Avaya

Modular Messaging Help


Port administration

This section discusses port administration in Modular Messaging systems with Avaya Messaging Application Server (MAS) and Avaya Message Storage Server (MSS).

Messaging Application Server and Message Storage Server

All communication between the MAS and the MSS is carried over a private local area network (LAN). The MAS and the MSS have two Ethernet ports each. One of the two ports is connected to the Layer 2 switch used to create the private LAN.

The private LAN Ethernet ports must be dedicated for communication between the MAS and the MSS. Do not connect other traffic to the Layer 2 switch. All the user logins between the MAS and the MSS on the private LAN are encrypted using a challenge-and-response mechanism. User passwords, encrypted using the 3DES algorithm, are transmitted between the MAS and the MSS on the private LAN using Lightweight Directory Access Protocol (LDAP). The MSS verifies that the LDAP connection originates from the administered IP address only. If you choose to connect another switch, connect the MAS and the MSS to a separate Layer 3 switch over a virtual LAN (VLAN).

Modular Messaging uses the second Ethernet port present on the MAS and the MSS to connect those devices to the customer corporate LAN. The connection provides industry-standard protocols from the MSS such as POP3, IMAP4, and SMTP. The connection also provides administration with a Web browser. The MAS provides Subscriber Options and Voice Mail System Configuration (VMSC) support. The MAS can provide Web Messaging and Web Subscriber Options. However, the Modular Messaging Web Client cannot be installed on the MAS.

Modular Messaging also supports the Secure Sockets Layer (SSL) versions of the POP3, IMAP4, SMTP, HTTP, and LDAP protocols.

Maintenance ports

Avaya provides Secure Services Gateway (SSG) for product maintenance connections between Avaya and Avaya products at customer sites. The SSG connection is TCP/IP based.

Modular Messaging also provides dial-up modem access. Avaya Services personnel use dial-up modem access for troubleshooting and maintenance purposes. Maintenance ports are a prime target for fraud. Hackers use various devices to dial into ports and hack passwords to gain control over the system. They then manipulate system settings to commit fraud or cause other damage to the system. Many security risks arise from incoming callers accessing outgoing facilities. Other endpoints in your system can be dialed as internal calls. The endpoints can also be accessed from voice mail, automated attendant, or remote access. Toll hackers usually target the administration port to gain control over the maintenance and administration capabilities of the system. To enhance the security of your system, you must monitor users entering and leaving the system, and system administration. Consider the following topics when you secure dial-up port access to your system.

Remote Port Security Device

Dial-up ports help improve productivity, but they also provide potential access to hackers. For greater security, consider using the Remote Port Security Device (RPSD). The RPSD offers enhanced protection for dial-up access. The RPSD gives you a single-channel protection system. The single-channel protection helps prevent unauthorized access to the dial-up communications ports on your system.

The RPSD helps to:

  • Protect remote locations that communicate with a central network through dial-up lines

  • Safeguard companies that remotely administer the private branch exchange (PBX) and voice mail systems

  • Ensure that critical network routing information and PBX feature translations are not compromised

  • Control the access to dial-up ports used by remote maintenance or service personnel

You can also perform MSS administration through a Web browser. If a customer uses a Web browser with an external virtual private network (VPN) connection to the corporate internal LAN, you might not need a dial-up connection.

Access Security Gateway

Access Security Gateway (ASG) uses a challenge-and-response mechanism for secured access to dial-up communication ports. The gateway is an optional authentication interface that you can use to secure remote logins to the MSS. For more information about ASG and Avaya Modular Messaging security, see ASG Key User Guide, 585-212-012.

General recommendations

For more information on registered ports, search the Internet Engineering Task Force (IETF) Web site, or the Microsoft TechNet Web site. Some guidelines to help you ensure port security include:

  • Use Class of Restriction (COR) to restrict access to administration ports. If you use personal computer emulation programs to access administration capabilities, do not store the following information:

    • Dial-up numbers

    • Logins

    • Passwords as part of an automatically executed script

  • Use the monitoring tool to check the performance of your system. For more information, see SPM - Port Monitor. You can also generate reports for port statistics, port usage, and port states. Examine system usage and port usage reports regularly. For more information about the various reports that you can generate, see Reporting Tool.

  • To reduce the system vulnerability to toll fraud, restrict the port that the Remote Maintenance Board (RMB) uses to place outbound calls. For example, restrict outbound calls to specific remote maintenance telephone numbers.

  • Evaluate the need for Direct Inward System Access (DISA). If this feature is not vital to your organization, consider not using it or limiting its use. Protect your DISA telephone number and password. Give the telephone number and password only to people who need them. Ensure that the telephone number and password are kept secret.

  • Consider using port scanners for checking any vulnerabilities on your system.
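As an added example (not Avaya's code), the following Python check applies the protocol list from the Messaging Application Server and Message Storage Server section together with the port-scanner recommendation above: it parses a constructed netstat-style listing of a server's listening TCP ports, maps each local address to the private or corporate LAN port, and reports anything outside a per-interface baseline built from the protocols this page names, plus plaintext services whose SSL version is also listening. The port numbers, the baseline, and the sample addresses are assumptions, not values taken from this page.

```python
# Added example, not Avaya's code: audit a Modular Messaging server's listening
# TCP ports against a per-interface baseline built from the protocols this page
# names. Port numbers are the standard defaults (assumed; the page lists none).
import re

# Protocols named on the page, plaintext and SSL variants (assumed default ports).
PLAINTEXT = {"pop3": 110, "imap4": 143, "smtp": 25, "http": 80, "ldap": 389}
SSL = {"pop3s": 995, "imap4s": 993, "smtps": 465, "https": 443, "ldaps": 636}
PORT_NAME = {p: n for n, p in {**PLAINTEXT, **SSL}.items()}
SSL_FOR = {PLAINTEXT[n]: SSL[n + "s"] for n in PLAINTEXT}   # plaintext -> SSL port

# Constructed baseline: the private LAN port carries only MAS<->MSS LDAP; the
# corporate LAN port exposes the user-facing protocols. Adapt to your site.
BASELINE = {"private": {389, 636},
            "corporate": set(PLAINTEXT.values()) | set(SSL.values())}

# Constructed "netstat -tln"-style output; port 23 is in neither baseline.
SAMPLE_NETSTAT = """\
tcp        0      0 192.0.2.10:389     0.0.0.0:*        LISTEN
tcp        0      0 192.0.2.10:23      0.0.0.0:*        LISTEN
tcp        0      0 198.51.100.10:143  0.0.0.0:*        LISTEN
tcp        0      0 198.51.100.10:993  0.0.0.0:*        LISTEN
tcp        0      0 198.51.100.10:443  0.0.0.0:*        LISTEN
"""
IFACE_OF = {"192.0.2.10": "private", "198.51.100.10": "corporate"}  # constructed

LISTEN_RE = re.compile(r"^tcp\s+\S+\s+\S+\s+(\d+(?:\.\d+){3}):(\d+)\s+\S+\s+LISTEN")

def parse_listeners(netstat_text, iface_of):
    """Map each interface role (private/corporate) to the TCP ports listening on it."""
    seen = {}
    for line in netstat_text.splitlines():
        m = LISTEN_RE.match(line.strip())
        if m:
            ip, port = m.group(1), int(m.group(2))
            seen.setdefault(iface_of.get(ip, "unknown:" + ip), set()).add(port)
    return seen

def audit(listeners, baseline=BASELINE):
    """Return (iface, port, issue) tuples for out-of-baseline and plaintext-beside-SSL ports."""
    findings = []
    for iface, ports in sorted(listeners.items()):
        allowed = baseline.get(iface, set())
        for port in sorted(ports):
            if port not in allowed:
                findings.append((iface, port, "not in baseline"))
            elif port in SSL_FOR and SSL_FOR[port] in ports:
                findings.append((iface, port, f"plaintext {PORT_NAME[port]} listening; "
                                              f"{PORT_NAME[SSL_FOR[port]]} is available"))
    return findings
```

Run `audit(parse_listeners(SAMPLE_NETSTAT, IFACE_OF))` to see the two findings for the constructed sample; feed real `netstat -tln` output and your own address map to audit a live system.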
