Manuals / Avaya / Communications / IP Phone

Avaya 555-245-600 manual Security, Your security policy

Models: 555-245-600

1 378

Download 378 pages 58.63 Kb

Page 227

Security

This chapter discusses the security design and features for Avaya Communication Manager, and how to operate Avaya systems securely.

Note:

Because this information is valuable both to those who want to protect the system and to those who seek to “hack” into those systems, the information in this section is deliberately incomplete. For example, we discuss the use of one-time passwords for user authentication, but not the mechanism of how this feature works.

Earlier systems did not interface with the data network and were neither susceptible to the types of attacks that are prevalent on those networks, nor provided a gateway into such networks from which an attack might be launched. With the convergence of voice (IP Telephony) and data over corporate enterprise networks, this is no longer true.

The main topics included in this chapter are:

●Your security policy

●Avaya Communication Manager and Servers

●IP Telephony circuit pack security

●Toll fraud

For additional information about IP Telephony security, see Security Design and Implementation for Avaya Voice over IP, 03-601973.

Your security policy

System security does not begin with the system itself, but with the people and the organizations that operate or use the system. One of the most important tools for securing a system is to have a written, published, and enforceable security policy. Your security policy should clearly address these questions:

●What are you trying to protect?

●What are you protecting it from?

●How likely is a threat against these assets?

