Avaya

Modular Messaging Help


Modular Messaging and security

The telecommunications industry faces a growing threat of theft of customer services. Securing the telecommunications system and its networked equipment must be the primary concern of an organization. Diligent attention to system management and security can help reduce such risks considerably.

Avaya Modular Messaging is a mission-critical system for your internet messaging and communications network. This document describes how you can use the system administration tools to minimize unauthorized intrusions. It also provides safeguards and measures that you can take to ensure that the Modular Messaging servers operate in a secure manner.


Customer responsibility for system security

No telecommunications system can be entirely free from the risk of unauthorized use. Customers have ultimate control over the configuration and use of the product. They are solely responsible for ensuring the security of their systems.

Customers who administer and use the system can tailor the system to meet their unique needs. Therefore, customers are in the best position to ensure that the system is secure to the fullest extent possible. Customers are responsible for keeping themselves informed of the latest information for configuring their systems to prevent unauthorized use. Customers must regularly implement security patches, hot fixes, and anti-virus updates. System managers and administrators are also responsible for reading all recommendations, installation instructions, and system administration documents provided with the product. This information can help them understand the features that might introduce risk of toll fraud and the steps they must take to reduce that risk.

Avaya does not guarantee that this product is immune from or will prevent unauthorized use of telecommunications services or facilities accessed through or connected to this product. Avaya is not responsible for any damages or charges that result either from unauthorized uses or from incorrect installations of the security patches that are made available periodically. To aid in combating these crimes, Avaya maintains strong relationships with its customers and supports law enforcement officials in apprehending and successfully prosecuting those responsible.

Report suspected security vulnerabilities in Avaya products to Avaya by sending an e-mail message to [email protected]. Reported vulnerabilities are prioritized and investigated. Any corrective actions resulting from the vulnerability investigation are posted at http://support.avaya.com/security. Whether or not immediate support is required, report all toll fraud incidents perpetrated on Avaya services to Avaya Corporate Security at [email protected].

In addition to recording the incident, Avaya Corporate Security is available for consultation on:

  • Product issues

  • Investigation support

  • Law enforcement

  • Education programs

Security information

The following table contains a list of security concerns addressed in this documentation. Click a section title for more information.

Note: Each section applies to the following Avaya Modular Messaging offers unless noted specifically:

  • Messaging Application Server with Avaya Message Storage Server (MAS—MSS)

  • Messaging Application Server with Microsoft Exchange (MAS—Microsoft Exchange)

  • Messaging Application Server with Microsoft Exchange, customer provided equipment (MAS—Microsoft Exchange, customer provided equipment)

 

Section

Description

Security overview

Information about the Modular Messaging system. Describes the major areas in which the customer-premises-based systems are vulnerable. Provides information on the general security measures that can be taken to discourage unauthorized use.

Security enhancements for Release 3.1

The following security enhancements have been added to Modular Messaging for Release 3.1. These security enhancements apply only to Modular Messaging systems with the Avaya Message Storage Server (MSS).

  • Role-Based Access Control
  • Authentication of MSS logins using an Authentication, Authorization, and Accounting (AAA) server
  • Improved logging of MSS administration activity
  • LDAP Directory updates using SSL encryption

System hardening

Information about the system hardening practices followed by Avaya to make the Modular Messaging system less susceptible to unauthorized access. Discusses the tools that you can use to track security holes in the system and actions that you can take to secure them.

Physical security

Information about how to physically secure the hardware components, prevent unauthorized access to the system console and documentation, and run backups and restores.

Telecommunications service thefts

Information about toll fraud. Discusses toll fraud issues, types, and occurrences. It also discusses unauthorized system uses, fraudulent call transfers, and types of private branch exchange (PBX) toll frauds. Provides information on the steps that you can take to prevent and minimize the occurrence of these types of frauds.

Adjuncts

Information about components and features that depend on the Avaya MAS and the Avaya MSS. Discusses preventive measures to limit the risk of unauthorized uses of the system through these adjuncts.

Network security

Information about networking security of the Modular Messaging system, the MAS and the MSS trusted server security, and intrusion detection systems.

Security in the Avaya Messaging Application Server

Information about the MAS features that help reduce fraudulent long-distance charges, unintended disclosure of confidential information, and decreased service of voice servers.

Security in the Avaya Message Storage Server

Information about the MSS security, including Internet Protocol (IP) security, firewall and password protection, internal and external security of the trusted server, and traffic reports. Provides security measures that block calls, disable transfers outside the system, secure message delivery, and secure passwords.

Port administration

Information about the communication between the MAS and the MSS, maintenance ports, and general recommendations on port administration.

Password and mailbox administration

Information about mailbox administration, password standards, password setting and naming conventions, trusted server passwords, subscriber password security, and password administration.

Access mechanisms

Information about ways that you can use Modular Messaging servers, and encrypt and authenticate secure access.

Private branch exchange security

Information about the security measures in the PBX to prevent fraudulent calls and unauthorized access.

Virus, worm, and spam protection

Information about the recommended security measures against viruses and worms.

Security policy

Information about the security policy and the recommended best practices.

Security-related maintenance

Information about the security-related maintenance activities for your system.

References

Information about the Avaya Toll Fraud Web sites and security information on the Internet.

Avaya Statement of Direction

To help customers make the best possible security-related decisions, Avaya commits to the following goals:

  • Avaya products and services offer the widest range of options available in the industry to help customers secure their communications systems in ways consistent with their telecommunications needs.

  • Avaya is committed to developing and offering services that, for a fee, reduce or eliminate customer liability for PBX toll fraud, provided that the customer implements prescribed security requirements in its telecommunications systems.

  • Avaya's product and service literature, marketing information, and contractual documents address, wherever practical, the security features of our offerings and their limitations, and the responsibility our customers have for preventing fraudulent use of their Avaya products and services.

  • Avaya sales and service people are the best informed in the industry on how to help customers manage their systems securely. In ongoing contacts with customers, they provide the latest and the most effective security-related information.

  • Avaya trains its sales, installation and maintenance, and technical support people to focus customers on known toll fraud risks, to describe mechanisms that reduce those risks, to discuss the trade-offs between enhanced security and diminished ease of use and flexibility, and to ensure that customers understand their role in the decision-making process and their corresponding financial responsibility for fraudulent use of their telecommunications system.

  • Avaya provides education programs to keep customers and Avaya employees apprised of emerging technologies, trends, and options in the area of telecommunications fraud.

  • Avaya promptly initiates ways to impede new fraudulent schemes as they are developed, shares our learning with our customers, and works with law enforcement officials to identify and prosecute fraudulent users whenever possible.

  • Avaya intends to meet and exceed customer expectations and to provide services and products that are easy to use and that are of high value. This fundamental principle drives our renewed assault on fraudulent use by third parties of our customers' communications services and products.
