
Securing Business Communications Applications In


IP Telephony Contact Centers Mobility Services

WHITE PAPER

Securing Business Communications Applications in Converged Networks - Best Practices

July 2005

avaya.com

Table of Contents

Introduction
Security Starts With Planning
The Avaya Trusted Communications Framework
Implementation and Operational Security
Managing Security
The Avaya Enterprise Service Platform
Self-Management
Conclusions

Trademark Information: All brand, product and company names are the trademarks or registered trademarks of their respective companies. The Extreme Networks logo is a trademark of Extreme Networks. HP is a trademark of Hewlett-Packard Company. Juniper Networks is registered in the U.S. Patent and Trademark Office and in other countries as a trademark of Juniper Networks, Inc. Polycom is a registered trademark of Polycom, Inc. in the U.S. and other countries. Linux® is a registered trademark of Linus Torvalds. CERT Coordination Center is a trademark or registered trademark of Carnegie Mellon; Software Engineering Institute in the United States and/or other countries. The SANS (SysAdmin, Audit, Network, Security) Institute was established in 1989 as a cooperative research and education organization.
Microsoft, Windows, Windows Server 2003, Microsoft SQL Server, Microsoft Outlook are trademarks or registered trademarks of Microsoft Corporation in the United States and/or other countries. Red Hat® is a registered trademark of Red Hat Software, Inc. Red Cent Corporation is the sole owner of the information collected on RedCent.net. UNIRAS is a member of the Forum of Incident Response and Security Teams (FIRST) and has contacts with other international Incident Response Teams (IRTs) in order to foster cooperation and coordination in incident prevention, to prompt rapid reaction to incidents, and to promote information sharing amongst its members and the community at large. VulnWatch is a computer security vulnerability disclosure mailing list. SecurityFocus, DeepSight, Analyzer, Extractor, and Bugtraq are trademarks of SecurityFocus. Cisco®, Cisco Systems®, Cisco IOS®, and IOS® are registered trademarks of Cisco Systems, Inc. or its affiliates in the U.S. or certain other countries. Sun, Sun Microsystems, the Sun Logo, iForce, Solaris, and the Java logo are trademarks or registered trademarks of Sun Microsystems, Inc. in the United States and other countries. SCO UNIX is a trademark of The Santa Cruz Operation, Inc. SSH is a trademark or registered trademark of SSH Communication Security in the United States and/or other countries. VeriSign, the VeriSign logo and other trademarks, service marks, and designs are registered or unregistered trademarks of VeriSign and its subsidiaries in the United States and in foreign countries. Network Associates, McAfee, SpamKiller, powered by SpamAssassin, WebShield, ePolicy Orchestrator, and PrimeSupport, are registered trademarks or trademarks of Network Associates, Inc. and/or its affiliates in the US and/or other countries. SecureLogix, SecureLogix Corporation, and the SecureLogix Diamond Emblems are trademarks or registered trademarks of SecureLogix Corporation in the U.S.A. and other countries. 
All other products or services mentioned in this document are identified by the trademarks, service marks, or product names as designated by the companies who market those products. Inquiries concerning such trademarks should be made directly to those companies.

Introduction

The need for increased security within the business environment has been steadily increasing over the last decade. Spurred on by the growth of the Internet and its use for business transactions, efficient networking between businesses, their customers, partners, and suppliers has become a requirement for business success. Yet as businesses have opened up their networks to communicate, they have also opened up opportunities for security breaches including unauthorized access, disclosure of proprietary information, and malicious attacks on their networks, networked devices, and applications. With widely publicized security breakdowns, government regulatory actions have been imposed including Sarbanes-Oxley, Gramm-Leach-Bliley, HIPAA, the USA Patriot Act and Basel II for Europe, all of which have instituted strict requirements for privacy protection and security measures that have significant penalties for non-compliance.

The need to secure communications among an ever widening group of constituencies has jump-started a transformation in the underlying communications technology, applications and associated processes. The migration to converged networks and IP telephony applications running on converged networks offers tremendous advantages in terms of cost, flexibility and new application capabilities. However, converged networks and applications introduce new security challenges that must be addressed in order to reap their advantages without leaving businesses open to new liabilities. New business communications applications are being integrated with core business processes, and any risk to their availability threatens the operations of the business.
For this reason business continuity must also be factored into the integrated effort to secure a business’s converged environment.

Fortunately for enterprise technology planners and managers, there is an emerging set of best practices that can be used to achieve required levels of security and privacy protection. While there is no one silver bullet for securing an enterprise communication environment, there are a number of necessary steps that have been documented by various security experts.¹ These steps include:

• Effective planning for multi-layered security (i.e. defense in depth) to meet business and regulatory requirements
• Deployment of a robust security architecture and “best-of-breed” solution components
• Secure implementation processes and maintaining operational security practices
• Managing security through proactive monitoring, event management, remediation and follow-up actions

The focus of this white paper will be on exploring the details of emerging best practices and how Avaya supports these best practices for securing your communications environment.

