Avaya™ Modular Messaging Help


Access mechanisms

Avaya Modular Messaging supports various access mechanisms, depending on how it is configured. Modular Messaging provides added functionality, including remote administration and desktop client access to mailboxes using Microsoft Outlook or a Web browser, by connecting to the customer's LAN. The system supports standard and SSL versions of IMAP4, POP3, and SMTP client access, each of which can be disabled if required. You can also network Modular Messaging with other Modular Messaging or voice mail systems using Avaya Message Networking on the Avaya S3210 Message Server over the LAN. See Networking for more information on Modular Messaging networking.

If customers want remote LAN administration but want to prevent desktop GUI access, the system can be configured to disable client IMAP4, POP3, and LDAP access (or the same can be achieved through appropriate administration of an external firewall). From a security viewpoint this locks down the system, but at the cost of the functionality and productivity benefits. In addition, the LAN connection is required if customers want to network Modular Messaging with other voice mail systems using Avaya Message Networking with the Avaya S3210 Message Server.

As with most voice mail systems, customers should be aware that messages in user mailboxes are neither stored nor backed up in encrypted form. Therefore, Avaya recommends that customers take precautions to limit physical access to Modular Messaging and its backups.

TUI access

Subscribers can access their mailboxes using the telephone user interface (TUI). For TUI access, Modular Messaging performs an IMAP4 login sequence with the MAS, using the mailbox ID and password provided by the user. Callers are required to specify the correct mailbox number and password. The TUI does not reveal whether the mailbox number specified is valid unless both the correct mailbox number and the correct password are provided.

For enhancing security, administrators should use the following methods:

  • Use a minimum password length (6-15 characters)
  • Ensure that initial passwords do not use easily determined patterns based on the mailbox number
  • Use password aging
  • Force a password change during the user's first login
  • Ensure that checks for trivial passwords are always enabled. For example, users can never set the password to be the same as the mailbox ID.

Note: For Modular Messaging Audix TUI subscribers, administrators can set a password that violates the password setting rules. In such a case, Modular Messaging forces those subscribers to specify a new and valid password when they log on to their mailboxes for the first time.
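The password rules above, as an added example of the checks an administrator could apply on the provisioning side (this is not Avaya code and does not reproduce how Modular Messaging itself validates passwords; the digits-only assumption, the trivial-pattern rules beyond "same as the mailbox ID", the 90-day aging period and the MailboxRecord type are assumptions of this example):

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Length range from the recommendations above; the aging period is an assumption.
MIN_LEN, MAX_LEN = 6, 15
MAX_AGE_DAYS = 90


def is_digit_run(s: str) -> bool:
    """True for strictly ascending or descending runs such as 123456 or 987654."""
    if len(s) < 2 or not s.isdigit():
        return False
    steps = {int(b) - int(a) for a, b in zip(s, s[1:])}
    return steps in ({1}, {-1})


def check_password(mailbox_id: str, candidate: str, history=()) -> list:
    """Return the rule violations for a proposed TUI password; [] means acceptable.

    Only 'same as the mailbox ID' and the 6-15 length range come from the page;
    the other rules are this example's reading of 'easily determined patterns'.
    """
    problems = []
    if not candidate.isdigit():
        problems.append("TUI passwords are keyed on a telephone keypad: digits only")
    if not MIN_LEN <= len(candidate) <= MAX_LEN:
        problems.append(f"length must be {MIN_LEN}-{MAX_LEN} digits")
    if candidate == mailbox_id:
        problems.append("password is the same as the mailbox ID")
    elif candidate == mailbox_id[::-1]:
        problems.append("password is the mailbox ID reversed")
    elif candidate and (candidate in mailbox_id or mailbox_id in candidate):
        problems.append("password overlaps with the mailbox ID")
    if candidate and len(set(candidate)) == 1:
        problems.append("all digits are identical")
    if is_digit_run(candidate):
        problems.append("password is an ascending or descending digit run")
    if candidate in history:
        problems.append("password was used before")
    return problems


@dataclass
class MailboxRecord:
    """Hypothetical provisioning record; not a Modular Messaging data structure."""
    mailbox_id: str
    password_set_at: datetime
    first_login_pending: bool = True  # True until the subscriber replaces the admin-set password


def must_change_password(rec: MailboxRecord, now: datetime) -> bool:
    """Force a new password on first login, and again once the current one has aged out."""
    if rec.first_login_pending:
        return True
    return now - rec.password_set_at > timedelta(days=MAX_AGE_DAYS)


if __name__ == "__main__":
    # Constructed sample: an administrator assigns an initial password equal to the mailbox number.
    box = MailboxRecord("734421", datetime(2024, 1, 1))
    print(check_password(box.mailbox_id, "734421"))        # same as mailbox ID
    print(check_password(box.mailbox_id, "123456"))        # digit run
    print(check_password(box.mailbox_id, "738204"))        # acceptable: []
    print(must_change_password(box, datetime(2024, 1, 2)))  # True: first login pending
```

The checks are returned as a list rather than a single boolean so that a provisioning script can report every violated rule to the administrator at once; the aging check is kept separate because it is evaluated at login time, not when the password is set.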

Client LAN access

E-mail clients

Depending on the configuration, users can access their mailboxes with mail clients such as Microsoft Outlook or Outlook Express that use the standard POP3 and IMAP4 protocols. These clients, as well as the Client Add-in for Microsoft Outlook, access the Modular Messaging MSS over the LAN on its second Ethernet port. These clients also use authenticated SMTP for sending messages and anonymous LDAP for directory access. Modular Messaging also supports SSL versions of the POP3, IMAP4, and SMTP protocols. Users can enable SSL encryption while setting up their Modular Messaging account in standard e-mail clients. Although Outlook with the Avaya plug-in cannot be configured to use SSL versions of these protocols, it uses the CRAM-MD5 authentication mechanism, which does not expose the user's password. Other clients, including Outlook Express, transmit passwords as plain text across the corporate LAN when connecting to the MSS with POP3, IMAP4, or SMTP. For clients connected to Modular Messaging with the S3400 Message Server, the MSS requires SMTP user authentication to verify that the sender of a message is from within the domain. This feature ensures that spammers cannot send messages from the system.

Anyone who is able to observe such packets in transit can gain access to subscriber accounts and steal messages or potentially commit toll fraud. For maximum protection of passwords, follow the recommendations on using SSL encryption, or exclusively use clients that support CRAM-MD5 authentication, such as Outlook with the Avaya plug-ins. Unless SSL connections are used, message content is still transmitted in plain text, even when CRAM-MD5 protects the password. Customers for whom privacy of message content is critical should use only SSL-capable clients.

Modular Messaging also supports STARTTLS for IMAP4, POP3, and SMTP, which upgrades a connection on the standard port to Transport Layer Security (TLS). TLS provides communications privacy over the Internet: it allows applications to communicate in a way that is designed to prevent eavesdropping, tampering, and message forgery. Administrators can enable IMAP4 access on the message server and instruct subscribers to configure their e-mail clients to use STARTTLS, which gives SSL/TLS operation over the standard IMAP4 port. The same applies to SMTP and POP3.
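The difference between plaintext LOGIN, CRAM-MD5 and STARTTLS described in the two sections above, as an added example (this is not Avaya's or Microsoft's code and does not reproduce the Outlook plug-in; it implements the generic RFC 2195 CRAM-MD5 exchange, which is also the SASL mechanism the Message Networking LDAP updates later on this page use, and a client-side preference order using Python's standard imaplib; secure_imap_login with its host, port and user parameters is a hypothetical helper, not a Modular Messaging component):

```python
import hashlib
import hmac
import imaplib
import ssl


def cram_md5_response(username: str, password: str, challenge: str) -> str:
    """Client side of CRAM-MD5 (RFC 2195): reply with HMAC-MD5 keyed by the password
    over the server's challenge. The password itself never leaves the client."""
    digest = hmac.new(password.encode(), challenge.encode(), hashlib.md5).hexdigest()
    return f"{username} {digest}"


def cram_md5_verify(response: str, challenge: str, lookup_secret) -> bool:
    """Server side (generic, not the MSS implementation): recompute the digest from
    the stored secret and compare in constant time. lookup_secret(user) -> secret or None."""
    parts = response.split(" ", 1)
    if len(parts) != 2:
        return False
    username, digest = parts
    secret = lookup_secret(username)
    if secret is None:
        return False
    expected = hmac.new(secret.encode(), challenge.encode(), hashlib.md5).hexdigest()
    return hmac.compare_digest(expected, digest)


def choose_auth(capabilities, tls_active: bool) -> str:
    """Pick the least-exposing login method from an IMAP CAPABILITY list.

    Preference: LOGIN inside an established TLS session; otherwise upgrade with
    STARTTLS first; otherwise CRAM-MD5; never LOGIN over a plaintext socket."""
    caps = {c.upper() for c in capabilities}
    if tls_active:
        return "login"
    if "STARTTLS" in caps:
        return "starttls"
    if "AUTH=CRAM-MD5" in caps:
        return "cram-md5"
    return "refuse"


def secure_imap_login(host: str, user: str, password: str, port: int = 143) -> imaplib.IMAP4:
    """Hypothetical client helper: connect on the standard IMAP4 port and refuse to send
    a plaintext password. imaplib re-reads .capabilities after starttls() succeeds."""
    conn = imaplib.IMAP4(host, port)
    choice = choose_auth(conn.capabilities, tls_active=False)
    if choice == "starttls":
        conn.starttls(ssl.create_default_context())
        choice = choose_auth(conn.capabilities, tls_active=True)
    if choice == "login":
        conn.login(user, password)
    elif choice == "cram-md5":
        conn.login_cram_md5(user, password)
    else:
        conn.logout()
        raise RuntimeError("server offers only plaintext LOGIN; password not sent")
    return conn


if __name__ == "__main__":
    # Constructed values taken from the RFC 2195 worked example, not a Modular Messaging capture.
    challenge = "<1896.697170952@postoffice.reston.mci.net>"
    reply = cram_md5_response("tim", "tanstaaftanstaaf", challenge)
    print(reply)                                    # username and a 32-hex-digit digest
    print("tanstaaftanstaaf" in reply)              # False: the password is not on the wire
    print(cram_md5_verify(reply, challenge, {"tim": "tanstaaftanstaaf"}.get))  # True
    print(choose_auth(("IMAP4REV1", "STARTTLS", "AUTH=CRAM-MD5"), tls_active=False))  # starttls
```

Note what CRAM-MD5 does and does not give you: the reply is a keyed digest of a fresh challenge, so an observer learns neither the password nor a replayable token, but everything after authentication (the messages themselves) still crosses the LAN in the clear, which is why the helper prefers STARTTLS whenever the server advertises it.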

Modular Messaging Web Client

The Avaya Modular Messaging Web Client provides a web-based visual client interface to the messages stored on the Avaya Message Storage Server (MSS). Subscribers can use a web browser to access and manage their messages just as they would from standard e-mail applications. The web server providing the Web Client interface uses the IMAP4, SMTP, and LDAP protocols to access the MSS. It is recommended that system administrators configure the Microsoft Internet Information Server (IIS) on this web server to allow client SSL connections, in which case all communication between the browser and the web server is secured.

Subscriber Options

Avaya also provides the Subscriber Options desktop utility. This program allows client users to self-administer changes to their password and general mailbox options over the LAN. When a password is set with Subscriber Options, the new password is transmitted to the MAS in encrypted form. The MAS decrypts it and re-encrypts it using the Triple Data Encryption Standard (3DES) before sending it to the MSS. The MSS decrypts it and encrypts it again using 3DES with a different key before storing it.

LDAP access

The Modular Messaging MSS provides an LDAP interface that can be used to access directory data. The LDAP server uses simple authentication and allows anonymous access by end users. The LDAP connection is a plain-text (not SSL) connection.

Dial-up modem access

Modular Messaging servers provide dial-up modem access, which is used by Avaya services personnel for troubleshooting and maintenance. An MAS provides a modem for Remote Access Server (RAS) connectivity. These remote access services can be used only by users who have been added to the Avaya services group; these access restrictions are regulated by Avaya. Windows Terminal Services (also known as Remote Desktop Connection) can be used over RAS to perform administrative tasks. The MSS supports Secure Shell (SSH) for remote login and SFTP file transfer over a LAN. All transmissions over this channel are encrypted by SSH.

The MSS also includes an onboard Remote Maintenance Board (RMB) that provides dial-up modem access for Avaya services personnel. Access to this modem is controlled by the Access Security Gateway (ASG), which uses a challenge-and-response mechanism for authentication. Remote services technicians establish an IP connection over the modem (protected by ASG) and then, on that IP connection, use SSH (to gain shell access), HTTPS (to run web forms), or SFTP (for example, to transfer log files). Each of these protocols is encrypted, so even someone "listening" on the modem connection will not pick up anything useful.

ASG reduces the possibility of unauthorized remote access to the MSS. See Adjuncts for more information on ASG. It is strongly recommended that customers invest in security adjuncts, which typically use one-time passcode algorithms; such adjuncts discourage hackers. To reduce the system's vulnerability to toll fraud, outward restrict the port to which the Remote Maintenance Board (RMB) is connected. For more information on the RMB, see Remote Maintenance Board (RMB) CYN23AP and CYN24AP PCI Version Release 1.0 Reference (585-310-263, pdf). This document is available to certified personnel through the Avaya Web site.

You can also set up a Point-to-Point Protocol (PPP) server for remote access to the MSS. The PPP service can be configured to enable remote access for local and remote machines. Administrators must administer PPP logins and passwords for the system. PPP logins are mainly used for maintenance. See the Modular Messaging installation guide (pdf) for more information on how to administer PPP logins.

Maintenance ports are a prime target for fraud. Hackers use various devices to dial into port numbers and crack passwords in order to gain control over administrative commands; they then manipulate system settings to commit fraud or cause other damage to the system. Many security risks arise from allowing incoming callers to access outside facilities. There are other endpoints in your system that can be dialed as internal calls and can be accessed from voice mail, the auto attendant, or remote access. Typically, toll hackers target the administration port to gain control over the maintenance and administration capabilities of the system. To enhance the security of your system, you must monitor access, egress, and system administration.

Message Networking (MN) access

The Avaya Message Networking system is a network integrator that allows the Avaya Modular Messaging system to communicate with other messaging servers using supported industry-standard and Avaya proprietary protocols. Remote systems can send messages from subscribers on their systems to the Modular Messaging system using plain-text, non-authenticated SMTP. Messages transmitted in this manner are subject to "eavesdropping" via LAN sniffing (the message content can include WAV audio files). LAN segments between networked systems must therefore be secured so that unprivileged users cannot intercept packets in transit. Remote nodes can send directory updates via LDAP using a non-standard LDAP port (56389). This LDAP connection is plain text (not SSL) but uses the CRAM-MD5 SASL login mechanism, in which the password is not sent in plain text. These remote directory updates do not include subscriber passwords and therefore do not raise a security concern.

For more information on Message Networking system features and functionality, please see the Message Networking online Help or contact your sales representative.
