Reporting incidents and weaknesses, management of incidents. Information security, business continuity and disaster recovery planning. Compliance with legal requirements, security policy, and applicable laws and regulations. A widely recognized source for IT best practices is the ISO standard, which you can find at www.

Enforce physical security
Physical security is essential, and it forms the basis for many other security efforts. It requires suitable emergency preparedness, reliable power supplies, adequate climate control, and appropriate protection from intruders.
All Web access to Avaya S and S servers is through a secure connection; unencrypted Web access is not supported. Media Servers also support one-time passwords for logins through these mechanisms, providing another layer of secure access. Guest accounts should be disabled. All users should be required to use strong passwords and to change them periodically.
Consider a VPN that supports two-factor authentication such as smart cards, hardware tokens, or biometrics.

Unify network management
Network management tools that are used on the data network should also be used to monitor the entire converged infrastructure.
This is one of the advantages of a converged network. Existing network management tools may need to be updated to reflect the enhanced requirements of a VoIP network. If possible, segregate management traffic onto an out-of-band, dedicated management network.
Confirm user identity
Confirming user identity is a key part of implementing a secure environment. Avaya handsets support this feature.
Host-based intrusion detection systems (HIDS) are software mechanisms on hosts, gateways, and servers that watch for anomalous behavior that could indicate a security issue. HIDS typically log these events to a central logging server. Network-based intrusion detection systems (NIDS) are dedicated devices that monitor and analyze network traffic in real time and report anomalies to a central logging server. HIDS, NIDS, firewalls, switches, routers, and practically everything else in a network create event and audit logs that should be forwarded to a central log server, which makes it easier to detect and understand complex events.
This understanding is achieved through correlation: the intelligence in the log server software detects significant events by considering the log entries arriving from many devices together. For example, a handful of failed authentication attempts on each of a large number of devices, insignificant on any one device, could together signal an organized attack that requires attention.
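The correlation described above, as an added example that is not part of the original page or of any Avaya product: a small sliding-window correlator run over constructed syslog-style lines. The hostnames, addresses and the log format are assumptions made for the illustration. The point it makes is that a per-device threshold never fires (each device sees one failure), while grouping by source address across devices does.

```python
"""Cross-device correlation of low-rate authentication failures.

Added illustration, not code from the page or from Avaya. The syslog-style
lines, hostnames and addresses below are constructed for the example.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one failed login per device from a single source,
# plus an ordinary user typo followed by a successful login.
SAMPLE_LOGS = """\
2024-05-01T10:00:01 pbx-gw1 sshd: Failed password for admin from 203.0.113.7
2024-05-01T10:00:09 pbx-gw2 sshd: Failed password for admin from 203.0.113.7
2024-05-01T10:00:15 core-sw1 login: Failed password for admin from 203.0.113.7
2024-05-01T10:00:22 edge-rtr1 sshd: Failed password for root from 203.0.113.7
2024-05-01T10:00:30 media-srv1 sshd: Failed password for admin from 203.0.113.7
2024-05-01T10:00:41 pbx-gw3 sshd: Failed password for admin from 203.0.113.7
2024-05-01T10:03:00 pbx-gw1 sshd: Failed password for alice from 198.51.100.22
2024-05-01T10:03:04 pbx-gw1 sshd: Accepted password for alice from 198.51.100.22
"""

FAIL_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) \S+: Failed password for (?P<user>\S+) "
    r"from (?P<src>\d+\.\d+\.\d+\.\d+)$"
)


def parse_failures(text):
    """Return (timestamp, host, user, source) tuples for failed-login lines."""
    events = []
    for line in text.splitlines():
        m = FAIL_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["host"], m["user"], m["src"]))
    return events


def per_device_threshold_fires(events, threshold=3):
    """A naive per-device rule: alert only if one host sees >= threshold failures."""
    per_host = defaultdict(int)
    for _, host, _, _ in events:
        per_host[host] += 1
    return any(n >= threshold for n in per_host.values())


def correlate(events, window=timedelta(minutes=5), min_hosts=3):
    """Alert when one source fails on >= min_hosts distinct hosts within a window.

    Groups failures by source address, slides a time window over each
    source's failures, and keeps the largest set of distinct hosts seen
    inside any one window.
    """
    by_src = defaultdict(list)
    for ts, host, user, src in events:
        by_src[src].append((ts, host, user))

    alerts = []
    for src, evs in by_src.items():
        evs.sort()
        best_hosts, start = set(), 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1
            hosts = {h for _, h, _ in evs[start:end + 1]}
            if len(hosts) > len(best_hosts):
                best_hosts = hosts
        if len(best_hosts) >= min_hosts:
            alerts.append({
                "src": src,
                "distinct_hosts": len(best_hosts),
                "hosts": sorted(best_hosts),
                "users": sorted({u for _, _, u in evs}),
            })
    return alerts


if __name__ == "__main__":
    evs = parse_failures(SAMPLE_LOGS)
    print("per-device rule fires:", per_device_threshold_fires(evs))
    for alert in correlate(evs):
        print("correlated alert:", alert)
```

In practice the window and host threshold are tuned to the site: the interesting signal is breadth across devices, not depth on one device, which is why the grouping key is the source address rather than the host.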
The purpose of penetration testing is to detect security vulnerabilities on network devices so that they can be repaired. It is much better to find and fix vulnerabilities before hackers find them for you.

Ensure logical segregation
Logically segregating voice and data networks is recommended to prevent data network problems from affecting voice traffic, and vice versa.
Segregating customer traffic (voice or data) from administrative traffic (network management, command and control, and so on) is again a good idea. Segregation keeps problems in one logical network from adversely affecting other networks. Logically separating voice and data traffic with VLANs is a good way to segregate networks without adding physical infrastructure.
When voice traffic is introduced into a data network, it becomes critical that priority be given to the voice packets to ensure the expected quality of voice calls. The mechanisms used to accomplish this are generally called traffic shaping. Traffic shaping relies on concepts such as classification, queue disciplines, scheduling, congestion management, quality of service (QoS), class of service (CoS), and fairness.

Firewalls are points of traffic control between networks.
Using a set of site-defined rules, firewalls either pass or block network traffic entering and leaving a network based on its traffic type, source, and destination. NAT (Network Address Translation), together with private IP addressing, provides another layer of control for your network.

Use encryption
All communication between network elements should be encrypted if possible. Complete handset-to-handset IP voice encryption is recommended to mitigate the threat of eavesdropping.
All access to remote administrative functions should be restricted to connections to the switch itself or to a designated management PC. Encryption is the most effective means of mitigating eavesdropping or call interception. Media (payload) encryption is an important piece of the VoIP security puzzle, but in most cases an attacker who can access the signaling channel will obtain information about a call that is almost as valuable as the call content.
Analysis of the signaling channel, for example, could allow an attacker to gather the duration, endpoints, and other parameters of incoming and outgoing calls. The term phreaker (coined from the words phone and freak) refers to an individual who attempts to exploit telephone systems by committing telephone fraud. In multi-office deployments, using VPN-based encryption ensures that any traffic that goes over the public infrastructure is secure.

Issues to consider
Note that implementing some security measures, such as firewalls, can degrade VoIP quality.
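To make the signaling-channel point concrete, here is an added example (not from the original page and not Avaya code) that reconstructs call records from a constructed capture of unencrypted SIP messages. The extensions, addresses, Call-IDs and timestamps are assumptions for the illustration, and only the start line and the From, To and Call-ID headers are modelled. Nothing here touches the media stream: even if the RTP were encrypted end to end, this much is recoverable from signaling sent in the clear.

```python
"""Reconstructing call metadata from unencrypted SIP signaling.

Added illustration, not code from the page or from Avaya. The captured
messages, extensions and addresses are constructed; only the SIP start
line and the From/To/Call-ID headers are modelled.
"""
import re
from datetime import datetime

# Constructed capture: (timestamp, raw SIP message without body). The
# media for these calls could be encrypted and this analysis would still work.
CAPTURE = [
    ("2024-05-01T09:15:00",
     "INVITE sip:2002@pbx.example.net SIP/2.0\r\n"
     "From: <sip:1001@pbx.example.net>;tag=a1\r\n"
     "To: <sip:2002@pbx.example.net>\r\n"
     "Call-ID: c1@10.1.20.11\r\n"),
    ("2024-05-01T09:15:04",
     "SIP/2.0 200 OK\r\n"
     "From: <sip:1001@pbx.example.net>;tag=a1\r\n"
     "To: <sip:2002@pbx.example.net>;tag=b7\r\n"
     "Call-ID: c1@10.1.20.11\r\n"),
    ("2024-05-01T09:21:34",
     "BYE sip:1001@10.1.20.11 SIP/2.0\r\n"
     "From: <sip:2002@pbx.example.net>;tag=b7\r\n"   # callee hangs up first
     "To: <sip:1001@pbx.example.net>;tag=a1\r\n"
     "Call-ID: c1@10.1.20.11\r\n"),
    ("2024-05-01T09:30:00",
     "INVITE sip:2003@pbx.example.net SIP/2.0\r\n"
     "From: <sip:1001@pbx.example.net>;tag=c9\r\n"
     "To: <sip:2003@pbx.example.net>\r\n"
     "Call-ID: c2@10.1.20.11\r\n"),
    ("2024-05-01T09:30:02",
     "SIP/2.0 486 Busy Here\r\n"
     "From: <sip:1001@pbx.example.net>;tag=c9\r\n"
     "To: <sip:2003@pbx.example.net>;tag=d4\r\n"
     "Call-ID: c2@10.1.20.11\r\n"),
]

USER_RE = re.compile(r"sip:([^@>;]+)@")


def parse_message(raw):
    """Split a SIP message into its start line and a lowercase header dict."""
    lines = raw.split("\r\n")
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def reconstruct_calls(capture):
    """Build per-Call-ID records: who called whom, when, for how long, outcome.

    The caller/callee are fixed by the INVITE; a BYE may come from either
    side (its From header is the party hanging up), so it is matched on
    Call-ID rather than on From/To.
    """
    calls = {}
    for ts_text, raw in capture:
        ts = datetime.fromisoformat(ts_text)
        start, hdr = parse_message(raw)
        cid = hdr["call-id"]
        if start.startswith("INVITE "):
            calls[cid] = {
                "caller": USER_RE.search(hdr["from"]).group(1),
                "callee": USER_RE.search(hdr["to"]).group(1),
                "setup": ts, "answered": None, "ended": None,
                "duration_s": None, "outcome": "setup",
            }
            continue
        rec = calls.get(cid)
        if rec is None:
            continue  # message for a call whose INVITE was not captured
        if start.startswith("SIP/2.0 200"):
            rec["answered"] = ts
            rec["outcome"] = "answered"
        elif start.startswith("SIP/2.0 ") and start[8] in "456":
            rec["outcome"] = "failed (" + start[len("SIP/2.0 "):] + ")"
        elif start.startswith("BYE "):
            rec["ended"] = ts
            if rec["answered"] is not None:
                rec["duration_s"] = int((ts - rec["answered"]).total_seconds())
                rec["outcome"] = "completed"
    return calls


if __name__ == "__main__":
    for cid, rec in reconstruct_calls(CAPTURE).items():
        print(cid, rec["caller"], "->", rec["callee"], rec["outcome"], rec["duration_s"])
```

The defence the page recommends is encrypting the signaling as well as the media; this is what the attacker still learns when only the media is protected.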
These complications range from interruption or prevention of call setup by firewalls to encryption-induced latency and delay variation (jitter). But not implementing security measures can degrade VoIP quality too, by leaving the system vulnerable to attack or failure.

They wanted to make sure that no one could get in and compromise the operation of the voice network, access proprietary system information, or commit toll fraud.
The security assessment was very methodical. Avaya looked at every possible point of entry into the voice network and assessed whether appropriate controls were in place. They truly left no stone unturned. The System Security Report was extremely thorough and highly specific. Avaya definitely had the right skills and experience for the job.

Avaya product solutions cover the full range of voice, data, and converged network offerings, from one-person branch offices to enterprises with tens of thousands of stations.
To complement this array of products, Avaya offers professional services, maintenance, and managed services for any size of business or project. Security is at the forefront of Avaya solutions. Not merely providing functionality, every product delivers its services securely, and every service engagement considers security non-negotiable.
You demand it, and Avaya delivers it. The methods that Avaya uses to secure its products are described in the sections that follow.

Linux has an advantage over other operating systems because its source code can be, and is, reviewed by thousands of security experts and researchers throughout the world.
Avaya made the move to Linux because of a security paradox: to make an operating system secure, you must reveal its innermost secrets. When the operating system software is publicly available and used in varying environments and for a wide range of applications, there are many more eyes, both friend and foe, looking for security holes. The expertise of the entire technical community is brought to bear on the problem. The assurance that flaws can and will be fixed quickly outweighs the weakness created by exposing them.
Media and signaling encryption
The modern communications system employs many physical and logical links to exchange data between system components as well as from user to user.

Attacks are recognized at the lower levels of the software and their effect is blunted. The Linux kernel is compiled with a set of options that precisely tailor its operation to maximize security consistent with the required operation of the system. These include a number of built-in firewall and filtering options. All file and directory permissions are set to minimize access as much as possible, consistent with proper system operation.
Multiple partitions exist on an Avaya Media Server disk drive.
Each partition is restricted according to the type of data that it may contain. Some partitions contain only software executables and are mounted to allow program execution; others contain only data, and execution of software from those partitions is disabled. Avaya Media Servers use a hardened Linux operating system customized for real-time applications and based on the Red Hat Linux distribution.
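The partition restriction described above is something an administrator can verify rather than take on trust. The following is an added example, not from the original page and not Avaya's tooling: it parses a constructed fstab and reports data partitions that are not mounted with the options that prevent execution. The set of mount points treated as "data only", the required options, and the fstab lines are all assumptions for the illustration; the page does not state Avaya's actual partition layout.

```python
"""Audit mount options for data partitions that must not allow execution.

Added illustration, not code from the page or from Avaya. The fstab
content and the list of "data" mount points are constructed and assumed;
the page does not specify Avaya's actual partition layout.
"""

# Assumed policy: these mount points hold data, never executables, so they
# should be mounted noexec,nosuid,nodev. Executable partitions (/ and /usr)
# are deliberately excluded from the policy.
DATA_MOUNTS = {"/tmp", "/var", "/home", "/var/log"}
REQUIRED = {"noexec", "nosuid", "nodev"}

# Constructed sample fstab with a mix of compliant and non-compliant lines.
FSTAB = """\
# <device>  <mountpoint>  <type>  <options>                     <dump> <pass>
/dev/sda1   /             ext4    defaults                      1 1
/dev/sda2   /usr          ext4    defaults,ro                   1 2
/dev/sda3   /var          ext4    defaults,nosuid,nodev         1 2
/dev/sda4   /tmp          ext4    defaults,noexec,nosuid,nodev  1 2
/dev/sda5   /home         ext4    defaults                      1 2
tmpfs       /dev/shm      tmpfs   defaults                      0 0
"""


def parse_fstab(text):
    """Return (device, mountpoint, fstype, option set) for each real entry."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 4:
            continue
        device, mountpoint, fstype, options = fields[:4]
        entries.append((device, mountpoint, fstype, set(options.split(","))))
    return entries


def audit(text, data_mounts=DATA_MOUNTS, required=REQUIRED):
    """Check data partitions against the required mount options.

    Returns (findings, not_separate): findings maps each non-compliant data
    mount point to the sorted list of options it lacks; not_separate lists
    policy mount points that have no partition of their own, so they inherit
    the (executable) options of their parent filesystem.
    """
    findings, seen = {}, set()
    for _, mountpoint, _, options in parse_fstab(text):
        if mountpoint not in data_mounts:
            continue
        seen.add(mountpoint)
        missing = sorted(required - options)
        if missing:
            findings[mountpoint] = missing
    return findings, sorted(data_mounts - seen)


if __name__ == "__main__":
    findings, not_separate = audit(FSTAB)
    for mp, missing in findings.items():
        print(f"{mp}: missing {','.join(missing)}")
    for mp in not_separate:
        print(f"{mp}: not a separate partition")
```

On a live system the same check is run against /proc/mounts rather than fstab, since what matters is the options actually in effect; the parser above accepts that format too because the first four fields are the same.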
The entire Red Hat Linux distribution is not loaded.
The operating system is specifically configured for these servers. This means that only those components that are needed are loaded, and modules that are not used are not loaded. All IP ports that are not used are closed. By closing unused ports, worms that attempt to exploit weaknesses in the services behind those ports are blocked. Each of these mechanisms can support login authentication, but they suffer a common weakness.
During the login sequence, the password being supplied by the user is sent in clear text. In addition, these mechanisms transmit all the session information in clear text.
Some of this information might contain data such as account codes, authorization codes, or other data useful to an attacker. In addition, the Avaya Media Servers support one-time passwords for logins through these mechanisms, even though the exchange is already encrypted. Each time a file is to be transferred to the server, an administrator must log in and enable the FTP server. Using anonymous FTP like this avoids the problem of sending passwords in clear text. However, SCP is the preferred method of transferring files.

One-time passwords
Avaya Media Server software provides an option to use one-time passwords for all logins.
A regular password account uses a fixed user name (ID) and a password that can be used multiple times to log into the system. A person who can monitor (sniff) the login messages on the network can capture this password and use it to gain access. A one-time password uses a fixed user name but not a fixed password. Instead, every time a user attempts to log in, the user must supply a password that is unique to that session and that will be rejected if used again. Even if the password is captured, it cannot be reused, immediately or later, even by the same person from the same terminal.
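The replay property just described, shown in working code. This is an added example and not Avaya's implementation (the page does not say which one-time password scheme the Media Servers use); it uses a hash chain in the style of Lamport's scheme, and the seed and chain length are constructed for the illustration. The server stores only the last accepted value, so a sniffed password is useless a second time and the seed never leaves the client.

```python
"""One-time passwords from a hash chain (Lamport / S/Key style).

Added illustration of the property described above, not Avaya's
implementation, whose scheme the page does not specify. The seed and
chain length are constructed for the example.
"""
import hashlib
import hmac


def _h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def chain(seed: bytes, k: int) -> bytes:
    """Apply the hash k times: H^k(seed)."""
    value = seed
    for _ in range(k):
        value = _h(value)
    return value


class OtpClient:
    """User side: holds the secret seed and hands out H^(n-1), H^(n-2), ... in turn."""

    def __init__(self, seed: bytes, n: int):
        self.seed, self.n, self.next_index = seed, n, n

    def commitment(self) -> bytes:
        """H^n(seed): registered with the server at enrollment; not a password itself."""
        return chain(self.seed, self.n)

    def next_password(self) -> bytes:
        if self.next_index == 0:
            raise RuntimeError("chain exhausted; re-enroll with a fresh seed")
        self.next_index -= 1
        return chain(self.seed, self.next_index)


class OtpServer:
    """Verifier side: stores only the last accepted value, never the seed."""

    def __init__(self, commitment: bytes, n: int):
        self.last, self.remaining = commitment, n

    def login(self, candidate: bytes) -> bool:
        # A valid password p satisfies H(p) == stored value. On success the
        # stored value moves down the chain to p, so replaying the same p
        # later fails because H(p) != p.
        if self.remaining == 0:
            return False
        if hmac.compare_digest(_h(candidate), self.last):
            self.last, self.remaining = candidate, self.remaining - 1
            return True
        return False


def demo(seed: bytes = b"constructed-seed-not-for-real-use", n: int = 5):
    """Run a genuine login, a replay of the sniffed password, and the next login."""
    client = OtpClient(seed, n)
    server = OtpServer(client.commitment(), n)
    p1 = client.next_password()
    first = server.login(p1)              # genuine login succeeds
    replay = server.login(p1)             # attacker replays sniffed p1: rejected
    second = server.login(client.next_password())
    return first, replay, second


if __name__ == "__main__":
    print(demo())  # (True, False, True)
```

The chain is finite, which is why the client refuses to continue once it is exhausted; in a real deployment the user re-enrolls with a new seed before that point, and the server keeps a counter so that an attacker cannot exhaust the chain on the user's behalf.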
One-time passwords can be enabled for each login on an Avaya Media Server.

Shell access
Access to a shell from which arbitrary commands may be executed is not granted by default to a login on an Avaya Media Server. When a login is created, the system administrator can specify whether the account is permitted to have shell access.