Issue 6 January 2008 227

Image 227

Avaya 555-245-600 manual Security, Your security policy

Contents

Avaya Application Solutions For full legal page information, please see the documents About This Book ContentsGreenfield deployment 109 LAN switching products 163 Deploying IP Telephony 175 Voice quality network requirements 245 Getting the IP network ready for telephony 281 Quality of Service guidelines 315 Index 373 Audience Using this bookOverview Downloading this book and updates from the Web International Related resourcesTechnical assistance Within the USSending us comments TrademarksAvaya Application Solutions product guide Avaya Application Solutions IP Telephony Deployment Guide Avaya Application Solutions Communication Manager traffic flow Avaya Definity Servers Avaya Communication ManagerAvaya servers Linux-based serversAvaya Integrated Management Avaya Media GatewaysAvaya Communication Manager applications Avaya communication devicesAvaya SIP application enablement Avaya SIP solutionsAvaya Distributed Office Distributed Office Configurations Networked remote sites Main business locationSelecting a construct Distributed Office benefitsDistributed Office implementation Trunk Interface Construct Ports I40 constructsI40 constructs Analog T1/E1= BRI I120 constructsI120 constructs Analog 10/100 T1/E1 Distributed Office application module and media modulesAvaya AM110 Application Module LAN module Streamlined DeploymentTelephony media modules Provisioning status Fully configured systemsFrom-scratch configuration Partially configured systemsAvaya Application Solutions platforms Avaya Application Solutions platforms Overview Terminology Avaya G700 Media Gateway with the S8300 Server Small to mid-size enterpriseStand alone Office Pstn with IP Trunk link To Avaya PBXs G700 hardware architectureAvaya G700 Media Gateway front view G700 Media Gateway Processor VoIP Engine complexVoice Announcement over the LAN Avaya IA770 Intuity Audix Messaging Option for S8300/G700S8300 primary controller architecture S8300 as an LSP G450 Media GatewayG450 Features Vrrp RTP-MIB Telephony media modules G450 physical descriptionSupported media modules in the G450 Supported media modules Media module DescriptionWAN media modules Additional featuresVoice over IP VoIP Call center capabilitiesLAN services Port redundancy WAN servicesRapid Spanning Tree Protocol Rstp Port mirroringMedia modules necessary for each WAN line Management access security featuresNetwork security features Link Layer Discovery Protocol Lldp Alarms and troubleshooting featuresG250 and G350 Media Gateways Converged Network Analyzer CNA test plugG250 and G350 Features RIP Modes of DeploymentOspf PPPG350 Configurations Fixed ports on the G350 front panel Port Description G350 SpecificationsASB Buttons on the G350 front panelButton Description RSTTTR Additional G350 functions and capacities Function CapacityAvaya G250 analog Media Gateway Chassis G250 ConfigurationsConsole TrunkLine Isdn BRIETR G150 Media GatewayG250 DCP and G250 DS1 Media Gateways IG550 Integrated Gateway Personal computers IG550 features J4350/J6350 Services Router features CLI Slot numbers on the Juniper J4350 Services Router IG550 and J4350 Services Router physical descriptionSlot locations on J6350 Services Router IG550 and J6350 Services Router physical descriptionTGM550 Gateway Module TGM550 physical descriptionSeries Router Physical Interface Modules Supported interface modules Modules DescriptionInterface module capacities Description Capacity Comments Summary of servicesConfiguring media gateway options Converged Network Analyzer CNA test plug Backup and restoreIG550 maximum media gateway capacities Avaya S8400 Server Definity CSI TN8400AP circuit pack S8400 ServerSmall to mid-size enterprise Avaya Application Solutions platforms S8500 capacities Avaya S8700-series Server, fiber-PNC configurationMid-market to large enterprise S8500 ServerS8700-series Servers S8720 and S8730 ServersAvaya S8700-series external features S8700-series external featuresOther components Internal hardware elementsAvaya S8700/MCC1 fiber-PNC major components Control network through an Avaya Ethernet switchS8700-series / MCC1 signaling path Circuit packs that support IP signaling and media trafficMid-market to large enterprise Avaya Application Solutions platforms TN2302AP Media Processor operation Media Gateways MCC1 Media Gateway SCC1 Media Gateway ATM network Center Stage SwitchStandard reliability configuration S8700-series fiber-PNC configuration for higher availabilityFigure notes High reliability configuration S8700-series fiber-PNC in a high reliability configuration S8700-series fiber-PNC survivability Avaya S8700-series Server IP-PNC configurationCritical reliability configuration Location with another Avaya IP PBX S8700-series Server IP-PNC a basic phone call Main componentsS8700-series Server IP-PNC major components S8700-series IP-PNC reliability configurations S8700 IP-PNC standard configuration S8700 IP-PNC configurationCombined IP and fiber Port Network Connectivity Central Connect Gateways Media Gateway CapacityServer Supported Direct Reliabilities SupportedCapacity limit for media gateways Configuration rulesIpsi Mixed reliability options Processor Ethernet ESS support for combined IP-PNC and fiber-PNC configurationsLSP Avaya IP OfficeComponents needed for Greenfield deployment Greenfield deploymentGreenfield IP Telephony deployment Servers H.323 GatekeeperMedia Gateways and Port Networks Avaya Communication ManagerS8300 standalone solution small-to-midsize enterprise Greenfield configurationsS8700-series / G650 IP-PNC Medium-to-large enterprise solutionsS8700-series IP-PNC system S8700-series IP-PNC with remote G700s or G350sS8700-series IP-PNC with remote G700 or G350s S8700-series with G150/G250 large number of