Securing a 3300

[notserpmh]

We have a 3300 on 8.0.10.7_1.  Last night we were notified by our PRI provider of a 6+ hour call to our 800 number.  I looked in our SMDR logs and found another call right after that one ended that was 2+ hours.  In both cases, it looks like they went into the voicemail system and were "poking" around.

I'm the IT guy, so I talked to our "phone vendor", but they really haven't been that trustworthy from the start.  For example, my first question was, "Is the 3300 capable of limiting the length of calls?"  The answer I got (from the owner mind you) was "I don't really know, I'll have to wait until I have a tech in Monday".  I found the option after reading through the help some and have set limits on call lengths.

In talking to our vendor, he claimed that people "get into the voicemail, then get into a voicemail box with a weak password, then somehow re-program the system to auto call out to a 900 number or other toll number to rack up charges".  I'm having our Jr. IT guy go through all our voicemails and change any with a 1111 passcode and/or a passcode that is the same as the extension.  I'm also having our PRI provider block all calls to the NANP Member countries (places like the Dominican Republic and Jamaica where you only have to dial 1 + area code to call, no country code required, but aren't other US states).

Our OpsManager and the Mitel web interface are inaccessable from the outside network, and I feel pretty confident about their security.   

I've seen suggestions to turn off trunk to trunk calling, but we actually use that feature a lot, so that is kind of a non-starter. 

I've also gone through the article here: http://www.mitelforums.com/articles/mitel-toll-fraud.php 

but I'm unsure as to how to block 9-00 calls and to block specific extensions from making international calls.   

Can anyone give me any pointers on how to setup those blocks?  Is there anything else I should look for or set (assume my vendor didn't do even the most basic security features)?
Should I really just search for a new vendor and let them handle it?

Thanks in advance for your help. 

[ralph]

I wrote the article you referenced.

I'll assume that your ARS is not set up anywhere near like I suggest so we'll go from there.

1st of all you need to block your VM from being able to transfer outside.   If you're using the embedded VM you want to be sure that the admin passwords ARE NOT at default.  What I've seen happen is someone will log in as Admin, change the '0' target to an external number, call that mailbox and press 0.  But I've also seen it where people have logged into mailboxes with weak passwords and changed the cell number.  Does the same thing.   So set the COR of your VM ports so that they are not able to dial out.  If you need the ports to dial out then use system speed dials.

To block 9+00 calls set your the COR in your ARS to something unique.  Example: '15'.  Then in the COR form on line 15 put an "R" on everything except 15.   Then on the phones that need to dial international calls give them the COR of 15.    (I'm assuming a lot of things here. Everyone sets up ARS differently so if this doesn't work we'll have to look at your actual set up)

That should get you started.

Ralph

[notserpmh]

Thanks for the quick reply and the good article.

Here is what I have so far:

I've had our PRI provider block all international calls that don't require a country code, plus most of our lines require long distance codes to call out of our metro area.  The few that don't are fax lines and might be difficult to add that requirement (since putting in a long distance code on our faxes is unreliable at best).

I didn't know the 0 passcode, so I just reset it so something known and non-default. 

For the VM being able to transfer to the outside, we have completed making sure no one is using 1111 or their extension for their passcode.  I don't think I can turn off VM transferring to the outside (please correct me if I'm wrong) as we use the "press 2 to be transferred to the cell phone" feature in the voicemail very heavily. 

For this next part, please forgive my ignorance if I am getting this wrong.  I have fairly limited phone knowledge. 

I looked in "System Administration" -> "Automatic Route Selection (ARS)"  and under there I only find one "Class of Restriction" section which is "Class of Restriction Group Assignment".  In it I have 4 pages of numbers, 1-64, but everyone is completely blank.  In selecting one and clicking "Change", the only thing I can fill in is "Class Of Restriction For Group".  It will only allow numbers.

Is there maybe somewhere else I should look?

Thanks again for all of your help

[ralph]

securing the 0 mailbox is good but there are three (3) passwords for the admin mailbox.
These need to be changed.

If in the COR Group form it is completely blank, that would pretty much mean you have no restrictions at all.

What you may want to do is have your vendor read the security document you mentioned and have them build up restrictions.
You'll also what to have them change your admin mailbox passwords (not mailbox 0).
Then have them restrict your VM ports via COR to only those area codes you need for dialing to cell.  To restrict this tighter you can block the VM ports dialing out via COR but allow the system to dial system speed calls to go to your users cells.

Ralph

[notserpmh]

Okay thanks.  I'll start looking around for another vendor and send them this info so hopefully they can help out.

Thanks again for your help.

[ralph]

What state are you in?

Ralph

[notserpmh]

Texas, D/FW area.

[PokerMunkee]

This is a great thread.  I've been in IT for over 12 years and now is the first time I've had to manage a phone system (3300).   Going to look at the suggestions in Ralph's article.  Never considered PBX security and thsi was never brought up by our vendor.

Embarrassing question... How do I block extension 900 in our 3300 MXe-III?

[PokerMunkee]

Going to take a stab after reading a bit...

1. ARS Digits Dialed = Add Digits Dialed "900" with 7 digitsl to follow.  Route 15.
2. ARS Routes = Route 15 points to nothing.