TECHNICAL WHITE PAPER

TN799 (C-LAN) Circuit Pack Security
Version: 2.0    Date: January 17, 2002
CID: 78576    Author: Charlie Smith

Scope of Discussion

This white paper addresses concerns regarding unauthorized access of a customer’s data network via the Initialization and Administration System (INADS) line of the DEFINITY® system and the TN799 circuit pack. The TN799 circuit pack is connected to the customer’s data network and the DEFINITY INADS line is connected to the PSTN. This paper shows that no bridge or access into the customer’s data network results from this configuration.

This white paper is intended as a supplement to the DEFINITY ECS Administration for Network Connectivity, Appendix C, Security Issues (#555-233-501, COMCODE 108596297, issue 2, 12/99).

Discussion

In the DEFINITY system architecture, the software shown in Figure 1 controls the INADS line. Once a connection is established to the DEFINITY system via the INADS line, all communication to the TN799 circuit pack is transmitted across an internal proprietary bus using a limited message set. Additionally, communication across the internal bus does not support Internet Protocol (IP).

As a result of this architecture, a user logging into the software via the INADS line cannot get direct access to the TN799 firmware. A user logged in via the INADS line is limited to entering SAT commands that request port board information or configure port board characteristics (e.g., IP address, clock, etc.). DEFINITY software can send commands across the internal bus that cause Ping and Traceroute to be executed on the TN799 circuit pack. However, the software does not allow files to be transferred to, or executed on, the network under the command of the TN799 circuit pack. It should also be noted that the TN799 does operate two network services, SNMP and FTP, but they are accessible only from the customer’s LAN.

Other applications such as TFTP and TELNET are also available, but are currently disabled on the TN799, and cannot be enabled by DEFINITY software. In order to circumvent this restriction, the TN799 firmware must be re-compiled to enable these applications.
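The isolation argument above rests on one property: the only path from an INADS login to the TN799 is a closed set of fixed-format messages, so nothing a user types can become a file or a program on the customer's LAN. The following Python model is an added illustration of that gateway pattern and is not DEFINITY code or the actual internal bus protocol; the message names, their parameter schemas, the SimulatedBoard behaviour and the audit format are all constructed assumptions.

```python
"""Constructed model of a closed command set proxied from an administration
login to a network-attached port board over a non-IP internal channel.
Assumptions (hypothetical, not taken from the white paper): the message
names, their parameters and the SimulatedBoard behaviour."""
import ipaddress
from typing import Any, Callable, Dict, List, Tuple


class RejectedCommand(Exception):
    """A request that does not fit the fixed message set is dropped at the gateway."""


def _ipv4(value: Any) -> str:
    """Accept only a well-formed dotted-quad address; anything else is rejected."""
    try:
        return str(ipaddress.IPv4Address(value))
    except (ValueError, TypeError) as exc:
        raise RejectedCommand(f"bad address: {value!r}") from exc


def _hour(value: Any) -> int:
    """Clock hour parameter: an integer in 0..23."""
    if not isinstance(value, int) or not 0 <= value <= 23:
        raise RejectedCommand(f"bad hour: {value!r}")
    return value


# Closed message table: name -> {parameter: validator}. Every parameter is a
# fixed scalar type, so no message can carry free-form bytes (a file, a script).
MESSAGE_SET: Dict[str, Dict[str, Callable[[Any], Any]]] = {
    "query_board_info": {},
    "set_ip_address": {"address": _ipv4},
    "set_clock": {"hour": _hour},
    "ping": {"address": _ipv4},
    "traceroute": {"address": _ipv4},
}


class SimulatedBoard:
    """Stand-in for the port board firmware (hypothetical; no real network I/O)."""

    def __init__(self) -> None:
        self.ip = "0.0.0.0"
        self.hour = 0

    def query_board_info(self) -> Dict[str, Any]:
        return {"type": "TN799", "ip": self.ip, "hour": self.hour}

    def set_ip_address(self, address: str) -> Dict[str, str]:
        self.ip = address
        return {"ip": address}

    def set_clock(self, hour: int) -> Dict[str, int]:
        self.hour = hour
        return {"hour": hour}

    def ping(self, address: str) -> Dict[str, Any]:
        return {"target": address, "reply": "simulated"}

    def traceroute(self, address: str) -> Dict[str, Any]:
        return {"target": address, "hops": ["simulated"]}


class BusGateway:
    """Validates each request against MESSAGE_SET before it reaches the board,
    and records an audit line for every accepted or rejected request."""

    def __init__(self, board: SimulatedBoard) -> None:
        self.board = board
        self.audit: List[Tuple[str, str, str]] = []

    def submit(self, login: str, message: str, params: Dict[str, Any]) -> Dict[str, Any]:
        schema = MESSAGE_SET.get(message)
        if schema is None:
            self.audit.append((login, message, "rejected: not in message set"))
            raise RejectedCommand(f"unknown message {message!r}")
        if set(params) != set(schema):
            self.audit.append((login, message, "rejected: parameter mismatch"))
            raise RejectedCommand(f"{message}: expected {sorted(schema)}, got {sorted(params)}")
        try:
            clean = {name: check(params[name]) for name, check in schema.items()}
        except RejectedCommand as exc:
            self.audit.append((login, message, f"rejected: {exc}"))
            raise
        self.audit.append((login, message, "accepted"))
        return getattr(self.board, message)(**clean)


def demo() -> Dict[str, Any]:
    """Run a few constructed requests through the gateway and report what got through."""
    gw = BusGateway(SimulatedBoard())
    gw.submit("inads", "set_ip_address", {"address": "192.0.2.10"})
    info = gw.submit("inads", "query_board_info", {})
    rejected = []
    for message, params in [
        ("put_file", {"name": "x", "data": b"..."}),         # no such message exists
        ("ping", {"address": "192.0.2.1", "payload": "x"}),  # extra parameter
        ("set_ip_address", {"address": "not-an-ip"}),        # malformed value
    ]:
        try:
            gw.submit("inads", message, params)
        except RejectedCommand:
            rejected.append(message)
    return {"info": info, "rejected": rejected, "audit": gw.audit}


if __name__ == "__main__":
    for line in demo()["audit"]:
        print(*line)
```

The point of the model is where the enforcement sits: the table of allowed messages and their scalar parameter types is data the gateway consults, not behaviour the caller can extend, which is the same property the paper describes as a "simple, unalterable command set". The audit list is the detection hook a practitioner would want in such a gateway, since every rejected request is evidence of someone probing beyond the intended message set.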

Summary

Although certain applications and network services reside on the TN799, there is no direct access to the circuit pack from the INADS line. In addition, the capabilities of the TN799 circuit pack provided to DEFINITY are limited to those provided in a simple, unalterable command set. As a result, no files may be transferred or executed over the customer’s network by accessing the DEFINITY system through the INADS line and using the TN799.

©2002 Avaya Inc. All Rights Reserved. Avaya and the Avaya logo are trademarks of Avaya Inc. and may be registered in certain jurisdictions. All trademarks identified by ® and ™ are registered trademarks or trademarks respectively, of Avaya Inc. All other registered trademarks or trademarks are property of their respective owners.