Security Starts With Planning

Realization of a secure and continuous communications environment begins with an effective plan for security and business continuity policies and practices specific to the business. Careful consideration must be given to the enterprise’s current business model and objectives, its industry regulatory requirements, and its current security posture. Financial and healthcare enterprises, for example, must conform to specific regulatory requirements that deal with the protection of customer and patient information that goes beyond the requirements for other industry verticals. Additionally, constituencies within the enterprise must buy in to any security system since security and business continuity investments and practices require both capital and human resources.

COMMUNICATIONS AT THE HEART OF BUSINESS

Security planning for converged business communications applications requires a combination of skills and expertise that have not co-existed in the past. When voice and data networks and applications were isolated from each other, different security priorities existed. Voice applications running on dedicated networks were not subject to eavesdropping or malicious hacking into administrative controls. With voice applications now running on converged data network infrastructures, these applications are subject to all of the security dangers associated with data networks. Special consideration also must be paid to IP telephony applications availability, since their real-time communication requirements and their integration with critical business processes require even higher availability rates than traditional mission critical data applications. Security-related remediation approaches must not compromise their availability.

Organizations face new security concerns in a converged network since each application and device on that converged network represents a potential vector for malicious attacks. Protecting the traditional data network is only part of the solution. The concerns are not new, but attacks can occur through security gaps brought about by the convergence of two formerly separate networks. Denial of Service, eavesdropping, invasion of privacy through signal protocol tampering, identity spoofing, and toll fraud are just some of the most significant concerns in a Voice over IP environment.

Converged networks require converged security that expands traditional data security policies and procedures to protect the privacy of all network information, including IP telephony traffic. Also, traditional data security practices can impact IP telephony voice quality if not engineered correctly.
So, a converged network must be designed to comply with IT security policies while not impeding the performance of critical network applications.

Converged security from Avaya starts with a vulnerability assessment to identify network and policy gaps that can be exploited by an attacker. Avaya then provides security policy development consulting which assists the IT organization in defining the procedures, responsibilities, controls and security measures required to protect assets in a converged environment. Avaya brings expertise to the complex task of designing a secure information infrastructure and ensures that the security measures defined in a policy are designed into the security framework.

The combination of converged security policies and security assessments creates a foundation that enables enterprises to plan, implement, and manage the comprehensive architecture and controls needed for protection in a converged network. This ensures secure and continuous communications, while improving Quality of Service (QoS), and the ability to maintain and monitor multi-vendor, converged networks and applications. It also provides the framework and capabilities to allow businesses to comply with security and privacy regulations.

Avaya also delivers business continuity consulting by providing the analysis, planning and procedures necessary to increase network availability while avoiding network outages and reducing the time to recover should man-made or natural disaster related outages occur. These services cover a complete range of risk evaluation, risk reduction and ongoing support that help businesses identify vulnerabilities, lower risk, and increase control so that vital communications and critical operations can continue under virtually any circumstance.

The Avaya Trusted Communications Framework

One of the results of security and business planning is to develop and adopt an appropriate communications architecture that can deliver a systematic approach to secure and continuous communications. A systematic approach helps ensure that the best practices of creating security in depth are applied across all dimensions of enterprise communications including:

• Secure infrastructure elements
• Secure access, authentication and authorization
• Secure applications
• Survivability and failover

A comprehensive, secure and continuous communications architecture that can effectively incorporate best security practices is best implemented through an open systems approach, which allows the integration of best-of-breed solutions available from a wide array of solution providers in the marketplace. A careful balance should be established between the selected architecture and leading modular solutions components. This balance avoids single vendor lock-in based upon proprietary approaches to both architecture and solutions components. While single vendor implementations might at first appear attractive, their value will often prove to be short lived as the market produces improvements that a single vendor, no matter how large, cannot match.

For lowering risk, Avaya provides a pervasive, multi-layer Trusted Communications Framework that encompasses services, access, applications, infrastructure, and management in the design and migration of multi-vendor communications networks. The Avaya framework is based on an open standards and interoperability model that can offer an attractive starting point for businesses seeking a blueprint for their secure and continuous communications architectures. It is built on the best practices of security in depth by creating multiple layers of security that are distributed throughout the communications environment.
This Trusted Communications Framework is also based on a fundamental assumption that security must be built in to each solution component rather than added on after the fact. Executing on this premise, Avaya has built security and failover capabilities in its communications products and applications and has adopted a partnering approach with leading infrastructure and applications providers that share this design priority.

Figure 1. Avaya Trusted Communications Framework

Working with strategic partners including Extreme Networks, HP, Juniper Networks and Polycom, Avaya is supporting an interoperable and multi-vendor approach to business communications applications and the data networks they run on. Avaya has also announced a strategic development agreement with Juniper Networks to jointly develop and deliver secure converged communications solutions. These solutions tightly integrate Avaya business communication applications with Juniper Networks’ routing and security technology that have been recently bolstered by their acquisition of the enterprise security capabilities of Kagoor (i.e. session border control and VoIP telephony enabled firewalls) and Netscreen (i.e., firewall, intrusion detection systems, anti-virus and Deep Packet Inspection (DPI)).

