The following security enhancements have been added to Modular Messaging for Release 3.1. These security enhancements apply only to Modular Messaging systems with the Avaya Message Storage Server (MSS).
Role-Based Access Control
Role-Based Access Control (RBAC) gives customers the ability to create administration accounts (logins) on the MSS based on customer-defined roles. Customer-defined roles can be tailored to give each administrator only the access privileges that are needed to perform that administrator's job.
When you set up an administrative role, you specify which web-administration pages the role can access and the access type. The access type can be read and write or read only. The administrative roles you create can have access privileges that are the same as the sa (system administrator) or vm (voice messaging administrator) account, or you can create administrative roles that have different access privileges. The sa account provides access to all customer-accessible system functions. The vm account provides access to all subscriber-management functions.
When an administrative role is created, the role is assigned a role identifier (Role ID). Role identifiers are then used to assign access privileges to administration accounts on the MSS. For customers who use an Authentication, Authorization, and Accounting (AAA) server to authenticate administration accounts on the MSS, accounts that will be authenticated by the AAA server must also be defined on the AAA server.
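The following is an added example, not Avaya's code, that models the role concept described above: each role maps web-administration pages to an access type (read only or read and write), a request is authorized only if the role grants that page with at least the requested access type, and a review function reports grants a role holds but never exercises. The page names, the "helpdesk" role and the usage set are constructed for the example; only the sa role (all pages, read and write) and the two access types come from the text.

```python
"""MSS-style role-based administration model (added example, not Avaya's code).

Assumptions: page names, the "helpdesk" role and the usage data are constructed;
the MSS web interface is not being called here.
"""
from dataclasses import dataclass
from enum import Enum


class Access(Enum):
    READ_ONLY = "read only"
    READ_WRITE = "read and write"


@dataclass(frozen=True)
class Role:
    role_id: str
    pages: dict  # web-administration page name -> Access granted on that page

    def allows(self, page: str, write: bool) -> bool:
        """Deny by default: an unlisted page, or a write against a read-only grant, fails."""
        grant = self.pages.get(page)
        if grant is None:
            return False
        return grant is Access.READ_WRITE or not write


# Constructed page names for illustration only.
ALL_PAGES = ("subscribers", "syslog", "ldap-updates", "roles", "aaa-servers")

ROLES = {
    # sa: all customer-accessible functions, read and write (from the text).
    "sa": Role("sa", {page: Access.READ_WRITE for page in ALL_PAGES}),
    # helpdesk: a tailored role (constructed) that may edit subscribers and view logs.
    "helpdesk": Role("helpdesk", {
        "subscribers": Access.READ_WRITE,
        "syslog": Access.READ_ONLY,
    }),
}


def authorize(role_id: str, page: str, write: bool) -> bool:
    """True if an account holding role_id may perform the request on the page."""
    role = ROLES.get(role_id)
    return role is not None and role.allows(page, write)


def unused_grants(role_id: str, usage: set) -> dict:
    """Least-privilege review for a role.

    usage is a set of (page, write) pairs observed in the administration log for
    accounts holding the role. Returns grants that were never used at the level
    granted, so the role can be narrowed.
    """
    report = {}
    for page, grant in ROLES[role_id].pages.items():
        read_seen = (page, False) in usage
        write_seen = (page, True) in usage
        if not read_seen and not write_seen:
            report[page] = "never accessed"
        elif grant is Access.READ_WRITE and not write_seen:
            report[page] = "read and write granted but only read"
    return report


if __name__ == "__main__":
    print(authorize("helpdesk", "syslog", write=True))   # False: read-only grant
    print(unused_grants("helpdesk", {("syslog", False)}))  # subscribers never accessed
```

Narrowing a role on the basis of the usage report depends on the activity log being complete, which is one reason the logging improvements for this release matter.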
Authentication of MSS logins using an AAA server
An Authentication, Authorization, and Accounting (AAA) server is an optional, customer-provided server that can be used to authenticate the credentials of administrators logging in to the MSS. The MSS can be configured to use one or two Remote Authentication Dial-In User Service (RADIUS), Lightweight Directory Access Protocol (LDAP), or Active Directory AAA servers to authenticate logins. For RADIUS servers, administration accounts on the MSS that will be authenticated by the AAA server must also be defined on the AAA server.
Improved logging of MSS administration activity
Information about administration activity on the MSS is always sent to logs on the MSS server. In addition to logging this information locally, for Release 3.1, the MSS can be configured to send logging information to an external, customer-provided server using the syslog protocol (RFC 3164). Only one syslog server can be administered; however, that server can be configured as a syslog relay server that forwards logging information to multiple syslog servers. Logging information stored on the MSS can be viewed using the web-administration interface.
For Release 3.1, in addition to information that was logged for previous releases, the MSS logs the following information about administration activities:
- User name and role ID of the administrator
- Log ins, log outs, failed log ins, failed LDAP binds (connects), and password expiration warnings
- Identification of the web page or LDAP object that was changed
- Date and time, including time zone, that the change was made
- Whenever web-page data is changed and saved, field values (changed and unchanged) and button pushes are logged
- For LDAP changes, the IP address or fully qualified domain name of the client that made the change
- The requested LDAP operation and result (success or failure)
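As an added example, not Avaya's code, the block below shows what a receiving syslog server can do with the activity described above: it parses RFC 3164 lines (the real header is <PRI>, a timestamp without a year, and a hostname), extracts the logged fields, and flags an administrator account with repeated failed log-ins and any save on the role-administration page. The page does not specify the layout of the MSS message body, so the "mss-admin:" tag, the key=value body, the page name "roles", the year supplied to the parser, and the sample lines are all constructed assumptions.

```python
"""Parse RFC 3164 syslog lines from the MSS and flag suspicious administration
activity (added example, not Avaya's code).

Assumptions: the message body format (tag "mss-admin:" followed by key=value
pairs), the page name "roles" and the sample lines are constructed; RFC 3164
timestamps carry no year, so one is supplied as a parameter.
"""
import re
from collections import defaultdict
from datetime import datetime

HEADER = re.compile(
    r"^<(?P<pri>\d{1,3})>"                              # <PRI> = facility*8 + severity
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "    # Mmm dd hh:mm:ss
    r"(?P<host>\S+) "                                    # hostname
    r"(?P<msg>.*)$"                                      # free-form message body
)
KEY_VALUE = re.compile(r"(\w+)=(\S+)")

# Constructed sample input: one legitimate login, a burst of failures for "bob",
# a single failure for "carol", a role-page change by "alice", and a junk line.
SAMPLE_LINES = [
    "<38>Mar  3 09:14:02 mss1 mss-admin: event=login user=alice role=sa src=192.0.2.10",
    "<38>Mar  3 09:15:10 mss1 mss-admin: event=failed_login user=bob role=helpdesk src=192.0.2.55",
    "<38>Mar  3 09:15:14 mss1 mss-admin: event=failed_login user=bob role=helpdesk src=192.0.2.55",
    "<38>Mar  3 09:15:19 mss1 mss-admin: event=failed_login user=bob role=helpdesk src=192.0.2.55",
    "<38>Mar  3 09:15:40 mss1 mss-admin: event=failed_login user=bob role=helpdesk src=192.0.2.55",
    "<38>Mar  3 09:20:00 mss1 mss-admin: event=failed_login user=carol role=vm src=192.0.2.20",
    "<38>Mar  3 09:21:30 mss1 mss-admin: event=change user=alice role=sa page=roles src=192.0.2.10",
    "this line is not syslog and must be skipped",
]


def parse_line(line: str, year: int = 2008):
    """Return a dict of header fields plus key=value body fields, or None if malformed."""
    match = HEADER.match(line)
    if not match:
        return None
    try:
        when = datetime.strptime(f"{year} {match.group('ts')}", "%Y %b %d %H:%M:%S")
    except ValueError:
        return None
    pri = int(match.group("pri"))
    event = {"facility": pri // 8, "severity": pri % 8, "time": when,
             "host": match.group("host")}
    event.update(KEY_VALUE.findall(match.group("msg")))
    return event


def parse_lines(lines):
    """Parse every line, silently dropping the ones that are not RFC 3164."""
    return [event for event in map(parse_line, lines) if event is not None]


def failed_login_bursts(events, threshold: int = 3, window_seconds: int = 300) -> dict:
    """{user: peak count} for users with >= threshold failed log-ins inside any window."""
    by_user = defaultdict(list)
    for event in events:
        if event.get("event") == "failed_login" and "user" in event:
            by_user[event["user"]].append(event["time"])
    alerts = {}
    for user, times in by_user.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # Slide the window start forward until it fits within window_seconds.
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1
            count = end - start + 1
            if count >= threshold:
                alerts[user] = max(alerts.get(user, 0), count)
    return alerts


def role_page_changes(events):
    """(user, ISO time) for every saved change on the role-administration page."""
    return [(event["user"], event["time"].isoformat())
            for event in events
            if event.get("event") == "change" and event.get("page") == "roles"]


if __name__ == "__main__":
    parsed = parse_lines(SAMPLE_LINES)
    print(failed_login_bursts(parsed))   # {'bob': 4}
    print(role_page_changes(parsed))     # [('alice', '2008-03-03T09:21:30')]
```

Because the MSS accepts only one syslog destination, the relay the text mentions is where this kind of logic would normally run, with the relay also forwarding the unmodified lines to long-term storage.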
LDAP Directory updates using SSL encryption
The Modular Messaging system can receive LDAP directory updates from other Modular Messaging systems or from Message Networking systems. Directory updates enable these systems to share subscriber information, which makes it easier for subscribers on different systems to exchange voice or email messages. In past releases, authentication was required for directory updates, but there was no way to enforce encryption of the content of the directory update (subscriber information). For Release 3.1, Modular Messaging and Message Networking systems can be administered to enforce Secure Sockets Layer (SSL) encryption of incoming directory updates.