COS, or Class of Service, is not a new term or idea. Also known as the 'effective permissions' of the telecom world, COS is often overlooked in a security analysis.
In fact, the fundamental ideas and implementations of Class of Service have changed very little from the PBX "boom" of the 80's to today. Typically COS is assigned to groups of users (or terminals) to determine who can do what, when, and how. For instance, COS rules may exist to limit international dialing, feature usage such as off-net call forwarding, or messaging features such as mailbox features and message length.
Even for non-IP switches, a lack of COS policies or proper allocation can open serious security holes. Simply put, these vulnerabilities usually exist because users or terminals have too much power. We've all heard about instances of 'phone phreaking', which can use errors in COS implementation to gain access from outside sources.
So, how do you analyze and reorganize your Class of Service permissions? First, conduct a COS audit to determine what levels of COS are available on your switch. It's important to realize the COS "bounds" of your telecom environment to determine literally how much control is available.
Second, work with your users to determine what features or services of your environment they use, how, and why. Using the Principle of Least Privilege, restrict groups of users or departments to the features or permissions they absolutely require. For "power users", implement a method to notify them of their responsibility to watch for, and report, potential security problems.
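The two steps above can be combined into a simple comparison once the audit data is written down. The following is an added example, not part of the original post: it checks each group's assigned COS against the features the group says it needs and picks the least-privileged COS level the switch actually offers. All COS level names, feature names and groups are constructed sample data, not taken from any real PBX.

```python
# Constructed sample data: feature names, COS levels and groups are hypothetical,
# not an export from any real switch.
COS_LEVELS = {  # step 1: the COS levels available on the switch
    "COS1": {"internal", "local"},
    "COS2": {"internal", "local", "long_distance", "voicemail"},
    "COS3": {"internal", "local", "long_distance", "voicemail", "off_net_forward"},
    "COS4": {"internal", "local", "long_distance", "voicemail", "off_net_forward",
             "international"},
}

# The COS currently assigned to each group of users or terminals.
ASSIGNED = {"lobby_phones": "COS4", "sales": "COS4", "helpdesk": "COS2", "executives": "COS3"}

# Step 2: the features each group confirmed it requires.
REQUIRED = {
    "lobby_phones": {"internal", "local"},
    "sales": {"internal", "local", "long_distance", "voicemail", "international"},
    "helpdesk": {"internal", "local", "long_distance", "voicemail"},
    "executives": {"internal", "local", "voicemail", "conference_bridge"},
}


def least_privileged_cos(required, levels=COS_LEVELS):
    """Return the COS with the fewest features that still covers `required`, or None."""
    fits = [(len(feats), name) for name, feats in levels.items() if required <= feats]
    return min(fits)[1] if fits else None


def audit(assigned=ASSIGNED, required=REQUIRED, levels=COS_LEVELS):
    """Compare each group's assigned COS with its documented needs."""
    findings = {}
    for group, cos in sorted(assigned.items()):
        need = required.get(group, set())
        granted = levels[cos]
        findings[group] = {
            "assigned": cos,
            "excess": sorted(granted - need),   # granted but not required
            "unmet": sorted(need - granted),    # required but not in the assigned COS
            "recommended": least_privileged_cos(need, levels),
        }
    return findings


if __name__ == "__main__":
    for group, finding in audit().items():
        print(group, finding)
```

In this sample, `sales` keeps `off_net_forward` even at its best-fitting level, and `executives` has no fitting level at all; both are cases where the COS "bounds" of the switch, not the assignment, are what limits least privilege.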
COS and permission reassignment takes time! Especially in large organizations, the auditing and analysis process may take months or years. However, COS is a critically important piece of the security puzzle that is often overlooked.
Nickasch has been very involved in IT since he was just 13. His current and previous consulting experience includes systems architecture, virtualization, and converged networks for the financial, education, and healthcare industries. Matthew currently attends the University of Wisconsin-Platteville, where he also works as a network management assistant. While his interests include directory services and routing protocols, Nickasch's focus is on converged networks and voice over IP.
The opinions expressed in this Weblog are those of the writer and may not represent the opinions of Network World.