MA4000 Management System

Security Guidelines
15.0

NEC Corporation
March 2018
Revision 23

Liability Disclaimer
NEC Corporation reserves the right to change the specifications, functions, or features, at any time,
without notice.

NEC Corporation has prepared this document for the exclusive use of its employees and customers. The
information contained herein is the property of NEC Corporation and shall not be reproduced without prior
written approval from NEC Corporation.

© 2018 NEC Corporation

Microsoft®, Windows® and SQL Server® are registered trademarks of Microsoft Corporation. GOOGLE®
is a trademark of Google Inc.

All other brand or product names are or may be trademarks or registered trademarks of, and are used to
identify products or services of, their respective owners.

MA4000 Management System Security Guidelines Revision 23



Table of Contents

Liability Disclaimer
Table of Contents
Figures
Tables
Introduction
  Using this Guide
  Service Conditions
  How This Guide is Organized
Securing the Network
  Firewall Overview
  Firewall Configuration
  Windows Services
Securing the Operating System
  Server Administration
  Internet Information Server (IIS)
  Virus Detection
  Intrusion Detection
Securing the Database
  Installation and Settings
  SQL Database Scripts
  Transparent Data Encryption (TDE)
  Backup and Recovery
Securing the Application
  NEC Centralized Authentication Service (NEC CAS)
  MA4000 Management System
  Call Audit
  Internet Explorer
Securing the IP-PBX
  SSH Port Forwarding
  IMAT Command Proxy
  Authorization Codes
  IP-PBX Backup
Reporting Issues

Figures
Figure 2-1 Firewall Protection
Figure 6-1 SSH Encryption Between MA4000 and IP-PBX
Figure 6-2 IP-PBX Configuration
Figure 6-3 TCP/IP Settings - PBX
Figure 6-4 MA4000 - External Application Configuration

Tables
Table 2-1 Configuring Firewall Port Restrictions
1
Introduction
In this document, unless otherwise stated, “MA4000” refers to MA4000
Management System application.

MA4000 is a web-based product designed to configure and manage communications systems using a
unified methodology.
It uses additional supporting applications to provide additional features allowing an IT administrator to
integrate the NEC Enterprise Communications system into the corporate business environment.
Installing the MA4000 Management System requires detailed planning, collaboration, and oversight from
key technology stakeholders.
Security is a primary concern with all web-based applications. The lack of strong security policies, out-of-
date anti-virus protection, or obsolete software can place your data at risk. NEC is aware of this risk and
strives to ship its products with the latest Operating Systems, Service Packs, and Critical Updates.
NEC promotes a secure solution which involves a layered approach. This includes the use of a firewall, a
secure database, and other readily available security practices, in conjunction with your current security
framework.
Customers should follow best practices as they relate to their business objectives and specific business
environment.
This guide contains recommendations to secure the MA4000 Management System. These
recommendations are offered for your convenience and should be tested thoroughly prior to deployment
or integration with your IT systems.

Using this Guide


The target audience for this guide is an IT Administrator. Before you apply a recommendation from this
guide, NEC recommends that you understand the high-level concepts and methods required to apply it.
This guide does not include step-by-step instructions for any Windows application. Each step-by-step
instruction in this guide relates to the MA4000 Management System.
Refer to your Microsoft Users Guide to locate Windows Operating System procedures.

Service Conditions
• Do not implement recommendations in this guide before testing in a test environment.
• As it is the responsibility of the customer to secure their NEC (or third-party) applications, always
  apply the latest Service Packs, Patches, and Critical Updates to your Operating System to maintain
  system-wide security.
• This document does not replace a well-structured security policy. Consult your System or Network
  Administrator before adopting NEC’s security recommendations.
• This guide does not address site-specific configuration issues.

How This Guide is Organized

Chapter 1, Introduction: This chapter outlines important information and includes detailed
information on how to use this guide.

Chapter 2, Securing the Network: This chapter provides recommendations for increasing the security of a
network used for MA4000.

Chapter 3, Securing the Operating System: This chapter provides recommendations for increasing the
security of an operating system running MA4000.

Chapter 4, Securing the Database: This chapter provides recommendations for increasing the security of an
SQL Server hosting a MA4000 database.

Chapter 5, Securing the Application: This chapter provides recommendations for increasing the security of
NEC CAS and MA4000.

Chapter 6, Securing the IP-PBX: This chapter provides recommendations for increasing the security
between MA4000 and the IP-PBXs it manages.

Chapter 7, Reporting Issues: This chapter lists the information that should be gathered and provided
when reporting all issues encountered to NEC or one of its authorized dealers or partners.

2
Securing the Network
A secure network environment is a critical security component. To protect a web server on the network
from unauthorized modification, destruction, or disclosure, develop network security policies to safeguard
data and equipment.
This chapter provides recommended security practices to create and enforce a secure network
environment.

Firewall Overview
A firewall is a combination of hardware and software that monitors and controls incoming and outgoing
network traffic. Potential intruders scan computers from the Internet or within the Local Area Network
(LAN), probing for an open port where they can break through and access a server.
To achieve the best results, place a firewall between the Internet and the MA4000 Web Server. See Figure
2-1.

Figure 2-1 Firewall Protection

Enable the Microsoft Windows firewall when a third-party firewall (hardware / software) is not in place.

To increase security, configure the firewall to allow specific types of traffic into and out of the internal
network. An external firewall is recommended for your MA4000 Web Server.

Firewall Configuration
Grant access to a specific set of subnets when the MA4000 Web Server and the NEC IP-PBX device(s) are
located on different subnets.
• Grant access to protocols used by MA4000.
• Enable MAC Address filtering.
• Limit access to the MA4000 Web Server to a specific set of authorized IP Addresses.
• Allow all "established" TCP packets so that responses reach their destination.
Please refer to Table 2-1 when configuring port restrictions on your firewall(s). It contains a list of default
TCP and UDP ports that are used by MA4000 and the devices it is designed to function with.

Table 2-1 Configuring Firewall Port Restrictions

| Connection Endpoint | Default Port | Type | Use | IP Version |
|---|---|---|---|---|
| Client PCs To MA4000 | 23 | TCP | Telnet Client to Command Line Interface (TELNET) (Note 1) | IPv4 |
| Client PCs To MA4000 | 80 | TCP | Web Browser to MA4000 (HTTP) | IPv4/IPv6 |
| Client PCs To MA4000 | 443 | TCP | Web Browser to MA4000 (HTTPS) | IPv4/IPv6 |
| MA4000 To LMC | 49300 | TCP | License Management | IPv4 |
| Registered Applications To MA4000 | 80 | TCP | 3rd Party Integration Registration Web Services to MA4000 (HTTP) | IPv4/IPv6 |
| Registered Applications To MA4000 | 443 | TCP | 3rd Party Integration Registration Web Services to MA4000 (HTTPS) | IPv4/IPv6 |
| External Applications To MA4000 | 19116 | TCP | Business Integration Web Service | IPv4 |
| External Applications To MA4000 | 19117 | TCP | Business Integration Web Service | IPv4 |
| External Applications To MA4000 | 19119 | TCP | Business Integration Web Service | IPv4 |
| External Applications To MA4000 | 60030 | TCP | Authorization Codes (OAI) | IPv4 |
| IP-PBX To MA4000 | 162 | UDP | Alarm Notifications and System Messages (SNMP) | IPv4 |
| IP-PBX To MA4000 | 20 | TCP | IP-PBX Backup (FTP Data) (Note 5) | IPv4 |
| MA4000 To IP-PBX | 20 | TCP | IP-PBX Restore (FTP Data) (Note 5) | IPv4 |
| MA4000 To IP-PBX | 21 | TCP | IP-PBX Backup & Restore (FTP Control) (Note 5) | IPv4 |
| MA4000 To IP-PBX | 22 | TCP | IP-PBX Backup & Restore (SFTP) (Note 5) | IPv4/IPv6 |
| MA4000 To IP-PBX | 23 | TCP | IP-PBX Management (O&M Interface) *EU-Only* | IPv4 |
| MA4000 To IP-PBX | 60000 | TCP | IP-PBX Management (IMAT Interface) | IPv4/IPv6 (Note 4) |
| MA4000 To IP-PBX | 443 | TCP | IP-PBX Management (3C Interface) *EU-Only* | IPv4 |
| MA4000 To IP-PBX | 60030 | TCP | Authorization Codes (PBX Internal OAI) | IPv4 |
| MA4000 To IP-PBX | 1024 ~ 1039 | TCP | Authorization Codes (PBX External OAI) | IPv4 |
| MA4000 To IP-PBX | 60010 | TCP | Call Audit SMDR Collector | IPv4 |
| MA4000 To SV8100 Connector | 8020 | TCP | IP-PBX Management (SV8100 Connector Interface) | IPv4 |
| SV8100 Connector To IP-PBX | 8000 | TCP | NEC SV8100 Connector Service to SV8100 | IPv4 |
| MA4000 To SSH Proxy | 22 | TCP | IP-PBX SSH Proxy Interface | IPv4 |
| PCPro To MA4000 | (Note 2) | TCP | IP-PBX Management (IMAT Proxy Interface) | IPv4 |
| MA4000 To Voice Mail | 2005 | TCP | Voice Mail System Management (UM8000/UM4730) | IPv4 |
| MA4000 To Voice Mail | 18276 | TCP | Voice Mail System Management (AVST CallXpress) | IPv4 |
| MA4000 To Voice Mail | 5321 | TCP | Voice Mail System Management (AVST CallXpress) | IPv4 |
| MA4000 To Database Server | (Note 3) | TCP | Database Access | IPv4 |
| MA4000 To Directory Server | 389 | TCP | Directory Source Server Management | IPv4 |
| MA4000 To Directory Server | 636 | TCP | Directory Source Server Management | IPv4 |
| MA4000 To Email Server | 25 | TCP | Alarm Notifications & Reports to Email (SMTP) | IPv4 |

Note 1 Telnet is insecure by nature. Only allow this port if MA4000 Command Line Interface access is
required from outside the firewall.
Note 2 The IMAT Interface listens on a unique TCP port for each IP-PBX which can be defined in the IP-PBX
Configuration page of each IP-PBX within MA4000. See IMAT Command Proxy for details.
Note 3 For information about configuring a firewall to allow SQL Server access, please refer to
http://msdn.microsoft.com/en-us/library/cc646023.aspx.
Note 4 IPv6 is available for IP-PBX Management (IMAT Interface) only for SV8500 S05 or higher and
SV9500.
Note 5 FTP is only used for IP-PBX Backup and Restore tasks on SV8500 S1 through S5. SFTP is used for
IP-PBX Backup and Restore tasks on SV8500 S06 or higher and SV9500 IP-PBXs. All FTP and
SFTP communication is directed at the LAN1 IP address of the IP-PBX.
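
Added example, not part of the NEC guide: a PowerShell script that turns the inbound-to-MA4000 rows of Table 2-1 (HTTPS, Business Integration, Authorization Codes, SNMP) into Windows Firewall allow rules limited to authorized source addresses, with HTTP and Telnet left closed unless explicitly requested. The address ranges, the rule group name and the switch names are constructed placeholders; run it with -WhatIf first to preview the changes.

```powershell
#Requires -RunAsAdministrator
# Added example; not NEC-supplied. Addresses and names below are placeholders.
[CmdletBinding(SupportsShouldProcess)]
param(
    # Constructed documentation ranges (RFC 5737); replace with the site's real values.
    [string[]] $ClientSubnets = @('192.0.2.0/24'),    # manager / browser PCs
    [string[]] $AppServers    = @('198.51.100.10'),   # registered and external applications
    [string[]] $PbxAddresses  = @('203.0.113.20'),    # IP-PBX addresses
    [switch]   $AllowHttp,     # port 80; leave off when clients use HTTPS only
    [switch]   $AllowTelnet    # port 23; Note 1: only if CLI access is required
)

# Hypothetical group name, used to find and replace these rules on a re-run.
$Group = 'MA4000 inbound (Table 2-1)'

# One entry per inbound-to-MA4000 row of Table 2-1 covered by this example.
$Rules = @(
    @{ Name = 'HTTPS';                    Protocol = 'TCP'; Port = 443
       From = $ClientSubnets + $AppServers }
    @{ Name = 'Business Integration';     Protocol = 'TCP'; Port = 19116, 19117, 19119
       From = $AppServers }
    @{ Name = 'Authorization Codes OAI';  Protocol = 'TCP'; Port = 60030
       From = $AppServers }
    @{ Name = 'SNMP from IP-PBX';         Protocol = 'UDP'; Port = 162
       From = $PbxAddresses }
)
if ($AllowHttp) {
    $Rules += @{ Name = 'HTTP';   Protocol = 'TCP'; Port = 80
                 From = $ClientSubnets + $AppServers }
}
if ($AllowTelnet) {
    $Rules += @{ Name = 'Telnet CLI'; Protocol = 'TCP'; Port = 23
                 From = $ClientSubnets }
}

# Windows Firewall on for every profile; inbound traffic is dropped unless a rule allows it.
Set-NetFirewallProfile -All -Enabled True -DefaultInboundAction Block -WhatIf:$WhatIfPreference

# Remove the previous rule set so a re-run does not stack duplicates.
Get-NetFirewallRule -Group $Group -ErrorAction SilentlyContinue |
    Remove-NetFirewallRule -WhatIf:$WhatIfPreference

foreach ($r in $Rules) {
    New-NetFirewallRule -DisplayName "MA4000 $($r.Name)" -Group $Group `
        -Direction Inbound -Action Allow -Protocol $r.Protocol `
        -LocalPort $r.Port -RemoteAddress $r.From `
        -WhatIf:$WhatIfPreference | Out-Null
}

# Report the resulting rules so they can be compared against Table 2-1.
Get-NetFirewallRule -Group $Group -ErrorAction SilentlyContinue | ForEach-Object {
    $port = $_ | Get-NetFirewallPortFilter
    $addr = $_ | Get-NetFirewallAddressFilter
    [pscustomobject]@{
        Rule          = $_.DisplayName
        Protocol      = $port.Protocol
        LocalPort     = $port.LocalPort -join ','
        RemoteAddress = $addr.RemoteAddress -join ','
    }
}
```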

Windows Services

Isolation of Services
Disable any unnecessary Windows Services on the MA4000 server such as WINS and DHCP.

Disable NetBIOS
Network Basic Input/Output System (NetBIOS) provides a set of uniform commands from the low-level
services. Applications installed on a server use these low-level services to manage the services between
nodes on a network.
Windows Operating Systems have a known security issue which allows a hacker to find the server’s IP
address or computer name over a network. By disabling NetBIOS, a hacker is prevented from obtaining
network information.
Be sure to disable NetBIOS after the MA4000 installation is complete. Only a Network or System
Administrator should disable NetBIOS.

3
Securing the Operating System
This chapter provides recommendations to secure Windows operating systems.

For more information on Securing the Operating System, go to http://www.microsoft.com.
Keywords: Patch, Patch Management, Security, Securing the Web Server.

Server Administration
Follow the recommendations below to ensure your operating system is secure. NEC recommends the
following basic server administration policies.

General
• Enable the Automatic Updates service to receive Critical Update and Security Patch notices
• Download and apply all Critical Updates for your server's operating system before you install
  MA4000
• Disable/Restrict remote access through Terminal Services and/or Remote Desktop
• Do not install MA4000 on a server used as a Domain Controller.
• Do not install Microsoft SQL Server on a Domain Controller.

User Accounts & Policies


• Disable the Windows guest user account
• Rename and/or remove privileges from the default administrator account
• Remove all unnecessary permissions from the IUSR_machinename account
• Remove/modify user descriptions which refer to their account privileges
• Enforce policies to limit administrative access to two accounts
• Disable/remove unused Windows user accounts
• Create all Windows accounts with the lowest possible privileges

Internet Information Server (IIS)


IIS is a web site server application which is a potential target for hackers monitoring your server.
• Purchase a Certificate of Trust for your NEC CAS and MA4000 server(s)
• Enable Directory Security

For more information on IIS, go to http://www.microsoft.com.
Keywords: How to setup HTTPS on a Web Server, Securing your Web Server.

Virus Detection
Maintaining a secure environment means scanning for viruses regularly. Most anti-virus software allows
you to automatically download anti-virus software updates and schedule scans at preset intervals.
It is recommended to scan your systems nightly to reduce the chance of infection.

For more information on virus detection, go to http://www.microsoft.com.
Keywords: Anti-virus Defense.

Intrusion Detection
Intrusion detection software actively analyzes packets looking for vulnerabilities on your network.
To increase network security, closely monitor your network and use intrusion detection software.

For more information on intrusion detection, go to http://www.microsoft.com.
Keywords: Intrusion Detection Logging.

4
Securing the Database
The database is a vital component of the MA4000 Management System and to your organization. Sensitive
data related to users, phones, and hardware is stored in a database. A hacker can use this data to launch
a malicious attack against your organization.
Any database server that is not kept up-to-date with the latest security patches and critical updates can
become infected with a worm.
A worm attacks vulnerabilities in database applications, which can cripple your network and render your
hardware useless. To avoid this type of attack, check nightly for software updates and enforce strong
passwords for all system administrator accounts.

For more information on database security, go to http://www.microsoft.com.
Keywords: SQL Server Security, Database Security.

Installation and Settings

System Administrator (sa) Passwords


System Administrator (sa) passwords are the first line of defense against hackers and malicious software.
Hackers can access free programs designed to guess an sa password. The program generates test
passwords using a combination of common words and numbers to gain access to the server.
Complex passwords are much more secure. Never, under any circumstances, use a blank sa password.
A strong password is defined as a password containing six or more characters, including at least one
number or one special character.

Post Installation
The following post installation procedures are recommended:
• Immediately after the database instance is installed, download and install the latest security
  patches and critical updates.
• Test security patches internally to understand the impact to your IT Systems.

SQL Database Scripts


During the NEC CAS and MA4000 Manager installations, SQL scripts execute to configure their databases.
Some scripts contain login information, which could be used for a malicious internal attack.
The SQL scripts are stored in folders which remain on the server. It is recommended that you delete these
folders after you create a backup copy.
To delete SQL scripts, complete the following steps:

1. Click My Computer > C: > Program Files (x86) > NEC > Agile > Setup > Src > Data.
2. Back up the numeric folders (for example, 1.0, 1.1, and 2.0) to a secure location for disaster recovery,
   and delete the originals.
3. Click My Computer > C: > Program Files (x86) > NEC > NECCAS > Setup > src > Data.
4. Back up the numeric folders (for example, 1.0, 1.1, and 2.0) to a secure location for disaster recovery,
   and delete the originals.

As you install updates, you must delete the folders created as a result of any
database updates.
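
Added example, not part of the NEC guide: a PowerShell script that carries out the backup-then-delete procedure above for both Data folders, and deletes a numeric folder only after confirming that its archive holds every file. The -BackupRoot parameter and the archive naming are assumptions; the two source paths are the ones given in the steps.

```powershell
# Added example; not NEC-supplied. Run elevated, and preview with -WhatIf first.
[CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
param(
    # Assumption: a secure location off the MA4000 server, such as an access-controlled share.
    [Parameter(Mandatory)] [string] $BackupRoot
)

Add-Type -AssemblyName System.IO.Compression.FileSystem

if (-not (Test-Path -LiteralPath $BackupRoot -PathType Container)) {
    throw "Backup location not found: $BackupRoot"
}

# The two installer Data folders named in the procedure.
$DataDirs = [ordered]@{
    Agile  = 'C:\Program Files (x86)\NEC\Agile\Setup\Src\Data'
    NECCAS = 'C:\Program Files (x86)\NEC\NECCAS\Setup\src\Data'
}

foreach ($label in $DataDirs.Keys) {
    $dir = $DataDirs[$label]
    if (-not (Test-Path -LiteralPath $dir)) { Write-Warning "Not found: $dir"; continue }

    # Only version-numbered folders (1.0, 1.1, 2.0, ...) are handled; anything else is left alone.
    $folders = Get-ChildItem -LiteralPath $dir -Directory |
        Where-Object Name -Match '^\d+(\.\d+)*$'

    foreach ($f in $folders) {
        $zip = Join-Path $BackupRoot ('{0}-sqlscripts-{1}-{2:yyyyMMddHHmmss}.zip' -f $label, $f.Name, (Get-Date))
        if (-not $PSCmdlet.ShouldProcess($f.FullName, "archive to $zip, then delete")) { continue }

        Compress-Archive -LiteralPath $f.FullName -DestinationPath $zip -ErrorAction Stop

        # Count file entries in the archive (directory entries have an empty Name).
        $archive = [System.IO.Compression.ZipFile]::OpenRead($zip)
        try     { $zipped = @($archive.Entries | Where-Object { $_.Name }).Count }
        finally { $archive.Dispose() }

        # -Force includes hidden files, so a file the archive missed blocks the delete.
        $onDisk = @(Get-ChildItem -LiteralPath $f.FullName -Recurse -File -Force).Count
        if ($zipped -ne $onDisk) {
            Write-Error "Archive has $zipped files, folder has $onDisk; keeping $($f.FullName)"
            continue
        }

        Remove-Item -LiteralPath $f.FullName -Recurse -Force

        # Record the archive hash so the backup copy can be verified later.
        [pscustomobject]@{
            Source  = $f.FullName
            Archive = $zip
            Files   = $zipped
            SHA256  = (Get-FileHash -LiteralPath $zip -Algorithm SHA256).Hash
        }
    }
}
```

Because installing updates recreates these folders, the same script can be re-run after each update.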

Transparent Data Encryption (TDE)


To maintain the security of the MA4000 database backup files and the data files stored on the database
server, NEC recommends the use of the Transparent Data Encryption (TDE) feature if it is supported by
your edition of Microsoft SQL Server. TDE is not available in the Express or Standard editions.
With TDE enabled, MA4000 information is encrypted before it is written to disk and decrypted when read
into memory for retrieval. Enabling TDE does not significantly affect the size or read/write performance of
the MA4000 database.
The following T-SQL is an example of how to enable TDE for an MA4000 database. Be sure to replace the
passwords shown below with a unique and strong value. For further guidance, please refer to Microsoft's
documentation and support resources for your version of SQL Server.

For database recovery purposes, store the certificate and private key backup
files along with the associated password in a secure location separate from the
database server. An encrypted database cannot be restored from a backup file
without these three items.

-- Generate a master key
USE [master];
GO
CREATE MASTER KEY ENCRYPTION BY PASSWORD = '@$tr0nGp@s$w0rD';
GO
-- Create a certificate to protect the database encryption key
CREATE CERTIFICATE MyCertificate
    WITH SUBJECT = 'Database Encryption Key Certificate';
GO
-- Create an encrypted backup of the certificate and its private key
BACKUP CERTIFICATE MyCertificate
    TO FILE = 'c:\windows\temp\My-MA4000-TDE.cer'
    WITH PRIVATE KEY (
        FILE = 'c:\windows\temp\My-MA4000-TDE.pvk',
        ENCRYPTION BY PASSWORD = '@$tr0nGp@s$w0rD');
GO
-- Copy certificate, private key, and password to secure location
-- Associate certificate to MA4000 database
USE MA4000;
GO
-- Generate AES 128 bit encryption key using certificate
CREATE DATABASE ENCRYPTION KEY WITH ALGORITHM = AES_128
    ENCRYPTION BY SERVER CERTIFICATE MyCertificate;
GO
-- Enable encryption for the MA4000 database
ALTER DATABASE MA4000 SET ENCRYPTION ON;
GO

Backup and Recovery
Backup and Recovery plans are important. A well-developed plan will aid with recovering from a virus or
an attack. Schedule regular backups for important files, and if possible, keep a copy in a separate location
in case of fire, flood, or disaster.
Microsoft SQL Server standard edition or higher is packaged with management tools that can perform
scheduled database backups. SQL Server Express Edition does not have built-in support for scheduled
backups, but manual backups can be performed using Microsoft SQL Server Management Studio Express
Edition, which is a free download from Microsoft's website.
It is recommended to:
• Develop a solid plan to recover from a virus or attack.
• Back up the MA4000 Management System before an upgrade, service pack, or patch.
• Back up valuable data nightly
• Test your backup and recovery plan.

5
Securing the Application
The following configurations and settings are recommended to secure the MA4000 Management System.

NEC Centralized Authentication Service (NEC CAS)


The NEC CAS application is an authentication source used to authenticate users for an NEC CAS-enabled
application.
To obtain installation procedures, refer to the NEC CAS Installation Guide located on the MA4000 disc.

General Recommendations
The following list is a set of basic recommendations that can be used to increase the security of NEC CAS.
• Use a secure HTTPS connection between the NEC CAS server and its clients
• Use a secure LDAPS connection between the NEC CAS server and an LDAP server

Login Account Management


By default NEC CAS is configured for internal database authentication, which authenticates user-provided
credentials against a database containing login information. If you are using this authentication type, the
following is recommended:
• Change the password of, or remove, the default administrator account
• Limit the number of administrator accounts to two or fewer.
• Use complex passwords for all accounts
• Back up the NEC CAS database regularly
NEC CAS can also be configured to authenticate using a user account on a directory server via LDAP, or
using a Windows user account. If you are using one of these authentication types you must use their
native interfaces to manage login accounts.

Login Account Lockout Policy


If you are using internal database authentication, you may want to adjust the account lockout settings
within the Private.config configuration file. These settings allow NEC CAS to disable an account after a
user exceeds the predefined number of invalid login attempts. After a specified lockout period has
elapsed, the user account will become enabled again and can be accessed using the proper login
credentials.
Complete the following steps to configure the account lockout feature:

1. Browse to the NECCAS folder (Default: C:\Program Files (x86)\NEC\NECCAS\).
2. Open the private.config file using a text editor.
3. Locate the MaxAllowedLoginFailureCount XML key and replace the value with the number of failed
   attempts allowed before temporarily disabling an account.

   <add key="MaxAllowedLoginFailureCount" value="3"/>

4. Locate the UserLockoutTimeout XML key and replace the value with the number of seconds the
   account should remain locked.

   <add key="UserLockoutTimeout" value="900"/>

5. Save, then close the private.config file.
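
Added example, not part of the NEC guide: a PowerShell check that reads the two lockout keys described above and reports whether each is present, unique, numeric and within a site policy. The policy thresholds (defaulting to the guide's example values 3 and 900), the function name and the elements wrapped around the two entries in the embedded sample are assumptions.

```powershell
# Added example; not NEC-supplied.
param(
    [string] $ConfigPath,                 # e.g. 'C:\Program Files (x86)\NEC\NECCAS\private.config'
    [int]    $MaxFailures       = 3,      # assumption: highest failure count the site accepts
    [int]    $MinLockoutSeconds = 900     # assumption: shortest lockout the site accepts
)

# Constructed sample, used when no -ConfigPath is given. Only the two <add> entries follow
# the guide; the enclosing elements are an assumption about the file layout.
$Sample = @'
<configuration>
  <appSettings>
    <add key="MaxAllowedLoginFailureCount" value="25"/>
    <add key="UserLockoutTimeout" value="900"/>
  </appSettings>
</configuration>
'@

function Test-CasLockout {
    param([xml] $Config, [int] $MaxFailures, [int] $MinLockoutSeconds)

    $limits = [ordered]@{
        MaxAllowedLoginFailureCount = @{ Min = 1;                  Max = $MaxFailures }
        UserLockoutTimeout          = @{ Min = $MinLockoutSeconds; Max = [int]::MaxValue }
    }

    foreach ($key in $limits.Keys) {
        # Match on the key attribute wherever the <add> element sits in the document.
        $nodes = @($Config.SelectNodes("//add[@key='$key']"))
        $raw   = if ($nodes.Count -eq 1) { $nodes[0].GetAttribute('value') } else { $null }
        $n     = 0

        $status =
            if     ($nodes.Count -eq 0)                     { 'MISSING' }
            elseif ($nodes.Count -gt 1)                     { 'DUPLICATE' }
            elseif (-not [int]::TryParse($raw, [ref] $n))   { 'NOT-A-NUMBER' }
            elseif ($n -lt $limits[$key].Min -or
                    $n -gt $limits[$key].Max)               { 'OUT-OF-POLICY' }
            else                                            { 'OK' }

        [pscustomobject]@{ Key = $key; Value = $raw; Status = $status }
    }
}

$xml = if ($ConfigPath) { [xml](Get-Content -LiteralPath $ConfigPath -Raw) } else { [xml]$Sample }
$results = Test-CasLockout -Config $xml -MaxFailures $MaxFailures -MinLockoutSeconds $MinLockoutSeconds
$results | Format-Table -AutoSize

# Non-zero exit code lets a scheduled task or monitoring job flag a drifted setting.
if ($results.Status -ne 'OK') { exit 1 }
```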

MA4000 Management System


To obtain installation procedures, refer to the MA4000 Management System Installation Guide located on the
MA4000 disc.

General Recommendations
The following list is a set of basic recommendations that can be used to increase the security of MA4000.
• Lock or delete all inactive manager logins
• Limit manager access rights via customized manager roles
• Set up alarm notifications for all major alarms
• Use a secure HTTPS connection between the MA4000 server and its clients
• Use an SSH proxy to secure communications between the MA4000 server and compatible NEC
  IP-PBX devices
• Use a secure LDAPS connection between the MA4000 server and any LDAP servers
• Back up all critical information regularly.

Encryption
MA4000 uses the following encryption algorithms for increased security.
• RC2 - The RC2 algorithm is used with a 128-bit key to encode passwords stored in the MA4000
  database.
• SSH - The SSH protocol can be used with third-party libraries to encode IP-PBX communications
  sent between MA4000 and an external SSH proxy server. All keys are handled by the SSH proxy
  server.
• MD5 - An MD5 hash is used to encode passwords stored in the NEC CAS database. There are no
  keys used for this process.

MA4000 Services
Configure Windows to automatically start only the services needed to meet the site's requirements. Not all
services will be needed at all sites. If an NEC MA4000 Windows Service is disabled, such as the Authorizer
service, be sure to disable the internal notifications for it to avoid problems with database change
notifications. For detailed instructions, refer to the Manage Database Change Notifications topic in the
MA4000 Online Help.
• NEC MA4000 Alarm Engine - Used to process all alarms and distribute any related notifications.
  (Required)
• NEC MA4000 Arena - Used by MA4000 services to coordinate with each other. (Required)
• NEC MA4000 Authorizer - Used to process authorization codes via OAI connection to Voice
  Systems.
• NEC MA4000 Business Integration - This service sends traffic, alarms, and other data to the
  MA4000 integrated applications. If this service is disabled, MA4000 integrated applications won’t be
  able to retrieve traffic data, alarms, and other data from MA4000.
• NEC MA4000 Database Change Notification - Notifies other services and integrated
  applications of changes to the MA4000 database. (Required)
• NEC MA4000 Directory Engine - Directory Automatic Provisioning Service. Communicates with
  Directory services (via LDAP or the appropriate protocol) to consume the directory information.
• NEC MA4000 License Service - Used to retrieve and process license information and
  enable/disable MA4000 functionality. (Required)
• NEC MA4000 Lock Manager Engine - Used by Exclusive Control feature to manage resource
  locks within MA4000.
• NEC MA4000 Telnet Engine - Provides access to Command Line Interface feature via Telnet.
• NEC MA4000 Traffic Engine - Used to collect and process IP-PBX traffic information.
• NEC MA4000 Voice Mail Engine - Facilitates communication with voice mail systems.
• NEC MA4000 Voice Server Engine - Facilitates communication with IP-PBX devices. (Required)
• NEC MA4000 Voice Server Maintenance Engine - Facilitates maintenance of IP-PBX devices
  such as FTP/SFTP backups. (Required)
• NEC MA4000 WMI Event Engine - Processes IP-PBX SNMP notifications for system messages and
  VoIP statistic records.

Alarm Notifications
The MA4000 Management System can notify MA4000 managers when an alarm is triggered. These
notifications can be sent to managers as a Windows event and/or e-mail.
For more information on setting up Alarm Notifications, please refer to the MA4000 Setup and Alarm
Setup information found under the Administration section of the MA4000 Online Help system.

To configure the E-Mail notification feature, your MA4000 server must have
access to an SMTP e-mail server.

Call Audit
The MA4000 Call Audit feature collects and reports call records from IP-PBXs. It is separately installed as
a plugin to MA4000.
To obtain installation procedures, refer to the Call Audit Installation Guide.

General Recommendations
The following list is a set of basic recommendations that can be used to increase the security of the
MA4000 Call Audit feature.
• The Call Audit feature plugin should only be installed if it is licensed and being used
• Limit access via customized MA4000 manager roles
• Use a secure HTTPS connection between the MA4000 server and its clients
• Back up the Call Audit database regularly. For details please refer to the Call Audit Installation
Guide.

Encryption
The MA4000 Call Audit feature uses the RC2 algorithm with a 128-bit key to encode the passwords that it
uses.

Internet Explorer
The server and client PC access the MA4000 Manager via Internet Explorer. To view the applications
correctly, it is recommended to:
• Add the MA4000 server(s) URLs to the list of Trusted Sites on all client browsers to avoid problems
with unwanted security prompts and blocked file downloads.
• Allow pop-up windows from the MA4000 server(s) on all client browsers.
• At minimum, use the default Internet Explorer security settings on the MA4000 server(s).
• Limit Internet browsing activities from the MA4000 server to limit the server's exposure to
spyware, viruses, and other Internet-based threats.


6 Securing the IP-PBX
The following configurations and settings are recommended to increase the security of IP-PBX devices
managed by the MA4000 Management System. Detailed information regarding these topics can also be
found within the MA4000 Manager Online Help.

SSH Port Forwarding


For increased security, it is possible to use Secure Shell (SSH) to encrypt communications between
MA4000 Manager and an SSH proxy server located near the IP-PBX devices that it manages.
Without SSH Port Forwarding, all MAT commands are sent across the data network in clear-text TCP
packets. These packets can be sniffed by hackers and used to obtain sensitive information regarding the
various settings, such as the user name and password used to log in to the IP-PBX.
SSH encryption alters these MAT command data packets so that they cannot be read without a special key
to decode them. To achieve this, an SSH tunnel is established between the MA4000 server and an SSH
proxy server using an SSH client. NEC recommends using MA4000’s built-in SSH client; however, a
third-party SSH client can be used if desired. Figure 6-1 represents this encryption process.

Figure 6-1 SSH Encryption Between MA4000 and IP-PBX

MAT commands are sent to the proxy server through this tunnel, where they are decrypted and
forwarded to the appropriate IP-PBX. The link between the SSH server and the IP-PBX is not encrypted,
so this segment of the network should be as direct and secure as possible. A single SSH proxy
server can be used to encrypt communications between MA4000 and multiple IP-PBX devices.

Enabling this feature can affect MA4000 performance significantly due to the
processing overhead required to encrypt and decrypt data.
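
As an added illustration (not part of the NEC guide), the tunnel described above can be opened with a third-party client such as the OpenSSH `ssh` command, run from PowerShell on the MA4000 server. The proxy account, host names, addresses and port numbers are constructed placeholders, and pointing MA4000 at the loopback end of each forward is an assumption, since this guide does not describe third-party client setup.

```powershell
# Added example. Every host, account, address and port below is a constructed placeholder.
$SshProxy = 'tunnel-svc@ssh-proxy.example.net'   # SSH proxy server located near the IP-PBXs
$Forwards = @(
    @{ LocalPort = 61001; PbxHost = '192.0.2.10'; PbxPort = 60000 },
    @{ LocalPort = 61002; PbxHost = '192.0.2.20'; PbxPort = 60000 }
)

# Refuse to start if a chosen local port already has a listener on this server.
$busy = foreach ($f in $Forwards) {
    Get-NetTCPConnection -State Listen -LocalPort $f.LocalPort -ErrorAction SilentlyContinue
}
if ($busy) {
    $ports = ($busy.LocalPort | Sort-Object -Unique) -join ', '
    throw "Local port(s) already in use: $ports"
}

# One ssh process carries every forward, so a single proxy serves all IP-PBXs.
$sshArgs = @(
    '-N',                               # forwarding only, no remote command
    '-o', 'ExitOnForwardFailure=yes',   # exit if any local listener cannot be set up
    '-o', 'ServerAliveInterval=30'      # probe the proxy so a dead tunnel is detected
)
foreach ($f in $Forwards) {
    # Bind to loopback so only processes on this server can reach the forward.
    $sshArgs += '-L', "127.0.0.1:$($f.LocalPort):$($f.PbxHost):$($f.PbxPort)"
}
$sshArgs += $SshProxy

& ssh @sshArgs
```

The hop from the proxy to each IP-PBX address still carries the MAT commands unencrypted, which is why the proxy should sit on the same protected segment as the IP-PBXs.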

IMAT Command Proxy


The MA4000 Voice Server Engine service can provide proxy functionality for external applications to connect
to and communicate with an IP-PBX, which allows them to take advantage of the logging functionality
provided within MA4000. This feature is only available for the UNIVERGE™ SV9500 and UNIVERGE™
SV8500.
The IMAT Command Proxy has the ability to de-compile and log, at minimum, the header information in
the binary packets of the MAT commands. Additionally, if the pre-compiled commands are well-known, it
will de-compile the entire byte array, including its request parameters, and provide more detailed logging.
This feature can also be used in conjunction with SSH Port Forwarding to provide a secure encrypted
connection between the SSH Proxy and the MA4000 Voice Server Engine. To further increase security,
network devices that route data to IP-PBX devices can be configured to only allow MAT communications to
pass through from the MA4000 Voice Server Engine service.
To use this feature, you must first enable the Act as a IP-PBX proxy server check box on the IP-PBX
Configuration page within MA4000 and specify a unique TCP Port to use. Figure 6-2 displays the IP-PBX
Configuration page.

Do not use TCP ports that are used by other applications or conflicts may
occur that could affect communications for both the MA4000 and the other
applications.

Figure 6-2 IP-PBX Configuration

Once this has been done you can modify the external application to point to the IP address of the MA4000
server using the port defined in MA4000 for the IP-PBX as shown in Figure 6-3.

Figure 6-3 TCP/IP Settings - PBX


After MA4000 and the external application have been configured the final result should look similar to
Figure 6-4.

Figure 6-4 MA4000 - External Application Configuration

Authorization Codes
Authorization Code Management tracks and monitors authorization codes as well as grants permissions at
the time of a call. Use authorization codes to define limits and access for specific users.
This feature works with NEC IP-PBX devices over an Open Application Interface (OAI).
You can create and maintain the authorization codes by accessing the Authorization Code Management or
you can create and assign authorization codes from the Edit User screen.
Authorization Code Management provides:
• Integration with the call accounting database
• Easy enable/disable of authorization codes
• Configurable security lockout on any extension for failed authorization code entries
• Toll fraud prevention

For detailed steps on configuring Authorization Codes in MA4000 Manager, please
refer to Administration > Create/Assign Authorization Codes in the MA4000
Manager Online Help.

IP-PBX Backup
The IP-PBX Backup feature within MA4000 Manager allows you to back up NEC IP-PBX devices. After any
changes in data settings, performing a system backup ensures the data can be restored after an
emergency, such as a power failure or if the operating data is lost or damaged.
Backup files are stored locally on the MA4000 server.

For detailed steps on configuring IP-PBX Backups in MA4000 Manager, please
refer to the MA4000 Manager Online Help.


7 Reporting Issues
Promptly report all issues encountered to NEC or one of its authorized dealers or partners. Please include
the following information:
• NEC application name and version
• Windows Operating System and version
• Database software and version
• MA4000 application log files
• Call Audit feature log files
• Hardware specifications
• Specific details of how to reproduce the problem whenever possible



For additional information or support on this product, contact your NEC Corporation
representative.