remote branchesRequired circuit packs for S8700-series configuration Signaling path S8700 / G650 configuration Media flow path S8700 IP-PNC configuration Evolution from circuit-switched to IP Migration from Definity Server R to S8700 fiber-PNC Phase 1 Processor replacementS8700-series Servers fiber-PNC configuration IP-enabled Definity configuration Phase 2 IP-enable the Port Networks to support IP endpointsIP-enabling the S8700 fiber-PNC configuration Phase 3 Server consolidationS8700 / G700 / G350 system with Local Survivable Processors Intelligent networking and call routing Voice and multimedia networkingMedia Gateway control IP Port Network / Media Gateway connectivityRegistration and alternate gatekeeper list Call ProcessingCommunication Manager gatekeepers Discovery and registration process to the gatekeeper Call signalingMedia stream for audio conferencing Media stream handlingMedia processor circuit packs VoIP resources Dtmf tone handlingSeparation of Bearer and Signaling SBS Modem/Fax/TTY over IP Multi-locationModem Off Fax, Modem, and TTYoIP options RelayPass-thru OffFax, Modem, and TTYoIP options IP-based trunksIP tie trunks Trunk signalingAvaya SIP Enablement Services SES Samp OverviewSES Server SES Core Router Communication Manager as the SIP Feature ServerSES Network SES Edge ServerSIP Endpoints SIP Endpoints FeaturesSIP Adjuncts SIP and DNS Home-edge single box solutionSIP deployment scenarios Multi-home multi-Communication Manager system Typical home/edge configurationMulti-home multi-Communication Manager configuration Multi-home single Communication Manager system Multi-home single Communication Manager configuration Call processing Avaya-Toshiba Solution Avaya-Toshiba Solution Avaya G860 Media Gateway G860 Front view System Controller Board G860 ComponentsG860 Trunk Media Processing Module TP-6310 Configuration with Avaya Communication ManagerExample configuration for call center Extension to Cellular MobilityCommunication applications IP Telephones or IP SoftphonesCall Center applications Call CenterCompact Call Center MessagingMeet-me conferencing Unified Communication CenterAvaya Call Management System CMS Conferencing systemsMeeting Exchange Enterprise Edition Avaya Meeting Exchange SolutionsTDM Networks Meeting Exchange Web ConferencingMeeting Exchange Express Edition Video Telephony SolutionsApplication Programming Interfaces APIs Computer Telephony Integration CTIBest Services Routing BSR polling Page C363T Converged Stackable switch Avaya C360 converged stackable switchesC363T-PWR Converged Stackable switch Features of the C360 converged stackable switchesStacking Layer 2 featuresManagement Layer 3 featuresPower over Ethernet PoE Switches from Extreme NetworksAvailable PoE Switch Options Avaya Power over Ethernet PoE switchesDesigned usage Midspan Power Units1152A1 Power Distribution Unit Power priority mechanismInteroperability with Wireless Access Point products Power modes Avaya IP TelephonesBarrel connector through brick transformer Power using adaptersNumber Ports 1152B Power Distribution Units1152B Midspan Power Distribution Units Avaya Model Number SummarySG203 and SG208 Converged infrastructure security gatewaysVPN Client SG200VPN Client Page Deploying IP Telephony Avaya Application Solutions IP Telephony Deployment Guide Introduction Traffic engineeringTopology Design inputsDesign inputs Endpoint traffic usage Endpoint specificationsDCP Example 1 configuration data Endpoints Atlanta BostonExample 1 Station usage Preliminary calculations Additional design criteriaCommunities of interest Call usage ratesTraffic engineering Call usage rates Example 2 Uniform Distribution model Erlangs Traffic engineering Call usage rates ⎛ number of stations in Site i ⎞ ⋅ total outbound CUR Example 3 Empirical approach for existing systems Expanded COI matricesFrom endpoints in Site To endpoints in Site Example 4 Expanded COI matricesEndpoints in a three-site system Atlanta Boston Cleveland 12.7 Number of type t stations in Site From SiteNetwork of Avaya systems and system sites COIs for multiple-site networksOverview Resource sizingSignaling resources Examples of media streams between Avaya endpoints Media processing and TDM resourcesShuffling IP-TDM-IP connectivityHairpinning Connectivity modes between two IP endpoints Intra-site TDM and Media Processing resource requirements COI Inter-site TDM and Media Processing resource requirementsExample 5 TDM and media processing usage Re-categorization of CURs from Table Endpoints Totals Traffic engineering Erlangs G700 MGs 320 Processing occupancy Relationship Between Processing Occupancy and Bhcc Rate Direct media connect shuffling SIP traffic engineeringLAN allocation and SIP trunks Instant messaging SIP specific featuresRegistration Subscription and notificationCommunication Manager and SES server processor occupancy IP bandwidth and Call Admission ControlCOI Matrix Example 6 IP bandwidth considerations Resource sizing Bits Payload size per packet Packet 711 729Example 7 LAN bandwidth Example 8 WAN bandwidth Resource sizing Final checks and adjustments Physical resource placementAvaya Distributed Office Traffic engineering Your security policy SecurityRecommendations for your security policy What are you trying to protect?What are you protecting it from? How likely is a threat against these assets?Proprietary vs. open operating systems Built-in Linux security featuresAvaya Communication Manager and Servers Avaya capitalizes on Linux’ security advantage One-time passwordsShell access Remote access Root accessMonitoring and alarming Secure accessS8700 with Avaya MCC1 or SCC1 Media Gateways LAN isolation configurationsData encryption Security S8700-series Server with Avaya G650 Media Gateways Virus and worm protection Recommendations for network security TestingEnvironment