January 7, 2020
Avaya Aura Session Manager Security Design
Notices
© 2020
You may, at your own risk, assemble a MyDocs collection solely for your own internal business purposes,
which constitutes a modification to the original published version of the publications. Avaya shall not be
responsible for any modifications, additions, or deletions to the original published version of publications. You
agree to defend, indemnify and hold harmless Avaya, Avaya's agents, servants and employees against all
claims, lawsuits, demands and judgments arising out of, or in connection with, your modifications, additions or
deletions to the publications.
A single topic or a collection of topics may come from multiple Avaya publications. All of the content in your
collection is subject to the legal notices and disclaimers in the publications from which you assembled the
collection. For information on licenses and license types, trademarks, and regulatory statements, see the
original publications from which you copied the topics in your collection.
Except where expressly stated by Avaya otherwise, no use should be made of materials provided by Avaya on
this site. All content on this site and the publications provided by Avaya including the selection, arrangement
and design of the content is owned by Avaya and/or its licensors and is protected by copyright and other
intellectual property laws including the sui generis rights relating to the protection of databases. Avaya owns all
right, title and interest to any modifications, additions or deletions to the content in the Avaya publications.
Contents
Legal
Introduction
  Purpose
  Disclaimer
  Information classifications and non-disclosure agreement requirements
  Product Description
Platform security
  Network Layer Security
  SIP Security
  Session Manager Port Matrix
  Platform accounts
  Directory Security
  System Integrity and Monitoring
Application account and session management
Audit Trails and Security Logs
  Auditable events
Use of Cryptography
  Trust, Certificate, and Key Management / PKI
  Removal of Default Certificates in Session Manager
  Viewing Session Manager Identity Certificates
  Updating Session Manager Trusted Certificates
  Issuing a unique identity or server certificate to Session Manager
  Defining server trust relationships with Digital Certificates
  Certificate Revocation Lists
    CRL revocation checking options
  NIST Compliance
  Transport Layer Security
  Viewing the TLS version
  IP/Transport layer validation
  TLS Layer validation
  Ability to disable TLS versions
Legal
Notice
While reasonable efforts have been made to ensure that the information in this document is complete and
accurate at the time of printing, Avaya assumes no liability for any errors. Avaya reserves the right to
make changes and corrections to the information in this document without the obligation to notify any
person or organization of such changes.
Documentation disclaimer
“Documentation” means information published in varying mediums which may include product
information, operating instructions and performance specifications that are generally made available to
users of products. Documentation does not include marketing materials. Avaya shall not be responsible
for any modifications, additions, or deletions to the original published version of Documentation unless
such modifications, additions, or deletions were performed by or on the express behalf of Avaya. End
User agrees to indemnify and hold harmless Avaya, Avaya's agents, servants and employees against all
claims, lawsuits, demands and judgments arising out of, or in connection with, subsequent modifications,
additions or deletions to this documentation, to the extent made by End User.
Link disclaimer
Avaya is not responsible for the contents or reliability of any linked websites referenced within this site or
Documentation provided by Avaya. Avaya is not responsible for the accuracy of any information,
statement or content provided on these sites and does not necessarily endorse the products, services, or
information described or offered within them. Avaya does not guarantee that these links will work all the
time and has no control over the availability of the linked pages.
Warranty
Avaya provides a limited warranty on Avaya hardware and software. Refer to your sales agreement to
establish the terms of the limited warranty. In addition, Avaya’s standard warranty language, as well as
information regarding support for this product while under warranty is available to Avaya customers and
other parties through the Avaya Support website: https://support.avaya.com/helpcenter/getGenericDetails?detailId=C20091120112456651010
under the link “Warranty & Product Lifecycle” or
such successor site as designated by Avaya. Please note that if You acquired the product(s) from an
authorized Avaya Channel Partner outside of the United States and Canada, the warranty is provided to
You by said Avaya Channel Partner and not by Avaya.
“Hosted Service” means an Avaya hosted service subscription that You acquire from either Avaya or an
authorized Avaya Channel Partner (as applicable) and which is described further in Hosted SAS or other
service description documentation regarding the applicable hosted service. If You purchase a Hosted
Service subscription, the foregoing limited warranty may not apply but You may be entitled to support
services in connection with the Hosted Service as described further in your service description documents
for the applicable Hosted Service. Contact Avaya or Avaya Channel Partner (as applicable) for more
information.
Hosted Service
THE FOLLOWING APPLIES ONLY IF YOU PURCHASE AN AVAYA HOSTED SERVICE
SUBSCRIPTION FROM AVAYA OR AN AVAYA CHANNEL PARTNER (AS APPLICABLE), THE TERMS
OF USE FOR HOSTED SERVICES ARE AVAILABLE ON THE AVAYA WEBSITE, HTTPS://SUPPORT.AVAYA.COM/LICENSEINFO
UNDER THE LINK “Avaya Terms of Use for Hosted Services” OR
SUCH SUCCESSOR SITE AS DESIGNATED BY AVAYA, AND ARE APPLICABLE TO ANYONE WHO
ACCESSES OR USES THE HOSTED SERVICE. BY ACCESSING OR USING THE HOSTED SERVICE,
OR AUTHORIZING OTHERS TO DO SO, YOU, ON BEHALF OF YOURSELF AND THE ENTITY FOR
WHOM YOU ARE DOING SO (HEREINAFTER REFERRED TO INTERCHANGEABLY AS “YOU” AND
“END USER”), AGREE TO THE TERMS OF USE. IF YOU ARE ACCEPTING THE TERMS OF USE ON
BEHALF A COMPANY OR OTHER LEGAL ENTITY, YOU REPRESENT THAT YOU HAVE THE
AUTHORITY TO BIND SUCH ENTITY TO THESE TERMS OF USE. IF YOU DO NOT HAVE SUCH
AUTHORITY, OR IF YOU DO NOT WISH TO ACCEPT THESE TERMS OF USE, YOU MUST NOT
ACCESS OR USE THE HOSTED SERVICE OR AUTHORIZE ANYONE TO ACCESS OR USE THE
HOSTED SERVICE.
Licenses
THE SOFTWARE LICENSE TERMS AVAILABLE ON THE AVAYA WEBSITE, HTTPS://SUPPORT.AVAYA.COM/LICENSEINFO,
UNDER THE LINK “AVAYA SOFTWARE LICENSE TERMS
(Avaya Products)” OR SUCH SUCCESSOR SITE AS DESIGNATED BY AVAYA, ARE APPLICABLE TO
ANYONE WHO DOWNLOADS, USES AND/OR INSTALLS AVAYA SOFTWARE, PURCHASED FROM
AVAYA INC., ANY AVAYA AFFILIATE, OR AN AVAYA CHANNEL PARTNER (AS APPLICABLE) UNDER
A COMMERCIAL AGREEMENT WITH AVAYA OR AN AVAYA CHANNEL PARTNER. UNLESS
OTHERWISE AGREED TO BY AVAYA IN WRITING, AVAYA DOES NOT EXTEND THIS LICENSE IF
THE SOFTWARE WAS OBTAINED FROM ANYONE OTHER THAN AVAYA, AN AVAYA AFFILIATE OR
AN AVAYA CHANNEL PARTNER; AVAYA RESERVES THE RIGHT TO TAKE LEGAL ACTION AGAINST
YOU AND ANYONE ELSE USING OR SELLING THE SOFTWARE WITHOUT A LICENSE. BY
INSTALLING, DOWNLOADING OR USING THE SOFTWARE, OR AUTHORIZING OTHERS TO DO SO,
YOU, ON BEHALF OF YOURSELF AND THE ENTITY FOR WHOM YOU ARE INSTALLING,
DOWNLOADING OR USING THE SOFTWARE (HEREINAFTER REFERRED TO INTERCHANGEABLY
AS “YOU” AND “END USER”), AGREE TO THESE TERMS AND CONDITIONS AND CREATE A
BINDING CONTRACT BETWEEN YOU AND AVAYA INC. OR THE APPLICABLE AVAYA AFFILIATE
(“AVAYA”).
Avaya grants You a license within the scope of the license types described below, with the exception of
Heritage Nortel Software, for which the scope of the license is detailed below. Where the order
documentation does not expressly identify a license type, the applicable license will be a Designated
System License. The applicable number of licenses and units of capacity for which the license is granted
will be one (1), unless a different number of licenses or units of capacity is specified in the documentation
or other materials available to You. “Software” means computer programs in object code, provided by
Avaya or an Avaya Channel Partner, whether as stand-alone products, pre-installed on hardware
products, and any upgrades, updates, patches, bug fixes, or modified versions thereto. “Designated
Processor” means a single stand-alone computing device. “Server” means a Designated Processor that
hosts a software application to be accessed by multiple users. “Instance” means a single copy of the
Software executing at a particular time: (i) on one physical machine; or (ii) on one deployed software
virtual machine (“VM”) or similar deployment.
License types
Designated System(s) License (DS). End User may install and use each copy or an Instance of the
Software only on a number of Designated Processors up to the number indicated in the order. Avaya may
require the Designated Processor(s) to be identified in the order by type, serial number, feature key,
Instance, location or other specific designation, or to be provided by End User to Avaya through electronic
means established by Avaya specifically for this purpose.
Named User License (NU). You may: (i) install and use each copy or Instance of the Software on a single
Designated Processor or Server per authorized Named User (defined below); or (ii) install and use each
copy or Instance of the Software on a Server so long as only authorized Named Users access and use
the Software. “Named User”, means a user or device that has been expressly authorized by Avaya to
access and use the Software. At Avaya’s sole discretion, a “Named User” may be, without limitation,
designated by name, corporate function (e.g., webmaster or helpdesk), an e-mail or voice mail account in
the name of a person or corporate function, or a directory entry in the administrative database utilized by
the Software that permits one user to interface with the Software.
Shrinkwrap License (SR). You may install and use the Software in accordance with the terms and
conditions of the applicable license agreements, such as “shrinkwrap” or “clickthrough” license
accompanying or applicable to the Software (“Shrinkwrap License”).
Copyright
Except where expressly stated otherwise, no use should be made of materials on this site, the
Documentation, Software, Hosted Service, or hardware provided by Avaya. All content on this site, the
documentation, Hosted Service, and the product provided by Avaya including the selection, arrangement
and design of the content is owned either by Avaya or its licensors and is protected by copyright and other
intellectual property laws including the sui generis rights relating to the protection of databases. You may
not modify, copy, reproduce, republish, upload, post, transmit or distribute in any way any content, in
whole or in part, including any code and software unless expressly authorized by Avaya. Unauthorized
reproduction, transmission, dissemination, storage, and or use without the express written consent of
Avaya can be a criminal, as well as a civil offense under the applicable law.
Virtualization
The following applies if the product is deployed on a virtual machine. Each product has its own ordering
code and license types. Note that each Instance of a product must be separately licensed and ordered.
For example, if the end user customer or Avaya Channel Partner would like to install two Instances of the
same type of products, then two products of that type must be ordered.
The following applies only if the H.264 (AVC) codec is distributed with the product. THIS PRODUCT IS
LICENSED UNDER THE AVC PATENT PORTFOLIO LICENSE FOR THE PERSONAL USE OF A
CONSUMER OR OTHER USES IN WHICH IT DOES NOT RECEIVE REMUNERATION TO (i) ENCODE
VIDEO IN COMPLIANCE WITH THE AVC STANDARD (“AVC VIDEO”) AND/OR (ii) DECODE AVC
VIDEO THAT WAS ENCODED BY A CONSUMER ENGAGED IN A PERSONAL ACTIVITY AND/OR
WAS OBTAINED FROM A VIDEO PROVIDER LICENSED TO PROVIDE AVC VIDEO. NO LICENSE IS
GRANTED OR SHALL BE IMPLIED FOR ANY OTHER USE. ADDITIONAL INFORMATION MAY BE
OBTAINED FROM MPEG LA, L.L.C. SEE HTTP://WWW.MPEGLA.COM.
Service Provider
THE FOLLOWING APPLIES TO AVAYA CHANNEL PARTNER’S HOSTING OF AVAYA PRODUCTS OR
SERVICES. THE PRODUCT OR HOSTED SERVICE MAY USE THIRD PARTY COMPONENTS
SUBJECT TO THIRD PARTY TERMS AND REQUIRE A SERVICE PROVIDER TO BE
INDEPENDENTLY LICENSED DIRECTLY FROM THE THIRD PARTY SUPPLIER. AN AVAYA CHANNEL
PARTNER’S HOSTING OF AVAYA PRODUCTS MUST BE AUTHORIZED IN WRITING BY AVAYA AND
IF THOSE HOSTED PRODUCTS USE OR EMBED CERTAIN THIRD PARTY SOFTWARE, INCLUDING
BUT NOT LIMITED TO MICROSOFT SOFTWARE OR CODECS, THE AVAYA CHANNEL PARTNER IS
REQUIRED TO INDEPENDENTLY OBTAIN ANY APPLICABLE LICENSE AGREEMENTS, AT THE
AVAYA CHANNEL PARTNER’S EXPENSE, DIRECTLY FROM THE APPLICABLE THIRD PARTY
SUPPLIER.
WITH RESPECT TO CODECS, IF THE AVAYA CHANNEL PARTNER IS HOSTING ANY PRODUCTS
THAT USE OR EMBED THE G.729 CODEC, H.264 CODEC, OR H.265 CODEC, THE AVAYA CHANNEL
PARTNER ACKNOWLEDGES AND AGREES THE AVAYA CHANNEL PARTNER IS RESPONSIBLE
FOR ANY AND ALL RELATED FEES AND/OR ROYALTIES. THE G.729 CODEC IS LICENSED BY
SIPRO LAB TELECOM INC. SEE WWW.SIPRO.COM/CONTACT.HTML. THE H.264 (AVC) CODEC IS
LICENSED UNDER THE AVC PATENT PORTFOLIO LICENSE FOR THE PERSONAL USE OF A
CONSUMER OR OTHER USES IN WHICH IT DOES NOT RECEIVE REMUNERATION TO: (I) ENCODE
VIDEO IN COMPLIANCE WITH THE AVC STANDARD (“AVC VIDEO”) AND/OR (II) DECODE AVC
VIDEO THAT WAS ENCODED BY A CONSUMER ENGAGED IN A PERSONAL ACTIVITY AND/OR
WAS OBTAINED FROM A VIDEO PROVIDER LICENSED TO PROVIDE AVC VIDEO. NO LICENSE IS
GRANTED OR SHALL BE IMPLIED FOR ANY OTHER USE. ADDITIONAL INFORMATION FOR H.264
(AVC) AND H.265 (HEVC) CODECS MAY BE OBTAINED FROM MPEG LA, L.L.C. SEE HTTP://WWW.MPEGLA.COM.
Security Vulnerabilities
Information about Avaya’s security support policies can be found in the Security Policies and Support
section of https://support.avaya.com/security.
Suspected Avaya product security vulnerabilities are handled per the Avaya Product Security Support
Flow (https://support.avaya.com/css/P8/documents/100161515).
Downloading Documentation
For the most current versions of Documentation, see the Avaya Support website: https://support.avaya.com,
or such successor site as designated by Avaya.
Trademarks
The trademarks, logos and service marks (“Marks”) displayed in this site, the Documentation, Hosted
Service(s), and product(s) provided by Avaya are the registered or unregistered Marks of Avaya, its
affiliates, its licensors, its suppliers, or other third parties. Users are not permitted to use such Marks
without prior written consent from Avaya or such third party which may own the Mark. Nothing contained
in this site, the Documentation, Hosted Service(s) and product(s) should be construed as granting, by
implication, estoppel, or otherwise, any license or right in and to the Marks without the express written
permission of Avaya or the applicable third party.
Avaya is a registered trademark of Avaya Inc.
All non-Avaya trademarks are the property of their respective owners. Linux® is the registered trademark
of Linus Torvalds in the U.S. and other countries.
Introduction
Purpose
This document provides an overview of the security considerations, features, and solutions for Avaya
Aura® Session Manager.
This Security Guide addresses security issues from two perspectives:
This document:
For more security-related information, see Administering Avaya Aura® Session Manager or the context-
sensitive help in the OAM interface.
This document provides Avaya partners, customers, Sales Personnel, and System Engineers with the
information required to answer questions regarding data network and system security.
Disclaimer
Avaya uses reasonable commercial efforts to ensure the information provided here is accurate as of this
date. Avaya may change any underlying processes, architecture, product, description or any other
information described or contained in this document. Avaya disclaims any intention or obligation to update
or revise the document, whether as a result of new information, future events, or otherwise. The
document is provided “as is”, and Avaya does not provide any warranty of any kind, express or implied.
Information classifications and non-disclosure agreement requirements
Classification: Description
Avaya Restricted: This classification is for sensitive business information, intended strictly for use
within Avaya. Unauthorized disclosure can have a severe adverse impact on Avaya or its customers,
Business Partners, and/or suppliers.
Avaya Confidential: This classification applies to less sensitive business information intended for use
within Avaya. Unauthorized disclosure can have a significant adverse impact on Avaya or its customers,
Business Partners, and/or suppliers. Information that can be considered private is in this classification.
Avaya Proprietary: This classification applies to all other information that does not clearly fit into the
two classifications above and is considered sensitive only outside of Avaya. While disclosure might not
have a serious adverse impact on Avaya or its customers, Business Partners, and/or suppliers, the
information belongs to Avaya and unauthorized disclosure is against policy.
The information contained in this document is public and includes references to other information sources.
Some of these sources disclose both confidential and proprietary information and require a non-disclosure
agreement (NDA) with Avaya.
Product Description
As the SIP routing element for all SIP communications, Session Manager must be resilient to attacks that
can cause service disruption, malfunction, or theft of service. Avaya products inherit a number of
mechanisms from legacy communications systems to protect against toll fraud or the unauthorized use of
communications resources. Unified Communications capabilities that merge telephony services with the
data services on the enterprise data network must provide adequate protection, not only against the
threats inherited from legacy communications systems, but also against threats originating on the data
network.
Telephony services are protected from security threats such as:
In Session Manager, there are three new network conditions based on whether:
• Port 7001 for Cassandra clustering. This port is the communication channel between Cassandra nodes.
• Port 8085 for AADS, the JMX port to Cassandra.
• Port 9042 for AADS, the port to which Cassandra DB queries are sent.
Platform security
Avaya uses the open-source Red Hat Enterprise Linux operating system as a secure foundation for
communications. This hardened operating system provides only those functions that are necessary for
securing critical call processing applications. The operating system also protects the customers from toll
fraud and other malicious attacks.
The Linux operating system limits the number of access ports, services, and applications, and protects
the system from typical modes of attack.
Figure 1. Secure by Default
Avaya has modified or hardened the Linux operating system in several ways to minimize vulnerabilities
and to improve security.
VLAN segregation
Session Manager supports Virtual LAN (VLAN) segregation of SIP and Management networks. Session
Manager has a separate management access interface for all management communication between
Session Manager and Avaya Aura® System Manager.
Avaya recommends the following:
1. Place the Session Manager SIP interface and Session Manager Management interface in different
VLAN segments.
2. Place the Session Manager Management interface in a management VLAN that is not accessible
from the SIP Network.
3. System Manager must be accessible through the management VLAN to manage Session Manager.
Network/Transport firewall
Session Manager uses the iptables network firewall to protect Session Manager against network-based
Denial of Service (DoS) attacks and to open only the TCP and UDP ports that Session Manager uses.
All TCP and UDP ports that are not used by services running inside Session Manager are closed by default.
The iptables firewall runs on the Session Manager Management Server and filters management traffic.
Figure 1. Session Manager Network Firewall/DoS Protection
The Network Firewall default rules are configured automatically during installation. As defined in the
Session Manager ports and protocols document, the default rules ensure that all ports used by the
Session Manager Management Interface are opened and all unused TCP or UDP ports are closed. SIP
Listen ports are opened or closed dynamically as per the customer Network Routing Policy (NRP) defined
in the SIP Entity configuration in System Manager. HTTP port 80 is dynamically opened or closed based
on the Session Manager Administration Global Settings. The Network Firewall also provides Network
Layer DoS Protection. The following is a list of the default protections provided by the Network Firewall:
For information on the ports and protocol that Session Manager uses, see Software and firmware
updates.
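The default-deny posture described above is worth verifying on the installed system rather than taking on trust, because SIP listen ports and HTTP port 80 are opened dynamically and a stray rule is easy to miss. The following script is an added example, not Avaya tooling: it parses iptables-save output, confirms that the INPUT chain defaults to DROP, and compares every accepted destination port with an allow-list. The ruleset embedded in it is a constructed sample; the allow-list (22, 443, 80, 5060/5061) is an assumption standing in for the Port Matrix, and the sample deliberately opens 8085, the Cassandra JMX port listed earlier, so that the check has something to flag.

```python
"""Check an iptables ruleset against an expected port allow-list.

Added example, not Avaya tooling. The ruleset below is a constructed sample in
iptables-save format; on a real host pipe the live rules in instead:
    sudo iptables-save | python3 fw_check.py
and replace EXPECTED with the ports from the Port Matrix for your release.
"""
import re
import sys

# Constructed sample. Port 80 is the HTTP port the Global Settings open
# dynamically; 22 and 443 stand in for management ports; 8085 (the Cassandra
# JMX port listed earlier) is opened on purpose so the check has a finding.
SAMPLE_RULESET = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 5060,5061 -j ACCEPT
-A INPUT -p udp -m udp --dport 5060 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8085 -j ACCEPT
-A INPUT -p tcp --syn -m limit --limit 25/s --limit-burst 50 -j ACCEPT
COMMIT
"""

# Assumed allow-list for the example: management ports plus the SIP listen
# ports the NRP would open. Take the real list from the Port Matrix.
EXPECTED = {("tcp", 22), ("tcp", 443), ("tcp", 80),
            ("tcp", 5060), ("tcp", 5061), ("udp", 5060)}

POLICY_RE = re.compile(r"^:(\w+)\s+(ACCEPT|DROP|REJECT)")
RULE_RE = re.compile(r"^-A INPUT\s+(.*)\s-j\s+(\w+)")
PORT_RE = re.compile(r"--dports?\s+([\d,:]+)")
PROTO_RE = re.compile(r"-p\s+(tcp|udp)")


def parse_ruleset(text):
    """Return (chain policies, set of (proto, port) accepted on INPUT)."""
    policies, open_ports = {}, set()
    for line in text.splitlines():
        m = POLICY_RE.match(line)
        if m:
            policies[m.group(1)] = m.group(2)
            continue
        m = RULE_RE.match(line)
        if not m or m.group(2) != "ACCEPT":
            continue
        proto = PROTO_RE.search(m.group(1))
        ports = PORT_RE.search(m.group(1))
        if not (proto and ports):
            continue  # loopback, conntrack and rate-limit rules carry no port
        for p in ports.group(1).split(","):
            if ":" in p:  # a port range lo:hi
                lo, hi = (int(x) for x in p.split(":"))
                open_ports.update((proto.group(1), n) for n in range(lo, hi + 1))
            else:
                open_ports.add((proto.group(1), int(p)))
    return policies, open_ports


def audit(text, expected=EXPECTED):
    """Compare the live ruleset with the allow-list and the default-deny claim."""
    policies, open_ports = parse_ruleset(text)
    return {
        "input_default_drop": policies.get("INPUT") == "DROP",
        "unexpected_open": sorted(open_ports - expected),
        "expected_but_closed": sorted(expected - open_ports),
    }


if __name__ == "__main__":
    text = SAMPLE_RULESET if sys.stdin.isatty() else sys.stdin.read()
    for key, value in audit(text).items():
        print(f"{key}: {value}")
```

On a real host the script reads the piped iptables-save output and EXPECTED should hold the ports from the Port Matrix for your release. Anything reported in unexpected_open needs an explanation, and an INPUT policy other than DROP means the closed-by-default statement above no longer holds for that server.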
SIP Security
SIP firewall
Session Manager uses a SIP application-layer firewall to provide protection against SIP DoS attacks. All
SIP traffic received over TLS is decrypted before the SIP firewall policy is applied, so an encrypted
transport does not let a flood bypass the rules below.
Rules (Enabled)
The following are the rules enabled in the default rule set:
1. Log high new calls rate: Logs "High new-calls rate" messages when the call rate exceeds the
threshold and SIP messages are being dropped.
2. Log high traffic from UA Connection: Logs "High traffic level from same UA Connection" messages
when the call rate exceeds the threshold and the associated SIP messages are being dropped.
3. Log high rate of INVITE Flood from UA Connection: Logs "INVITE flood from same UA Connection"
messages when the INVITE count threshold is exceeded; no incoming messages are dropped.
4. Log slow INVITE Flood from UA Connection: Logs "slow INVITE flood from same UA Connection"
messages when the INVITE message count threshold is exceeded and incoming INVITE messages are
being dropped.
5. Log REGISTER Flood from UA Connection: Logs "REGISTER flood from same UA Connection"
messages when the REGISTER message count threshold is exceeded and incoming REGISTER
messages are being dropped.
6. Log OPTION Flood from UA Connection: Logs "OPTION flood from same UA Connection" messages
when the OPTION message count threshold is exceeded and incoming OPTION messages are being
dropped.
7. Log high traffic from SIP Entity: Logs "High traffic level from same remote ip" messages when the
call rate exceeds the threshold and the associated SIP messages are being dropped.
8. Log on INVITE flood from SIP Entity: Logs "INVITE flood from same remote ip" messages when the
INVITE message count threshold is exceeded. By default, no alarm is generated and no incoming
messages are dropped.
9. Log on high traffic from a user within SIP Entity Connection: Logs "High traffic level from same user"
messages when the threshold is exceeded. By default, no alarm is generated and no incoming
messages are dropped.
10. Log on INVITE flood from a user within SIP Entity Connection: Logs "High traffic level (INVITE)
from same user" messages when the threshold is exceeded. By default, no alarm is generated and no
incoming messages are dropped.
11. Log on REGISTER flood from a user within SIP Entity Connection: Logs "High traffic level
(REGISTER) from same user" messages when the threshold is exceeded. By default, no alarm is
generated and no incoming messages are dropped.
12. Log on OPTION flood from a user within SIP Entity Connection for TCP: Logs "High traffic level
(OPTIONS) from same user" messages when the threshold is exceeded. By default, no alarm is
generated and no incoming messages are dropped.
13. Log on OPTION flood from a user within SIP Entity Connection for TLS: Logs "High traffic level
(OPTIONS) from same user" messages when the threshold is exceeded. By default, no alarm is
generated and no incoming messages are dropped.
14. Log OPTION flood from a user within untrusted SIP Entity Connection for TCP: Logs "High traffic
level (OPTIONS) from same user" messages when the threshold is exceeded and incoming INVITE
messages are being dropped.
15. Log OPTION flood from a user within untrusted SIP Entity Connection for TLS: Logs "High traffic
level (OPTIONS) from same user" messages when the threshold is exceeded and incoming INVITE
messages are being dropped.
Blacklist (Disabled)
No Blacklist rules are present in the default rule set.
Whitelist (Disabled)
No Whitelist rules are present in the default rule set.
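The rule list above reads as a set of counters keyed by where the traffic comes from (a single UA connection, a whole SIP Entity, or one user within an Entity), each with a threshold and an action that is either log-only or log-and-drop. The following model is an added example, not Avaya's SIP firewall implementation: it keeps a sliding window per rule and per key and shows the difference between the two default actions over constructed traffic. The rule names echo the page; the thresholds, windows, scope mapping and sample messages are assumptions chosen for illustration.

```python
"""Sliding-window SIP flood rules in the style of the default rule set above.

Added example, not Avaya's SIP firewall. Rule names echo the page; thresholds,
windows, the scope-to-key mapping and the sample traffic are assumptions.
"""
from collections import defaultdict, deque, namedtuple

SipMsg = namedtuple("SipMsg", "ts method src_ip src_port from_user")

# scope: which identity the rule counts against; method None would mean any;
# threshold: messages allowed per window; drop: log-and-drop vs log-only.
Rule = namedtuple("Rule", "name scope method threshold window drop")

RULES = [
    Rule("Log high rate of INVITE Flood from UA Connection", "ua", "INVITE", 5, 1.0, False),
    Rule("Log REGISTER Flood from UA Connection", "ua", "REGISTER", 3, 1.0, True),
    Rule("Log on INVITE flood from SIP Entity", "entity", "INVITE", 20, 1.0, False),
    Rule("Log on OPTION flood from a user within SIP Entity Connection for TCP",
         "user", "OPTIONS", 10, 1.0, False),
]


def scope_key(msg, scope):
    """Map a message to the identity a rule of this scope counts against."""
    if scope == "ua":
        return (msg.src_ip, msg.src_port)      # same UA connection
    if scope == "entity":
        return msg.src_ip                       # same remote IP (SIP Entity)
    if scope == "user":
        return (msg.src_ip, msg.from_user)      # same user within an Entity
    raise ValueError(scope)


class SipFirewall:
    def __init__(self, rules=RULES):
        self.rules = rules
        self.windows = defaultdict(deque)   # (rule name, key) -> timestamps
        self.events = []                    # (ts, rule name, key, "log"|"drop")

    def inspect(self, msg):
        """Run every applicable rule; return True to forward, False to drop."""
        forward = True
        for rule in self.rules:
            if rule.method and msg.method != rule.method:
                continue
            key = scope_key(msg, rule.scope)
            win = self.windows[(rule.name, key)]
            win.append(msg.ts)
            while win and msg.ts - win[0] > rule.window:
                win.popleft()                   # expire messages outside the window
            if len(win) > rule.threshold:
                self.events.append((msg.ts, rule.name, key, "drop" if rule.drop else "log"))
                if rule.drop:
                    forward = False
        return forward


def run_sample():
    """Constructed traffic: a REGISTER burst, a slow INVITE trickle, an entity-wide INVITE flood."""
    fw = SipFirewall()
    traffic = []
    # 6 REGISTERs in 0.5 s over one UA connection: exceeds 3/s, logged and dropped
    traffic += [SipMsg(0.1 * i, "REGISTER", "198.51.100.7", 51000, "alice") for i in range(6)]
    # 6 INVITEs spread over 2 s from one UA: at most 3 per window, below the threshold of 5
    traffic += [SipMsg(1.0 + 0.4 * i, "INVITE", "198.51.100.8", 52000, "bob") for i in range(6)]
    # 25 INVITEs in 0.5 s from one SIP Entity over 25 different connections: per-connection
    # rules see one message each; the entity rule trips but only logs (default action)
    traffic += [SipMsg(5.0 + 0.02 * i, "INVITE", "203.0.113.10", 60000 + i, "trunk") for i in range(25)]
    forwarded = sum(1 for m in traffic if fw.inspect(m))
    return forwarded, len(traffic), fw.events


if __name__ == "__main__":
    forwarded, total, events = run_sample()
    print(f"forwarded {forwarded} of {total}")
    for ev in events:
        print(ev)
```

The point to take from the run: the REGISTER burst from a single UA connection is logged and dropped, while the INVITE burst spread over many connections from one SIP Entity is logged only, because that rule's default action drops nothing. When tuning thresholds, keep in mind from the text above that the firewall sees decrypted SIP, so TLS does not hide a flood from these counters, and that per-connection rules cannot see a distributed flood that the per-entity rules can.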
• Connection Limits: Connection limits provide DoS protection against an attacker attempting to open a
large number of HTTP or HTTPS connections to Session Manager and consuming all resources. By
default, a remote entity is limited to a maximum of 3 HTTP or HTTPS connections to Session Manager.
In addition, Session Manager limits the total number of HTTP or HTTPS connections to 4096 so that
resources remain available for SIP connections.
• PPM connection timeout: The timeout conserves Session Manager resources by closing connections
that are no longer in use or that show no activity.
• Packet Rate limiting: Packet rate limiting provides DoS protection against an attacker sending a flood of
packets over HTTP or HTTPS connections to Session Manager. By default, a remote entity is limited to a
maximum of 200 packets per second on an HTTP or HTTPS connection to Session Manager. The
configurable range is 1-500.
Note:
If all PPM (HTTP or HTTPS) traffic is redirected to an HTTP proxy and the Session Manager is
receiving all HTTP or HTTPS requests from an HTTP proxy, adjust or disable connection limit and
Packet Rate limit thresholds accordingly.
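The connection limit, idle timeout and packet-rate limit above are admission-control decisions taken per remote entity and per connection. The following is an added example, not Session Manager code, that models them: a per-remote cap of 3 and a global cap of 4096 on open HTTP(S) connections, and a 200 packet-per-second token bucket per connection. The default numbers are the ones quoted on the page; the token-bucket shape, the burst size and the sample traffic are assumptions.

```python
"""Admission control for PPM (HTTP/HTTPS) connections, modelled on the limits above.

Added example, not Session Manager code. The defaults (3 connections per remote
entity, 4096 in total, 200 packets/s per connection) are quoted from the page;
the token-bucket rate limiter, its burst size and the sample traffic are assumptions.
"""
from collections import defaultdict


class PpmAdmission:
    def __init__(self, per_remote=3, total=4096, pps=200, burst=None):
        self.per_remote = per_remote
        self.total = total
        self.pps = pps
        self.burst = float(burst if burst is not None else pps)
        self.per_remote_count = defaultdict(int)
        self.conns = {}        # conn id -> remote address
        self.buckets = {}      # conn id -> (tokens, last timestamp)
        self.rejected = []     # (reason, remote address or conn id)

    def open(self, conn_id, remote, ts):
        """Admit or refuse a new HTTP(S) connection from `remote`."""
        if len(self.conns) >= self.total:
            self.rejected.append(("total-limit", remote))
            return False
        if self.per_remote_count[remote] >= self.per_remote:
            self.rejected.append(("per-remote-limit", remote))
            return False
        self.conns[conn_id] = remote
        self.per_remote_count[remote] += 1
        self.buckets[conn_id] = (self.burst, ts)   # a new connection starts with a full bucket
        return True

    def close(self, conn_id):
        """Release the slot, as the PPM idle timeout would do for a silent connection."""
        remote = self.conns.pop(conn_id)
        self.per_remote_count[remote] -= 1
        self.buckets.pop(conn_id)

    def packet(self, conn_id, ts):
        """Token bucket: each packet costs one token, refilled at `pps` tokens per second."""
        tokens, last = self.buckets[conn_id]
        tokens = min(self.burst, tokens + (ts - last) * self.pps)
        if tokens < 1.0:
            self.buckets[conn_id] = (tokens, ts)
            self.rejected.append(("rate-limit", conn_id))
            return False
        self.buckets[conn_id] = (tokens - 1.0, ts)
        return True


def run_sample():
    """Constructed scenario: one well-behaved phone, one remote that hogs connections and floods."""
    adm = PpmAdmission()
    results = {}
    # a well-behaved endpoint: one connection, 50 packets spread over one second
    adm.open("c1", "192.0.2.10", 0.0)
    results["good_ok"] = sum(adm.packet("c1", 0.02 * i) for i in range(50))
    # an attacker opens 5 connections from one address: only 3 are admitted
    results["attacker_conns"] = sum(adm.open(f"a{i}", "198.51.100.9", 1.0) for i in range(5))
    # then sends 400 packets within 1 ms on its first admitted connection
    results["flood_ok"] = sum(adm.packet("a0", 1.0 + 2.5e-6 * i) for i in range(400))
    return results, adm.rejected


if __name__ == "__main__":
    results, rejected = run_sample()
    print(results)
    print(f"{len(rejected)} rejections")
```

The run also makes the proxy caveat in the Note concrete: when every endpoint reaches Session Manager through one HTTP proxy, all connections carry the proxy's address, so the fourth legitimate phone is refused exactly as the attacker's fourth connection is here. That is why the per-remote limit has to be raised or disabled in that deployment.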
Session Manager Port Matrix
The Avaya Aura® Session Manager Port Matrix documents contain information about the ports and protocols
that Session Manager uses. See the Port Matrix documents at https://support.avaya.com/security.
Platform accounts
The following is the list of logins created when Session Manager is installed:
• asset: A login created during the installation of the Security Module software. By default, access to the
system using this login is disabled.
• CDR_User: A restricted shell login for the Call Detail Recording (CDR) feature that collects call data
from the Session Manager server. This login is restricted to sftp access only.
• craft: An Avaya services login that accesses the system remotely for troubleshooting. The craft login
authenticates using Enhanced Access Security Gateway (EASG). For more information on EASG, see
Avaya services accounts.
• csadmin: Login used by the Solution Deployment Manager.
• customer: The customer must ensure the security of this login account. The system permits the
customer login to run tools on the Session Manager server that do not require root access.
• init: An Avaya services login that accesses the system remotely for troubleshooting. The init login
authenticates using Enhanced Access Security Gateway (EASG). For more information on EASG, see
Avaya services accounts.
• jboss: A service account under which the management JBoss process runs. It is not an interactive login
account.
• postgres: A login created by the installation of the PostgreSQL database system used by the Session
Manager software. Access to the system using this login is disabled.
• spirit: A login created by the Secure Access Link remote alarming and remote access module for Avaya
services. Access to the system using this login is disabled.
• sroot: An Avaya services login used for troubleshooting. The sroot login authenticates using Enhanced
Access Security Gateway (EASG). For more information on EASG, see Avaya services accounts. This login
is only accessible on the server console.
• wsuser: A service account under which WebSphere runs. It is not an interactive login account.
Note:
The Enhanced Access Security Gateway secures the following logins and prevents unauthorized access
to the Session Manager servers by non-Avaya services personnel:
• sroot
• init
• craft
Using the customer login account, you can run most of the maintenance and troubleshooting commands.
You do not need root access for standard maintenance and support purposes. For more information, see
the Product Support Notice PSN003925u at https://downloads.avaya.com/css/P8/documents/100169866
Directory Security
Session Manager mounts the /tmp, /home, /data, /var, /var/log and /var/log/audit partitions with the
noexec and nosuid mount options, so a binary placed in any of those file systems cannot be executed
there or gain set-uid privileges.
The auditd daemon logs the use of privileged commands. The auditd daemon also logs actions such as
unauthorized attempts to delete or change files, system time changes, scheduling jobs, permission
changes, and adding accounts.
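The account list and the mount-option statement above are both baselines that can drift after patching or manual changes, so they are worth auditing. The following is an added example, not an Avaya tool: it reads passwd, shadow and mount tables, checks that the logins the page describes as disabled or non-interactive are actually locked, and checks that the listed partitions carry noexec and nosuid. The three files embedded below are constructed samples; the shells, device names and UIDs in them are assumptions, and the sample deliberately leaves spirit unlocked and /data without noexec so the checks have something to report.

```python
"""Audit platform accounts and partition mount options against the baseline above.

Added example, not an Avaya tool. ACCOUNT_BASELINE and HARDENED_PATHS encode what
the page states; the passwd, shadow and mounts samples are constructed and the
shells, devices and UIDs in them are assumptions.
"""

# "disabled" and "service": no interactive access expected (locked password and
# a nologin shell). "sftp": the page allows sftp access, so only presence is checked.
ACCOUNT_BASELINE = {
    "asset": "disabled", "postgres": "disabled", "spirit": "disabled",
    "CDR_User": "sftp", "jboss": "service", "wsuser": "service",
}
NOLOGIN_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false"}
REQUIRED_MOUNT_OPTS = {"noexec", "nosuid"}
HARDENED_PATHS = ["/tmp", "/home", "/data", "/var", "/var/log", "/var/log/audit"]

# Constructed samples (not taken from a real server). spirit is left with a
# shell and a password hash, and /data lacks noexec, on purpose.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
customer:x:1000:1000::/home/customer:/bin/bash
asset:x:1001:1001::/home/asset:/sbin/nologin
CDR_User:x:1002:1002::/home/CDR_User:/bin/bash
postgres:x:26:26::/var/lib/pgsql:/sbin/nologin
spirit:x:1003:1003::/home/spirit:/bin/bash
jboss:x:1004:1004::/opt/jboss:/sbin/nologin
wsuser:x:1005:1005::/opt/ws:/sbin/nologin
"""
SHADOW = """\
root:$6$abc$hash:18600:0:99999:7:::
customer:$6$def$hash:18600:0:99999:7:::
asset:!!:18600:0:99999:7:::
CDR_User:$6$ghi$hash:18600:0:99999:7:::
postgres:!!:18600:0:99999:7:::
spirit:$6$jkl$hash:18600:0:99999:7:::
jboss:!!:18600:0:99999:7:::
wsuser:!!:18600:0:99999:7:::
"""
MOUNTS = """\
/dev/mapper/vg-root / ext4 rw,relatime 0 0
/dev/mapper/vg-tmp /tmp ext4 rw,nosuid,nodev,noexec,relatime 0 0
/dev/mapper/vg-home /home ext4 rw,nosuid,noexec,relatime 0 0
/dev/mapper/vg-data /data ext4 rw,nosuid,relatime 0 0
/dev/mapper/vg-var /var ext4 rw,nosuid,noexec,relatime 0 0
/dev/mapper/vg-varlog /var/log ext4 rw,nosuid,noexec,relatime 0 0
/dev/mapper/vg-audit /var/log/audit ext4 rw,nosuid,noexec,relatime 0 0
"""


def parse_colon_file(text, field):
    """Map username -> the selected field of a passwd/shadow style file."""
    out = {}
    for line in text.splitlines():
        parts = line.split(":")
        if len(parts) > field:
            out[parts[0]] = parts[field]
    return out


def audit_accounts(passwd, shadow, baseline=ACCOUNT_BASELINE):
    """Return (user, finding) pairs where the account state contradicts the baseline."""
    shells = parse_colon_file(passwd, 6)       # field 6 of passwd is the login shell
    hashes = parse_colon_file(shadow, 1)       # field 1 of shadow is the password hash
    findings = []
    for user, expect in baseline.items():
        if user not in shells:
            findings.append((user, "missing"))
            continue
        shell_locked = shells[user] in NOLOGIN_SHELLS
        pw_locked = hashes.get(user, "!").startswith(("!", "*"))   # no shadow entry counts as locked
        if expect in ("disabled", "service") and not (shell_locked and pw_locked):
            findings.append((user, "interactive access possible"))
    return findings


def audit_mounts(mounts, paths=HARDENED_PATHS):
    """Return (path, finding) pairs for paths that are not separate mounts or lack the options."""
    opts = {}
    for line in mounts.splitlines():
        f = line.split()                       # device mountpoint fstype options ...
        if len(f) >= 4:
            opts[f[1]] = set(f[3].split(","))
    findings = []
    for p in paths:
        if p not in opts:
            findings.append((p, "not a separate mount"))
        elif REQUIRED_MOUNT_OPTS - opts[p]:
            findings.append((p, "missing " + ",".join(sorted(REQUIRED_MOUNT_OPTS - opts[p]))))
    return findings


if __name__ == "__main__":
    for finding in audit_accounts(PASSWD, SHADOW) + audit_mounts(MOUNTS):
        print(*finding, sep=": ")
```

On a live server run the two functions over /etc/passwd, /etc/shadow and /proc/mounts (reading shadow needs root, which on Session Manager means the console or an EASG-authenticated services login rather than the customer account). A finding against a disabled account means a shell or a password hash was restored; a finding against a mount means a binary dropped into that partition could be executed or run set-uid, which is the exposure the options exist to remove.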
System Integrity and Monitoring
For system status and performance monitoring, see the appropriate sections in Administering Avaya
Aura® Session Manager.
For information related to system events and alarms, see Troubleshooting Avaya Aura® Session
Manager.
The following sections describe the specific application security measures that Session Manager
provides.
• Network Administrator
• System Administrator
• Avaya Services Administrator
The administrator can define custom roles using the Session Manager and Routing web pages. With the
Session Manager RBAC feature, a system administrator can add different administrative privileges to a
set of users to access and modify Session Manager and Routing web pages.
• By default, the system suspends a user session after 30 minutes of inactivity. When the session
becomes inactive, the user must log in to the System Manager again.
• Session Manager times out after a user has been inactive for 10 minutes.
An audit trail/log is a chronological sequence of records showing who has accessed a computer system
and what operations a user performed during a specified time. Audit trails are recorded in reference to two
basic areas: Linux-based shell commands, and any application management-based changes. Session
Manager configures the bash rpm to log all shell command activity to the Linux system logs in /var/log/
cmd_history.log. Activity includes login attempts (success and failure) and any command that is entered
by a user or invoked by any software within the server. The log provides an audit trail for all shell activity.
All log files are configured to roll over at a specific interval to prevent the log files from using the entire
disk space. Some Linux system logs on Session Manager are readable only from the root account.
Administrators can view or download contents of some of the Session Manager Linux system logs and
application logs on the Log Harvester page on the System Manager web console (under Events, Logs >
Log Harvester). Viewing the logs on the Log Harvester page eliminates the need for root access to the
Session Manager. For more information regarding the log harvester feature, see Administering Avaya
Aura® System Manager.
Security information is logged in or notified through:
Auditable events
• Any access to the security control configuration of the server: logging configuration, the PAM
configuration, and the SIP firewall configuration.
• Trust management activities, as in certificate administration.
• Result of request by application to open or close a pinhole in network firewall.
• A change in SIP firewall mitigation policy.
• SIP firewall detects that SIP message has matched one of its rules.
Use of Cryptography
This section describes the use of cryptography, including certificates and keys, by Session Manager.
Note:
Read all certificate-related sections of this guide before making a decision on certificate-related changes
to your setup.
Determine if the Session Manager is using the default demo Identity Certificate. The Issuer Name field for
a demo certificate displays the following information: O=Avaya INC.,OU=SIP Product Certificate
Authority,CN=SIP Product Certificate Authority.
Procedure
1. On the home page of the System Manager Web Console, in Services, click Inventory > Manage
Elements.
2. Select the appropriate Session Manager instance.
3. Click More Actions > Configure Identity Certificates.
4. Select the Security Module SIP entry.
5. Verify the Issuer Name field.
Establishing TLS sessions with customer or third-party devices requires exchanging issuer certificates
between Session Manager and the third-party device.
Procedure
Use the System Manager interface to provision additional trusted certificates to Session Manager.
4. Trust State of the entity link. This defines whether the entity link is trusted or not.
Digital Certificates identify communication entities in a Public Key Infrastructure (PKI). Certificate
Authorities (CAs) issue certificates with a validity period. During validation, communicating entities ensure
the certificate has not expired and also check the revocation status of the certificate. At times, the issuing
CA might want to revoke the certificate before it expires. For example, when an employee leaves the
company, the CA must revoke the certificates issued to that employee to avoid misuse. Session Manager
7.1 uses the Certificate Revocation List (CRL) method for checking certificate revocation.
CRLs contain a list of serial numbers for certificates that are revoked. Entities with a revoked certificate
must no longer be trusted. To revoke a certificate:
• The Certificate Authority (CA) administrator can log on to a CA and revoke the certificate.
• The CA publishes the CRL to an HTTP or LDAP repository referenced in the CRL Distribution Point
(CDP) extension of a certificate.
Session Manager performs the required certificate revocation checks based on the global Certificate
Revocation Check policy that is configured on System Manager.
If Certificate Revocation Checking is enabled, every certificate exchanged while establishing a TLS
connection is verified against a CRL. Before using a CRL, Session Manager verifies the validity of the CA's
digital signature on the CRL.
System Manager provides the ability to periodically download CRLs in advance to make them available
before a TLS connection is attempted. If a CRL is not previously downloaded, the system might attempt to
download the CRL when trying to establish a TLS connection. In that case, the system attempts to
download the CRLs from the URI specified in the certificate’s CRL Distribution Point (CDP) extension.
Multiple CDP locations may be included in the CDP extension. If multiple CDP locations are specified, an
attempt is made to download a CRL from the first location, followed by the next location, and so on, until
the system either downloads a CRL or times out.
• Mandatory: The certificate is considered valid if all CRLs in a certificate chain can be fetched and no
certificate is present on any CRL.
• Best effort: The certificate is considered valid if none of the CRLs in a certificate chain that have been
fetched indicate that the certificate has been revoked, or if CRL cannot be fetched.
• Off: No CRL revocation checking is performed.
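To make the three policy settings concrete, here is an added example (not Avaya code) that simulates the revocation check described in this section: a chain of an end-entity certificate and an intermediate, each CDP location tried in order until a CRL with a valid CA signature is obtained, and the chain then judged under Mandatory, Best effort and Off. The CDP URLs, serial numbers, CA names and the fetcher are constructed stand-ins for the HTTP or LDAP download.

```python
"""Worked model of the CRL revocation-check policies (added example, not Avaya code)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

MANDATORY, BEST_EFFORT, OFF = "mandatory", "best_effort", "off"


@dataclass
class Cert:
    subject: str
    serial: int
    cdp_urls: List[str] = field(default_factory=list)  # CRL Distribution Point URIs, in order


@dataclass
class Crl:
    issuer: str
    revoked_serials: frozenset
    signature_valid: bool = True  # result of verifying the CA's signature on the CRL


class CrlFetcher:
    """Stand-in for the HTTP/LDAP download: maps a CDP URL to a CRL, or None on timeout."""

    def __init__(self, repository: Dict[str, Optional[Crl]]):
        self.repository = repository
        self.attempts: List[str] = []   # every URL tried, in order

    def fetch(self, url: str) -> Optional[Crl]:
        self.attempts.append(url)
        return self.repository.get(url)


def fetch_crl_for(cert: Cert, fetcher: CrlFetcher) -> Optional[Crl]:
    """Try each CDP location in turn until a CRL with a valid CA signature is obtained."""
    for url in cert.cdp_urls:
        crl = fetcher.fetch(url)
        if crl is not None and crl.signature_valid:
            return crl
    return None


def certificate_accepted(chain: List[Cert], policy: str, fetcher: CrlFetcher) -> bool:
    """Judge a peer's chain (end entity first, then intermediates) under the global policy."""
    if policy == OFF:
        return True
    for cert in chain:
        crl = fetch_crl_for(cert, fetcher)
        if crl is None:
            if policy == MANDATORY:
                return False      # every CRL in the chain must be fetchable
            continue              # best effort: an unavailable CRL does not fail the check
        if cert.serial in crl.revoked_serials:
            return False          # a revoked certificate is never trusted
    return True


# Constructed scenario: the entity certificate's first CDP times out and its
# mirror answers; the intermediate's only CDP times out. Names and URLs are
# placeholders, not real Avaya or customer infrastructure.
ENTITY_CDPS = ["http://crl-primary.example.test/sip.crl", "http://crl-mirror.example.test/sip.crl"]
INTERMEDIATE = Cert("Example Issuing CA", 0x20, ["http://crl.example.test/issuing.crl"])
REPOSITORY = {
    ENTITY_CDPS[0]: None,                                           # timeout
    ENTITY_CDPS[1]: Crl("Example Issuing CA", frozenset({0x1002})),
    INTERMEDIATE.cdp_urls[0]: None,                                 # timeout
}


def evaluate(policy: str, entity_serial: int = 0x1001):
    """Run one handshake's revocation check; returns (accepted, URLs attempted)."""
    fetcher = CrlFetcher(REPOSITORY)
    chain = [Cert("sip-entity.example.test", entity_serial, ENTITY_CDPS), INTERMEDIATE]
    return certificate_accepted(chain, policy, fetcher), fetcher.attempts
```

In the constructed scenario, Mandatory rejects the peer because the intermediate's CRL cannot be fetched, Best effort accepts it (the entity's CRL was obtained from the mirror and does not list its serial) but still rejects a serial that the fetched CRL lists as revoked, and Off performs no download at all. The attempts list is the audit trail a practitioner would want when diagnosing why a handshake failed under the stricter policy.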
NIST Compliance
The National Institute of Standards and Technology (NIST) develops cryptographic standards for the
United States government. NIST recommends that starting in 2014, the digital signatures of Identity
Certificates use SHA2 hashing and 2048-bit RSA keys. NIST requires at least 2048-bit RSA keys. Using
the GUI, customers have the option to create larger keys, such as 4096-bit.
• Session Manager uses SHA-256 and 2048-bit RSA keys for signing new Identity Certificates by
default.
• Session Manager uses SHA-512 for passwords.
• Session Manager is compliant with NIST SP800-131a.
SIP providers now require client applications, such as Session Manager, to use certificates with a digital
signature that is formed with SHA-256 and 2048-bit RSA keys.
To operate with the web browser application, Avaya customers must replace the demo certificates with
certificates issued by the System Manager Certificate Authority.
• Provide a higher level of security than earlier TLS versions to protect users from known attacks.
• Provide flexibility for defining cryptography algorithms.
The TLS protocol provides three essential services to all applications: encryption, authentication, and data
integrity.
Procedure
1. On the home page of the System Manager Web Console, under Elements, select Session Manager
> System Status > Security Module Status.
2. Select the appropriate Session Manager.
3. Click Connection Status.
4. Select a filter.
5. Click Apply Filter.
1. The IP address matches one of the SIP entities configured in NRP that have trusted entity links
with the Session Manager. If SIP entities are configured by FQDN, DNS resolution is performed before this
verification.
2. The transport of the incoming SIP connection matches one of the entity links associated with this
SIP entity and Session Manager. Also, the Trust State of the entity link must be configured as trusted.
Session Manager does not accept connections matching untrusted entity links.
For SIP packets over UDP, Session Manager performs the same validations for each packet. For SIP TLS
connections, further validation is performed as described in the next section.
1. Mutual TLS authentication: During the TLS handshake, the SIP entity and Session Manager
validate the certificate of each other and perform mutual TLS authentication.
Note:
Session Manager can enforce certificate validation for SIP endpoints. Session Manager rejects
communication if the certificate is not trusted or invalid.
2. Additional validation of the SIP entity identity certificate: If the mutual TLS authentication is
successful, further validation is performed using the credential name or the far end IP address of the
SIP entity identity certificate.
8. On the Session Manager Administration page, an administrator can enable or disable the TLS
endpoint certificate validation feature.
Session Manager supports TLS versions 1.0, 1.1, and 1.2. TLS version 1.0 is the least secure, while
version 1.2 is the most secure. Based on the capability of the SIP entity, the system negotiates and
establishes the highest common TLS version. For example, if the SIP entity supports only TLS version 1.0,
then after capability negotiation Session Manager establishes a connection with TLS version 1.0.
Negotiating down to a lower TLS version that has known vulnerabilities might not be acceptable in some
customer configurations.
With Session Manager Release 7.1.2, a system administrator can define the minimum allowed TLS
version for the global SIP entity and for each SIP entity. In some scenarios, the SIP entity does not
support a TLS version equal to or above the minimum allowed TLS version. In this case, the SIP entity
cannot establish a connection with Session Manager.
Session Manager Release 7.1.2 adds two global policies that govern the minimum allowed TLS versions
for the SIP Entities and SIP endpoints respectively. For more information, see Administering Avaya Aura®
Session Manager.
When negotiating TLS versions, Session Manager starts with the latest TLS version. However, the system
allows the version downgrade only up to the global policy defining the minimum allowed TLS version. For
example, a customer does not want to allow TLS connections with the SIP Entities earlier than version
1.1. The administrator can accordingly set the global policy of minimum allowed TLS version for SIP
Entities to 1.1. This ensures that Session Manager allows TLS connections with the SIP Entities at a
minimum of TLS version 1.1 or later.
To ensure that upgrades are non-interruptive, the value of this setting after upgrade is set to 1.0. You must
manually change the minimum allowed TLS version when required. For new installations, the version is
set to version 1.2 by default.
1. If you do not want to perform additional validation on a SIP Entity identity certificate or you are not
using SIP TLS for connecting to the SIP entity, leave this field empty.
2. If you want to verify that a specific string or SIP Entity FQDN is present within the SIP Entity identity
certificate, enter that string or SIP Entity FQDN using regular expression syntax.
3. If you want to verify the SIP Entity IP address is present within the SIP Entity identity certificate,
enter the SIP Entity IP address using regular expression syntax. The IP address is searched by default
when any string is configured in the Credential name.
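The validations described in the preceding sections (trusted entity link by IP address and transport, TLS version negotiation bounded by the minimum allowed version, and the optional Credential name match against the identity certificate) are combined in the following added example. It is illustrative code written for this page, not Session Manager's own implementation; the entity names, addresses, certificate names and regular expressions are constructed.

```python
"""Model of the SIP entity connection checks (added example, not Avaya code)."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Versions the document says Session Manager supports, lowest to highest.
TLS_VERSIONS = ("1.0", "1.1", "1.2")


@dataclass
class EntityLink:
    transport: str   # "TCP", "UDP" or "TLS"
    trusted: bool    # Trust State of the entity link


@dataclass
class SipEntity:
    name: str
    address: str                    # IP address (an FQDN is resolved before the check)
    links: List[EntityLink]
    credential_name: str = ""       # regex; empty means no additional certificate check
    min_tls: Optional[str] = None   # per-entity minimum, overrides the global policy


@dataclass
class PeerCertificate:
    names: List[str]                # CN and subjectAltName values presented by the peer


def negotiate_tls(peer_versions, global_min="1.2", entity_min=None):
    """Highest version both sides support, or None if that is below the minimum allowed."""
    floor = entity_min or global_min
    common = [v for v in TLS_VERSIONS if v in peer_versions]
    if not common:
        return None
    best = common[-1]
    return best if TLS_VERSIONS.index(best) >= TLS_VERSIONS.index(floor) else None


def credential_name_matches(entity, cert):
    """Credential name rule: empty skips the check; otherwise the regex is searched
    in every certificate name and, by default, in the far-end IP address as well."""
    if not entity.credential_name:
        return True
    pattern = re.compile(entity.credential_name)
    return any(pattern.search(c) for c in list(cert.names) + [entity.address])


def accept_connection(entities, src_ip, transport, peer_versions=(), cert=None,
                      global_min_tls="1.2"):
    """Return (accepted, reason), applying the checks in the order the text lists them."""
    entity = next((e for e in entities if e.address == src_ip), None)
    if entity is None:
        return False, "no SIP entity with this address"
    link = next((lnk for lnk in entity.links if lnk.transport == transport), None)
    if link is None:
        return False, "no entity link for this transport"
    if not link.trusted:
        return False, "entity link is untrusted"
    if transport != "TLS":
        return True, f"accepted over {transport}"
    version = negotiate_tls(peer_versions, global_min_tls, entity.min_tls)
    if version is None:
        return False, "no TLS version at or above the minimum allowed"
    if cert is None:
        return False, "mutual TLS requires a peer certificate"
    if not credential_name_matches(entity, cert):
        return False, "identity certificate does not match Credential name"
    return True, f"accepted over TLS {version}"


# Constructed entities (names, addresses and patterns are illustrative only).
ENTITIES = [
    SipEntity("sbc-1", "192.0.2.10", [EntityLink("TLS", True)],
              credential_name=r"^sbc-1\.example\.test$"),
    SipEntity("legacy-gw", "192.0.2.20", [EntityLink("TLS", True)], min_tls="1.0"),
    SipEntity("untrusted-peer", "192.0.2.30", [EntityLink("TCP", False)]),
]
```

With the global minimum left at the new-installation default of 1.2, a peer that only offers 1.0 and 1.1 is refused, while the per-entity minimum of 1.0 on the legacy gateway lets that one link negotiate down; the example makes visible why an upgraded system, whose global minimum is set to 1.0, should have that value reviewed rather than left as it is.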
Link | Description | Transport protocol | Initial Key Determination
SIP telephone to Session Manager | Personal Profile Manager (PPM) download | HTTPS | TLS
Pre-shared secrets.
Jgroups:
Data transmission to and from Avaya services in support of customer equipment is protected through non-
secure data networks such as the Internet, over modems, and through SNMP notifications. Contact Avaya
services for more information.
craft | susers | craft cannot perform login administration or change customer services.
Credentials management
Credentials such as usernames and passwords for standard Linux accounts in Session Manager are
stored in the following directories:
• /etc/passwd
• /etc/shadow
• /etc/group
The backup files are stored in directories such as /etc/passwd- and /etc/group-.
Session Manager does not use a database to store credentials information. However, UPM and PPM data
are stored in the Session Manager database.
• Passwords for local accounts are stored in /etc/shadow. Passwords in /etc/shadow are stored as a one-
way hash. You can access the file /etc/shadow using the root login.
• Any user logged into Linux can view user names and group membership for local accounts.
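As an added example (not from the Avaya document), the following parser audits /etc/shadow-format records against the statements above and in the NIST compliance section: passwords must be stored as one-way hashes, SHA-512 crypt in Session Manager's case, and disabled logins such as postgres and spirit appear as locked entries. The sample lines and hash strings are constructed placeholders, not real digests.

```python
"""Audit local account password storage in /etc/shadow format (added example, not Avaya code)."""
import sys
from dataclasses import dataclass
from typing import Dict, List

# crypt(3) hash identifiers; the document states Session Manager uses SHA-512 ($6$).
HASH_IDS = {"$1$": "md5", "$5$": "sha256", "$6$": "sha512", "$2b$": "bcrypt", "$y$": "yescrypt"}

# Constructed /etc/shadow-style records. Hash strings are placeholders, not real digests.
SAMPLE_SHADOW = """\
root:$6$c0nstructed$PLACEHOLDER.root.hash.not.a.real.digest.xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx:18200:0:99999:7:::
cust:$6$c0nstructed$PLACEHOLDER.cust.hash.not.a.real.digest.xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx:18200:0:90:7:::
postgres:!!:18200::::::
spirit:*:18200::::::
legacyapp:$1$c0nstructed$PLACEHOLDER.md5.hash.xx:18200:0:99999:7:::
nopass::18200:0:99999:7:::
"""


@dataclass
class ShadowEntry:
    name: str
    password: str   # second field: hash, locked marker ('!', '!!', '*') or empty

    @property
    def locked(self) -> bool:
        """A leading '!' or '*' means password authentication is disabled for the account."""
        return self.password.startswith(("!", "*"))

    @property
    def algorithm(self) -> str:
        if self.locked:
            return "locked"
        if self.password == "":
            return "empty"
        for prefix, alg in HASH_IDS.items():
            if self.password.startswith(prefix):
                return alg
        return "legacy-des" if len(self.password) == 13 else "unknown"


def parse_shadow(text: str) -> List[ShadowEntry]:
    entries = []
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) < 2 or not fields[0]:
            continue    # blank or malformed line
        entries.append(ShadowEntry(fields[0], fields[1]))
    return entries


def audit_shadow(text: str, required: str = "sha512") -> Dict[str, str]:
    """Return {account: finding} for every account whose stored secret violates the policy."""
    findings = {}
    for entry in parse_shadow(text):
        alg = entry.algorithm
        if alg == "locked":
            continue    # disabled service logins are expected and fine
        if alg == "empty":
            findings[entry.name] = "empty password field"
        elif alg != required:
            findings[entry.name] = f"hash is {alg}, expected {required}"
    return findings


def locked_accounts(text: str) -> List[str]:
    return sorted(e.name for e in parse_shadow(text) if e.locked)


if __name__ == "__main__":
    # Reading the real file requires the root login, as the text above notes:
    # python3 audit_shadow.py /etc/shadow   (script name is a placeholder)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SHADOW
    print("locked:", ", ".join(locked_accounts(text)))
    for name, finding in audit_shadow(text).items():
        print(f"{name}: {finding}")
```

Against the constructed sample the audit flags an account still carrying an MD5 crypt hash and one with an empty password field, and lists postgres and spirit as locked, which matches the disabled state the account descriptions above give for those two logins.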
• craft
• sroot
• init
The Session Manager EASG challenge/response functionality uses the EASG certificate and is
compatible with the EASG capability of other Avaya products.
The list of key parameters includes but is not necessarily limited to the following:
• Authentication File ID (AFID) is the parameter that the ASG login screen displays as the Product
ID.
• Product Name
• Product Release
• Common Name (for example, host.domain.com)
• Authentication file generation date and time
• Authentication file request type
• ASG key type
• Password type
• Authentication File System (AFS) Request ID (Note: Authentication files from AFS are encrypted using
AES)
Privilege escalation
Session Manager supports privilege escalation with the su and sudo commands. Technicians who need
higher privileges must log in using the normal service accounts and then escalate privileges using su or
sudo to perform restricted tasks. sudo -l displays the list of restricted commands that the user is permitted
to run.
Authentication
You can configure System Manager to authenticate administrative users using external authentication
services such as an enterprise directory, a database, or a RADIUS server. An administrative account is
provisioned within System Manager during installation for initial access.
Note:
Access to the Session Manager host (OS) is not recommended in this release and all management
functionality of Session Manager is performed through System Manager.
System Manager supports external authentication services that provide:
Authentication Mechanism | Description and Interoperability information
DB | This is the default mechanism and is configured to be done against the embedded database such as
Postgres. Interoperability: This release of System Manager is tested to interoperate with Postgres.
LDAP | System Manager can be configured to authenticate against the enterprise LDAP for administrator
authentication. These users still need to be provisioned in the System Manager database because System
Manager requires the authorization information to provide privilege based access to the users.
Interoperability: This release of System Manager has been tested to interoperate with openLDAP.
RADIUS | Administrative users can also be authenticated against a RADIUS server. This setup supports
token based authentication mechanisms similar to the SecurID. As with LDAP authentication, the users
authenticating using this mechanism need to be provisioned in the System Manager database for
authorized access. Interoperability: This release of System Manager is tested to interoperate with
FreeRADIUS.
Resources
Documentation
For the latest information, see the Session Manager Release Notes.
Title | Description | Audience
Overview
Avaya Aura® Session Manager Overview and Specification | Describes the key features of Session
Manager. | IT management, System administrators, Sales engineers
Avaya Aura® Virtualized Environment Solution Description | Describes the Avaya Virtualized Environment,
design considerations, topology, and resources requirements. | Implementation engineers, Support personnel
Avaya Aura® Session Manager Security Design | Describes the security considerations, features, and
solutions for Session Manager. | Network administrators, services, and support personnel, System administrators
Avaya Aura® Session Manager 7.1 Release Notes | Contains enhancements, fixes, and workarounds for the
Session Manager 7.1 release. | Services and support personnel
Implementation
Deploying Avaya Aura® Branch Session Manager | Describes how to install and configure Branch Session
Manager in a virtualized environment. | Services and support personnel
Using
Using the Solution Deployment Manager client | Deploy and install patches for Avaya Aura applications. |
System administrators
Administration
Installing the Dell™ PowerEdge™ R610 Server | Describes the installation procedures for the Dell™
PowerEdge™ R610 server. | Services and support personnel
Installing the Dell™ PowerEdge™ R620 Server | Describes the installation procedures for the Dell™
PowerEdge™ R620 server. | Services and support personnel
Installing the Dell™ PowerEdge™ R630 Server | Describes the installation procedures for the Dell™
PowerEdge™ R630 server. | Services and support personnel
Installing the HP ProLiant DL360 G7 Server | Describes the installation procedures for the HP ProLiant
DL360 G7 server. | Services and support personnel
Installing the HP ProLiant DL380p G8 Server | Describes the installation procedures for the HP ProLiant
DL380p G8 server. | Services and support personnel
Installing the HP ProLiant DL360 G9 Server | Describes the installation procedures for the HP ProLiant
DL360 G9 server. | Services and support personnel
Procedure
1. Navigate to http://support.avaya.com/.
2. At the top of the screen, type your username and password and click Login.
3. Click Support by Product > Documents.
4. In Enter your Product Here, type the product name and then select the product from the list.
5. In Choose Release, select an appropriate release number.
6. In the Content Type filter, click a document type, or click Select All to see a list of all available
documents.
For example, for user guides, click User Guides in the Content Type filter. The list displays the
documents only from the selected category.
7. Click Enter.
Training
The following table contains courses that are available on https://www.avaya-learning.com. To search for
the course, in the Search field, enter the course code and click Go.
New training courses are added periodically. Enter Session Manager in the Search field to display the
inclusive list of courses related to Session Manager.
Course code | Course title
1A00236E | Knowledge Access: Avaya Aura® Session and System Manager Fundamentals
2011V | What is new in Avaya Aura® System Manager 7.0 and Avaya Aura® Session Manager 7.0
Avaya Mentor videos provide technical content on how to install, configure, and troubleshoot Avaya
products.
Procedure
• To find videos on the Avaya Support website, go to http://support.avaya.com and perform one of the
following actions:
◦ In Search, type Avaya Mentor Videos to see a list of the available videos.
◦ In Search, type the product name. On the Search Results page, select Video in the Content Type
column on the left.
• To find the Avaya Mentor videos on YouTube, go to www.youtube.com/AvayaMentor and perform one
of the following actions:
◦ Enter a key word or key words in the Search Channel to search for a specific product or topic.
◦ Scroll down Playlists, and click the name of a topic to see the available list of videos posted on the
website.
Support
Go to the Avaya Support website at http://support.avaya.com for the most up-to-date documentation,
product notices, and knowledge articles. You can also search for release notes, downloads, and
resolutions to issues. Use the online service request system to create a service request. Chat with live
agents to get answers to questions, or request an agent to connect you to a support team if an issue
requires additional expertise.
The Avaya InSite Knowledge Base is a web-based search engine that provides:
If you are an authorized Avaya Partner or a current Avaya customer with a support contract, you can
access the Knowledge Base without extra cost. You must have a login account and a valid Sold-To
number.
Use the Avaya InSite Knowledge Base for any potential solutions to problems.
1. Go to http://www.avaya.com/support.
2. Log on to the Avaya website with a valid Avaya user ID and password. The system displays the
Avaya Support page.
3. Click Support by Product > Product Specific Support.
4. In Enter Product Name, enter the product, and press Enter.
5. Select the product from the list, and select a release.
6. Click the Technical Solutions tab to see articles.
7. Select relevant articles.
The Avaya Product Security Support Team (PSST) is responsible for the following:
• Avaya products.
• Products that are incorporated into Avaya products.
• General data networking and telecommunications, as identified by government agencies.
When a security vulnerability is identified, the PSST determines the susceptibility of Avaya products and
assigns one of four risk levels: High, Medium, Low, and None. Depending on the category of risk, the
PSST creates an Avaya Security Advisory to notify customers of the vulnerability.
Depending on the vulnerability and its risk level, the advisory might include a recommended mitigation
action. A recommendation could be the use of a third-party-provided patch, a planned Avaya software
patch or upgrade, or additional guidance regarding the vulnerability.
Avaya's vulnerability classification | Target intervals between assessment and notification
Customers can sign up to receive advisories by email on the Avaya Security Support Web site by
following these steps:
1. Browse to http://support.avaya.com.
2. If you do not have an account, go to http://sso.avaya.com and click Register Now and follow the
instructions. To register, you need an Avaya SSO login and a Sold To number.
3. Once you have set up an SSO user ID and password you can enroll for the E-Notifications you wish
to receive.
4. To do that, click the My E-Notifications link, which can be accessed from the home page for the
Web site (http://support.avaya.com) or by selecting the My E-Notifications link under Online Service
Manager.
5. To enroll for the E-Notifications you wish to receive, click Add New E-Notifications.
6. If you select one of the five radio buttons on the top portion of the page, you will receive e-mail
notifications when new content is added or revised for all Avaya products under the following content
areas:
◦ Product Correction Notices
◦ Security Advisories
◦ Product Support Notices – High Priority
◦ End of Sale Notices
◦ Services Support Notices
7. To receive an e-mail notification for a particular product, select the radio button next to Choose from
the Product list and then select the product for which you are interested in receiving notifications. You
will then be asked to select the release and content types from available release/content type
combinations for the selected product.
If you have questions about enrolling for My E-Notifications on the Avaya Customer Self Service website,
send an email message to support@avaya.com.
Related references
The Avaya Product Security Support Team (PSST) classifies vulnerabilities relative to their potential threat
to Avaya products. Avaya's Security Vulnerability Classification document
(https://support.avaya.com/css/P8/documents/100066674)
The following table summarizes the three main categories.
High:
• Attacks from a remote unauthenticated user who can easily access high-level administrative control of
a system or critical application without interaction with a user of the product beyond standard operating
procedures.
• Attacks from a remote unauthenticated user who can easily cause the system or a critical application to
shutdown, reboot, or become unusable without requiring interaction with a product user.
Medium:
The product does not meet criteria for high vulnerability, but is vulnerable to:
• Attack from a user who can access a user account, and access does not directly require the privileges
of a high-level administrative account.
Low:
The product does not meet criteria for medium or high vulnerability, but is vulnerable to:
Advisory organization
Overview
The overview describes the vulnerability. For operating system or third-party software, the overview
provides a link for quick access to a Web site for more information. The linked information provides:
For Avaya software-only products, the advisory provides a listing of the specific Avaya products that use,
but are not bundled with, operating system software that might be vulnerable. Information includes:
For Avaya system or turnkey products, the advisory provides a listing of the specific Avaya products that
are vulnerable or are bundled with operating system software that might be vulnerable. Information
includes:
The advisory provides steps to remove the vulnerability. The steps might include installing a security
update, administering a security feature, or performing a software upgrade. For operating system and
third-party software, the recommended action is normally identified through the Web site links in the
security advisory.
Medium: If Avaya needs to develop a software update, Avaya includes the update in the next major release
that can reasonably incorporate the update. If no new major releases are scheduled for a product, and
Avaya is providing maintenance support, Avaya incorporates the fix into a separate service pack or update
(1 year maximum delivery time). If a software patch is available for installation or another action is
recommended, the Avaya Security Advisory describes the actions.
Low: If Avaya needs to develop a software update, Avaya includes the update in the next major release that
can reasonably incorporate the update. If no new major releases are scheduled for a product, and Avaya is
providing maintenance support, Avaya incorporates the fix into a separate service pack or update (1 year
maximum delivery time). If a software patch is available for installation or another action is recommended,
the Avaya Security Advisory describes the actions.
Avaya product development staff incorporates a third-party update into the software in one of three ways:
• Avaya bundles the specific update or the new release of the affected software with the Avaya Session
Manager software such that the security-related updates are automatically incorporated into the Avaya
product operation.
• Avaya modifies the Session Manager software so that the specific update or the new release of the
affected software is appropriately incorporated into the Session Manager operation.
• Avaya modifies the specific update or the new release of the affected software so that the security-
related updates are automatically incorporated into the Session Manager operation.
When Avaya incorporates one or more security fixes into its software, the fixes might be delivered in one
of three forms:
• A security update: includes operating system and/or third-party software security fixes.
• An Avaya software update: includes software security fixes to the Avaya application software.
• An Avaya full release of software: includes all software for the Avaya product, including software
security fixes to the Avaya application software and/or security fixes for the operating system and third-
party fixes.
• Denial of Service
• Encryption standards
• Certificate management
• Audits and logging
• Access control
Regulatory compliance
The following sections describe how Session Manager supports regulatory compliance for PCI, HIPAA,
and FISMA.
Note:
The PCI standard applies to global merchants and card processing service providers. It is recommended
that customers rely on appropriate legal counsel and requirements of their card issuers for interpretation
of the standard’s requirements. Suggestions in this document are not to be construed as a substitute for
legal advice or a definitive list of all possible legal considerations.
The PCI Data Security Standard (DSS) is a set of comprehensive requirements for enhancing payment
account data security. The PCI DSS was developed by the founding payment card brands of the PCI
Security Standards Council, including American Express, Discover Financial Services, JCB International,
MasterCard Worldwide and Visa International, to facilitate the broad adoption of consistent data security
measures on a global basis. This comprehensive standard helps organizations proactively protect
customer account data.
Session Manager data to which PCI might apply includes customer cardholder data such as account
numbers, CCV codes, and card holder names. To the extent that a company uses data collected or
transmitted by Session Manager as part of its overall card payment processing, the company can use
security-related features of Session Manager to secure the data and support PCI compliance. When
Session Manager is deployed in a customer network environment that touches card processing or
cardholder data, all components of Session Manager may be considered in scope for PCI assessment
purposes. The following table shows the key features of Session Manager that can protect cardholder
information and demonstrate the merchant and service provider compliance with PCI:
Note:
This law applies to U.S. customers only. Avaya recommends that customers rely on appropriate legal
counsel and outside auditors for interpretation of the act’s requirements. Suggestions in this document are
not to be construed as a substitute for legal advice or a definitive list of all possible legal considerations.
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) requires health care providers to
disclose to health care recipients the ways in which the institution may use and disclose private
information. HIPAA also requires health care providers to protect the privacy of certain individually
identifiable health data for health care recipients.
Session Manager data to which HIPAA might apply includes customer names and telephone numbers,
and called and calling number data.
Use of the following key features can protect patient privacy and demonstrate the health care provider’s
compliance with HIPAA.
Note:
This law applies to U.S. customers only. It is recommended that customers rely on appropriate legal
counsel and outside auditors for interpretation of the act’s requirements. Suggestions in this document are
not to be construed as a substitute for legal advice or a definitive list of all possible legal considerations.
The Federal Information Security Management Act of 2002 provides for development and maintenance of
minimum controls required to protect Federal information and information systems.
Telecommunications systems and commercially developed information security systems are in the
systems referenced under this act.
As a result, government agencies can usually use Avaya's security-related features to secure
telecommunications data. Session Manager security features can also help prevent unauthorized access
to the customer's network in general.
The features related to system security are documented in more detail in other sections of this document.
This document will assist customers with meeting FISMA requirements as shown in the following table:
Basel II
Basel II: International Convergence of Capital Measurement and Capital Standards. It is a Revised
Framework and a comprehensive set of banking standards compiled by the Basel Committee on
Banking Supervision. The national banking overseers in many European countries seek to implement
country-specific laws and procedures to meet the Basel II standards. To measure risk levels, Basel II
mandates tracking loss event data, which includes financial systems hacking, theft of data, and
impersonation. To this end, Avaya systems offer a number of security features, such as those described in
the previous paragraph, thus minimizing loss event data and therefore risk level measurements.
For any country in which Session Manager is sold, there might be a need to inform customers about
Session Manager support for governmental regulations. In this case, the sales engineer or account
executive should engage an Avaya legal officer, security specialist, or compliance specialist, who will
determine the specific ways in which Session Manager might help the customer comply with regulations.
Common Criteria
The Common Criteria for Information Technology Security Evaluation (CC) and the companion Common
Methodology for Information Technology Security Evaluation (CEM) are the technical basis for an
international agreement. The Common Criteria Recognition Agreement (CCRA) ensures that:
• Products’ security properties are evaluated by competent and independent licensed laboratories to
determine their assurance.
• Supporting documents that are used within the Common Criteria certification process define how the
criteria and evaluation methods are applied when certifying specific technologies.
• The certification of the security properties of an evaluated product is issued by a number of Certificate
Authorizing Schemes, based on the result of that evaluation.
• These certificates are recognized by all signatories of the CCRA.
The CC web portal (http://www.commoncriteriaportal.org/index.html) reports the status of the CCRA, the
CC, and the certification schemes, licensed laboratories, certified products and related information, news,
and events.
Denial-of-Service attacks
A Denial-of-Service attack occurs when the attacker attempts to make a particular resource too busy to
answer legitimate requests or to deny legitimate users access to the system. The net effect of DoS
attacks is to shut down a server or an application.
Session Manager is resilient to the DoS attacks listed in the following table without needing to reboot,
restart, or reload. Session Manager can automatically recover to full service after the DoS attack.
SYN flood (TCP SYN): Phony TCP SYN packets from random IP addresses at a rapid rate fill up the
connection queue and deny TCP services to legitimate users.
Smurf / Pong: Large numbers of ICMP echo (PING) messages are sent with the forged address of the
intended victim, and Layer 3 devices issue an ICMP reply or pong. The traffic multiplies based on the
number of responding hosts.
Fraggle: Like Smurf, Fraggle is a UDP flood that uses an IP broadcast address of the victim (IP spoofing)
that results in an infinite loop of echo and reply messages.
Jolt2: The Jolt2 attack raises the CPU utilization to 100%, causing instability in the system until the
Jolt2 attack stops. Most instances of this attack are from illegally fragmented packets:
These settings cause the IP checksum of the last fragment to equal zero, which is illegal. Jolt2 then
sends 9 bytes of IP data including the 20-byte IP header (total of 29 bytes) but sets the total length to
68 bytes. The offset plus the packet length (65520 + 68) exceeds the maximum size of an IP datagram
imposed by the 16-bit total packet length field in the IP header (maximum allowed packet size is 65563
bytes). This packet fails the integrity check and is discarded right away. However, some systems do not
do the integrity check and continue buffering these fragments. This can utilize 100% of the CPU and in
some cases crash the system.
Gratuitous ARPs: Most systems send out an Address Resolution Protocol (ARP) request for their IP
address to check for a duplicate IP address on the network. Some systems update the ARP cache when
they receive a gratuitous ARP packet. The attacker can use the gratuitous ARP request to change the
ARP table of the host router’s MAC address and cause all packets to flow:
Teardrop, overlap, or fragmented packets: The teardrop and associated attacks exploit the packet
reassembly code that breaks packets into smaller pieces (fragments) based on the network’s maximum
transmission unit (MTU). When reassembled, packets are often misaligned: the next fragment does not
begin where the last fragment ended but inside the previous fragment’s memory allocation. This causes
memory allocation failures and the system to fail.
PING flood: Because many ping utilities support ICMP echo requests, an attacker can send a large
number of PING requests to overload network links.
Finger of death: The attacker sends finger requests to a specific computer every minute but never
disconnects. Failure to end the connection can quickly overload the server’s process tables. The finger
listen port number is 79 (see RFC 742).
Chargen packet storm: The attacker can spoof the chargen service port (19) from one service on one
computer to another service on another computer. This type of attack can cause an infinite loop, loss of
performance, or the total shutdown of the affected network segments.
SPANK: The target responds to TCP packets sent from a multicast address, causing a DoS flood on the
target’s network.
SNMP PROTOS: Utilizing the Protos SNMP tool to test SNMP code, an attacker can generate thousands
of valid SNMP packets with strange and anomalous values that cause error conditions. For more
information, see www.ee.oulu.fi.
SDP and SIP PROTOS: This attack utilizes the Protos SIP testing tool from OULU University to test SIP
code for faulty implementations. The tool generates thousands of valid SIP packets with strange and
anomalous values that cause error conditions in the implementation of the protocol. For more
information, see www.ee.oulu.fi/research/ouspg/protos/testing/c07/sip/index.html.
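The Jolt2 and teardrop entries above turn on whether a receiver checks fragments before buffering them. The following is an added illustration of such an integrity check, not Avaya or Session Manager code; it assumes a plain 20-byte IPv4 header, the RFC 791 limit of 65535 bytes, and constructed sample fragments (addresses 10.0.0.1 and 10.0.0.2 are made up).

```python
"""Fragment integrity checks of the kind the Jolt2 and teardrop rows describe (added example, not Avaya code)."""
import struct

IP_MAX_LEN = 65535  # limit imposed by the 16-bit Total Length field (RFC 791)
HDR_FMT = "!BBHHHBBHII"  # 20-byte IPv4 header without options

def ipv4_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement sum; returns 0 when a filled-in header is intact."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_header(total_len: int, offset: int, more: bool) -> bytes:
    """Constructed sample header (10.0.0.1 -> 10.0.0.2, UDP, id 0x1234) with a valid checksum."""
    flags_off = (0x2000 if more else 0) | (offset // 8)  # MF flag, offset in 8-byte units
    fields = [0x45, 0, total_len, 0x1234, flags_off, 64, 17, 0, 0x0A000001, 0x0A000002]
    fields[7] = ipv4_checksum(struct.pack(HDR_FMT, *fields))
    return struct.pack(HDR_FMT, *fields)

def validate_fragment(raw: bytes) -> str:
    """Return 'ok' or the reason a receiver should drop the fragment without buffering it."""
    if len(raw) < 20:
        return "short header"
    ver_ihl, _, total_len, _, flags_off, _, _, _, _, _ = struct.unpack(HDR_FMT, raw[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or ihl > len(raw):
        return "bad version or header length"
    if total_len != len(raw):  # Jolt2: header claims 68 bytes but only 29 arrive
        return "total length %d does not match %d bytes on the wire" % (total_len, len(raw))
    offset = (flags_off & 0x1FFF) * 8
    if offset + total_len > IP_MAX_LEN:  # Jolt2: 65520 + 68 cannot fit in one datagram
        return "fragment ends at %d, beyond %d" % (offset + total_len, IP_MAX_LEN)
    if ipv4_checksum(raw[:ihl]) != 0:
        return "bad header checksum"
    return "ok"

def overlapping(fragments) -> bool:
    """Teardrop check: does any (offset, length) fragment start inside the previous one?"""
    end = 0
    for offset, length in sorted(fragments):
        if offset < end:
            return True
        end = offset + length
    return False

GOOD = build_header(28, 0, True) + b"\x00" * 8        # constructed first fragment, 8-byte payload
JOLT2 = build_header(68, 65520, False) + b"\x00" * 9  # constructed: 29 bytes sent, 68 claimed
```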