1 General
  1.1 Conclusions
2 Glossary and acronyms
3 MD110 Connections to the outside world
4 User plane and control plane
  4.1 User plane
  4.2 Control plane
    4.2.1 I/O ports
    4.2.2 MML ports
    4.2.3 Log-on Procedure
    4.2.4 Authority levels for commands
    4.2.5 Access ports
    4.2.6 MML (non-network) ports on NIU or IPU
    4.2.7 Network port on NIU
    4.2.8 ICU and SIU boards
    4.2.9 Access Agent AAU1
1 GENERAL
The purpose of this document is to answer questions regarding the security aspects of the Ericsson PBX MD110.
Security here means the ability of the system to prevent unauthorized external users from obtaining access to the system.
1.1 CONCLUSIONS
In this document the following conclusions are drawn:
+ It is not possible to access the command system other than via an authorised log-on procedure.
+ It is not possible for a user who has been granted access to the command system to access a network port in MD110.
+ It is not possible to access the command system or a network port via an extension or trunk line interface.
+ It is not possible to access the Access Agent network port from the MD110 command system.
2 GLOSSARY AND ACRONYMS
AAU      Access Agent Unit
D.N.A    Dynamic Network Administration
ICU      Information Computer Unit
I/O      Input/Output
IPU      I/O Processor Unit
ISDN     Integrated Services Digital Network
MML      Man Machine Language
NIU      Network Interface Unit
PPP      Point to Point Protocol
SIU      Serial Interface Unit
TCP/IP   Transmission Control Protocol / Internet Protocol
3 MD110 CONNECTIONS TO THE OUTSIDE WORLD
Like most PBXs, MD110 has a number of connections to the outside world:
+ Analogue or digital trunk lines to the public network.
+ Analogue or digital tie lines to other PBXs.
+ Analogue or digital extension interfaces for the connection of telephones or other terminal equipment.
+ I/O ports for command handling or other interfaces with the communication interface to the system software.
4 USER PLANE AND CONTROL PLANE
MD110 is a PBX in which the user plane is separated from the control plane. All communication between the user plane and the control plane is made by defined messages.
+ The user plane consists of all trunk lines, extension lines and switching equipment.
+ The control plane consists of system software with command handling via MML-ports.
The figure below shows the existing interfaces and how they are interconnected.
4.1 USER PLANE
As mentioned above, MD110 is a PBX where the user plane is separated from the control plane.
The system software can, by defined messages, add, delete or print data that is used by the user plane. Some limited data can be changed in the user plane by the users, e.g. follow me, diversion or individual abbreviated numbers.
+ A user in the user plane cannot change data in the control plane, apart from the exceptions mentioned above.
+ A user in the user plane cannot access the I/O ports in the control plane.
+ A user in the user plane cannot access TCP/IP functionality.
For ISDN-connections, the D-channel is terminated on the trunk board. No D-channel service (like ISDN X.25, or similar) is implemented to connect any service to the control plane. Consequently, it is not possible to access the command structure via an incoming trunk or other ISDN terminal.
4.2 CONTROL PLANE
4.2.1 I/O ports
MD110 can have a number of terminals connected that can communicate with the system software.
+ MML ports for system configuration.
+ Other ports used for input or output of data such as call logging equipment.
4.2.2 MML ports
MD110 can have multiple MML ports which are used to configure the system locally or remotely. MML ports can be either a V.24 port or an Ethernet port. Both types of ports can be used as network ports using the TCP/IP protocol suite.
4.2.3 Log-on Procedure
From BC10, MML-ports based on the NIU-board require that the user have a valid user account. The account database can accommodate a maximum of 64 user accounts.
In order to log on to the MD110 command system, the user must enter a user ID and personal password.
Each user account can be associated with a maximum authority level, thus preventing users with lower authority levels from accessing sensitive commands.
Each MML-port can be programmed for a maximum authority level. This means that a user logging on to a "restricted" port will not be able to access commands that have an authority level that is higher than that assigned to the port, even if the user account has a higher authority level.
Please note that log-on functionality with user accounts is not valid for old IPU-boards. IPU-boards only require one of 8 system passwords. IPU-boards should therefore not be used as I/O ports for high security installations.
4.2.4 Authority levels for commands
Each MML-command in MD110 can be assigned one of 8 (0-7) authority levels. This means that a user must have at least this authority level to be able to use the MML-command. This enables different user groups to be defined with different user rights. Users assigned a specific authority level have access to all commands with this level or lower. This means that a user with the highest authority level (7) will have access to all system commands and can be considered a superuser. A level 7 user also has access to local commands on the NIU-board and the IPU-board. It is therefore important that the highest level (7) in high security installations is limited to a few users with administrative responsibility.
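The authority rules of 4.2.3 and 4.2.4 can be modelled and used to audit a planned configuration. The following is an added example, not part of the original document and not Ericsson code; the account names, port names, data structures and the limit of three level-7 accounts (standing in for "a few users") are assumptions constructed for illustration.

```python
from dataclasses import dataclass

MAX_LEVEL = 7      # commands and accounts use authority levels 0-7 (from the text)
MAX_ACCOUNTS = 64  # size limit of the account database (from the text)

@dataclass(frozen=True)
class Port:
    name: str       # constructed label, not an MD110 identifier
    board: str      # "NIU" (user accounts) or "IPU" (system password only)
    max_level: int  # maximum authority level programmed on the port

def effective_level(account_level: int, port: Port) -> int:
    """Level a logged-on session gets: the lower of account and port maximum."""
    if port.board != "NIU":
        raise ValueError("user-account log-on applies to NIU-based MML ports only")
    return min(account_level, port.max_level)

def may_run(command_level: int, account_level: int, port: Port) -> bool:
    """A command is allowed when its level does not exceed the session level."""
    return command_level <= effective_level(account_level, port)

def audit(accounts: dict, ports: list, max_level7: int = 3) -> list:
    """Findings for a high-security installation; max_level7 is an assumed limit."""
    findings = []
    if len(accounts) > MAX_ACCOUNTS:
        findings.append(f"{len(accounts)} accounts exceed the limit of {MAX_ACCOUNTS}")
    for user, level in sorted(accounts.items()):
        if not 0 <= level <= MAX_LEVEL:
            findings.append(f"{user}: authority level {level} is outside 0-{MAX_LEVEL}")
    level7 = sorted(u for u, lvl in accounts.items() if lvl == MAX_LEVEL)
    if len(level7) > max_level7:
        findings.append(f"{len(level7)} level-7 accounts: {', '.join(level7)}")
    for port in ports:
        if port.board == "IPU":
            findings.append(f"{port.name}: IPU board, system password only")
    return findings

# Constructed sample configuration.
ACCOUNTS = {"adm1": 7, "adm2": 7, "adm3": 7, "adm4": 7, "oper1": 3, "log1": 1}
LOCAL = Port("niu-local", "NIU", 7)
REMOTE = Port("niu-remote", "NIU", 3)
PORTS = [LOCAL, REMOTE, Port("ipu-legacy", "IPU", 7)]

if __name__ == "__main__":
    print(may_run(5, ACCOUNTS["adm1"], REMOTE))  # level-7 account on a level-3 port
    for finding in audit(ACCOUNTS, PORTS):
        print(finding)
```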
4.2.5 Access ports
The MML ports can only be used for sending MML commands to the control plane. It is not possible to echo commands on one V.24 port to another V.24 port.
4.2.6 MML (non-network) ports on NIU or IPU
A V.24 port defined as an MML-port is used to change and print telephone application data. An MML port cannot access TCP/IP features.
4.2.7 Network port on NIU
In BC10 it is possible to set up the NIU board as a network port. This allows the system to be accessed via Telnet on an Ethernet port or modem connected to a V.24 PPP (network) port. A network terminal can set up a Telnet connection to MD110 for MML commands. As there is no routing functionality on the NIU board it is not possible, for example, to access the Ethernet port from the PPP port.
4.2.8 ICU and SIU boards
The ICU, ICU2 and SIU boards used in releases up to BC9 have V.24 ports which are used to interface special equipment such as intercept computers or call information-logging equipment. V.24 ports on these boards cannot access the command system and have no network interface.
4.2.9 Access Agent AAU1
The Access Agent Unit AAU1 has both non-network ports and network ports. The connection to MD110 is via a V.24 port. In MD110 this V.24 port can only be configured as an MML (non-network) port. In contrast to the NIU board the AAU1 has limited routing functionality. This is limited to routing between different TCP/IP interfaces, the Ethernet, Token ring and PPP (TCP/IP via modem). Thus the MML port has no access to the TCP/IP features. A remote user must first log-on to the AAU1 and then log-on to MD110. The AAU also has an account database with personal user IDs and passwords. A maximum of 255 users can be defined. Please note that if the Agent board is connected to a V.24 port on an IPU board in MD110, only a system password is required to obtain access from the agent board to MD110.