Security
190 Avaya Application Solutions IP Telephony Deployment Guide
Avaya capitalizes on Linux’ security advantage
The Avaya S8700 and S8300 Media Servers run under the Linux operating system, which has two
important security features:
● Built-in protection against certain types of Denial of Service (DOS) attack, such as SYN
floods, ping floods, malformed packets, oversized packets, sequence number spoofing,
ping/finger of death, etc. Attacks are recognized at the lower levels of the software and
their effect is blunted. (It is not possible for a target system to always provide service
during a DOS attack. Rather, the protection is to automatically resume service as soon as
the attack is removed.)
● The Linux kernel is compiled with a set of options to precisely tailor its operation to
maximize security consistent with required operation of the system. These include a
number of built-in firewall and filtering options. All file and directory permissions are set to
minimize access as much as possible consistent with proper system operation. The disk
drives of the S8700 and the S8300 servers contain multiple partitions, each of which is
restricted according to the type of data that it contains. All unneeded services are disabled
either permanently or through administration for those services. Disabled services and
capabilities include NFS, SMB, X-windows, rcp, rlogin, and rexec. The system
administrator has additional control of which services are visible from the multiple Ethernet
interfaces that are connected to the enterprise LAN. Other Ethernet interfaces are
permanently configured to restrict services.
One-time passwords
Standard login accounts use static passwords that can be used multiple times to log in to a
system. Anyone who can monitor the login messages can also capture passwords, and use the
passwords to gain access. You can administer the S8700 and the S8300 servers for one-time
passwords that have a fixed user name but not a fixed password. In this case, users must
supply a unique, one-time password for each session, and even if the password is
compromised, it cannot be reused. When a system is covered by an Avaya service contract, all
logins that are accessed by Avaya Services technicians are protected by one-time passwords.
Shell access
Access to a “shell” from which arbitrary commands can be executed is not granted by default to
a login on an S8700 or an S8300 server. When a login is created, the system administrator can
specify whether or not the account is permitted to have shell access. Accounts that are denied
shell access can either log in to an Avaya Communication Manager administration screen or a
Web page upon successful login. In both cases, the operations that these logins can perform
are restricted. Generally, only people who perform hardware maintenance or software
maintenance on the server need shell access permissions administered in their login accounts.
Avaya Application Solutions IP Telephony Deployment Guide 555 245 600 Issue 3 4 1 June 2005