The Modular Messaging system is designed to be located securely
within the network and should not be directly connected to the Internet.
Modular Messaging connects to your TCP/IP and telephony networks. You
should leverage the existing network security policy to protect
the system from malicious activities from external and internal
sources. Although protecting information may be a high priority,
protecting the integrity of your network is no less important.
When your network is connected to the Internet, it is exposed to
various types of attacks, including network packet sniffers, IP spoofing,
password attacks, denial-of-service attacks, and application-layer
attacks. A breach of integrity can be extremely dangerous and can
open the doors for continued attacks on your system. Your network,
security and applications teams should work together to plan and
manage security. You should consider the measures described below
for reducing security risks when deploying the Modular Messaging
system into your network:
Internet firewalls
An Internet firewall is a system or a group of systems that enforces
a security barrier between your network and the Internet. The firewall
determines which inside services can be accessed from outside and
which outside services can be accessed by insiders. It is advisable
that you install the Modular Messaging system in a trusted network
behind your corporate firewall. When you set up a firewall server,
identify the type of networks that are attached to the firewall
server. It is also advisable to explicitly identify the untrusted
networks from which the firewall can accept requests. Ensure that
all the traffic to and from the Internet passes through the firewall.
Intrusion detection system (IDS)
An Intrusion Detection System (IDS) can be used for detecting
unauthorized break-ins to your systems. It is advisable to implement
a network-based intrusion detection system as a secondary security
system. Following are some of the reasons for adding an IDS to your
network. An IDS:
- Cross-checks incorrectly configured firewalls
- Detects attacks that firewalls legitimately allow through (such
as attacks against Web servers)
- Detects failed hacking attempts to get into your system
- Detects insider hacking
Trusted server
A trusted server can be a computer or a software application that
is given privileged access to the MSS. It uses its own login and
password to access the MSS services. The MSS verifies that the IP
packets come from the administered IP addresses of the trusted servers.
The first step in securing the system is to make certain that only
trusted systems are working together. An example of a trusted server
for Modular Messaging is Mailbox Manager (MBM). You must administer
the passwords that the trusted server application requests to access
the MSS. Avaya recommends that you change the trusted server passwords
on a regular basis. To understand how to set up a trusted server,
see "Setting up the trusted servers" in the Modular
Messaging installation guide (pdf), which is supplied to you
along with this CD.
MAS and MSS private network security
Each MAS acts as a trusted server for the configuration of MSS
in a given MM system. All communication between the MSS and the
MAS is carried over a private LAN. The system is shipped with a
Layer 2 switch, which creates the Private LAN. One network interface
on each server is connected to the switch. To assure the highest
level of security, ensure that no other traffic is carried on
the switch. In cases where customers need to use their own switches,
Avaya recommends that the MAS and MSS be connected to a separate
Layer 3 switch over a VLAN. This segments traffic by routing only
between these two systems on the Private LAN’s dedicated network
interfaces. Note that the messages in the user mailboxes are neither
stored nor backed up in encrypted form, and they are also not encrypted
in transit by the message retrieval protocols used between the MSS and MAS.
All user logins between the MAS and the MSS on the private LAN
are encrypted using a challenge/response mechanism. User passwords,
encrypted using the 3DES algorithm, are transmitted between the MAS
and the MSS on the private LAN using LDAP. The MSS verifies that
the LDAP connection originates from the administered IP address
only. If you choose to connect another switch, it is recommended
that the MAS and the MSS are connected to a separate Layer 3 switch
over a VLAN. The private LAN between the MSS and the MAS should
be kept private, with only the MAS and the MSS on it, and both
located within close physical proximity.
Modular Messaging uses the second network interface for standard
e-mail client access, typically from user desktops using industry
standard protocols such as POP3, IMAP4, and SMTP over the corporate
LAN. Modular Messaging supports the Secure Socket Layer (SSL) versions
of these protocols. You can set the SSL options in the standard
e-mail account options window. See Avaya
Modular Messaging Client Access to a Subscriber Mailbox,
585-310-790 for more information.
DCOM usage by Modular Messaging
Several components of Modular Messaging that run on the Windows
platform make use of the Microsoft Distributed Component Object
Model (DCOM) for communication among processes. In the Modular Messaging/Message
Storage Server configuration, Subscriber Options, Outlook with
the Avaya plug-ins (for play/record on the phone), and Modular Messaging
Web Client (from the web server, for play/record on the phone) all
use DCOM to an MAS for subscriber-initiated activities. There are
also instances when Modular Messaging uses DCOM to call from administrative
clients to MAS services or from one MAS service to another. If a
firewall that filters IP traffic exists between the DCOM client
and the server, the firewall will block all the traffic between
the client and the server. For more information on this issue refer
to Using
Distributed COM with Firewalls.
Message Storage Server (MSS) access via standard Internet messaging
protocols
Using Email (Internet Messaging) and desktop e-mail clients with
the Avaya S3400 Message Server presents certain security issues.
You can administer client access on your server to minimize some
of these risks.
To administer Internet messaging on the MSS:
Start at the Messaging Administration main
menu and select:
Feature Administration
Internet Messaging
General Options and Settings
You can use the fields on this page to enable or disable access
to the MSS via IMAP/POP/SMTP/LDAP. Select Yes to enable or No
to disable access. For example, if you want to enable MSS access
for the Client Add-in for Microsoft Outlook, you need to select
Yes for the IMAP4, SMTP, and LDAP fields.
The following table lists the various clients (Column 1 on the
left) and the corresponding protocol settings you need to make to
enable access to the respective client. In the table, Yes
means Enable this field to grant access, and No means Disable this
field to block access.
Access to the MSS using*:

When the Client is                                                       | POP3 | POP3 SSL on alt port** | IMAP4 | IMAP4 SSL on alt port** | SMTP | SMTP SSL on alt port** | LDAP
-------------------------------------------------------------------------|------|------------------------|-------|-------------------------|------|------------------------|--------
Client Add-in for Microsoft Outlook, Web Client, Advanced Speech Access  | No   | No                     | Yes   | No                      | Yes  | No                     | Yes
Standard IMAP4 client                                                    | No   | No                     | Yes   | No                      | Yes  | No                     | Yes***
Standard IMAP4 client using SSL IMAP and SSL SMTP                        | No   | No                     | No    | Yes                     | No   | Yes                    | Yes
Standard POP3 client                                                     | Yes  | No                     | No    | No                      | Yes  | No                     | Yes***
Standard POP3 client using SSL POP3 and SSL SMTP                         | No   | Yes                    | No    | No                      | No   | Yes                    | Yes
Networked Modular Messaging or Message Networking system                 | No   | No                     | No    | No                      | Yes  | No                     | No

* You can use the System Administration page on the MSS to specify
the port numbers for all the ports that will be used by the Modular
Messaging system. For example, you can deploy a custom POP3 application
and configure it to use a non-standard POP3 port to access the system.
** You can also run an SSL operation over the "regular" standard
ports using the STARTTLS command. For example, you can enable the
POP3 and SMTP ports and run the STARTTLS command to get an SSL
operation over the standard POP3 port. Administrators will have to
instruct subscribers to configure their e-mail clients to use STARTTLS.
*** LDAP is not necessary for mailbox access. LDAP access is required
only if the client is configured to use the MSS LDAP directory as an
address book.
Privacy settings
Even if you enable the respective ports, clients will not be able
to access the MSS unless you administer privacy settings on the
Modular Messaging servers. You can administer POP3 or IMAP4 access
to the MSS using the Restrict Client Access setting in the Class-of-Service
(COS) assigned to subscribers. To edit this setting:
- Start at the Messaging Administration main
menu and select:
Global Administration
Subscriber Management
Manage Classes-of-Service.
The Manage Classes-of-Service page displays a list of the COS on the
system.
- Select a COS and click Edit the Selected COS.
- In the Restrict Client Access field, select yes or no to indicate
whether subscribers with this class-of-service are prevented
from accessing their mailboxes using standards-based clients.
If the value is yes, subscribers will only be able to access
their mailboxes using Avaya proprietary clients, such as the
Telephone User Interface, Modular Messaging Web Client, and
Avaya Advanced Speech Access, but not the Client Add-in for
Microsoft Outlook. If the value is no, then subscribers will
be able to access their mailboxes from Avaya proprietary clients
as well as other IMAP4 and POP3 clients, including the Client
Add-in for Microsoft Outlook.
The Restrict Client Access control is overridden and client access
is restricted if the Privacy Enforcement Level (PEL) value is set
to Full. The PEL setting is controlled using the Voice Mail System
Configuration (VMSC) program on the Messaging Application Server
(MAS). To view the PEL settings, open the VMSC program on the MAS
and double-click the Messaging item on the VMSC tree. For more information,
refer to the MAS online Help.
See Message privacy for more
information on privacy settings on Modular Messaging.
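As an added example (not part of the Avaya documentation), the following Python models the client-access table above together with the Restrict Client Access and PEL rules from this section, so a planned MSS port configuration can be checked for ports that no intended client needs. The client names and the treatment of the *** LDAP entries as optional are assumptions.

```python
# Added example, not Avaya code: a small model of the MSS client-access table
# and of the COS "Restrict Client Access" / Privacy Enforcement Level (PEL)
# override described above, for checking a planned port configuration.

PROTOCOLS = ("POP3", "POP3_SSL", "IMAP4", "IMAP4_SSL", "SMTP", "SMTP_SSL", "LDAP")

# Settings each client type needs on the MSS, transcribed from the table.
# LDAP marked *** in the table (address book only) is treated as optional.
# Client names are assumed labels, not Avaya identifiers.
REQUIRED = {
    "outlook_addin":   {"IMAP4", "SMTP", "LDAP"},
    "web_client":      {"IMAP4", "SMTP", "LDAP"},
    "imap4":           {"IMAP4", "SMTP"},
    "imap4_ssl":       {"IMAP4_SSL", "SMTP_SSL", "LDAP"},
    "pop3":            {"POP3", "SMTP"},
    "pop3_ssl":        {"POP3_SSL", "SMTP_SSL", "LDAP"},
    "message_network": {"SMTP"},
}
# Clients the COS "Restrict Client Access" flag (and PEL=Full) shuts out.
# Proprietary clients (TUI, Web Client, Advanced Speech Access) stay allowed.
RESTRICTABLE = {"outlook_addin", "imap4", "imap4_ssl", "pop3", "pop3_ssl"}


def minimal_settings(clients):
    """Yes/No value for every field, enabling only what the clients need."""
    needed = set().union(*(REQUIRED[c] for c in clients))
    return {p: ("Yes" if p in needed else "No") for p in PROTOCOLS}


def unneeded(enabled, clients):
    """Enabled protocols that none of the planned clients requires."""
    needed = set().union(*(REQUIRED[c] for c in clients))
    return set(enabled) - needed


def client_can_access(client, enabled, restrict_client_access, pel_is_full):
    """Combine port settings with the COS flag and the PEL override."""
    if not REQUIRED[client] <= set(enabled):
        return False          # a required port is disabled on the MSS
    if client in RESTRICTABLE and (pel_is_full or restrict_client_access):
        return False          # PEL=Full overrides the COS setting
    return True


if __name__ == "__main__":
    print(minimal_settings(["pop3_ssl", "web_client"]))
    print(unneeded({"POP3", "IMAP4_SSL", "SMTP_SSL", "LDAP"}, ["imap4_ssl"]))
```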