Posts Taged ld-usage

How to Configure Class of Service Objects

The Class of Service Manager is used to create objects used to assign permissions or restrictions to Outgoing Lines, Incoming Lines, Extensions, Feature Codes, or Applications.

Great care should be taken when configuring Class of Service objects to prevent unauthorized LD Usage.

Please refer to https://blog.scopserv.com/2012/06/important-security-settings-when-using-class-of-service-cos/ before configuring Class of Service objects.

 

Module 8 - ScopTEL - Class of Service Configuration
Read More

How to Configure Outgoing Lines and Interface Groups

This document explains dialing plan configuration for Outgoing Lines.

 

Module 6 - ScopTEL - Interface Groups and Outgoing Lines
Read More

Important Security settings when using Class of Service (CoS)

Class of Service (CoS) is where you configure permissions for extensions, incoming lines, applications, features codes, outgoing lines, etc. It very important to properly configure each Class of Service, because this is where all validation for routing is done (examples: if an incoming line,  extension, or if an outgoing line route exists)

To add, modify or delete a Class of Service, login to the ScopServ GUI, and click on Telephony -> Manager- > Class of Services

In each Class of Service, you have different sections where you can set different permissions.

On the Services tab, you can specify which feature code(s)  (Voicemail, Agent Login, Call Forward, DND, etc.) are available. It is not recommended to use the ‘All Features’ option when the Class of Service is used by an “untrusted” source. So if the users that will use this Class of Service do not need full access then do not check the ‘All Features’ option and instead select individual features codes that will be available.

On the Applications tab, you can specify which applications (created on Applications -> Application) are available. It is not recommended to use the ‘All Applications’ option when the Class of Service is used by an “untrusted” source. If you check ‘All Applications ‘ and have a custom application that executes a “sensitive” task (example: turn off the alarm system) then this is a major security risk, this is why you must select individual permissions.

On the Local Extensions tab, you can specify which extensions are reachable. If you want all extensions to be available for users that use this Class of Service, then simply check the ‘ All Extension ‘ option. If you want to restrict the ability to reach some local extensions then select a list of allowed local extensions.

On the Outgoing Lines tab, you specify which outgoing lines you want to be reachable. You can set the line priority (examples: 011X must be defined before X. else 011X will never be reachable). If some users need access only to local/national calls but must not be able to make international calls, or be restricted to use specific trunks, then the Outgoing Lines tab is used to select individual outgoing lines.

On the Miscellaneous tab, you can set miscellaneous options like Agent or Hotdesk restrictions. It is also possible to include others permissions (Class of Services) by selecting one or more contexts.  The option ‘Include other permissions’ allows to include others permissions in order to create group like Class of Service objects. This is useful to create a Class of Service that will include a hierarchy of other Class of Service objects.

Class of Services can be used in different places like Interfaces (VoIP Account, Digital, Analog) to lookup destinations. They can also be used on Extensions to specify which permissions the extension will have (examples: can the extension reach Voicemail or disable DND). They can also be used on an Auto Attendant (IVR) menu to lookup a key pressed by a user so it is very important to ensure that everything is properly configured.

For example: if you configure an Auto Attendant (IVR) to use a Class of Service that has access to all services, then any person that reaches the IVR will be able to execute any inherited service such as *888 to spy on extensions, or dial *78 to set a CallForward, or reach DISA, or dial any included feature, and etc. So ensure that an IVR does not have access to Class of Services with excessive permissions else major security holes can exist in the configuration.

In summary it is very important to properly configure Class of Services to restrict access permissions to a user.

Read More