line.
AUDIX Digital
  • Proprietary protocol.
  • Uses port 5500 (listen port).
  • Uses CELP voice encoding (proprietary).
  • Requires authentication of password and machine name on both ends.
Aria Digital
  • Proprietary protocol.
  • Uses port 4000 (listen port).
  • Uses SBC voice encoding (proprietary).
  • Requires authentication of Octel Serial Number on both ends.
Serenade Digital
  • Proprietary protocol.
  • Uses port 22136 (listen port).
  • Requires IP address of both systems to be administered on each end.
  • Does not have any password authentication.
  • Uses CVSD voice encoding (proprietary).
SMTP/MIME
  • Standard protocol.
  • Please refer to the general notes in this document regarding SMTP/MIME Internet access.
  • Uses port 25.
  • Uses GSM, G.711 (mu and A law) voice encoding.
  • Message Networking provides individual subscriber, range of subscribers, and domain blocking.
LDAP-Based Subscriber Directory Updates
  • Subscriber directory updates based on LDAP.
  • Provides directory adds/changes/deletes.
  • Has an all directory pull and push capability.
  • For Message Networking, port 56389 is used.
  • For MMA, port 55389 is used.
VPIMv2
  • Standard protocol.
  • See SMTP/MIME (uses port 25).
  • Uses ADPCM voice encoding.
LDAP server access
  • Standard protocol.
  • Uses port 389.
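
As an added illustration (not part of the Avaya documentation), the following Python script checks a listening-socket listing against the ports in the table above and attaches this page's security note to each exposed listener. The `netstat -ltn` sample is constructed, FTP on port 21 is an assumption (the standard FTP control port, not stated on this page), and the names `PROFILE`, `listening_ports` and `audit` are hypothetical.

```python
# Listen ports from the protocol table above. Port 21 for FTP is an assumption
# (the standard FTP control port); the page does not state it.
PROFILE = {
    21: ("FTP", "shipped deactivated; deactivate again once the task is done"),
    25: ("SMTP/MIME and VPIMv2", "attachments are not virus-scanned; deploy a third-party scanner"),
    389: ("LDAP server access", "bind credentials are plain text unless the client uses SSL"),
    4000: ("Aria Digital", None),
    5500: ("AUDIX Digital", None),
    22136: ("Serenade Digital", "no password authentication; peers are administered by IP address only"),
    56389: ("LDAP-based subscriber directory updates", None),
}

# Constructed sample of `netstat -ltn` output, not captured from a real system.
SAMPLE = """\
Proto Recv-Q Send-Q Local Address      Foreign Address    State
tcp        0      0 0.0.0.0:21         0.0.0.0:*          LISTEN
tcp        0      0 0.0.0.0:25         0.0.0.0:*          LISTEN
tcp        0      0 :::389             :::*               LISTEN
tcp        0      0 0.0.0.0:6000       0.0.0.0:*          LISTEN
tcp        0      0 0.0.0.0:22136      0.0.0.0:*          LISTEN
tcp        0      0 127.0.0.1:8005     0.0.0.0:*          LISTEN
"""

def listening_ports(netstat_text):
    """Return the TCP ports with a listener reachable from the network."""
    ports = set()
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 6 or not fields[0].startswith("tcp") or fields[5] != "LISTEN":
            continue  # header line, non-TCP socket, or not a listener
        host, _, port = fields[3].rpartition(":")
        if host in ("127.0.0.1", "::1"):  # loopback only: not exposed to the network
            continue
        ports.add(int(port))
    return ports

def audit(netstat_text):
    """Map each exposed port to the page's protocol name and security note."""
    unknown = ("not in the protocol table", "unexpected listener; identify the owning service")
    findings = []
    for port in sorted(listening_ports(netstat_text)):
        name, note = PROFILE.get(port, unknown)
        findings.append((port, name, note))
    return findings

if __name__ == "__main__":
    for port, name, note in audit(SAMPLE):
        print(f"{port:>5}  {name:<40} {note or '-'}")
```

On the constructed sample, the script reports FTP as active, LDAP on 389, the Serenade Digital listener and one port that the table does not account for, while the loopback-only listener is ignored.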

©2006 Avaya Inc. All rights reserved.
Last modified 11 January, 2006