IP PBX Remote Access

Both the S8300 Media Server and G350 Media Gateway had telnet enabled by default. Telnet, which allows direct access to the Linux operating system, is a nonsecure protocol used for remote access. Use of telnet is not recommended, because it does not require strong authentication and its communications (including username/password transfer) are in the clear.

We verified that telnet was active by remotely logging in to both the S8300 Media Server and G350 Media Gateway. The username and password used for the S8300 Media Server were

• User ID   craft

• Password   crftpw

And the username and password for the G350 Media Gateway were

• User ID   root

• Password   root

Both the S8300 Media Server and the G350 Media Gateway allow web-based access. The S8300 allows access on both ports 80 and 443. We verified this by logging in with the following username and password (same as the previous username and password for telnet):

• User ID   craft

• Password   crftpw

When accessing the G350 Media Gateway embedded web application, you are prompted for an SNMPv1 authorization or SNMPv3 authorization. Select the SNMPv1 radio button. The community string is public .

Countermeasurs Remote Access Countermeasures

There are several countermeasures you can employ to better secure IP PBX remote access. These are covered next .

Disable Unnecessary Ports

As discussed in Chapters 2 and 3, it's a good idea to disable as many default services as possible on your VoIP devices to avoid giving away too much information about your infrastructure. You can't do this directly on Avaya Communication Manager IP PBXs or IP phones, but you can use their management system to control some ports.

The Avaya management system allows the administrator to control which ports are open and, in some cases, which ports are internally "firewalled." The screens where you can access these controls are shown earlier in the chapter in Figures 8-14 and 8-15. As discussed previously, nonsecure services such as telnet should be disabled, if possible.

Both the media server and media gateway allow telnet to be blocked and/or disabled. In Communication Manager 4,0, due out in Spring 2007, telnet is disabled by default. The Avaya documentation recommends using SSH as opposed to telnet.

Default Passwords

The default passwords discussed in reference to telnet should not exist in a properly configured production system. When a valid production license and password file are loaded, these passwords should be replaced . Avaya recommends installation instructions that allow a technician to change these passwords. Future versions of the software will prompt the technicians for a new password during installation.