The Modular Messaging system is designed to be located securely
within the network and should not be directly connected to the Internet.
Modular Messaging connects to your TCP/IP and the telephony network. You
should leverage the existing network security policy to protect
the system from malicious activities from external and internal
sources. Although protecting information may be a high priority,
protecting the integrity of your network should not be less important.
When your network is connected to the Internet, it is exposed to
various types of attacks, including network packet sniffers, IP spoofing,
password attacks, denial-of-service attacks, and application-layer
attacks. A breach of integrity can be extremely dangerous and can
open the doors for continued attacks on your system. Your network,
security and applications teams should work together to plan and
manage security. You should consider the measures described below
for reducing security risks when deploying the Modular Messaging
System into your network:
Internet Firewalls
An Internet firewall is a system or a group of systems that enforces
a security barrier between your network and the Internet. The firewall
determines which inside services can be accessed from outside and
which outside services can be accessed by insiders. It is advisable
that you install the Modular Messaging system in a trusted network
behind your corporate firewall. When you set up a firewall server,
identify the type of networks that are attached to the firewall
server. It is also advisable to explicitly identify the untrusted
networks from which the firewall can accept requests. Ensure that
all the traffic to and from the Internet passes through the firewall.
Intrusion Detection System (IDS)
An Intrusion Detection System (IDS) can be used for detecting
unauthorized break-ins to your systems. It is advisable to implement
a network-based intrusion detection system as a secondary security
system. Following are some of the reasons for adding an IDS to your
network. An IDS:
- Cross-checks incorrectly configured firewalls
- Detects attacks that firewalls legitimately allow through (such
  as attacks against Web servers)
- Detects failed hacking attempts to get into your system
- Detects insider hacking
MAS and MSS Private Network Security
MAS acts as a trusted server for the configuration of MSS. Therefore,
no authentication is required for data transfer between MAS and
MSS. All communication between the MSS and the MAS is carried over
a private LAN. The MSS and the MAS come with two Ethernet connections
each, for a total of at least four ports for Modular Messaging.
The system is shipped with a Layer 2 switch, which creates the Private
LAN. One port on each server is connected to the switch. To assure
the highest level of security, ensure that no other traffic is carried
on the switch. In cases where customers need to use their own switches,
Avaya recommends that the MAS and MSS be connected to a separate
Layer 3 switch over a VLAN. This segments traffic by routing only
between these two systems on the Private LAN’s dedicated Ethernet
ports. The messages in the user mailboxes are neither stored nor
backed up in encrypted form and are also not encrypted in transit
by the message retrieval protocols used between the MSS and MAS.
The private LAN between the MSS and the MAS should be maintained
as private only with the MAS and the MSS located within close physical
proximity.
Trusted Server
A trusted server can be a computer or a software application that
is given privileged access to the MSS. It uses its own login and
password to access the MSS services. The MSS verifies that the IP
packets come from the administered IP addresses of the trusted servers.
The first step in securing the system is to make certain that only
trusted systems are working together. An example of a trusted server
for Modular Messaging is Mailbox Manager (MBM). You must administer
the passwords that the trusted server application requests to access
the MSS. Avaya recommends that you change the trusted server passwords
on a regular basis. To understand how to set up a trusted server,
see "Setting up the trusted servers" in the
Installation Guide (pdf).
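The following is an added illustration of the trusted-server admission model described above (source address must match the administered address AND the server's own login/password must verify), plus a rotation report for the recommended regular password change. It is not Avaya's code; the record format, the 90-day rotation period and the sample "mbm" server are assumptions.

```python
import hashlib
import hmac
import ipaddress
import os
from datetime import date, timedelta

# Assumed rotation policy; the guide only says "on a regular basis".
MAX_PASSWORD_AGE = timedelta(days=90)


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def administer_trusted_server(login, ip, password, changed_on):
    """Create one administered trusted-server record (hypothetical format)."""
    salt = os.urandom(16)
    return {"login": login, "ip": ipaddress.ip_address(ip), "salt": salt,
            "pw_hash": _hash_password(password, salt), "changed_on": changed_on}


def admit(records, src_ip, login, password):
    """Admit a request only if the packet's source address is the administered
    one AND the trusted server's password verifies. The reason is for the
    MSS audit log, not for the requesting client."""
    rec = records.get(login)
    if rec is None:
        return False, "unknown trusted server login"
    if ipaddress.ip_address(src_ip) != rec["ip"]:
        return False, "source address is not the administered address"
    if not hmac.compare_digest(_hash_password(password, rec["salt"]), rec["pw_hash"]):
        return False, "password mismatch"
    return True, "ok"


def rotation_due(records, today):
    """Logins whose password is older than MAX_PASSWORD_AGE, for admin review."""
    return sorted(l for l, r in records.items() if today - r["changed_on"] > MAX_PASSWORD_AGE)


# Constructed sample data: one Mailbox Manager (MBM) trusted server.
SAMPLE_RECORDS = {"mbm": administer_trusted_server("mbm", "10.0.0.5", "s3cret", date(2024, 1, 1))}
SAMPLE_TODAY = date(2024, 6, 1)

if __name__ == "__main__":
    print(admit(SAMPLE_RECORDS, "10.0.0.5", "mbm", "s3cret"))   # admitted
    print(admit(SAMPLE_RECORDS, "10.0.0.6", "mbm", "s3cret"))   # wrong source address
    print(rotation_due(SAMPLE_RECORDS, SAMPLE_TODAY))           # ['mbm'] is overdue
```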
Modular Messaging connects to your corporate LAN and allows desktop
access to messages and remote administration. The system supports
IMAP4 and POP3 client access, which can be disabled if required. You
can also network Modular Messaging with other voice mail systems
using Avaya Message Networking with the Avaya S3210 Message
Server over the LAN. See Networking for
more information on Modular Messaging networking.