
Avaya Aura Session Manager Security Design

January 7, 2020

Notices
© 2020 copy rights

You may, at your own risk, assemble a MyDocs collection solely for your own internal business purposes,
which constitutes a modification to the original published version of the publications. Avaya shall not be
responsible for any modifications, additions, or deletions to the original published version of publications. You
agree to defend, indemnify and hold harmless Avaya, Avaya's agents, servants and employees against all
claims, lawsuits, demands and judgments arising out of, or in connection with, your modifications, additions or
deletions to the publications.

A single topic or a collection of topics may come from multiple Avaya publications. All of the content in your
collection is subject to the legal notices and disclaimers in the publications from which you assembled the
collection. For information on licenses and license types, trademarks, and regulatory statements, see the
original publications from which you copied the topics in your collection.

Except where expressly stated by Avaya otherwise, no use should be made of materials provided by Avaya on
this site. All content on this site and the publications provided by Avaya including the selection, arrangement
and design of the content is owned by Avaya and/or its licensors and is protected by copyright and other
intellectual property laws including the sui generis rights relating to the protection of databases. Avaya owns all
right, title and interest to any modifications, additions or deletions to the content in the Avaya publications.


Contents
Legal
Introduction
Purpose
Disclaimer
Information classifications and non-disclosure agreement requirements
Product Description
Platform security
Network Layer Security
SIP Security
Session Manager Port Matrix
Platform accounts
Directory Security
System Integrity and Monitoring
Application account and session management
Audit Trails and Security Logs
Auditable events
Use of Cryptography
Trust, Certificate, and Key Management /PKI
Removal of Default Certificates in Session Manager
Viewing Session Manager Identity Certificates
Updating Session Manager Trusted Certificates
Issuing a unique identity or server certificate to Session Manager
Defining server trust relationships with Digital Certificates
Certificate Revocation Lists
CRL revocation checking options
NIST Compliance
Transport Layer Security
Viewing the TLS version
IP/Transport layer validation
TLS Layer validation
Ability to disable TLS versions
Credential Name configuration
Avaya Services access
Avaya Services Accounts and Authentication
Resources
Documentation
Finding documents on the Avaya Support website
Training
Viewing Avaya Mentor videos
Support
Using the Avaya InSite Knowledge Base
Avaya Security Advisories
How do I get Avaya Security Advisories?
Avaya Security Vulnerability Classification
Advisory organization
Software and firmware updates
Avaya Security update delivery
Validating a security update
Regulatory compliance
Considerations for customers who must comply with the Payment Card Industry DSS
Considerations for customers who must comply with HIPAA
Considerations for customers who must comply with FISMA
Considerations for non-US customers who must comply with regulations
Denial-of-Service attacks

Legal

© 1234

Notice
While reasonable efforts have been made to ensure that the information in this document is complete and
accurate at the time of printing, Avaya assumes no liability for any errors. Avaya reserves the right to
make changes and corrections to the information in this document without the obligation to notify any
person or organization of such changes.

Documentation disclaimer
“Documentation” means information published in varying mediums which may include product
information, operating instructions and performance specifications that are generally made available to
users of products. Documentation does not include marketing materials. Avaya shall not be responsible
for any modifications, additions, or deletions to the original published version of Documentation unless
such modifications, additions, or deletions were performed by or on the express behalf of Avaya. End
User agrees to indemnify and hold harmless Avaya, Avaya's agents, servants and employees against all
claims, lawsuits, demands and judgments arising out of, or in connection with, subsequent modifications,
additions or deletions to this documentation, to the extent made by End User.

Link disclaimer
Avaya is not responsible for the contents or reliability of any linked websites referenced within this site or
Documentation provided by Avaya. Avaya is not responsible for the accuracy of any information,
statement or content provided on these sites and does not necessarily endorse the products, services, or
information described or offered within them. Avaya does not guarantee that these links will work all the
time and has no control over the availability of the linked pages.

Warranty
Avaya provides a limited warranty on Avaya hardware and software. Refer to your sales agreement to
establish the terms of the limited warranty. In addition, Avaya’s standard warranty language, as well as
information regarding support for this product while under warranty is available to Avaya customers and
other parties through the Avaya Support website: https://support.avaya.com/helpcenter/getGenericDetails?detailId=C20091120112456651010
under the link “Warranty & Product Lifecycle” or
such successor site as designated by Avaya. Please note that if You acquired the product(s) from an
authorized Avaya Channel Partner outside of the United States and Canada, the warranty is provided to
You by said Avaya Channel Partner and not by Avaya.

“Hosted Service” means an Avaya hosted service subscription that You acquire from either Avaya or an
authorized Avaya Channel Partner (as applicable) and which is described further in Hosted SAS or other
service description documentation regarding the applicable hosted service. If You purchase a Hosted
Service subscription, the foregoing limited warranty may not apply but You may be entitled to support
services in connection with the Hosted Service as described further in your service description documents
for the applicable Hosted Service. Contact Avaya or Avaya Channel Partner (as applicable) for more
information.


Hosted Service
THE FOLLOWING APPLIES ONLY IF YOU PURCHASE AN AVAYA HOSTED SERVICE
SUBSCRIPTION FROM AVAYA OR AN AVAYA CHANNEL PARTNER (AS APPLICABLE), THE TERMS
OF USE FOR HOSTED SERVICES ARE AVAILABLE ON THE AVAYA WEBSITE,
HTTPS://SUPPORT.AVAYA.COM/LICENSEINFO UNDER THE LINK “Avaya Terms of Use for Hosted Services” OR
SUCH SUCCESSOR SITE AS DESIGNATED BY AVAYA, AND ARE APPLICABLE TO ANYONE WHO
ACCESSES OR USES THE HOSTED SERVICE. BY ACCESSING OR USING THE HOSTED SERVICE,
OR AUTHORIZING OTHERS TO DO SO, YOU, ON BEHALF OF YOURSELF AND THE ENTITY FOR
WHOM YOU ARE DOING SO (HEREINAFTER REFERRED TO INTERCHANGEABLY AS “YOU” AND
“END USER”), AGREE TO THE TERMS OF USE. IF YOU ARE ACCEPTING THE TERMS OF USE ON
BEHALF OF A COMPANY OR OTHER LEGAL ENTITY, YOU REPRESENT THAT YOU HAVE THE
AUTHORITY TO BIND SUCH ENTITY TO THESE TERMS OF USE. IF YOU DO NOT HAVE SUCH
AUTHORITY, OR IF YOU DO NOT WISH TO ACCEPT THESE TERMS OF USE, YOU MUST NOT
ACCESS OR USE THE HOSTED SERVICE OR AUTHORIZE ANYONE TO ACCESS OR USE THE
HOSTED SERVICE.

Licenses
THE SOFTWARE LICENSE TERMS AVAILABLE ON THE AVAYA WEBSITE,
HTTPS://SUPPORT.AVAYA.COM/LICENSEINFO, UNDER THE LINK “AVAYA SOFTWARE LICENSE TERMS
(Avaya Products)” OR SUCH SUCCESSOR SITE AS DESIGNATED BY AVAYA, ARE APPLICABLE TO
ANYONE WHO DOWNLOADS, USES AND/OR INSTALLS AVAYA SOFTWARE, PURCHASED FROM
AVAYA INC., ANY AVAYA AFFILIATE, OR AN AVAYA CHANNEL PARTNER (AS APPLICABLE) UNDER
A COMMERCIAL AGREEMENT WITH AVAYA OR AN AVAYA CHANNEL PARTNER. UNLESS
OTHERWISE AGREED TO BY AVAYA IN WRITING, AVAYA DOES NOT EXTEND THIS LICENSE IF
THE SOFTWARE WAS OBTAINED FROM ANYONE OTHER THAN AVAYA, AN AVAYA AFFILIATE OR
AN AVAYA CHANNEL PARTNER; AVAYA RESERVES THE RIGHT TO TAKE LEGAL ACTION AGAINST
YOU AND ANYONE ELSE USING OR SELLING THE SOFTWARE WITHOUT A LICENSE. BY
INSTALLING, DOWNLOADING OR USING THE SOFTWARE, OR AUTHORIZING OTHERS TO DO SO,
YOU, ON BEHALF OF YOURSELF AND THE ENTITY FOR WHOM YOU ARE INSTALLING,
DOWNLOADING OR USING THE SOFTWARE (HEREINAFTER REFERRED TO INTERCHANGEABLY
AS “YOU” AND “END USER”), AGREE TO THESE TERMS AND CONDITIONS AND CREATE A
BINDING CONTRACT BETWEEN YOU AND AVAYA INC. OR THE APPLICABLE AVAYA AFFILIATE
(“AVAYA”).
Avaya grants You a license within the scope of the license types described below, with the exception of
Heritage Nortel Software, for which the scope of the license is detailed below. Where the order
documentation does not expressly identify a license type, the applicable license will be a Designated
System License. The applicable number of licenses and units of capacity for which the license is granted
will be one (1), unless a different number of licenses or units of capacity is specified in the documentation
or other materials available to You. “Software” means computer programs in object code, provided by
Avaya or an Avaya Channel Partner, whether as stand-alone products, pre-installed on hardware
products, and any upgrades, updates, patches, bug fixes, or modified versions thereto. “Designated
Processor” means a single stand-alone computing device. “Server” means a Designated Processor that
hosts a software application to be accessed by multiple users. “Instance” means a single copy of the
Software executing at a particular time: (i) on one physical machine; or (ii) on one deployed software
virtual machine (“VM”) or similar deployment.


License types
Designated System(s) License (DS). End User may install and use each copy or an Instance of the
Software only on a number of Designated Processors up to the number indicated in the order. Avaya may
require the Designated Processor(s) to be identified in the order by type, serial number, feature key,
Instance, location or other specific designation, or to be provided by End User to Avaya through electronic
means established by Avaya specifically for this purpose.
Named User License (NU). You may: (i) install and use each copy or Instance of the Software on a single
Designated Processor or Server per authorized Named User (defined below); or (ii) install and use each
copy or Instance of the Software on a Server so long as only authorized Named Users access and use
the Software. “Named User”, means a user or device that has been expressly authorized by Avaya to
access and use the Software. At Avaya’s sole discretion, a “Named User” may be, without limitation,
designated by name, corporate function (e.g., webmaster or helpdesk), an e-mail or voice mail account in
the name of a person or corporate function, or a directory entry in the administrative database utilized by
the Software that permits one user to interface with the Software.
Shrinkwrap License (SR). You may install and use the Software in accordance with the terms and
conditions of the applicable license agreements, such as “shrinkwrap” or “clickthrough” license
accompanying or applicable to the Software (“Shrinkwrap License”).

Heritage Nortel Software


“Heritage Nortel Software” means the software that was acquired by Avaya as part of its purchase of the
Nortel Enterprise Solutions Business in December 2009. The Heritage Nortel Software is the software
contained within the list of Heritage Nortel Products located at https://support.avaya.com/LicenseInfo
under the link “Heritage Nortel Products” or such successor site as designated by Avaya. For Heritage
Nortel Software, Avaya grants Customer a license to use Heritage Nortel Software provided hereunder
solely to the extent of the authorized activation or authorized usage level, solely for the purpose specified
in the Documentation, and solely as embedded in, for execution on, or for communication with Avaya
equipment. Charges for Heritage Nortel Software may be based on extent of activation or use authorized
as specified in an order or invoice.

Copyright
Except where expressly stated otherwise, no use should be made of materials on this site, the
Documentation, Software, Hosted Service, or hardware provided by Avaya. All content on this site, the
documentation, Hosted Service, and the product provided by Avaya including the selection, arrangement
and design of the content is owned either by Avaya or its licensors and is protected by copyright and other
intellectual property laws including the sui generis rights relating to the protection of databases. You may
not modify, copy, reproduce, republish, upload, post, transmit or distribute in any way any content, in
whole or in part, including any code and software unless expressly authorized by Avaya. Unauthorized
reproduction, transmission, dissemination, storage, and or use without the express written consent of
Avaya can be a criminal, as well as a civil offense under the applicable law.

Virtualization
The following applies if the product is deployed on a virtual machine. Each product has its own ordering
code and license types. Note that each Instance of a product must be separately licensed and ordered.
For example, if the end user customer or Avaya Channel Partner would like to install two Instances of the
same type of products, then two products of that type must be ordered.

Third Party Components


“Third Party Components” mean certain software programs or portions thereof included in the Software or
Hosted Service may contain software (including open source software) distributed under third party
agreements (“Third Party Components”), which contain terms regarding the rights to use certain portions
of the Software (“Third Party Terms”). As required, information regarding distributed Linux OS source
code (for those products that have distributed Linux OS source code) and identifying the copyright holders
of the Third Party Components and the Third Party Terms that apply is available in the products,
Documentation or on Avaya’s website at: https://support.avaya.com/Copyright or such successor site as
designated by Avaya. The open source software license terms provided as Third Party Terms are
consistent with the license rights granted in these Software License Terms, and may contain additional
rights benefiting You, such as modification and distribution of the open source software. The Third Party
Terms shall take precedence over these Software License Terms, solely with respect to the applicable
Third Party Components to the extent that these Software License Terms impose greater restrictions on
You than the applicable Third Party Terms.

The following applies only if the H.264 (AVC) codec is distributed with the product. THIS PRODUCT IS
LICENSED UNDER THE AVC PATENT PORTFOLIO LICENSE FOR THE PERSONAL USE OF A
CONSUMER OR OTHER USES IN WHICH IT DOES NOT RECEIVE REMUNERATION TO (i) ENCODE
VIDEO IN COMPLIANCE WITH THE AVC STANDARD (“AVC VIDEO”) AND/OR (ii) DECODE AVC
VIDEO THAT WAS ENCODED BY A CONSUMER ENGAGED IN A PERSONAL ACTIVITY AND/OR
WAS OBTAINED FROM A VIDEO PROVIDER LICENSED TO PROVIDE AVC VIDEO. NO LICENSE IS
GRANTED OR SHALL BE IMPLIED FOR ANY OTHER USE. ADDITIONAL INFORMATION MAY BE
OBTAINED FROM MPEG LA, L.L.C. SEE HTTP://WWW.MPEGLA.COM.

Service Provider
THE FOLLOWING APPLIES TO AVAYA CHANNEL PARTNER’S HOSTING OF AVAYA PRODUCTS OR
SERVICES. THE PRODUCT OR HOSTED SERVICE MAY USE THIRD PARTY COMPONENTS
SUBJECT TO THIRD PARTY TERMS AND REQUIRE A SERVICE PROVIDER TO BE
INDEPENDENTLY LICENSED DIRECTLY FROM THE THIRD PARTY SUPPLIER. AN AVAYA CHANNEL
PARTNER’S HOSTING OF AVAYA PRODUCTS MUST BE AUTHORIZED IN WRITING BY AVAYA AND
IF THOSE HOSTED PRODUCTS USE OR EMBED CERTAIN THIRD PARTY SOFTWARE, INCLUDING
BUT NOT LIMITED TO MICROSOFT SOFTWARE OR CODECS, THE AVAYA CHANNEL PARTNER IS
REQUIRED TO INDEPENDENTLY OBTAIN ANY APPLICABLE LICENSE AGREEMENTS, AT THE
AVAYA CHANNEL PARTNER’S EXPENSE, DIRECTLY FROM THE APPLICABLE THIRD PARTY
SUPPLIER.
WITH RESPECT TO CODECS, IF THE AVAYA CHANNEL PARTNER IS HOSTING ANY PRODUCTS
THAT USE OR EMBED THE G.729 CODEC, H.264 CODEC, OR H.265 CODEC, THE AVAYA CHANNEL
PARTNER ACKNOWLEDGES AND AGREES THE AVAYA CHANNEL PARTNER IS RESPONSIBLE
FOR ANY AND ALL RELATED FEES AND/OR ROYALTIES. THE G.729 CODEC IS LICENSED BY
SIPRO LAB TELECOM INC. SEE WWW.SIPRO.COM/CONTACT.HTML. THE H.264 (AVC) CODEC IS
LICENSED UNDER THE AVC PATENT PORTFOLIO LICENSE FOR THE PERSONAL USE OF A
CONSUMER OR OTHER USES IN WHICH IT DOES NOT RECEIVE REMUNERATION TO: (I) ENCODE
VIDEO IN COMPLIANCE WITH THE AVC STANDARD (“AVC VIDEO”) AND/OR (II) DECODE AVC
VIDEO THAT WAS ENCODED BY A CONSUMER ENGAGED IN A PERSONAL ACTIVITY AND/OR
WAS OBTAINED FROM A VIDEO PROVIDER LICENSED TO PROVIDE AVC VIDEO. NO LICENSE IS
GRANTED OR SHALL BE IMPLIED FOR ANY OTHER USE. ADDITIONAL INFORMATION FOR H.264
(AVC) AND H.265 (HEVC) CODECS MAY BE OBTAINED FROM MPEG LA, L.L.C. SEE HTTP://WWW.MPEGLA.COM.

Compliance with Laws


You acknowledge and agree that it is Your responsibility for complying with any applicable laws and
regulations, including, but not limited to laws and regulations related to call recording, data privacy,
intellectual property, trade secret, fraud, and music performance rights, in the country or territory where
the Avaya product is used.

Preventing Toll Fraud


“Toll Fraud” is the unauthorized use of your telecommunications system by an unauthorized party (for
example, a person who is not a corporate employee, agent, subcontractor, or is not working on your
company's behalf). Be aware that there can be a risk of Toll Fraud associated with your system and that, if
Toll Fraud occurs, it can result in substantial additional charges for your telecommunications services.

Avaya Toll Fraud intervention


If You suspect that You are being victimized by Toll Fraud and You need technical assistance or support,
call Technical Service Center Toll Fraud Intervention Hotline at +1-800-643-2353 for the United States and
Canada. For additional support telephone numbers, see the Avaya Support website:
https://support.avaya.com or such successor site as designated by Avaya.

Security Vulnerabilities
Information about Avaya’s security support policies can be found in the Security Policies and Support
section of https://support.avaya.com/security.
Suspected Avaya product security vulnerabilities are handled per the Avaya Product Security Support
Flow (https://support.avaya.com/css/P8/documents/100161515).

Downloading Documentation
For the most current versions of Documentation, see the Avaya Support website:
https://support.avaya.com, or such successor site as designated by Avaya.

Contact Avaya Support


See the Avaya Support website: https://support.avaya.com for product or Hosted Service notices and
articles, or to report a problem with your Avaya product or Hosted Service. For a list of support telephone
numbers and contact addresses, go to the Avaya Support website: https://support.avaya.com (or such
successor site as designated by Avaya), scroll to the bottom of the page, and select Contact Avaya
Support.


Trademarks
The trademarks, logos and service marks (“Marks”) displayed in this site, the Documentation, Hosted
Service(s), and product(s) provided by Avaya are the registered or unregistered Marks of Avaya, its
affiliates, its licensors, its suppliers, or other third parties. Users are not permitted to use such Marks
without prior written consent from Avaya or such third party which may own the Mark. Nothing contained
in this site, the Documentation, Hosted Service(s) and product(s) should be construed as granting, by
implication, estoppel, or otherwise, any license or right in and to the Marks without the express written
permission of Avaya or the applicable third party.
Avaya is a registered trademark of Avaya Inc.
All non-Avaya trademarks are the property of their respective owners. Linux® is the registered trademark
of Linus Torvalds in the U.S. and other countries.


Introduction

Purpose
This document provides an overview of the security considerations, features, and solutions for Avaya
Aura® Session Manager.
This Security Guide addresses security issues from two perspectives:

1. The security services offered by the platform to implement a solution.


2. The security of the platform itself with hardened settings.

This document:

• does not provide an in-depth analysis of security-related topics.


• is not the primary configuration guide for the various product security services.

For more security-related information, see Administering Avaya Aura® Session Manager or the
context-sensitive help in the OAM interface.
This document provides Avaya partners, customers, Sales Personnel, and System Engineers with the
information required to answer questions regarding data network and system security.

Disclaimer

Avaya uses reasonable commercial efforts to ensure the information provided here is accurate as of this
date. Avaya may change any underlying processes, architecture, product, description or any other
information described or contained in this document. Avaya disclaims any intention or obligation to update
or revise the document, whether as a result of new information, future events, or otherwise. The
document is provided “as is”, and Avaya does not provide any warranty of any kind, express or implied.

Information classifications and non-disclosure agreement requirements

This document provides security-related information in the following categories:

Classification: Description

Avaya Restricted: This classification is for sensitive business information, intended strictly for use
within Avaya. Unauthorized disclosure can have a severe adverse impact to Avaya or its customers,
Business Partners, and/or suppliers.

Avaya Confidential: This classification applies to less sensitive business information intended for use
within Avaya. Unauthorized disclosure can have significant adverse impact to Avaya or its customers,
Business Partners, and/or suppliers. Information that can be considered private is in this classification.

Avaya Proprietary: This classification applies to all other information that does not clearly fit into the
two classifications above and is considered sensitive only outside of Avaya. While disclosure might not
have serious adverse impact on Avaya or its customers, Business Partners, and/or suppliers, the
information belongs to Avaya and unauthorized disclosure is against policy.

Public: This classification applies to information explicitly approved by Avaya management as
non-sensitive information available for external release.

The information contained in this document is public and includes references to other information sources.
Some of these sources disclose both confidential and proprietary information and require a non-disclosure
agreement (NDA) with Avaya.

Product Description

As the SIP routing element for all SIP communications, Session Manager must be resilient to attacks that
can cause service disruption, malfunction, or theft of service. Avaya products inherit a number of
mechanisms from legacy communications systems to protect against toll fraud or the unauthorized use of
communications resources. Unified Communications capabilities that merge telephony services with the
data services on the enterprise data network must provide adequate protection, not only against the
threats inherited from legacy communications systems, but also against threats from data networking.
Telephony services are protected from security threats such as:

• Denial of Service (DoS) attacks


• Malware such as viruses, worms, and other malicious code
• Theft of data
• Theft of service

Figure 1. Network connections of Session Manager


In Session Manager, there are three new network conditions based on whether:

• Data Storage Clustering is enabled.
• AADS is paired with Session Manager.

The three ports and details are:

• Port 7001 for Cassandra clustering. This port is the communication channel between Cassandra nodes.
• Port 8085 for AADS as the JMX port to Cassandra.
• Port 9042 for AADS as the port to which Cassandra DB queries are sent.

The default value for all three ports is Disabled.


Platform security

Avaya uses the open-source Red Hat Enterprise Linux operating system as a secure foundation for
communications. This hardened operating system provides only those functions that are necessary for
securing critical call processing applications. The operating system also protects the customers from toll
fraud and other malicious attacks.
The Linux operating system limits the number of access ports, services, and applications, and protects
the system from typical modes of attack.
Figure 1. Secure by Default

Avaya has modified or hardened the Linux operating system in several ways to minimize vulnerabilities
and to improve security.

Unused RPMs removed


The Linux general distribution includes Red Hat Package Management (RPM) modules that install,
uninstall, verify, query, and update software packages. Because the Avaya IP telephony application does
not need all RPMs, Avaya removed unused RPMs from the general RPM distribution. In addition to
making the software file images smaller and more manageable, the operating system is more secure
because attackers cannot compromise RPMs that are not present.
To determine the RPM files that Avaya uses, use the rpm -qa command in the command line interface
(CLI) of the Session Manager server.


Unnecessary IP ports closed


Many Linux modules, such as SSH, Apache, or TLS (HTTPS), are applications that open ingress
network services. To minimize exposure of the operating system to network-based attacks, Avaya limits
ingress network services to those applications that are necessary for the telephony applications. By
default, Avaya disables the less secure network services such as TELNET and File Transfer Protocol
(FTP).

CTRL-ALT-DELETE key sequence


You cannot restart the platform using the CTRL-ALT-DELETE key sequence. The CTRL-ALT-DELETE key
sequence is disabled in the base platform installation.

Network Layer Security

VLAN segregation
Session Manager supports Virtual LAN (VLAN) segregation of SIP and Management networks. Session
Manager has a separate management access interface for all management communication between
Session Manager and Avaya Aura® System Manager.
Avaya recommends the following:

1. Place the Session Manager SIP interface and Session Manager Management interface in different
VLAN segments.
2. Place the Session Manager Management interface in a management VLAN that is not accessible
from the SIP Network.
3. System Manager must be accessible through the management VLAN to manage Session Manager.

From a security perspective, perform VLAN segregation.

Session Manager Firewall protection


Session Manager uses Network/Transport and SIP firewalls to protect Session Manager from Network
and SIP DoS attacks.

Network/Transport firewall
Session Manager uses the IPTables network firewall to protect Session Manager against various network-
based Denial of Service (DoS) attacks and to open all the TCP or UDP ports that Session Manager uses.
All TCP or UDP ports that are not used by services running inside Session Manager are closed by default.
Session Manager has the IPTables Network Firewall running in the Session Manager Management Server
for filtering Management traffic.
Figure 1. Session Manager Network Firewall/DoS Protection

The Network Firewall default rules are configured automatically during installation. As defined in the
Session Manager ports and protocols document, the default rules ensure that all ports used by the
Session Manager Management Interface are opened and all unused TCP or UDP ports are closed. SIP
Listen ports are opened or closed dynamically as per the customer Network Routing Policy (NRP) defined
in the SIP Entity configuration in System Manager. HTTP port 80 is dynamically opened or closed based
on the Session Manager Administration Global Settings. The Network Firewall also provides Network
Layer DoS Protection. The following is a list of the default protections provided by the Network Firewall:

• TCP SYN Flood
• IP Options
• ICMP timestamps
• ICMP redirects
• Source Routed Packets
• Reverse Path Forwarding
• Invalid IP Packets
• Bad TCP Packets

For information on the ports and protocol that Session Manager uses, see Software and firmware
updates.

SIP Security

SIP firewall
Session Manager uses a SIP Application layer firewall to provide protection against SIP DoS attacks.
Additionally, all encrypted SIP TLS traffic is decrypted before applying the SIP firewall policy.

Default SIP firewall rules


The SIP firewall configuration provides a set of rules. Use the default rules in Session Manager after initial
installation.
In Session Manager, the default Action Type for each firewall rule is None, and the Log Type is Yes.
Alarming is turned off.
For earlier releases of Session Manager, Avaya recommends changing the Action Type of all the default
rules from Rate Limit to None. For an explanation and the procedure, see PSN004136u, How to
Modify Avaya Aura® Session Manager default firewall rules to no longer “Rate Limit” connections.

Rules (Enabled)
The following are the rules enabled in the default rule set:

1. Log high new calls rate: This rule logs High new-calls rate messages when the calls rate exceeds the
threshold and SIP messages are being dropped.
2. Log high traffic from UA Connection: SIP Firewall rule to log High traffic level from same UA
Connection messages when the call rate exceeds the threshold and the associated SIP messages are
being dropped.
3. Log high rate of INVITE Flood from UA Connection: This rule logs INVITE flood from same UA
Connection messages when the INVITE count threshold is exceeded with no dropping of incoming
messages.
4. Log slow INVITE Flood from UA Connection: This rule logs slow INVITE flood from same UA
Connection messages when the INVITE message count threshold is exceeded and incoming INVITE
messages are being dropped.
5. Log REGISTER Flood from UA Connection: This rule logs REGISTER flood from same UA
Connection messages when the REGISTER message count threshold is exceeded and incoming
REGISTER messages are being dropped.
6. Log OPTION Flood from UA Connection: This rule logs OPTION flood from same UA
Connection messages when the OPTION message count threshold is exceeded and incoming
OPTION messages are being dropped.
7. Log high traffic from SIP Entity: SIP Firewall rule to log High traffic level from same remote ip
messages when the calls rate exceeds the threshold and the associated SIP messages are being
dropped.
8. Log on INVITE flood from SIP Entity: Rule to log INVITE flood from same remote ip messages when
the INVITE message count threshold is exceeded. The default action is that no alarm is generated and
no incoming messages are dropped.
9. Log on high traffic from a user within SIP Entity Connection: This rule logs High traffic level from
same user messages when the threshold is exceeded. The default action is that no alarm is generated
and no incoming messages are dropped.
10. Log on INVITE flood from a user within SIP Entity Connection: This rule logs High traffic level
(INVITE) from same user messages when the threshold is exceeded. The default action is that no
alarm is generated and no incoming messages are dropped.

11. Log on REGISTER flood from a user within SIP Entity Connection: This rule logs High traffic level
(REGISTER) from same user messages when the threshold is exceeded. The default action is that no
alarm is generated and no incoming messages are dropped.
12. Log on OPTION flood from a user within SIP Entity Connection for TCP: This rule logs High traffic
level (OPTIONS) from same user messages when the threshold is exceeded. The default action is that
no alarm is generated and no incoming messages are dropped.
13. Log on OPTION flood from a user within SIP Entity Connection for TLS: This rule logs High traffic
level (OPTIONS) from same user messages when the threshold is exceeded. The default action is that
no alarm is generated and no incoming messages are dropped.
14. Log OPTION flood from a user within untrusted SIP Entity Connection for TCP: Rule to log High
traffic level (OPTIONS) from same user messages when the threshold is exceeded and incoming
INVITE messages are being dropped.
15. Log OPTION flood from a user within untrusted SIP Entity Connection for TLS: Rule to log High
traffic level (OPTIONS) from same user messages when the threshold is exceeded and incoming
INVITE messages are being dropped.

Blacklist (Disabled)
No Blacklist rules are present in the default rule set.

Whitelist (Disabled)
No Whitelist rules are present in the default rule set.

HTTP or HTTPS Denial-of-Service Protection


Avaya telephony devices use HTTP or HTTPS connections to connect to the Personal Profile Manager
(PPM) server in Session Manager.
Session Manager provides the following default security measures for the HTTP or HTTPS connections:

• Connection Limits: Connection Limits provide DoS protection from an attacker attempting to open a
large number of HTTP or HTTPS connections with Session Manager and consuming all resources. By
default, a remote entity is limited to a maximum of 3 HTTP or HTTPS connections to Session Manager.
In addition, Session Manager limits the maximum number of total HTTP or HTTPS connections to 4096
to maintain resources for SIP connections.
• PPM connection timeout: The timeout provides resource optimization in Session Manager by closing
connections that are no longer in use or when there is no activity on a connection.
• Packet Rate limiting: Packet Rate limiting provides DoS protection from a hacker sending a flood of
packets over HTTP or HTTPS connections with Session Manager. By default, a remote entity is limited
to a maximum of 200 packets per second on an HTTP or HTTPS connection to Session Manager. The
range is 1-500.
Note:

If all PPM (HTTP or HTTPS) traffic is redirected to an HTTP proxy and the Session Manager is
receiving all HTTP or HTTPS requests from an HTTP proxy, adjust or disable connection limit and
Packet Rate limit thresholds accordingly.
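
The following added example models the connection and packet rate limits described above and shows why the proxy note matters. It is not Avaya code: the PpmLimiter class, the fixed one-second counting window per connection and the sample addresses are assumptions; only the defaults 3, 4096 and 200 and the range 1-500 come from this page.

```python
from collections import defaultdict

# Defaults stated on this page.
PER_REMOTE_CONNECTIONS = 3
TOTAL_CONNECTIONS = 4096
PACKETS_PER_SECOND = 200          # configurable range 1-500


class PpmLimiter:
    """Toy model of the PPM HTTP/HTTPS limits (not Avaya's implementation).

    Assumptions: packets are counted per connection in fixed one-second
    windows, and per_remote=None or pps=None means the limit is disabled.
    """

    def __init__(self, per_remote=PER_REMOTE_CONNECTIONS,
                 total=TOTAL_CONNECTIONS, pps=PACKETS_PER_SECOND):
        if pps is not None and not 1 <= pps <= 500:
            raise ValueError("packet rate limit must be in the range 1-500")
        self.per_remote, self.total, self.pps = per_remote, total, pps
        self.by_remote = defaultdict(int)   # remote IP -> open connections
        self.conns = {}                     # connection id -> remote IP
        self.windows = {}                   # connection id -> [second, packets]
        self.next_id = 0

    def open(self, remote_ip):
        """Return a connection id, or None if a connection limit refuses it."""
        if len(self.conns) >= self.total:
            return None
        if self.per_remote is not None and self.by_remote[remote_ip] >= self.per_remote:
            return None
        self.next_id += 1
        self.conns[self.next_id] = remote_ip
        self.by_remote[remote_ip] += 1
        return self.next_id

    def close(self, conn_id):
        """Release a connection, as the PPM connection timeout would."""
        remote_ip = self.conns.pop(conn_id)
        self.by_remote[remote_ip] -= 1
        self.windows.pop(conn_id, None)

    def packet(self, conn_id, now):
        """Return True if a packet arriving at time `now` (seconds) is accepted."""
        if conn_id not in self.conns:
            return False
        if self.pps is None:
            return True
        second = int(now)
        window = self.windows.setdefault(conn_id, [second, 0])
        if window[0] != second:             # a new one-second window starts
            window[0], window[1] = second, 0
        if window[1] >= self.pps:
            return False
        window[1] += 1
        return True


def accepted_connections(limiter, source_ips):
    """Open one connection per source IP as seen by Session Manager; count successes."""
    return sum(limiter.open(ip) is not None for ip in source_ips)


def accepted_packets(limiter, conn_id, timestamps):
    """Count how many packets with the given arrival times are accepted."""
    return sum(limiter.packet(conn_id, t) for t in timestamps)


# Constructed input: five phones seen directly, then the same phones behind one HTTP proxy.
PHONES_DIRECT = ["10.0.1.%d" % n for n in range(1, 6)]
PHONES_VIA_PROXY = ["10.0.9.10"] * 5        # every request arrives from the proxy address

if __name__ == "__main__":
    print("direct:", accepted_connections(PpmLimiter(), PHONES_DIRECT))
    print("via proxy, defaults:", accepted_connections(PpmLimiter(), PHONES_VIA_PROXY))
    print("via proxy, per-remote limit disabled:",
          accepted_connections(PpmLimiter(per_remote=None), PHONES_VIA_PROXY))
    limiter = PpmLimiter()
    conn = limiter.open("10.0.1.1")
    burst = [i / 250 for i in range(250)]   # 250 packets inside one second
    print("burst accepted:", accepted_packets(limiter, conn, burst))
```

With the defaults, the fourth and fifth phones behind the proxy are refused because Session Manager sees a single remote entity, which is the situation the note above addresses.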

Session Manager Port Matrix

Avaya Aura® Session Manager Port Matrix documents contain information about the ports and protocols
that Session Manager uses. See the Port Matrix documents at https://support.avaya.com/security.

Platform accounts

The following is the list of logins created when Session Manager is installed:

• asset: A login created during the installation of the Security Module software. By default, access to the
system using this login is disabled.
• CDR_User: A restricted shell login for the Call Detail Recording (CDR) feature that collects call data
from the Session Manager server. This login is restricted to sftp access only.
• craft: An Avaya services login that accesses the system remotely for troubleshooting. The craft login
authenticates using Enhanced Access Security Gateway (EASG). For more information on EASG, see
Avaya services accounts.
• csadmin: Login used by the Solution Deployment Manager.
• customer: The customer must ensure the security of this login account. The system permits the
customer login to run tools on the Session Manager server that do not require root access.
• init: An Avaya services login that accesses the system remotely for troubleshooting. The init login
authenticates using Enhanced Access Security Gateway (EASG). For more information on EASG, see
Avaya services accounts.
• jboss: A login created for running the management jboss; it is not a login account.
• postgres: A login created by the installation of the Session Manager software PostgreSQL database
system. Access to the system using this login is disabled.
• spirit: A login created by the Secure Access Link remote alarming and remote access module for Avaya
services. Access to the system using this login is disabled.
• sroot: An Avaya services login that accesses the system remotely for troubleshooting. The sroot login
authenticates using Enhanced Access Security Gateway (EASG). For more information on EASG, see
Avaya services accounts. This login is only accessible on the server console.
• wsuser: A login created for running WebSphere; it is not a login account.

Note:

The Enhanced Access Security Gateway secures the following logins and prevents unauthorized access
to the Session Manager servers by non-Avaya services personnel:

• sroot
• init
• craft

Using the customer login account, you can run most of the maintenance and troubleshooting commands.
You do not need root access for standard maintenance and support purposes. For more information, see
the Product Support Notice PSN003925u at https://downloads.avaya.com/css/P8/documents/100169866

Directory Security
Session Manager secures the file system partitions for the directories /tmp, /home, /data, /var/log,
/var/log/audit, and /var with the noexec and nosuid mount options.

System Integrity and Monitoring

The auditd daemon logs the use of privileged commands. The auditd daemon also logs actions such as
unauthorized attempts to delete or change files, system time changes, scheduling jobs, permission
changes, and adding accounts.

For system status and performance monitoring, see the appropriate sections in Administering Avaya
Aura® Session Manager.

For information related to system events and alarms, see Troubleshooting Avaya Aura® Session
Manager.

Application account and session management

The following sections describe the specific application security measures that Session Manager
provides.

Role Based Access Control


The administrator manages Role Based Access Control (RBAC) using the System Manager Web console.
The following built-in roles provide read or write access to the Session Manager and Routing pages:

• Network Administrator
• System Administrator
• Avaya Services Administrator

The administrator can define custom roles using the Session Manager and Routing web pages. With the
Session Manager RBAC feature, a system administrator can add different administrative privileges to a
set of users to access and modify Session Manager and Routing web pages.

Application Password/PIN Policy


For information about password and security policies for all administrators, see Administering Avaya
Aura® Session Manager.

Application Session Limits


Active sessions

• The number of simultaneous sessions for each Session Manager is 90,000.
• The number of session creations per second per Session Manager is 100.
• The number of session creations per second per Survivable Remote Branch Session Manager is 10.
• The number of System Manager simultaneous active sessions is 50.

Application Inactivity Timeouts

• By default, the system suspends a user session after 30 minutes of inactivity. When the session
becomes inactive, the user must log in to the System Manager again.
• Session Manager times out after a user has been inactive for 10 minutes.

Audit Trails and Security Logs

An audit trail/log is a chronological sequence of records showing who has accessed a computer system
and what operations a user performed during a specified time. Audit trails are recorded in reference to two
basic areas: Linux-based shell commands, and any application management-based changes. Session
Manager configures the bash rpm to log all shell command activity to the Linux system logs in
/var/log/cmd_history.log. Activity includes login attempts (success and failure) and any command that is entered
by a user or invoked by any software within the server. The log provides an audit trail for all shell activity.
All log files are configured to roll over at a specific interval to prevent the log files from using the entire
disk space. Some Linux system logs on Session Manager are readable only from the root account.
Administrators can view or download contents of some of the Session Manager Linux system logs and
application logs on the Log Harvester page on the System Manager web console (under Events, Logs >
Log Harvester). Viewing the logs on the Log Harvester page eliminates the need for root access to the
Session Manager. For more information regarding the log harvester feature, see Administering Avaya
Aura® System Manager.
Security information is logged in or notified through:

• The Syslog security log in the location /var/log/secure
• Miscellaneous logs that track security-related information:
   • Linux access security log
   • Platform command history log
   • IP events
   • Session Manager logs
   • Web Services application logs
   • System Manager central log

Auditable events

The system logs the following security-related events:

• Attempted login or log off, whether successful or not.
• System level commands issued by users.
• Establishment of a new administrative access session regardless of the port of entry.
• Assignment of a user profile to an administrative session.
• Display, list, modification, addition, or deletion of a user profile.
• Any administrative access to local user accounts to view, add, change, and delete.
• Failed attempt to access an object or execute an action to which the user does not have access.

• Any access to the security control configuration of the server: logging configuration, the PAM
configuration, and the SIP firewall configuration.
• Trust management activities, as in certificate administration.
• Result of a request by an application to open or close a pinhole in the network firewall.
• A change in SIP firewall mitigation policy.
• SIP firewall detects that a SIP message has matched one of its rules.

Note:

You cannot disable logging of security events.

Use of Cryptography

This section describes the use of cryptography, including certificates and keys, by Session Manager.

Trust, Certificate, and Key Management/PKI


Digital certificates certify that a public key belongs to its reputed owner. To ensure greater trust, a trusted
party can sign the public key and the information about its owner, creating a public-key certificate, usually
called a certificate. Similar to a driver's license, a certificate guarantees the identity of its bearer.
A trusted party that issues digital certificates is called a certification authority (CA), similar to a
governmental agency that issues driver's licenses. A CA can be an external certification service provider
or a government, or the CA can belong to the same organization as the entities it serves. CAs can also
issue certificates to other sub-CAs, which create a tree-like certification hierarchy called a public-key
infrastructure (PKI).
The certificate Session Manager uses to assert its identity to the far end is called the Identity Certificate.
The issuer or CA certificates that Session Manager uses to verify and validate the identity of the far end
are referred to as Trusted Certificates.

Removal of Default Certificates in Session Manager


In Session Manager, Avaya SIP CA issued certificates are no longer supported for new installations.
Default certificates, also known as demo certificates, are non-unique identity certificates that are
automatically installed on newly shipped Session Manager servers. Default certificates are not secure and
do not meet current NIST standards.
New Session Manager servers no longer use the Avaya SIP Product CA issued Default Certificates. New
customer networks can request an Identity Certificate from the System Manager Trust Management that is
signed by the System Manager Certificate Authority.
For upgrades, Session Manager preserves the previous certificate. If a demo certificate was in use in the
previous release, the certificate is preserved through the upgrade.
Existing customers who either must replace an existing Session Manager server or want to add a Session
Manager to an existing network of Session Manager can use the initTM -d or the initTM --demo command
to download old demo certificates. Avaya recommends that customers use the newer certificates as soon
as possible.
There are three ways to manage certificates:

• Use the new Identity Certificate issued by System Manager (default).

• Use third party ID certificates.
• Restore the insecure Avaya SIP Product CA issued ID certificates. The system displays an advisory
warning message when using this option.

Note:
Read all certificate-related sections of this guide before making a decision on certificate-related changes
to your setup.

Viewing Session Manager Identity Certificates

Determine if the Session Manager is using the default demo Identity Certificate. The Issuer Name field for
a demo certificate displays the following information: O=Avaya INC.,OU=SIP Product Certificate
Authority,CN=SIP Product Certificate Authority.

Procedure
1. On the home page of the System Manager Web Console, in Services, click Inventory > Manage
Elements.
2. Select the appropriate Session Manager instance.
3. Click More Actions > Configure Identity Certificates.
4. Select the Security Module SIP entry.
5. Verify the Issuer Name field.

Updating Session Manager Trusted Certificates

Establishing TLS sessions with customer or third-party devices requires exchanging issuer certificates
between Session Manager and the third-party device.

Procedure
Use the System Manager interface to provision additional trusted certificates to Session Manager.

Issuing a unique identity or server certificate to Session Manager

Session Manager uses the Trust Management service within System Manager to request an identity or
server certificate. During installation, Session Manager prompts you for the location information of System
Manager and also prompts you for an enrollment password. Session Manager uses this information to
request a unique identity certificate from the Trust Management service of System Manager.
The internal CA signed certificate is the default certificate from Avaya CA. You can add a third-party
identity certificate for Session Manager as an alternative to using the internal CA signed certificate.
For information on how to obtain an enrollment password and to switch to third party certificates, see
Administering Avaya Aura® Session Manager.

Defining server trust relationships with Digital Certificates

To establish mutually authenticated SIP TLS connections between Session Manager and any other Avaya
or third-party application/server/telephone, it is essential that either end can establish the identity of the
other party during the initial TLS handshake and establish the relationship, back to a known trusted third-
party. To enable this exchange and establish this trust relationship, both parties should provide their chain
of trust.

Session Manager to third-party applications or servers


Use only unique, non-default identity or server certificates within Session Manager when interoperating
with third-party applications or servers. Network Routing Policy (NRP) in System Manager defines SIP
Entities and Entity Links. The following information within NRP is used for authenticating SIP Entities by
performing validation on IP/Transport Layer and TLS Layer.

1. FQDN or IP Address of the SIP entity.
2. Credential name of the SIP entity.
3. Protocol of entity links. This is the SIP connection transport type (TCP/TLS/UDP).

4. Trust State of the entity link. This defines whether the entity link is trusted or not.

Certificate Revocation Lists

Digital Certificates identify communication entities in a Public Key Infrastructure (PKI). Certificate
Authorities (CAs) issue certificates with a validity period. During validation, communicating entities ensure
the certificate has not expired and also check the revocation status of the certificate. At times, the issuing
CA might want to revoke the certificate before it expires. For example, when an employee leaves the
company, the CA must revoke the certificates issued to that employee to avoid misuse. Session Manager
7.1 uses the Certificate Revocation List (CRL) method for checking certificate revocation.

CRLs contain a list of serial numbers for certificates that are revoked. Entities with a revoked certificate
must no longer be trusted. To revoke a certificate:

• The Certificate Authority (CA) administrator can log on to a CA and revoke the certificate.
• The CA publishes the CRL to an HTTP or LDAP repository referenced in the CRL Distribution Point
(CDP) extension of a certificate.

Session Manager performs the required certificate revocation checks based on the global Certificate
Revocation Check policy that is configured on System Manager.

If Certificate Revocation Checking is enabled, every certificate exchanged while establishing a TLS
connection is verified against a CRL. Before using a CRL, Session Manager verifies the validity of the CA's
digital signature on the CRL.

System Manager provides the ability to periodically download CRLs in advance to make them available
before a TLS connection is attempted. If a CRL is not previously downloaded, the system might attempt to
download the CRL when trying to establish a TLS connection. In that case, the system attempts to
download the CRLs from the URI specified in the certificate’s CRL Distribution Point (CDP) extension.
Multiple CDP locations may be included in the CDP extension. If multiple CDP locations are specified, an
attempt is made to download a CRL from the first location, followed by the next location, and so on, until
the system either downloads a CRL or times out.

CRL revocation checking options

The following CRL revocation checking options are available:

• Mandatory: The certificate is considered valid if all CRLs in a certificate chain can be fetched and no
certificate is present on any CRL.

• Best effort: The certificate is considered valid if none of the CRLs in a certificate chain that have been
fetched indicate that the certificate has been revoked, or if a CRL cannot be fetched.
• Off: No CRL revocation checking is performed.
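
The three options differ only in how they treat a CRL that cannot be fetched. The following added example (not Avaya code) models that decision together with the in-order CDP fallback described above; the dictionary shapes, the `repository` stand-in for HTTP or LDAP downloads, the sample names and serial numbers, and the treatment of a CRL whose signature does not verify are all assumptions.

```python
from enum import Enum


class Policy(Enum):
    MANDATORY = "Mandatory"
    BEST_EFFORT = "Best effort"
    OFF = "Off"


def fetch_crl(cdp_urls, repository):
    """Try each CDP location in order and return the first usable CRL, else None.

    `repository` maps URL -> CRL and stands in for the HTTP or LDAP download;
    a missing URL models a failed or timed-out download.
    Assumption: a CRL whose CA signature does not verify is treated like a
    failed download, and the next location is tried.
    """
    for url in cdp_urls:
        crl = repository.get(url)
        if crl is not None and crl["signature_ok"]:
            return crl
    return None


def chain_is_valid(policy, chain, repository):
    """Apply the Mandatory / Best effort / Off rule to every certificate in the chain."""
    if policy is Policy.OFF:
        return True
    for cert in chain:
        crl = fetch_crl(cert["cdp"], repository)
        if crl is None:
            if policy is Policy.MANDATORY:
                return False      # Mandatory: every CRL must be fetched
            continue              # Best effort: an unfetchable CRL is ignored
        if cert["serial"] in crl["revoked"]:
            return False
    return True


# Constructed sample data: two-certificate chains and the CRLs published for them.
ISSUING_CDP_A = "http://crl-a.example.test/issuing.crl"
ISSUING_CDP_B = "http://crl-b.example.test/issuing.crl"
ROOT_CDP = "http://crl-a.example.test/root.crl"

REVOKED_LEAF = {"subject": "sbc1.example.test", "serial": 0x1A2B,
                "cdp": [ISSUING_CDP_A, ISSUING_CDP_B]}
GOOD_LEAF = {"subject": "sbc2.example.test", "serial": 0x1A2C,
             "cdp": [ISSUING_CDP_A, ISSUING_CDP_B]}
ISSUING_CA = {"subject": "Example Issuing CA", "serial": 0x0002, "cdp": [ROOT_CDP]}

ISSUING_CRL = {"signature_ok": True, "revoked": {0x1A2B}}
ROOT_CRL = {"signature_ok": True, "revoked": set()}

# First CDP location is down, the second one answers.
REPO_SECOND_CDP_UP = {ISSUING_CDP_B: ISSUING_CRL, ROOT_CDP: ROOT_CRL}
# Neither location for the issuing CA's CRL can be reached.
REPO_ISSUING_CRL_DOWN = {ROOT_CDP: ROOT_CRL}


def decision_table(chain):
    """Return {(policy name, repository name): decision} for the constructed repositories."""
    repos = {"second CDP up": REPO_SECOND_CDP_UP, "issuing CRL down": REPO_ISSUING_CRL_DOWN}
    return {(policy.value, name): chain_is_valid(policy, chain, repo)
            for policy in Policy for name, repo in repos.items()}


if __name__ == "__main__":
    for key, valid in decision_table([REVOKED_LEAF, ISSUING_CA]).items():
        print(key, "->", "valid" if valid else "rejected")
```

Under Best effort the revoked certificate is accepted whenever its CRL cannot be downloaded, so CRL reachability is worth monitoring when that option is selected.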

NIST Compliance
The National Institute of Standards and Technology (NIST) develops cryptographic standards for the
United States government. NIST recommends that starting in 2014, the digital signatures of Identity
Certificates use SHA2 hashing and 2048-bit RSA keys. NIST required at least 2048-bit RSA keys. Using
the GUI, customers have the option to create larger keys, such as 4096.

• Session Manager uses SHA-256 and 2048-bit RSA keys for signing new Identity Certificates by
default.
• Session Manager uses SHA-512 for passwords.
• Session Manager is compliant with NIST SP800-131a.

SIP providers now require client applications, such as Session Manager, to use certificates with a digital
signature that is formed with SHA-256 and 2048-bit RSA keys.
To operate with the web browser application, Avaya customers must replace the demo certificates with
certificates issued by the System Manager Certificate Authority.

Transport Layer Security


Session Manager supports Transport Layer Security (TLS) 1.2 to:

• Provide a higher level of security than earlier TLS versions to protect users from known attacks.
• Provide flexibility for defining cryptography algorithms.

The TLS protocol provides three essential services to all applications: encryption, authentication, and data
integrity.

Viewing the TLS version

Procedure
1. On the home page of the System Manager Web Console, under Elements, select Session Manager
> System Status > Security Module Status.
2. Select the appropriate Session Manager.
3. Click Connection Status.
4. Select a filter.
5. Click Apply Filter.

The TLS version displays in the Transport field.

IP/Transport layer validation


When a SIP entity connects to Session Manager over a TCP or TLS port, Session Manager verifies:

1. The IP address matches one of the SIP entities configured in NRP that have trusted entity links
with the Session Manager. If SIP entities are configured as FQDN, DNS resolution is performed before
this verification.
2. The transport for the incoming SIP connection matches one of the entity links associated with this
SIP entity and Session Manager. Also, the Trust State of the entity link must be configured as trusted.
Session Manager does not accept connections matching untrusted entity links.

For SIP packets over UDP, Session Manager performs the same validations for each packet. For SIP TLS
connections, further validation is performed as described in the next section.

TLS Layer validation


Session Manager applies the following validations for SIP TLS connections:

1. Mutual TLS authentication: During the TLS handshake, the SIP entity and Session Manager
validate the certificate of each other and perform mutual TLS authentication.
Note:
Session Manager can enforce certificate validation for SIP endpoints. Session Manager rejects
communication if the certificate is not trusted or invalid.
2. Additional validation of the SIP entity identity certificate: If the mutual TLS authentication is
successful, further validation is performed using the credential name or the far end IP address of the
SIP entity identity certificate.

   • If the credential name string is empty, the connection is accepted.
   • If the credential name string is not empty, the credential name and the IP address of the SIP
   entity are searched for in the following fields of the identity certificate provided by the SIP entity:
      • CN value from the subject
      • subjectAltName.dNSName
      • subjectAltName.uniformResourceIdentifier. For IP address comparison, the IP address
      string is converted to SIP:W.X.Y.Z before comparison. W.X.Y.Z is the remote socket IPv4
      address. A case-insensitive search is also performed in this case.

3. On the Session Manager Administration page, an administrator can enable or disable the TLS
endpoint certificate validation feature.

Ability to disable TLS versions

Session Manager supports TLS versions 1.0, 1.1, and 1.2. TLS version 1.0 is the least secure, while
version 1.2 is the most secure. Based on the capability of the SIP entity, the system negotiates and
establishes the highest common TLS version. For example, if the SIP entity supports TLS version 1.0,
then after capability negotiation Session Manager establishes a connection with TLS version 1.0.
Negotiating a lower TLS version that has known vulnerabilities might not be acceptable in some customer
configurations.

With Session Manager Release 7.1.2, a system administrator can define the minimum allowed TLS
version for the global SIP entity and for each SIP entity. In some scenarios, the SIP entity does not
support a TLS version equal to or above the minimum allowed TLS version. In this case, the SIP entity
cannot establish a connection with Session Manager.

Session Manager Release 7.1.2 adds two global policies that govern the minimum allowed TLS versions
for the SIP Entities and SIP endpoints respectively. For more information, see Administering Avaya Aura®
Session Manager.

When negotiating TLS versions, Session Manager starts with the latest TLS version. However, the system
allows the version to be downgraded only as far as the minimum allowed TLS version defined by the global
policy. For example, if a customer does not want to allow TLS connections with the SIP Entities earlier than
version 1.1, the administrator can set the global policy of minimum allowed TLS version for SIP
Entities to 1.1. This ensures that Session Manager allows TLS connections with the SIP Entities only at
TLS version 1.1 or later.

To ensure that upgrades are non-interruptive, the value of this setting after upgrade is set to 1.0. You must
manually change the minimum allowed TLS version when required. For new installations, the version is
set to version 1.2 by default.
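
The following added example (not Avaya code) chains the IP/Transport layer validation and the minimum allowed TLS version policy described above into one admission decision. The entity names, addresses, data layout and the rule that a per-entity minimum overrides the global policy are assumptions; the supported versions and the 1.0 and 1.2 defaults come from this page.

```python
TLS_VERSIONS = ["1.0", "1.1", "1.2"]      # versions Session Manager supports, per this page
UPGRADE_DEFAULT_MIN = "1.0"               # value of the setting after an upgrade
NEW_INSTALL_DEFAULT_MIN = "1.2"           # value of the setting on a new installation

# Constructed NRP data (hypothetical entities, documentation address ranges).
ENTITY_LINKS = [
    {"entity": "sbc1", "address": "192.0.2.10", "transport": "TLS",
     "trusted": True, "min_tls": None},
    {"entity": "sbc2", "address": "sbc2.example.test", "transport": "TLS",
     "trusted": True, "min_tls": None},
    {"entity": "legacy-gw", "address": "192.0.2.20", "transport": "TLS",
     "trusted": True, "min_tls": "1.0"},
    {"entity": "lab-pbx", "address": "192.0.2.30", "transport": "TCP",
     "trusted": False, "min_tls": None},
]
DNS = {"sbc2.example.test": ["192.0.2.40"]}   # constructed resolver table


def find_trusted_link(remote_ip, transport, links=ENTITY_LINKS, dns=DNS):
    """IP/Transport layer validation: IP, transport and Trust State must all match."""
    for link in links:
        # Entities configured as FQDN are resolved before the comparison.
        addresses = dns.get(link["address"], [link["address"]])
        if remote_ip in addresses and link["transport"] == transport and link["trusted"]:
            return link
    return None


def negotiate_tls(peer_versions, minimum):
    """Return the highest version both sides support, or None if it is below `minimum`."""
    common = [v for v in TLS_VERSIONS if v in peer_versions]
    if not common:
        return None
    best = common[-1]
    if TLS_VERSIONS.index(best) < TLS_VERSIONS.index(minimum):
        return None
    return best


def admit(remote_ip, transport, peer_versions, global_min, links=ENTITY_LINKS, dns=DNS):
    """Return ("accept" | "reject", detail) for an incoming SIP connection."""
    link = find_trusted_link(remote_ip, transport, links, dns)
    if link is None:
        return ("reject", "no trusted entity link for this IP and transport")
    if transport != "TLS":
        return ("accept", transport)
    # Assumption: a per-entity minimum, when set, overrides the global policy.
    minimum = link["min_tls"] or global_min
    version = negotiate_tls(peer_versions, minimum)
    if version is None:
        return ("reject", "peer cannot meet minimum TLS " + minimum)
    return ("accept", "TLS " + version)


if __name__ == "__main__":
    old_peer = ["1.0"]
    print(admit("192.0.2.10", "TLS", old_peer, UPGRADE_DEFAULT_MIN))
    print(admit("192.0.2.10", "TLS", old_peer, NEW_INSTALL_DEFAULT_MIN))
    print(admit("192.0.2.20", "TLS", old_peer, NEW_INSTALL_DEFAULT_MIN))
    print(admit("192.0.2.30", "TCP", [], NEW_INSTALL_DEFAULT_MIN))
```

The first two calls show the effect of leaving the setting at its post-upgrade value: the same TLS 1.0 peer is accepted with a minimum of 1.0 and refused with a minimum of 1.2.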

Credential Name configuration

The following are use cases for credential name configuration:

1. If you do not want to perform additional validation on a SIP Entity identity certificate or you are not
using SIP TLS for connecting to the SIP entity, leave this field empty.
2. If you want to verify that a specific string or SIP Entity FQDN is present within the SIP Entity identity
certificate, enter that string or SIP Entity FQDN using regular expression syntax.
3. If you want to verify the SIP Entity IP address is present within the SIP Entity identity certificate,
enter the SIP Entity IP address using regular expression syntax. The IP address is searched by default
when any string is configured in the Credential name.
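
An added example (not Session Manager's own matching code) of the three use cases above, run against dictionaries shaped like Python's ssl getpeercert() output. It assumes the pattern is searched, unanchored, in the subject common name and subjectAltName values; the certificates, addresses, and function names are constructed for the illustration. It also shows why an FQDN entered as a regular expression should have its dots escaped and be anchored.

```python
"""Credential Name check modelled on the three use cases above."""
import ipaddress
import re
from typing import List, Tuple


def certificate_names(cert: dict) -> List[str]:
    """Collect subject commonName and all subjectAltName values."""
    names = []
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                names.append(value)
    names.extend(value for _kind, value in cert.get("subjectAltName", ()))
    return names


def ip_in_certificate(cert: dict, entity_ip: str) -> bool:
    """True if the entity IP address appears as an IP subjectAltName."""
    target = ipaddress.ip_address(entity_ip)
    for kind, value in cert.get("subjectAltName", ()):
        if kind == "IP Address":
            try:
                if ipaddress.ip_address(value) == target:
                    return True
            except ValueError:
                continue  # malformed SAN entry: ignore it
    return False


def strict_pattern(fqdn: str) -> str:
    """Escape regex metacharacters in an FQDN and anchor it at both ends."""
    return "^" + re.escape(fqdn) + "$"


def check_credential_name(cert: dict, credential_name: str,
                          entity_ip: str) -> Tuple[bool, str]:
    """Return (accepted, reason) for one SIP entity identity certificate."""
    if not credential_name:
        return True, "field empty: no additional validation"       # use case 1
    try:
        pattern = re.compile(credential_name)
    except re.error:
        return False, "credential name is not a valid regular expression"
    if ip_in_certificate(cert, entity_ip):
        return True, "entity IP address found in certificate"      # use case 3
    for name in certificate_names(cert):
        if pattern.search(name):                                    # use case 2
            return True, f"pattern matched {name!r}"
    return False, "no certificate name matched"


# Constructed certificates (documentation address range 192.0.2.0/24).
CERT_EXPECTED = {
    "subject": ((("commonName", "sm1.example.com"),),),
    "subjectAltName": (("DNS", "sm1.example.com"),),
}
CERT_UNRELATED = {
    "subject": ((("commonName", "sm1xexample.com.other.test"),),),
    "subjectAltName": (("DNS", "sm1xexample.com.other.test"),),
}
CERT_IP_ONLY = {
    "subject": ((("commonName", "gateway-7"),),),
    "subjectAltName": (("IP Address", "192.0.2.10"),),
}

if __name__ == "__main__":
    loose = "sm1.example.com"            # "." matches any character, no anchors
    strict = strict_pattern("sm1.example.com")
    for label, cert in (("expected", CERT_EXPECTED), ("unrelated", CERT_UNRELATED)):
        print(label, "loose :", check_credential_name(cert, loose, "192.0.2.10"))
        print(label, "strict:", check_credential_name(cert, strict, "192.0.2.10"))
```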

Session Manager Secure Protocols

Link | Description | Transport protocol | Initial Key Determination
SIP signaling | SIP Trunks to/from Session Manager | TLS | TLS
Personal Profile Manager (PPM) download | SIP telephone to Session Manager | HTTPS | TLS
Admin access | Access to the System Manager console for Session Manager administration | HTTPS | TLS
Jgroups | State information shared between Session Manager instances | Jgroups/multicast | Pre-shared secrets.
Logging | Log messages sent from Session Manager to System Manager | STUNNEL | TLS

Jgroups:

• Share information between Session Managers for distributed bandwidth management such as Call
Admission Control (CAC).
• Share the subscriptions and registrations information on Session Managers. Sharing information
related to routing telephone calls and routing event related messages is critical to proper operation of
Session Manager redundancy.
• Occasionally propagate distributed settings between Session Managers for debugging and custom
settings. For example, global settings for timers and others that are not provisioned through System
Manager require root access and are reserved for development and detailed tier 4 support. The data
sent over this port is single-DES encrypted. The DES key is fixed, cannot be changed, and is the same
for all Session Managers.

Session Manager supported encryption algorithms


Session Manager implements cryptographic algorithms and methodologies that are generally accepted in
the INFOSEC community. Cryptographic functions are selected based on an assessment of whether they
would gain approval under a FIPS 140-2 or Common Criteria certification assessment.
Note:
Use of SRTP to encrypt media or bearer traffic is transparent to Session Manager.

Avaya Services access

Data transmitted to and from Avaya services in support of customer equipment is protected across
non-secure data networks such as the Internet, over modems, and through SNMP notifications. Contact
Avaya services for more information.

Avaya services accounts


Enhanced Access Security Gateway (EASG) provides a secure method for Avaya support personnel to
access the Avaya Aura® Application remotely. Access is under the control of the customer. EASG must
be enabled for Avaya Services to perform the required maintenance tasks. Session Manager supports
the EASG challenge and response authentication and authorization solution. EASG uses a dedicated
EASG certificate to create a response and requires Session Manager to use the EASG certificate public
key to verify the response. The following table describes the services login details:

Account Service Level Privileges

sroot Root Services Root, same as ‘root’.

craft susers craft cannot perform login administration or change customer services.

init susers Same as craft

Avaya Services Accounts and Authentication

Credentials management
Credentials such as usernames and passwords for standard Linux accounts in Session Manager are
stored in the following files:

• /etc/passwd
• /etc/shadow
• /etc/group

The backup copies are kept in files such as /etc/passwd- and /etc/group-.
Session Manager does not use a database to store credentials information. However, UPM and PPM data
are stored in the Session Manager database.

• Passwords for local accounts are stored in /etc/shadow. Passwords in /etc/shadow are stored as a
one-way hash. You can access the file /etc/shadow using the root login.
• Any user logged into Linux can view user names and group membership for local accounts.

EASG Login Authentication


Enhanced Access Security Gateway (EASG) authenticates the following Avaya Services logins to access
Session Manager:

• craft
• sroot
• init

The Session Manager EASG challenge/response functionality will utilize the EASG certificate and is
compatible with the EASG capability of other Avaya products.
The list of key parameters includes but is not necessarily limited to the following:

• Authentication File ID (AFID) is the parameter that the ASG login screen displays as the Product
ID.
• Product Name
• Product Release
• Common Name (for example, host.domain.com)
• Authentication file generation date and time
• Authentication file request type
• ASG key type
• Password type
• Authentication File System (AFS) Request ID (Note: Authentication files from AFS are encrypted using
AES)

Privilege escalation
Session Manager supports privilege escalation with the su and sudo commands. Technicians who need
higher privileges must log in using the normal service accounts and then escalate privileges using su or
sudo to perform more restrictive tasks. sudo -l displays a list of restricted commands that are accessible
to the user.

Authentication
You can configure System Manager to authenticate administrative users using external authentication
services such as an enterprise directory, a database, or a RADIUS server. An administrative account is
provisioned within System Manager during installation for initial access.
Note:
Access to the Session Manager host (OS) is not recommended in this release and all management
functionality of Session Manager is performed through System Manager.
System Manager supports external authentication services that provide:

• Centralized control of enterprise logins and passwords


• Enforcement of password aging, complexity, minimum length, and reuse requirements
• Avaya product adherence to the enterprise corporate security standards regarding logins and
passwords

Authentication Mechanism | Description and Interoperability information
DB | This is the default mechanism and is configured to be done against the embedded database such as Postgres. Interoperability: This release of System Manager is tested to interoperate with Postgres.
LDAP | System Manager can be configured to authenticate against the enterprise LDAP for administrator authentication. These users still need to be provisioned in the System Manager database because System Manager requires the authorization information to provide privilege based access to the users. Interoperability: This release of System Manager has been tested to interoperate with openLDAP.
RADIUS | Administrative users can also be authenticated against a RADIUS server. This setup supports token based authentication mechanisms similar to the SecurID. As with LDAP authentication, the users authenticating using this mechanism need to be provisioned in the System Manager database for authorized access. Interoperability: This release of System Manager is tested to interoperate with FreeRADIUS.

Resources

Documentation

The following documents are available at http://support.avaya.com.

For the latest information, see the Session Manager Release Notes.

Title | Description | Audience

Overview

Avaya Aura® Session Manager Overview and Specification | Describes the key features of Session Manager. | IT management, System administrators
Avaya Aura® Virtualized Environment Solution Description | Describes the Avaya Virtualized Environment, design considerations, topology, and resources requirements. | Sales engineers, Implementation engineers, Support personnel
Avaya Aura® Session Manager Security Design | Describes the security considerations, features, and solutions for Session Manager. | Network administrators, services, and support personnel
Avaya Aura® Session Manager 7.1 Release Notes | Contains enhancements, fixes, and workarounds for the Session Manager 7.1 release. | System administrators, Services and support personnel

Implementation

Deploying Avaya Aura® applications from System Manager | Describes how to deploy the Avaya Aura® virtual applications using the System Manager Solution Deployment Manager. | Services and support personnel
Deploying Avaya Aura® Session Manager | Describes how to deploy the Session Manager virtual application in a virtualized environment. | Services and support personnel
Deploying Avaya Aura® Branch Session Manager | Describes how to install and configure Branch Session Manager in a virtualized environment. | Services and support personnel
Routing Web Service API Programming Reference | Describes how to use the System Manager Routing Web Service API for Session Manager. | Services and support personnel
Upgrading and Migrating Avaya Aura® applications from System Manager | Describes how to upgrade and migrate the Avaya Aura® virtual applications using System Manager Solution Deployment Manager. | Services and support personnel

Using

Using the Solution Deployment Manager client | Deploy and install patches for Avaya Aura applications. | System administrators

Administration

Administering Avaya Aura® Session Manager | Describes the procedures to administer Session Manager using System Manager. | System administrators
Administering Avaya Aura® Communication Manager Server Options | Describes the procedures to administer Communication Manager as a feature server or an evolution server. Provides information related to Session Manager administration. | System administrators
Avaya Aura® Session Manager Case Studies | Provides common administration scenarios. | System administrators

Installation and upgrades

Installing the Dell™ PowerEdge™ R610 Server | Describes the installation procedures for the Dell™ PowerEdge™ R610 server. | Services and support personnel
Installing the Dell™ PowerEdge™ R620 Server | Describes the installation procedures for the Dell™ PowerEdge™ R620 server. | Services and support personnel
Installing the Dell™ PowerEdge™ R630 Server | Describes the installation procedures for the Dell™ PowerEdge™ R630 server. | Services and support personnel
Installing the HP ProLiant DL360 G7 Server | Describes the installation procedures for the HP ProLiant DL360 G7 server. | Services and support personnel
Installing the HP ProLiant DL380p G8 Server | Describes the installation procedures for the HP ProLiant DL380p G8 server. | Services and support personnel
Installing the HP ProLiant DL360 G9 Server | Describes the installation procedures for the HP ProLiant DL360 G9 server. | Services and support personnel
Upgrading Avaya Aura® Session Manager | Describes the procedures to upgrade Session Manager to the latest software release. | Services and support personnel
Migrating and Installing Avaya Appliance Virtualization Platform | Describes the migration and installation procedures for Appliance Virtualization Platform. | Services and support personnel
Using the Solution Deployment Manager client | Describes the patch deployment and installation procedure for Avaya Aura® applications. | Services and support personnel

Maintaining and Troubleshooting

Maintaining Avaya Aura® Session Manager | Contains the procedures for maintaining Session Manager. | Services and support personnel
Troubleshooting Avaya Aura® Session Manager | Contains the procedures to troubleshoot Session Manager, resolve alarms, and replace hardware. | Services and support personnel

Finding documents on the Avaya Support website

Procedure
1. Navigate to http://support.avaya.com/.
2. At the top of the screen, type your username and password and click Login.
3. Click Support by Product > Documents.
4. In Enter your Product Here, type the product name and then select the product from the list.
5. In Choose Release, select an appropriate release number.
6. In the Content Type filter, click a document type, or click Select All to see a list of all available
documents.

For example, for user guides, click User Guides in the Content Type filter. The list displays the
documents only from the selected category.

7. Click Enter.

Training

The following table contains courses that are available on https://www.avaya-learning.com. To search for
the course, in the Search field, enter the course code and click Go.

New training courses are added periodically. Enter Session Manager in the Search field to display the
inclusive list of courses related to Session Manager.

Course code | Course title
1A00236E | Knowledge Access: Avaya Aura® Session and System Manager Fundamentals
4U00040E | Knowledge Access: Avaya Aura® Session Manager and System Manager Implementation
5U00081V | Session Manager Administration
5U00082I | Session Manager and System Manager Administration
5U00082R | Session Manager and System Manager Administration
5U00050E | Knowledge Access: Avaya Aura® Session Manager and System Manager Support
5U00095V | System Manager Implementation, Administration, Maintenance and Troubleshooting
5U00096V | Avaya Aura® Session Manager Implementation, Administration, Maintenance and Troubleshooting
5U00097I | Avaya Aura® Session and System Manager Implementation, Administration, Maintenance and Troubleshooting
5U00105W | Avaya Aura® Session Manager Overview
ATC01840OEN | Survivable Remote Session Manager Administration
ATU00171OEN | Session Manager General Overview
ATC00175OEN | Session Manager Rack and Stack
ATU00170OEN | Session Manager Technical Overview
2011V | What is new in Avaya Aura® System Manager 7.0 and Avaya Aura® Session Manager 7.0

Viewing Avaya Mentor videos

Avaya Mentor videos provide technical content on how to install, configure, and troubleshoot Avaya
products.

About this task


Videos are available on the Avaya Support website, listed under the video document type, and on the
Avaya-run channel on YouTube.

Procedure
• To find videos on the Avaya Support website, go to http://support.avaya.com and perform one of the
following actions:
◦ In Search, type Avaya Mentor Videos to see a list of the available videos.
◦ In Search, type the product name. On the Search Results page, select Video in the Content Type
column on the left.
• To find the Avaya Mentor videos on YouTube, go to www.youtube.com/AvayaMentor and perform one
of the following actions:
◦ Enter a key word or key words in the Search Channel to search for a specific product or topic.
◦ Scroll down Playlists, and click the name of a topic to see the available list of videos posted on the
website.

Note:
Videos are not available for all products.

Support
Go to the Avaya Support website at http://support.avaya.com for the most up-to-date documentation,
product notices, and knowledge articles. You can also search for release notes, downloads, and
resolutions to issues. Use the online service request system to create a service request. Chat with live
agents to get answers to questions, or request an agent to connect you to a support team if an issue
requires additional expertise.

Using the Avaya InSite Knowledge Base

The Avaya InSite Knowledge Base is a web-based search engine that provides:

• Up-to-date troubleshooting procedures and technical tips


• Information about service packs
• Access to customer and technical documentation
• Information about training and certification programs
• Links to other pertinent information

If you are an authorized Avaya Partner or a current Avaya customer with a support contract, you can
access the Knowledge Base without extra cost. You must have a login account and a valid Sold-To
number.

Use the Avaya InSite Knowledge Base for any potential solutions to problems.

1. Go to http://www.avaya.com/support.
2. Log on to the Avaya website with a valid Avaya user ID and password. The system displays the
Avaya Support page.
3. Click Support by Product > Product Specific Support.
4. In Enter Product Name, enter the product, and press Enter.
5. Select the product from the list, and select a release.
6. Click the Technical Solutions tab to see articles.
7. Select relevant articles.

Avaya Security Advisories

The Avaya Product Security Support Team (PSST) is responsible for the following:

• Managing Avaya product vulnerabilities and threats.


• Maintaining information posted at support.avaya.com/security.
• Performing security testing and auditing of Avaya’s core products.
• Resolving security-related field problems in support of Avaya Global Services.
• Managing the securityalerts@avaya.com mailbox.

The PSST actively monitors security issues related to the following:

• Avaya products.
• Products that are incorporated into Avaya products.
• General data networking and telecommunications, as identified by government agencies.

When a security vulnerability is identified, the PSST determines the susceptibility of Avaya products and
assigns one of four risk levels: High, Medium, Low, and None. Depending on the category of risk, the
PSST creates an Avaya Security Advisory to notify customers of the vulnerability.
Depending on the vulnerability and its risk level, the advisory might include a recommended mitigation
action. A recommendation could be the use of a third-party-provided patch, a planned Avaya software
patch or upgrade, or additional guidance regarding the vulnerability.

How do I get Avaya Security Advisories?


Avaya Security Advisories are posted on the Security Support Web site at
http://support.avaya.com/security. Customers can register at Avaya’s support web site to receive email
notifications of Avaya security advisories. The advisories are distributed in a time frame as indicated in
the following table:

Avaya’s vulnerability classification | Target intervals between assessment and notification
High | Within 24 hours
Medium | Within 2 weeks
Low | Within 30 days
None | At Avaya’s discretion

Customers can sign up to receive advisories by email on the Avaya Security Support Web site by
following these steps:

1. Browse to http://support.avaya.com.
2. If you do not have an account, go to http://sso.avaya.com and click Register Now and follow the
instructions. To register, you need an Avaya SSO login and a Sold To number.
3. Once you have set up an SSO user ID and password you can enroll for the E-Notifications you wish
to receive.
4. To do that, click the My E-Notifications link, which can be accessed from the home page for the
Web site (http://support.avaya.com) or by selecting the My E-Notifications link under Online Service
Manager.
5. To enroll for the E-Notifications you wish to receive, click Add New E-Notifications.
6. If you select one of the five radio buttons on the top portion of the page, you will receive e-mail
notifications when new content is added or revised for all Avaya products under the following content
areas:
◦ Product Correction Notices
◦ Security Advisories
◦ Product Support Notices – High Priority
◦ End of Sale Notices
◦ Services Support Notices
7. To receive an e-mail notification for a particular product, select the radio button next to Choose from
the Product list and then select the product for which you are interested in receiving notifications. You
will then be asked to select the release and content types from available release/content type
combinations for the selected product.

If you have questions about enrolling for My E-Notifications on the Avaya Customer Self Service website,
send an email message to support@avaya.com.

Avaya Security Vulnerability Classification

Related references
The Avaya Product Security Support Team (PSST) classifies vulnerabilities relative to their potential threat
to Avaya products. See Avaya’s Security Vulnerability Classification document
(https://support.avaya.com/css/P8/documents/100066674).
The following table summarizes the three main categories.

Avaya’s Security Vulnerability Classification

Vulnerability classification: High
Criteria for classification: The product is vulnerable to:

• Attacks from a remote unauthenticated user who can easily access high-level administrative control
of a system or critical application without interaction with a user of the product beyond standard
operating procedures.
• Attacks from remote unauthenticated user who can easily cause the system or a critical application to
shutdown, reboot, or become unusable without requiring interaction with a product user.

Vulnerability classification: Medium
Criteria for classification: The product does not meet criteria for high vulnerability, but is vulnerable to:

• Attack from a user who can access a user account, and access does not directly require the
privileges of a high-level administrative account.
• The system and/or critical application shutting down, rebooting, or becoming unusable, and an
existing administrative or local account is used for this attack.
• Attack from a user who can access a local user account from which higher-level privileges are
available.

Vulnerability classification: Low
Criteria for classification: The product does not meet criteria for medium or high vulnerability, but is
vulnerable to:

• Compromise of the confidentiality, integrity, or availability of resources, although any compromise is
difficult or unlikely without non-standard direct user interaction.
• Non-critical applications shutting down, rebooting, or becoming unusable.

Vulnerability classification: None
Criteria for classification: A related third-party product has a vulnerability, but the affected software
package(s), module(s), or configuration(s) are not used on an Avaya product. There is no vulnerability.

• Avaya’s Security Vulnerability Classification document: https://support.avaya.com/css/P8/documents/100066674
• Example of a High-risk advisory: https://downloads.avaya.com/css/P8/documents/100062710
• Example of a Medium-risk advisory: https://downloads.avaya.com/css/P8/documents/100064239
• Example of a Low-risk advisory: https://downloads.avaya.com/css/P8/documents/100064944
• Example of a risk level of None: https://downloads.avaya.com/css/P8/documents/100064240

Advisory organization

Overview
The overview describes the vulnerability. For operating system or third-party software, the overview
provides a link for quick access to a Web site for more information. The linked information provides:

• A description of the risk.
• Instructions on how to correct the problem, which might include:
◦ Installing an update.
◦ Revising administration of the product.
• A description of what additional security fixes, if any, are included in the update.

For Avaya software-only products, the advisory provides a listing of the specific Avaya products that use,
but are not bundled with, operating system software that might be vulnerable. Information includes:

• The product version affected.


• Possible actions to take to reduce or eliminate the risk.

For Avaya system or turnkey products, the advisory provides a listing of the specific Avaya products that
are vulnerable or are bundled with operating system software that might be vulnerable. Information
includes:

• The level of risk.


• The product version affected.
• Possible actions to take to reduce or eliminate the risk.

The advisory provides steps to remove the vulnerability. The steps might include installing a security
update, administering a security feature, or performing a software upgrade. For operating system and
third-party software, the recommended action is normally identified through the Web site links in the
security advisory.

Software and firmware updates

Avaya Security update delivery


Avaya makes security updates available on or through the Avaya Security Web site at
http://support.avaya.com/security. In addition, Avaya incorporates security updates, if applicable, in
subsequent software release packages.
Based on the classification of vulnerability and the availability of a vendor-supplied update, Avaya makes
a best effort attempt to provide remediation actions based on the following target intervals:

Vulnerability | Target remediation intervals
High | If Avaya needs to develop a software update, the Avaya Security Advisory provides a timeline for availability of the update. Avaya incorporates the fix into a separate service pack or update (30 days maximum delivery time). If a software patch is available for installation or another action is recommended, the Avaya Security Advisory describes the actions.
Medium | If Avaya needs to develop a software update, Avaya includes the update in the next major release that can reasonably incorporate the update. If no new major releases are scheduled for a product, and Avaya is providing maintenance support, Avaya incorporates the fix into a separate service pack or update (1 year maximum delivery time). If a software patch is available for installation or another action is recommended, the Avaya Security Advisory describes the actions.
Low | If Avaya needs to develop a software update, Avaya includes the update in the next major release that can reasonably incorporate the update. If no new major releases are scheduled for a product, and Avaya is providing maintenance support, Avaya incorporates the fix into a separate service pack or update (1 year maximum delivery time). If a software patch is available for installation or another action is recommended, the Avaya Security Advisory describes the actions.
None | No remediation actions are required.

Avaya product development staff incorporates a third-party update into the software in one of three ways:

• Avaya bundles the specific update or the new release of the affected software with the Avaya Session
Manager software such that the security-related updates are automatically incorporated into the Avaya
product operation.

• Avaya modifies the Session Manager software so that the specific update or the new release of the
affected software is appropriately incorporated into the Session Manager operation.
• Avaya modifies the specific update or the new release of the affected software so that the
security-related updates are automatically incorporated into the Session Manager operation.

When Avaya incorporates one or more security fixes into its software, the fixes might be delivered in one
of three forms:

• A security update: includes operating system and/or third-party software security fixes.
• An Avaya software update: includes software security fixes to the Avaya application software.
• An Avaya full release of software: includes all software for the Avaya product, including software
security fixes to the Avaya application software and/or security fixes for the operating system and
third-party fixes.

Validating a security update


When Avaya determines that a third-party security update applies to one or more of its products, Avaya
verifies there are no adverse effects to the published functionality of the products. In addition, when
third-party updates are included in the new software releases, the products are thoroughly tested.
Avaya-generated security updates are tested on all affected products before release. Avaya security
updates are tested before incorporation into subsequent releases. Testing meets the requirements of
internal Avaya testing standards, including the following:

• Denial of Service
• Encryption standards
• Certificate management
• Audits and logging
• Access control

Regulatory compliance

The following sections describe how Session Manager supports regulatory compliance for PCI, HIPAA,
and FISMA.

Considerations for customers who must comply with the Payment Card Industry DSS

Note:
The PCI standard applies to global merchants and card processing service providers. It is recommended
that customers rely on appropriate legal counsel and requirements of their card issuers for interpretation
of the standard’s requirements. Suggestions in this document are not to be construed as a substitute for
legal advice or a definitive list of all possible legal considerations.
The PCI Data Security Standard (DSS) is a set of comprehensive requirements for enhancing payment
account data security. The PCI DSS was developed by the founding payment card brands of the PCI
Security Standards Council, including American Express, Discover Financial Services, JCB International,
MasterCard Worldwide and Visa International, to facilitate the broad adoption of consistent data security
measures on a global basis. This comprehensive standard helps organizations proactively protect
customer account data.
Session Manager data to which PCI might apply includes customer cardholder data such as account
numbers, CCV codes, and card holder names. To the extent that a company uses data collected or
transmitted by Session Manager as part of its overall card payment processing, the company can use
security-related features of Session Manager to secure the data and support PCI compliance. When
Session Manager is deployed in a customer network environment that touches card processing or
cardholder data, all components of Session Manager may be considered in scope for PCI assessment
purposes. The following table shows the key features of Session Manager that can protect cardholder
information and demonstrate the merchant and service provider compliance with PCI:

Considerations for customers who must comply with HIPAA

Note:
This law applies to U.S. customers only. Avaya recommends that customers rely on appropriate legal
counsel and outside auditors for interpretation of the act’s requirements. Suggestions in this document are
not to be construed as a substitute for legal advice or a definitive list of all possible legal considerations.
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) requires health care providers to
disclose to health care recipients the ways in which the institution may use and disclose private
information. HIPAA also requires health care providers to protect the privacy of certain individually
identifiable health data for health care recipients.
Session Manager data to which HIPAA might apply includes customer names and telephone numbers,
and called and calling number data.
Use of the following key features can protect patient privacy and demonstrate the health care provider’s
compliance with HIPAA.

Considerations for customers who must comply with FISMA

Note:
This law applies to U.S. customers only. It is recommended that customers rely on appropriate legal
counsel and outside auditors for interpretation of the act’s requirements. Suggestions in this document are
not to be construed as a substitute for legal advice or a definitive list of all possible legal considerations.
The Federal Information Security Management Act of 2002 provides for development and maintenance of
minimum controls required to protect Federal information and information systems.
Telecommunications systems and commercially developed information security systems are among the
systems referenced under this act.
As a result, government agencies can usually use Avaya’s security-related features to secure
telecommunications data. Session Manager security features can also help prevent unauthorized access
to the customer’s network in general.
Features related to system security are documented in more detail in other sections of this document.
This document will assist customers with meeting FISMA requirements as shown in the following table:

Considerations for non-US customers who must comply with regulations
Any specific country might have unique regulations that raise compliance issues for Avaya products. For
example, countries such as Switzerland and Liechtenstein have Banking Secrecy laws that require a
financial organization to tell a customer when the customer’s identity has been revealed or that
information that might reveal the customer’s identity has been released. Such revelations can have a
negative effect on a bank’s business. Therefore, a bank’s communications services must be secure to
prevent unauthorized access to data such as names, telephone numbers, account codes, and so on.
To that end, Session Manager, through its authentication processes, access control, and encryption
methods, can protect call detail records, as well as the calls to customers. In this way, Avaya can help a
customer comply with banking secrecy laws and protect the integrity of its business. Avaya also offers
these security features to protect administered data that might reveal a customer’s identity, as might
be the case, for example, if a customer’s IP address or phone number is contained within the firewall
rules established for the product.

Basel II
Basel II: International Convergence of Capital Measurement and Capital Standards, a Revised
Framework, is a comprehensive set of banking standards compiled by the Basel Committee on
Banking Supervision. The national banking overseers in many European countries seek to implement
country-specific laws and procedures to meet the Basel II standards. To measure risk levels for banking
standards, Basel II mandates tracking loss event data, which includes financial systems hacking, theft
of data, and impersonation. To this end, Avaya systems offer a number of security features, such as those
described in the previous paragraph, thus minimizing loss event data and, therefore, risk level
measurements.
For any country in which Session Manager is sold, there might be a need to inform customers about
Session Manager support for governmental regulations. In this case, it is recommended that the sales
engineer or account executive engage an Avaya legal officer, security specialist, or compliance specialist,
who will determine the specific ways in which Session Manager might help the customer comply with
regulations.

Common Criteria
The Common Criteria for Information Technology Security Evaluation (CC) and the companion Common
Methodology for Information Technology Security Evaluation (CEM) are the technical basis for an
international agreement. The Common Criteria Recognition Agreement (CCRA) ensures that:

• Products’ security properties are evaluated by competent and independent licensed laboratories to
determine their assurance.
• Supporting documents that are used within the Common Criteria certification process define how the
criteria and evaluation methods are applied when certifying specific technologies.
• The certification of the security properties of an evaluated product is issued by a number of Certificate
Authorizing Schemes, this certification being based on the result of their evaluation.
• These certificates are recognized by all signatories of the CCRA.

The CC web portal (http://www.commoncriteriaportal.org/index.html) reports the status of the CCRA, the
CC, and the certification schemes, licensed laboratories, certified products and related information, news,
and events.

Denial-of-Service attacks

A Denial-of-Service attack occurs when the attacker attempts to make a particular resource too busy to
answer legitimate requests or to deny legitimate users access to the system. The net effect of DoS
attacks is to shut down a server or an application.
Session Manager is resilient to the DoS attacks listed in the following table without needing to reboot,
restart, or reload. Session Manager can automatically recover to full service after the DoS attack.

Attack type: SYN flood (TCP SYN)
Description: Phony TCP SYN packets from random IP addresses at a rapid rate fill up the
connection queue and deny TCP services to legitimate users.

Attack type: Land and LaTierra
Description: The Land attack combines IP spoofing with opening a TCP connection. It
sends a request to open a TCP connection (SYN flag in the header is on)
but changes the IP address so that both the source and destination IP
addresses are the same as the destination host IP address. When the
destination host receives the packet, it sends a SYN, ACK to itself because
destination and source IP addresses are the same with the same sequence
number. The system expects a different sequence number related to the
SYN, ACK packet from the other host, so it keeps sending the ACK packet
back expecting an updated sequence number. This puts the host into an ACK
loop. The LaTierra attack is similar to the Land attack but sends TCP packets
to multiple ports at once.

Attack type: Smurf / Pong
Description: Large numbers of ICMP echo (PING) messages are sent with the forged
address of the intended victim and Layer 3 devices issue an ICMP reply or
pong. The traffic multiplies based on the number of responding hosts.

Attack type: Fraggle
Description: Like Smurf, Fraggle is a UDP flood that uses an IP broadcast address of the
victim (IP spoofing) that results in an infinite loop of echo and reply
messages.


Attack type: Jolt1 and Jolt 2
Description: The Jolt2 attack raises the CPU utilization to 100%, causing instability in the
system until the Jolt2 attack stops. Most instances of this attack are from
illegally fragmented packets:

• If no port number is passed as an argument, then it sends illegally
fragmented ICMP ECHO (pings) packets to the specified port.
• If a port number is provided, then it sends illegally fragmented UDP packets
to the specified port.

In both cases jolt2 sends a continuous stream of the same fragmented packet in
which:

• The fragment offset is 65520.
• The TTL is set to 255.
• The IP MF flag is set to zero.

These settings cause the IP checksum of the last fragment to equal zero,
which is illegal. Jolt2 then sends 9 bytes of IP data plus the 20-byte IP
header (total of 29 bytes) but sets the total length to 68 bytes. The offset and
the packet length (65520 + 68) exceed the maximum size of an IP datagram
imposed by the 16-bit total packet length field in the IP header (maximum
allowed packet size is 65563 bytes). This packet fails the integrity check and
is discarded right away. However, some systems do not do the integrity check
and continue buffering these fragments. This can utilize 100% of the CPU
and in some cases crash the system.

Attack type: Packet replay attack
Description: Packet replay refers to the recording and re-transmission of message packets
in the network. Packet replay is a significant threat for programs that require
authentication sequences, because an intruder could replay legitimate
authentication sequence messages to gain access to a system. An attacker
can replay the same packet at different rates, and the system attempts
to process the duplicate packets, causing:

• Total resource depletion
• Termination of existing connections
• Chaos and/or confusion in the internal buffers of the running applications
• System failure in some cases

Attack type: Gratuitous ARPs
Description: Most systems send out an Address Resolution Protocol (ARP) request for
their IP address to check for a duplicate IP address on the network. Some
systems update the ARP cache when they receive a gratuitous ARP packet.
The attacker can use the gratuitous ARP request to change the ARP table of
the host router’s MAC address and cause all packets to flow:

• Through the attacker's system.
• With an invalid MAC address for a router or important server.


Attack type: Teardrop, overlap, or fragmented packets
Description: The teardrop and associated attacks exploit the packet reassembly code that
breaks packets into smaller pieces (fragments) based on the network’s
maximum transmission unit (MTU). When reassembled, packets are often
misaligned: the next fragment does not begin where the last fragment
ended but inside the previous fragment memory allocation. This causes
memory allocation failures and the system to fail.

Attack type: PING flood
Description: Because many ping utilities support ICMP echo requests, an attacker can
send a large number of PING requests to overload network links.

Attack type: Finger of death
Description: The attacker sends finger requests to a specific computer every minute but
never disconnects. Failure to end the connection can quickly overload the
server’s process tables. The finger listen port number is 79 (see RFC 742).

Attack type: Chargen packet storm
Description: The attacker can spoof the chargen service port (19) from one service on one
computer to another service on another computer. This type of attack can
cause an infinite loop, loss of performance, or the total shutdown of the
affected network segments.

Attack type: Malformed or oversized packets
Description: Malformed packet attacks try to deny service by causing protocol handlers to
end operation because of the difficulty they have processing odd formations
of a protocol or the packets sent as part of the protocol.
Oversized attacks place data in an order that is out of specifications or create
packets that are larger than the maximum allowed size.

Attack type: OOB nuke
Description: Continuous transmission of out-of-band packets with the TCP URGENT flag
but without subsequent data to the most commonly attacked port (135 -
Netbios Session Service); other ports are also possible targets.

Attack type: SPANK
Description: The target responds to TCP packets sent from a multicast address, causing a
DoS flood on the target’s network.

Attack type: SNMP PROTOS
Description: Utilizing the Protos SNMP tool to test SNMP code, an attacker can generate
thousands of valid SNMP packets with strange and anomalous values that
cause error conditions. For more information, see www.ee.oulu.fi.

Attack type: H.323 / H.225v4 PROTOS
Description: As a subset of the widely deployed H.323 VoIP protocols and standards,
H.225v4 deals with the RAS and call signaling. An attacker can generate
thousands of valid H.225 packets with strange and anomalous values that
cause error conditions. For more information, see www.ee.oulu.fi.

Attack type: SDP and SIP PROTOS
Description: This attack utilizes the Protos SIP testing tool from OULU University to test
SIP code for faulty implementations. The tool generates thousands of valid
SIP packets with strange and anomalous values that cause error conditions in
the implementation of the protocol. For more information, see
www.ee.oulu.fi/research/ouspg/protos/testing/c07/sip/index.html.
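
A defender-side check for three header anomalies described in the table (Land: identical source and destination; Jolt2: fragment offset plus length running past the end of a valid datagram; Teardrop: overlapping fragments), given as an added example that is not part of the Avaya document or of Session Manager. The function names, the sample headers and the documentation-range addresses are constructed for illustration.

```python
import struct
from ipaddress import IPv4Address

MAX_DATAGRAM = 65535  # largest value the 16-bit total-length field can hold

def parse_ipv4(pkt: bytes) -> dict:
    """Decode the fixed 20-byte IPv4 header fields the checks below need."""
    ver_ihl, _, total_len, ident, flags_frag, _, proto, _, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {
        "src": IPv4Address(src), "dst": IPv4Address(dst), "id": ident,
        "proto": proto, "mf": bool(flags_frag & 0x2000),
        "start": (flags_frag & 0x1FFF) * 8,   # fragment offset in bytes
        "payload": max(total_len - ihl, 0), "ihl": ihl,
    }

def check_stream(packets):
    """Return (index, finding) pairs: 'land', 'oversized' or 'overlap'."""
    findings, seen = [], {}   # seen: datagram key -> (start, end) byte ranges
    for i, raw in enumerate(packets):
        h = parse_ipv4(raw)
        if h["src"] == h["dst"]:               # Land: packet addressed to itself
            findings.append((i, "land"))
        end = h["start"] + h["payload"]
        if h["ihl"] + end > MAX_DATAGRAM:      # Jolt2-style: ends past 65535
            findings.append((i, "oversized"))
        if h["mf"] or h["start"]:              # this packet is a fragment
            key = (h["src"], h["dst"], h["id"], h["proto"])
            ranges = seen.setdefault(key, [])
            if any(h["start"] < e and s < end for s, e in ranges):
                findings.append((i, "overlap"))  # Teardrop-style misalignment
            ranges.append((h["start"], end))
    return findings

def build(src, dst, ident, frag_word, total_len):
    """Constructed sample header (checksum left 0; the checks do not use it)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, ident, frag_word,
                       64, 17, 0, IPv4Address(src).packed, IPv4Address(dst).packed)

SAMPLES = [  # constructed headers, documentation address ranges only
    build("192.0.2.10", "198.51.100.5", 1, 0x0000, 60),    # ordinary packet
    build("198.51.100.5", "198.51.100.5", 2, 0x0000, 40),  # source == destination
    build("192.0.2.10", "198.51.100.5", 3, 0x1FFE, 68),    # offset 65520, length 68
    build("192.0.2.10", "198.51.100.5", 4, 0x2000, 56),    # bytes 0-36, MF set
    build("192.0.2.10", "198.51.100.5", 4, 0x0003, 44),    # bytes 24-48, overlaps
]
```

Running `check_stream(SAMPLES)` flags the second, third and fifth headers; a filter applying the same tests would drop those packets before reassembly buffers them.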
