Manuals / Avaya / Communications / IP Phone

Avaya 555-245-600 manual What are you trying to protect?, What are you protecting it from?

Models: 555-245-600

1 378

Download 378 pages 58.63 Kb

Page 228

Security

What are you trying to protect?

The security policy usually attempts to protect information, whether the information is in the form of data (files) or conversations (digitized voice packets). Customers should assess the value of those assets that require protection, and compare the true costs of security to the value of those assets.

What are you protecting it from?

Most often, criminals, who are also called “hackers,” pose a significant threat to secure information. However, do not forget to look internally. A significant number of attacks come from within an enterprise. Your security policy should include rules about behavior, the consequences of bad behavior, a path of escalation, and a person to contact with regard to security issues.

How likely is a threat against these assets?

Security is always a trade-off. The more security, the more inconvenience and the more cost. To avoid the necessary inconvenience, some users are likely to subvert the security policy. For example, if you make passwords so complex so that the passwords are difficult to remember, people will write the passwords down. Users prefer easy access without security. Having to log on is inconvenient. However, everyone must endure some level of inconvenience if the system is going to be secure against attacks. The security policy must define this level of inconvenience to ensure that the security polity is not circumvented. In addition, management must support the policy, and establish clear rules for its enforcement, including the consequences for violating it. A security policy that does not establish consequences for violations quickly becomes irrelevant.

Recommendations for your security policy

Avaya recommends that you continuously review your security policy, and keep up with new threats and to make improvements each time a weakness is found. To effectively support your security policy, your company must allocate long-term resources to the development, implementation, and reassessment of the policy.

228 Avaya Application Solutions IP Telephony Deployment Guide

Image 228

Avaya 555-245-600 manual What are you trying to protect?, What are you protecting it from?