Telnet IP Telephony circuit pack securityTN2312BP IP Server Interface Ipsi Control link TN2302AP and TN2602AP Media ProcessorsTN799DP Control LAN C-LAN Toll fraudHacking methods Avaya’s security designAdditional toll fraud resources Your toll fraud responsibilitiesToll fraud indemnification Avaya Security Handbook Security Audit ServiceSecurity Tune-up Service Toll Fraud Intervention HotlinePage Voice quality network requirements Network delayCodec delay Packet loss JitterNetwork packet loss Packet loss concealment PLC EchoSignal levels Tone Levels Echo and Signal LevelsCodecs ACELPMP-MLQ PCMCS-ACELP Codec and H.248 Media Gateways Silence suppression/VADCNA Application Performance Rating Transcoding/tandemingIssue 6 January 2008 Enterprise model Available application modelsVoice Video conferencingAvaya Integrated Management offers Integrated Management overview documentsVoIP Monitoring Management Offer Administration Tools OfferSystem Management Offer Enterprise Network Management OfferMulti Router Traffic Grapher Third-party network management productsHP OpenView Network Node Manager Network management modelsCentralized hybrid Distributed componentCentralized management model Page Reliability and Recovery IPTDG43 ReliabilitySurvivability solutions Release 3.0 system example S8700-series Server SeparationEnterprise survivable servers ESS ESS and Adjunct Survivability ESS System CapacitiesESS and H.248 Media Gateways R2MFC Connection preserving upgrades for duplex serversInter Gateway Alternate Routing Igar Survivability for branch office media gateways Media Gateway recovery via LSPS8300/G700/G350 configuration Modem dial-up backupAuto fallback process IP endpoint recovery IP endpoint recoveryRecovery algorithm IP Endpoint Time to Service Operation with NAT/Firewall Environment Converged Network Analyzer for network optimizationChanges in IP end points IP endpoint recovery Page Getting the IP network ready for telephony Avaya Application Solutions IP Telephony Deployment Guide IP Telephony network engineering overview Distribution AccessLayers in a hierarchical network Description Core Voice quality Packet loss maximum packet/ frame loss between endpoints JitterBest practices Common issues General guidelines LAN issuesSpeed and duplex Ethernet switchesPort or native Vlan VLANsVlan defined Mod/port vid Trunk configurationVlan binding feature C360 Configured optionWAN Recommendations for QoS QoSCodec selection and compression Routing protocols and convergence Serialization delayNetwork design Multipath routing Frame RelayOverview of frame relay Committed information rate burst range Frame relay issue and alternativesAdditional frame relay information MplsConvergence advantages VPNCommunication security Managing IP Telephony VPN issuesNetwork management and outsourcing models Firewall technologiesConclusion NATIP Telephony without NAT Design for Simplicity Converged network designDesign and Management Design for Scalability Design for ManageabilityServer Cluster TopologiesLayered Server Cluster Topology LayersRedundancy Integrated high density switch topologyRedundant connections Layer Sample spanning tree Vrrp configured for Core Access References for Converged network design on Page CoS Quality of Service guidelinesIP precedence bits ToS bits Comparison of Dscp with original TOSLayer 3 QoS Layer 2 QoSPacket size Line 128 256 512 1024 1500 Speed Bytes Serialization delay matrixQoS guidelines Layer 3 QoS 802.1Q tag Ieee 802.1 p/QRecommendations for end-to-end QoS DiffServDifferentiated Services DiffServ TOS byte CRITIC/ECP Original TOS specification Bit Value Use DescriptionRound-robin Queuing methodsCB-WFQ / LLQ / CBQ Frame Relay traffic shaping Traffic shaping and policingMTU FragmentationApplication perspective FRF.12Recommendations for RTP header compression Network perspectiveRTP header compression test Equipment configuration for RTP header compression testConfiguration Examples of QoS implementation Assumptions for Example High-quality service across a congested WAN linkCommand Meaning Administration commands for ExampleExample 2 C-LANS cannot tag their traffic CommandMeaningExample 3 More restrictions on the traffic X330 WAN Module Converged infrastructure LAN switchesTrust packet tagging Change control Network recoveryLink Aggregation Groups Layer 2 mechanisms to increase reliabilitySpanning tree Vrrp and Hsrp Layer 3 availability mechanismsRouting protocols Multipath routing Dial backupOspf RIP Convergence timesConverged Network Analyzer Converged Network Analyzer CNA components Headquarters CNA deployment Measurement plane Simultaneous monitoring of all pathsControlling edge routers Configuration and deployment detailsAvaya network readiness assessment services Problems with data networksWhat if my network functions well today? Basic network readiness assessment serviceSurvey Site Configuration SurveyVital Agent analysis Detailed network readiness assessment serviceDetailed network readiness assessment process Customer can Data for individual Professional Element monitoring Customer responsibilitiesDiscovery Report generation Synthetic IP Telephony measurementsRemote analysis Customer deliverables Page Appendix a CNA configuration and deployment Default Gateway Configuring CNABasic configuration Configuring Virtual Module InterfacesBGP on the Engine Module Service Provider Access LinksUstat GRE Tunnels MeasurementsAssigning USTATs to Providers Decision making Edge Router GRE Tunnel Interfaces Configuring the RoutersInterface Tunnel1 Description GRE to provider1 Route MapsVIP Routing Routing ConfigurationBgp cluster-id Route ReflectionCNA commands Command summaryRoute-assert-filter force link provider1 Router Ra commands Interface Tunnel2 description GRE to provider2 Router Rb commandsPage Index CSS NAT LFI LAN WAN