Avaya

Modular Messaging Help

Port administration

MAS and MSS

All communication between the Messaging Application Server (MAS) and the Message Storage Server (MSS) is carried over a private LAN. The MAS and the MSS each have two Ethernet ports. One of the two ports on each server is connected to the Layer 2 switch that forms the private LAN. To keep these ports secure, connect no other traffic to this switch: the Ethernet ports on the private LAN must be used only for communication between the MAS and the MSS. All user logins between the MAS and the MSS over the private LAN are protected by a challenge/response mechanism. User passwords, encrypted using the 3DES algorithm, are transmitted between the MAS and the MSS over the private LAN using LDAP, and the MSS verifies that each LDAP connection originates from the administered IP address only. If you choose to use a different switch, it is recommended that you connect the MAS and the MSS to a separate Layer 3 switch over a VLAN.

Modular Messaging uses the second Ethernet port for standard e-mail client access over the LAN using industry-standard protocols such as POP3, IMAP4, and SMTP. Modular Messaging also supports the Secure Sockets Layer (SSL) versions of these protocols; you set the SSL options in the e-mail client's standard account options window. See Client Access to a Subscriber Mailbox (pdf) for more information.
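As an added illustration (not part of the Avaya documentation), the following Python script checks a sample of observed connections against the two-port model described above: on the private LAN only LDAP from the administered MAS address is expected, and on the client-access port the SSL variants of POP3, IMAP4 and SMTP are preferred over the plaintext ones. The interface names, the MAS address, the traffic sample and the standard SSL ports (465, 993, 995) are assumptions, not values from this page.

```python
from dataclasses import dataclass

# Constructed example values; the real addresses and interface names are site-specific.
ADMINISTERED_MAS_IP = "192.168.10.2"          # MAS address the MSS accepts LDAP from
PRIVATE_LAN_IFACE = "eth0"                    # port on the private MAS/MSS LAN
CLIENT_LAN_IFACE = "eth1"                     # port for POP3/IMAP4/SMTP client access

LDAP_PORTS = {389, 636}
# Plaintext client protocols mapped to their SSL counterparts (well-known registered ports).
PLAINTEXT_TO_SSL = {25: ("SMTP", 465), 110: ("POP3", 995), 143: ("IMAP4", 993)}
SSL_PORTS = {465, 993, 995}

@dataclass(frozen=True)
class Conn:
    iface: str
    src_ip: str
    dst_port: int

def audit(conns):
    """Return a list of findings for connections seen on the two MSS Ethernet ports."""
    findings = []
    for c in conns:
        if c.iface == PRIVATE_LAN_IFACE:
            if c.dst_port not in LDAP_PORTS:
                findings.append(f"private LAN: non-LDAP traffic to port {c.dst_port} from {c.src_ip}")
            elif c.src_ip != ADMINISTERED_MAS_IP:
                findings.append(f"private LAN: LDAP from non-administered address {c.src_ip}")
        elif c.iface == CLIENT_LAN_IFACE:
            if c.dst_port in PLAINTEXT_TO_SSL:
                name, ssl_port = PLAINTEXT_TO_SSL[c.dst_port]
                findings.append(f"client LAN: plaintext {name} from {c.src_ip}; use port {ssl_port} (SSL)")
            elif c.dst_port not in SSL_PORTS:
                findings.append(f"client LAN: unexpected port {c.dst_port} from {c.src_ip}")
    return findings

SAMPLE = [  # constructed traffic sample
    Conn("eth0", "192.168.10.2", 636),   # MAS -> MSS LDAP, expected
    Conn("eth0", "192.168.10.9", 389),   # LDAP from an address that is not the MAS
    Conn("eth0", "192.168.10.2", 22),    # non-LDAP traffic on the private LAN
    Conn("eth1", "10.1.5.20", 993),      # IMAP4 over SSL, expected
    Conn("eth1", "10.1.5.21", 110),      # plaintext POP3 on the client port
]

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```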

Maintenance ports

Modular Messaging provides dial-up modem access, which Avaya services personnel use for troubleshooting and maintenance. Maintenance ports are a prime target for fraud. Hackers use various devices to dial into these ports and crack passwords in order to gain control over the administrative commands; they then manipulate system settings to commit fraud or otherwise damage the system. Many security risks arise from allowing incoming callers to reach outside facilities. Other endpoints in your system can be dialed as internal calls and reached from voice mail, the auto attendant, or remote access. Typically, toll hackers target the administration port to gain control over the maintenance and administration capabilities of the system. To enhance the security of your system, monitor access, egress, and system administration. Consider the options described below for securing dial-up port access to your system.

Remote Port Security Device (RPSD)

Dial-up ports help improve productivity, but they also provide potential access for hackers. For greater security, consider using the Remote Port Security Device (RPSD), which offers enhanced protection for dial-up access. RPSD is a single-channel protection system that improves your ability to prevent unauthorized users or hackers from accessing the dial-up communication ports of your system.

The RPSD helps to:

  • Protect remote locations that communicate with a central network via dial-up lines

  • Safeguard companies that remotely administer PBX and voice mail systems

  • Ensure that critical network routing information and PBX feature translations are not compromised

  • Control access of dial-up ports by remote maintenance or service personnel

Access Security Gateway (ASG)

The Access Security Gateway (ASG) is an optional authentication interface that uses a challenge and response mechanism to secure access to dial-up communication ports, and that you can use to secure remote logins to the Message Storage Server (MSS). See ASG for information on maintaining ASG logins, and Access Security Gateway (ASG) for information on administering ASG on Modular Messaging. For more information about ASG and Avaya Modular Messaging security, see the ASG Key User Guide, 585-212-012.

General recommendations

For more information on registered ports, search the Internet Engineering Task Force (IETF) Web site or the Microsoft TechNet Web site. The following guidelines help you ensure port security:

  • Use Class Of Restriction (COR) to restrict access to administration ports. If you use PC-based emulation programs to access administration capabilities, never store dial-up numbers, logins, or passwords as part of an automatically executed script.

  • Use the monitoring tool to check the performance of your system; see Using Port Monitor for more information. You can also generate reports on port statistics, port usage, and port states. Review the system usage and port usage reports regularly. See Reports for more information on the reports that you can generate.

  • To reduce the system’s vulnerability to toll fraud, outward restrict the port to which the Remote Maintenance Device (RMB) is connected. Block out-of-hours calling by turning off remote access features at an intercom 10 administration telephone whenever possible.

  • Evaluate the necessity for Direct Inward System Access (DISA). If this feature is not vital to your organization, consider not using it or limiting its use. Protect your DISA telephone number and password. Give them only to people who need them, and impress upon these people the need to keep the telephone number and password secret.

  • Consider using port scanners to check your system for open ports and known vulnerabilities.
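As an added example (not from the Avaya documentation), this Python script reviews a constructed maintenance-port usage report for the two patterns the guidelines above call out: out-of-hours dial-up access and repeated failed logins on the administration port. The report format, the caller and login names, the maintenance window and the failure threshold are assumptions; adapt them to the reports your system actually generates.

```python
import re
from collections import Counter
from datetime import datetime, time

# Constructed maintenance-port report sample; the real report format is site-specific.
LOG = """\
2024-03-05 09:12:41 port=MAINT1 caller=5551001 login=svc result=OK
2024-03-05 02:14:07 port=MAINT1 caller=5559876 login=svc result=FAIL
2024-03-05 02:14:39 port=MAINT1 caller=5559876 login=admin result=FAIL
2024-03-05 02:15:10 port=MAINT1 caller=5559876 login=svc result=FAIL
2024-03-05 02:16:02 port=MAINT1 caller=5559876 login=svc result=OK
2024-03-05 14:30:00 port=MAINT1 caller=5551001 login=svc result=OK
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) port=(?P<port>\S+) caller=(?P<caller>\S+) "
    r"login=(?P<login>\S+) result=(?P<result>OK|FAIL)$")

BUSINESS_START, BUSINESS_END = time(8, 0), time(18, 0)   # assumed maintenance window
FAIL_THRESHOLD = 3                                       # failures per caller before alerting

def parse(text):
    """Parse the report into dicts; lines that do not match the format are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            row = m.groupdict()
            row["ts"] = datetime.strptime(row["ts"], "%Y-%m-%d %H:%M:%S")
            rows.append(row)
    return rows

def review(text):
    """Flag out-of-hours port access and callers with repeated failed logins."""
    rows = parse(text)
    alerts = []
    for r in rows:
        if not BUSINESS_START <= r["ts"].time() < BUSINESS_END:
            alerts.append(f"out-of-hours {r['result']} login {r['login']} from {r['caller']} at {r['ts']}")
    fails = Counter(r["caller"] for r in rows if r["result"] == "FAIL")
    for caller, n in fails.items():
        if n >= FAIL_THRESHOLD:
            alerts.append(f"{n} failed logins from caller {caller}; possible password guessing")
    return alerts

if __name__ == "__main__":
    for alert in review(LOG):
        print(alert)
```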