Contents

Avaya Application Solutions For full legal page information, please see the documents Contents About This Book Greenfield deployment 109 LAN switching products 163 Deploying IP Telephony 175 Voice quality network requirements 245 Getting the IP network ready for telephony 281 Quality of Service guidelines 315 Index 373 Using this book OverviewAudience Downloading this book and updates from the Web Related resources Technical assistanceWithin the US International Trademarks Sending us comments Avaya Application Solutions product guide Avaya Application Solutions IP Telephony Deployment Guide Avaya Application Solutions Communication Manager traffic flow Avaya Communication Manager Avaya serversLinux-based servers Avaya Definity Servers Avaya Media Gateways Avaya Integrated Management Avaya communication devices Avaya Communication Manager applications Avaya SIP solutions Avaya SIP application enablement Avaya Distributed Office Distributed Office Configurations Main business location Networked remote sites Distributed Office benefits Distributed Office implementationSelecting a construct I40 constructs I40 constructs AnalogT1/E1 Trunk Interface Construct Ports I120 constructs = BRI Distributed Office application module and media modules Avaya AM110 Application ModuleI120 constructs Analog 10/100 T1/E1 Streamlined Deployment Telephony media modulesLAN module Fully configured systems Provisioning status Partially configured systems From-scratch configuration Avaya Application Solutions platforms Avaya Application Solutions platforms Overview Terminology Small to mid-size enterprise Avaya G700 Media Gateway with the S8300 Server G700 hardware architecture Stand alone Office Pstn with IP Trunk link To Avaya PBXs Avaya G700 Media Gateway front view VoIP Engine complex G700 Media Gateway Processor Avaya IA770 Intuity Audix Messaging Option for S8300/G700 Voice Announcement over the LAN S8300 primary controller architecture G450 Media Gateway S8300 as an LSP G450 Features Vrrp RTP-MIB G450 physical description Supported media modules in the G450Supported media modules Media module Description Telephony media modules Additional features Voice over IP VoIPCall center capabilities WAN media modules LAN services WAN services Rapid Spanning Tree Protocol RstpPort mirroring Port redundancy Management access security features Network security featuresMedia modules necessary for each WAN line Alarms and troubleshooting features G250 and G350 Media GatewaysConverged Network Analyzer CNA test plug Link Layer Discovery Protocol Lldp G250 and G350 Features Modes of Deployment OspfPPP RIP G350 Configurations G350 Specifications Fixed ports on the G350 front panel Port Description Buttons on the G350 front panel Button DescriptionRST ASB Additional G350 functions and capacities Function Capacity TTR G250 Configurations Avaya G250 analog Media Gateway Chassis Trunk LineIsdn BRI Console G150 Media Gateway G250 DCP and G250 DS1 Media GatewaysETR IG550 Integrated Gateway Personal computers IG550 features J4350/J6350 Services Router features CLI IG550 and J4350 Services Router physical description Slot numbers on the Juniper J4350 Services Router IG550 and J6350 Services Router physical description Slot locations on J6350 Services Router TGM550 physical description TGM550 Gateway Module Supported interface modules Modules Description Series Router Physical Interface Modules Summary of services Interface module capacities Description Capacity Comments Configuring media gateway options Backup and restore Converged Network Analyzer CNA test plug IG550 maximum media gateway capacities Avaya S8400 Server TN8400AP circuit pack S8400 Server Definity CSI Small to mid-size enterprise Avaya Application Solutions platforms Avaya S8700-series Server, fiber-PNC configuration Mid-market to large enterpriseS8500 Server S8500 capacities S8720 and S8730 Servers S8700-series Servers S8700-series external features Avaya S8700-series external features Internal hardware elements Other components Control network through an Avaya Ethernet switch Avaya S8700/MCC1 fiber-PNC major components Circuit packs that support IP signaling and media traffic S8700-series / MCC1 signaling path Mid-market to large enterprise Avaya Application Solutions platforms TN2302AP Media Processor operation Media Gateways MCC1 Media Gateway SCC1 Media Gateway Center Stage Switch ATM network S8700-series fiber-PNC configuration for higher availability Standard reliability configuration Figure notes High reliability configuration S8700-series fiber-PNC in a high reliability configuration Avaya S8700-series Server IP-PNC configuration Critical reliability configurationS8700-series fiber-PNC survivability Location with another Avaya IP PBX Main components S8700-series Server IP-PNC a basic phone call S8700-series Server IP-PNC major components S8700-series IP-PNC reliability configurations S8700 IP-PNC configuration S8700 IP-PNC standard configuration Combined IP and fiber Port Network Connectivity Media Gateway Capacity Server Supported DirectReliabilities Supported Central Connect Gateways Configuration rules Capacity limit for media gateways Ipsi Mixed reliability options ESS support for combined IP-PNC and fiber-PNC configurations Processor Ethernet Avaya IP Office LSP Greenfield deployment Components needed for Greenfield deployment Servers H.323 Gatekeeper Greenfield IP Telephony deployment Avaya Communication Manager Media Gateways and Port Networks Greenfield configurations S8300 standalone solution small-to-midsize enterprise Medium-to-large enterprise solutions S8700-series / G650 IP-PNC S8700-series IP-PNC with remote G700s or G350s S8700-series IP-PNC system S8700-series with G150/G250 large number of remote branches S8700-series IP-PNC with remote G700 or G350s Required circuit packs for S8700-series configuration