IP Telephony circuit pack security

FTP

An FTP service exists, but is disabled by default. Communication Manager must enable the FTP service, and only does so for firmware downloads. Once the FTP service is started, Communication Manager initiates the client-side of the FTP protocol, and then transfers a new firmware file to the IPSI. Once the transfer is complete, the FTP service is automatically disabled. A 5-minute time-out is enforced to guard against cases where the firmware download is started but terminated prematurely. When time-out occurs, the FTP service is disabled until a new command from Communication Manager enables it again.

DHCP

In S8700 fiber-PNC systems only, the IPSI has the ability to receive its IP address information from the S8700-series Server through DHCP. This DHCP service only runs on the control network, and does not connect to a customer's LAN. Avaya has also implemented mechanisms for restricting this DHCP service, so that non-IPSIs do not receive an IP address and IPSIs do not receive an address from a non-S8700-series Server.

Control link

In order to communicate with the S8700-series Server, the IPSI establishes a control link. This link is encrypted through Triple-DES (3DES) by default, although AES is also available. The control link is not open for communication to or from any other entity than the S8700-series Server.

TN2302AP and TN2602AP Media Processors

The TN2302AP IP Media Processor and the TN2602AP IP Media Resource 320 circuit packs are the interfaces to the audio gateway portion of IP Telephony. These circuit packs:

Use isolated/proprietary operating systems, so they are not susceptible to known viruses.

Run independently of administrator traffic in order to maintain an isolated security domain, protecting against attacks that exploit trusted relationships.

Establish audio connections and only respond to a connection when a corresponding signaling connection is established.

Successfully survive some Denial of Service (DoS) attacks, including SynFlood, and are very resilient to flood-based attacks.

Because of the proprietary operating systems, limited number of open ports, and reliance on UDP sessions, the TN2302AP and TN2602AP are very secure, and are difficult to take out of service. Regardless, the TN2302AP and TN2602AP are completely independent of the administration, maintenance, or reliability of the Avaya Media Gateways, so they cannot be used as “jumping points” to the Media Gateways.

Issue 6 January 2008 239

Page 238 Page 240
Page 239
Image 239
Avaya 555-245-600 manual TN2302AP and TN2602AP Media Processors, Control link
Page 238 Page 240
Top Page Image Contents