As AAPT’s range of products is varied, so are the security tools and features available within each service. Unless specified, there is no additional charge to use these tools and features. Notwithstanding the availability of these features, you are ultimately responsible for safeguarding your service from unauthorised access. For more information about the security features of our network and products, please click on the links below:
If you require assistance to use any of AAPT’s security tools, please contact us.
Responsibility for usage
Any use of your services, even if it’s unauthorised, is your responsibility as the account holder. So, if anyone hacks into your internet service or uses your telephone or mobile service without your permission, for example, you will still need to pay for the usage or calls.
To help prevent or mitigate unauthorised usage, AAPT may monitor your service and take actions to cancel or suspend your service if we consider there is anything excessive or unusual going on. However, we don’t promise to do this, so you should still take steps to protect your services from unauthorised access. AAPT has provided some useful hints to help you reduce the risk of your account being exploited by fraudsters at: http://aapt.com.au/security.
If you think your service has been used without your authority, contact us immediately by calling our Customer Service Desk on 1800 801 036 or by calling your dedicated Account Manager (for managed customers).
General network security
AAPT has a very large network of switches, routers, server infrastructure and firewalls. AAPT tightly controls access to all devices, with access control only allowed from specific hosts in the network. Centrally managed authentication control is enabled on every node in the network, with enforcement of strong passwords with regular change intervals. Multiple logins are required to access any network device in the network.
SSH is the primary access method to firewalls, layer 3 and layer 2 networks. Some legacy devices allow only telnet; however, access to these nodes is tightly controlled. TACACS authorisation is enabled on every node in the network, controlling what commands are allowed at a per-user level. Logs are created for every command attempted and executed. Multiple layers of firewalls have been deployed to create a number of demarcation zones (DMZ), controlling access between outside networks and internal networks, with logs tracked on all firewalls. All configurations are backed up daily and stored on secured servers in DMZs.
AAPT's private management network is not open at any point to the Internet. Any remote access requires end users to log in using a two-factor RSA key SSL VPN client, which is tightly controlled by the AAPT IT department.
AAPT voice services are delivered via AAPT’s own SS7 switching infrastructure. This technology delivers an inherent separation between channels, eliminating the possibility of logical intrusion. Last mile infrastructure is delivered via AAPT-owned fibre, which resists undetected interception, or via third-party access links, which are delivered with similarly high levels of security to AAPT's owned infrastructure.
AAPT can instigate call barring functions at your request, or you can manage barring by using your own PABX or IP PBX system.
AAPT’s SIP service requires a username and password combination to establish a session, providing access control. Services are provisioned to allow connectivity from a single RFC 1918 assigned IP address, precluding connectivity from public locations and restricting network connectivity to AAPT’s private network link.
AAPT’s Conferencing service is protected via separate PINs for hosts and guests. Entry and exit tones give the host notice of conference traffic by audibly signalling the arrival of a new participant or the departure of a current participant.
AAPT’s recommended network is based on the GSM standard that includes in-built call encryption and SIM card authentication.
To help prevent or mitigate unauthorised usage, mobile devices can be terminated at a network level, preventing unauthorised calls from a compromised service. AAPT can also organise the blocking of a phone’s IMEI number via the network provider in the event of a phone being lost or stolen. There is no charge to you. If your IMEI number is not listed in the Lost and Stolen Register, AAPT will not be able to block that number. If you later recover your phone, the block is easy to remove and again, there is no charge to you. For further information on IMEI blocking, go to www.lost.amta.org.au.
The AAPT IPVPN is built using the RFC 4364 standard (formerly RFC 4364). The RFC defines an architecture that is widely accepted and deployed for building IPVPNs. The architecture allows routes from different VPNs with overlapping addresses to remain completely private and in separate domains. The architecture leverages multi-protocol BGP to maintain separate tables and distribute routes between Provider Edge equipment.
AAPT maintains separation between all the IPVPNs at the PE and CE level, and it is the customer’s responsibility to maintain security within the LAN and at public demarcation zones. If the LAN or the public demarcation zone were compromised the service could be susceptible. In this situation, AAPT may be able to assist with disabling access to infected sites.
The Internet by its nature is not secure and AAPT does not provide security features in the form of firewalls as part of the IP Line service. Each customer is responsible for providing any security or privacy protection that it requires for its network and any data stored on those networks or accessed through the service.
In the event of a Denial of Service (DoS) attack, the following process is followed to minimise the impact to our customers. Based on AAPT’s assessment, if there is:
- a minor DoS attack where no AAPT network impact is apparent, but the customer is impacted - and if investigations confirm that the customer is under attack - the AAPT NOC will block the IP addresses as per customer requests. This is initiated through AAPT’s helpdesk fault process.
- a major DoS attack where the AAPT network is impacted - the AAPT NOC will likely receive network alarms and will endeavour to block the source traffic from multiple source addresses.
- a DoS attack causing severe impact to AAPT infrastructure - the NOC may consider blocking traffic to the destination address to stop the DoS instantly and protect AAPT infrastructure.
For the rarer situations where the DoS attack is only coming from one source IP Address, the NOC will endeavour to ‘blackhole’ the source. That is, AAPT will discard/drop incoming traffic without informing the source that the data did not reach its intended recipient.
The AAPT Rebill service is accessed via Telstra's Public Switched Telephone Network Service and Telstra's Public Switched Integrated Digital Network Services. Rebill PSTN & ISDN allows customers to redirect charges for Telstra services which would otherwise appear on a Telstra invoice.
There are various features of the PSTN and ISDN product which can facilitate customer-driven security, including implementing permanent or automatic call barring for premium services. The customer can also request PIN access to control call barring options (service charge applies). In the case of the handling of unwelcome calls and malicious call tracing, AAPT has processes in place to ensure compliance with its regulatory obligations.