Signaling path S8700 / G650 configuration Media flow path S8700 IP-PNC configuration Evolution from circuit-switched to IP Phase 1 Processor replacement Migration from Definity Server R to S8700 fiber-PNC S8700-series Servers fiber-PNC configuration Phase 2 IP-enable the Port Networks to support IP endpoints IP-enabled Definity configuration Phase 3 Server consolidation IP-enabling the S8700 fiber-PNC configuration S8700 / G700 / G350 system with Local Survivable Processors Voice and multimedia networking Intelligent networking and call routing IP Port Network / Media Gateway connectivity Media Gateway control Call Processing Communication Manager gatekeepersRegistration and alternate gatekeeper list Call signaling Discovery and registration process to the gatekeeper Media stream handling Media processor circuit packs VoIP resourcesDtmf tone handling Media stream for audio conferencing Separation of Bearer and Signaling SBS Multi-location Modem/Fax/TTY over IP Fax, Modem, and TTYoIP options Relay Pass-thruOff Modem Off IP-based trunks Fax, Modem, and TTYoIP options Trunk signaling IP tie trunks Avaya SIP Enablement Services SES Overview SES ServerSamp Communication Manager as the SIP Feature Server SES NetworkSES Edge Server SES Core Router SIP Endpoints Features SIP AdjunctsSIP Endpoints Home-edge single box solution SIP deployment scenariosSIP and DNS Typical home/edge configuration Multi-home multi-Communication Manager system Multi-home multi-Communication Manager configuration Multi-home single Communication Manager system Multi-home single Communication Manager configuration Call processing Avaya-Toshiba Solution Avaya-Toshiba Solution Avaya G860 Media Gateway G860 Front view G860 Components System Controller Board Configuration with Avaya Communication Manager G860 Trunk Media Processing Module TP-6310 Example configuration for call center Mobility Communication applicationsIP Telephones or IP Softphones Extension to Cellular Call Center Call Center applications Messaging Compact Call Center Unified Communication Center Avaya Call Management System CMSConferencing systems Meet-me conferencing Avaya Meeting Exchange Solutions Meeting Exchange Enterprise Edition TDM Meeting Exchange Web Conferencing Networks Video Telephony Solutions Meeting Exchange Express Edition Computer Telephony Integration CTI Application Programming Interfaces APIs Best Services Routing BSR polling Page Avaya C360 converged stackable switches C363T Converged Stackable switch Features of the C360 converged stackable switches C363T-PWR Converged Stackable switch Layer 2 features Stacking Layer 3 features Management Switches from Extreme Networks Power over Ethernet PoE Avaya Power over Ethernet PoE switches Available PoE Switch Options Midspan Power Units 1152A1 Power Distribution UnitPower priority mechanism Designed usage Power modes Avaya IP Telephones Barrel connector through brick transformerPower using adapters Interoperability with Wireless Access Point products 1152B Power Distribution Units 1152B Midspan Power Distribution Units Avaya Model NumberSummary Number Ports Converged infrastructure security gateways VPN ClientSG200 SG203 and SG208 VPN Client Page Deploying IP Telephony Avaya Application Solutions IP Telephony Deployment Guide Traffic engineering Introduction Design inputs Topology Design inputs Endpoint specifications Endpoint traffic usage Example 1 configuration data Endpoints Atlanta Boston Example 1 Station usageDCP Additional design criteria Preliminary calculations Call usage rates Communities of interest Traffic engineering Call usage rates Example 2 Uniform Distribution model Erlangs Traffic engineering Call usage rates ⎛ number of stations in Site i ⎞ ⋅ total outbound CUR Expanded COI matrices Example 3 Empirical approach for existing systems Example 4 Expanded COI matrices From endpoints in Site To endpoints in Site Endpoints in a three-site system Atlanta Boston Cleveland 12.7 Number of type t stations in Site Site From COIs for multiple-site networks Network of Avaya systems and system sites Resource sizing Overview Signaling resources Media processing and TDM resources Examples of media streams between Avaya endpoints IP-TDM-IP connectivity HairpinningShuffling Connectivity modes between two IP endpoints Intra-site TDM and Media Processing resource requirements Inter-site TDM and Media Processing resource requirements COI Example 5 TDM and media processing usage Re-categorization of CURs from Table Endpoints Totals Traffic engineering Erlangs G700 MGs 320 Processing occupancy Relationship Between Processing Occupancy and Bhcc Rate SIP traffic engineering Direct media connect shuffling LAN allocation and SIP trunks SIP specific features RegistrationSubscription and notification Instant messaging IP bandwidth and Call Admission Control Communication Manager and SES server processor occupancy COI Matrix Example 6 IP bandwidth considerations Resource sizing Payload size per packet Packet 711 729 Bits Example 7 LAN bandwidth Example 8 WAN bandwidth Resource sizing Physical resource placement Final checks and adjustments Avaya Distributed Office Traffic engineering Security Your security policy What are you trying to protect? What are you protecting it from?How likely is a threat against these assets? Recommendations for your security policy Built-in Linux security features Avaya Communication Manager and ServersProprietary vs. open operating systems One-time passwords Shell accessAvaya capitalizes on Linux’ security advantage Root access Remote access Secure access Monitoring and alarming LAN isolation configurations Data encryptionS8700 with Avaya MCC1 or SCC1 Media Gateways Security S8700-series Server with Avaya G650 Media Gateways Virus and worm protection Testing EnvironmentRecommendations for network security IP Telephony circuit pack security TN2312BP IP Server Interface IpsiTelnet TN2302AP and TN2602AP Media Processors Control link Toll fraud TN799DP Control LAN C-LAN Avaya’s security design Hacking methods Your toll fraud responsibilities Toll fraud indemnificationAdditional toll fraud resources Security Audit Service Security Tune-up ServiceToll Fraud Intervention Hotline Avaya Security HandbookPage Network delay Voice quality network requirements Codec delay Jitter Packet loss Network packet loss Echo Packet loss concealment PLC Signal levels Echo and Signal Levels CodecsTone Levels PCM CS-ACELPACELPMP-MLQ Silence suppression/VAD Codec and H.248 Media Gateways Transcoding/tandeming CNA Application Performance Rating Issue 6 January 2008 Available application models VoiceVideo conferencing Enterprise model Integrated Management overview documents Avaya Integrated Management offers Administration Tools Offer VoIP Monitoring Management Offer Enterprise Network Management Offer System Management Offer Third-party network management products Multi Router Traffic Grapher Network management models HP OpenView Network Node Manager Distributed component Centralized hybrid Centralized management model Page Reliability and Recovery Reliability IPTDG43 Survivability solutions S8700-series Server Separation Release 3.0 system example Enterprise survivable servers ESS ESS System Capacities ESS and H.248 Media GatewaysESS and Adjunct Survivability Connection preserving upgrades for duplex servers Inter Gateway Alternate Routing IgarR2MFC Media Gateway recovery via LSP Survivability for branch office media gateways Modem dial-up backup S8300/G700/G350 configuration Auto fallback process IP endpoint recovery IP endpoint recovery Recovery algorithm IP Endpoint Time to Service Converged Network Analyzer for network optimization Changes in IP end pointsOperation with NAT/Firewall Environment IP endpoint recovery Page Getting the IP network ready for telephony Avaya Application Solutions IP Telephony Deployment Guide IP Telephony network engineering overview Access Layers in a hierarchical network Description CoreDistribution Voice quality Jitter Packet loss maximum packet/ frame loss between endpoints Best practices Common issues LAN issues General guidelines Ethernet switches Speed and duplex VLANs Vlan definedPort or native Vlan Trunk configuration Vlan binding feature C360Configured option Mod/port vid WAN QoS Codec selection and compressionRecommendations for QoS Serialization delay Network designRouting protocols and convergence Frame Relay Overview of frame relayMultipath routing Frame relay issue and alternatives Committed information rate burst range Mpls Additional frame relay information VPN Convergence advantages Managing IP Telephony VPN issues Communication security Firewall technologies Network management and outsourcing models NAT Conclusion IP Telephony without NAT Converged network design Design and ManagementDesign for Simplicity Design for Manageability Design for Scalability Topologies Server Cluster Layers Layered Server Cluster Topology Integrated high density switch topology Redundancy Redundant connections Layer Sample spanning tree Vrrp configured for Core Access References for Converged network design on Page Quality of Service guidelines CoS Comparison of Dscp with original TOS IP precedence bits ToS bits Layer 2 QoS Layer 3 QoS Serialization delay matrix QoS guidelinesPacket size Line 128 256 512 1024 1500 Speed Bytes Layer 3 QoS Ieee 802.1 p/Q 802.1Q tag DiffServ Recommendations for end-to-end QoS Differentiated Services DiffServ TOS byte Original TOS specification Bit Value Use Description CRITIC/ECP Queuing methods Round-robin CB-WFQ / LLQ / CBQ Traffic shaping and policing Frame Relay traffic shaping Fragmentation MTU FRF.12 Application perspective Network perspective Recommendations for RTP header compression Equipment configuration for RTP header compression test RTP header compression test Configuration Examples of QoS implementation High-quality service across a congested WAN link Assumptions for Example Administration commands for Example Command Meaning CommandMeaning Example 2 C-LANS cannot tag their traffic Example 3 More restrictions on the traffic Converged infrastructure LAN switches X330 WAN Module Trust packet tagging Network recovery Change control Layer 2 mechanisms to increase reliability Spanning treeLink Aggregation Groups Layer 3 availability mechanisms Routing protocolsVrrp and Hsrp Dial backup Multipath routing Convergence times Ospf RIP Converged Network Analyzer Converged Network Analyzer CNA components Simultaneous monitoring of all paths Headquarters CNA deployment Measurement plane Configuration and deployment details Controlling edge routers Problems with data networks Avaya network readiness assessment services Basic network readiness assessment service What if my network functions well today? Site Configuration Survey Survey Detailed network readiness assessment service Vital Agent analysis Detailed network readiness assessment process Customer can Data for individual Professional Customer responsibilities DiscoveryElement monitoring Synthetic IP Telephony measurements Remote analysisReport generation Customer deliverables Page Appendix a CNA configuration and deployment Configuring CNA Basic configurationConfiguring Virtual Module Interfaces Default Gateway Service Provider Access Links BGP on the Engine Module Measurements Assigning USTATs to ProvidersUstat GRE Tunnels Decision making Configuring the Routers Edge Router GRE Tunnel Interfaces Route Maps Interface Tunnel1 Description GRE to provider1 Routing Configuration VIP Routing Route Reflection Bgp cluster-id Command summary CNA commands Route-assert-filter force link provider1 Router Ra commands Router Rb commands Interface Tunnel2 description GRE to provider2Page Index CSS NAT LFI LAN WAN