Avaya is also pursuing an open and industry sponsored approach to improving IP telephony by co-founding the VoIP Security Alliance (VOIPSA). VOIPSA was created in early 2005 with the goals of rallying vendors, telecom providers and researchers to improve VoIP security by formalizing testing practices, making more security tools available, and sharing security best practices.
Avaya has committed its resources to VOIPSA by becoming a member of VOIPSA’s Technical Advisory Board.²

Avaya has concentrated some of its own development resources on building secure and continuous capabilities into its suite of “best-of-breed” business communications applications including Avaya MultiVantage™ Communications Applications, Avaya Modular Messaging and Avaya Interaction Center. In order to help prevent confidential information from leaking into a competitor’s hands, Avaya pioneered media encryption technology by delivering Avaya Media Encryption (AEA). This algorithm minimizes performance impact to existing equipment while substantially increasing the level of privacy. As technology advanced and hardware performance increased in power, AEA was implemented as a standards-based media encryption algorithm.

One of the greatest ongoing threats to converged communications has been the increasing severity of viruses. Avaya has addressed the threat of viruses through a number of different approaches within the Trusted Communications Architecture. Many Avaya products mitigate the risk of viruses by shipping with a hardened LINUX operating system that removes all unnecessary attachments even before the virus has a chance to infect the server and spread through the network infrastructure. To mitigate the risk of worms or Trojan horses, the majority of non-essential LINUX services are removed. This eliminates the vulnerability by removing exposed elements of LINUX that can be used to launch a potentially destructive worm and bring down a network.

Avaya has built a number of secure and continuous capabilities into its applications.
Examples include:

Access Security (Identity • Authentication • Directories)
• User authentication, single sign-on support, non-repudiation
• Endpoint media encryption, VPN clients for PDA and desktops
• Standards: LDAP, RADIUS; Future: XACML, SAML

Application Security (Security Policy • Roles • Privacy Hardened Architecture)
• E911, malicious call trace, multi-level pre-emption (MLPP), crisis alerts
• Class of restrictions, sophisticated dial and calling plans
• Media encryption, backup data encryption, password management
• Applications role-based access, speech self service, secure customer contact
• Broadcast/alert messaging, enabling a mobile and virtual work force

Infrastructure Security (Services • Gateways • Network • Wireless)
• Hardened Linux OS, intrusion detection, network isolation, system alerts
• VPN, Firewall, DoS protection, network device authentication
• Standards: IPSec, IKE, RSA, TLS, 802.1X, H.323, H.235

The Trusted Communications Framework delivers a dynamic blueprint for building a secure and continuous communications environment. The Avaya commitment to open standards and interoperability enables enterprise planners to effectively map out their business specific security architecture with the freedom to insert best-of-breed applications into the converged communications environment. Avaya also delivers strong built-in security and resiliency capabilities to all of the components of the architecture that it provides to its customers.

Implementation and Operational Security

Building on thoughtful planning and systematic, secure, and continuous architecture, care must be taken to effectively implement, deploy, and operate the security systems, processes and practices within the enterprise communications environment. Security planning and architectural design will yield no payoff without effective execution of the security processes and plans.
Given the complexity involved in converged communications networks and applications, enterprise IT organizations often need expert help in implementation. Avaya offers extensive implementation support services through its own Global Services organization and its network of Authorized BusinessPartners to project manage and fully implement security solutions for a business’s communications environment. Following best-practice procedures and processes, Avaya and its partners are prepared to support customers with critical security deployment functions.

Avaya monitors various groups for reported security vulnerabilities including: CERT, SANS, Microsoft, Red Hat, RedCent, FIRST, HP, VulnWatch, SecurityFocus – Bugtraq, Cisco, UNIRAS, Sun, SCO. If it is found that any product can be potentially impacted by any published advisories, Avaya communicates how the product might be affected (oftentimes Avaya products are not vulnerable due to the removal of many of the common LINUX services) and the recommended mitigation plan if one exists.³

An important step in the deployment of a converged communications network is securing, or hardening, of the applications. Avaya Communications System Security delivers the expertise needed to assist customers with assuring that all possible measures have been taken to secure their Avaya systems and applications from security threats that can compromise information and system integrity. Relying on Avaya Global Services for this implementation provides a security proof point for internal IT security audits and helps achieve legislative or industry regulatory requirements.
Security hardening solutions address security concerns in the following areas:

• System Access Controls: Provide password management, account management, user/group access level, file permissions and administration
• Application Controls: Implement recommended security controls that are available at the application layer for a given application solution type
• Operating System: Mitigate vulnerabilities and apply appropriate security configuration and/or apply Operating System specific security patches
• Network Services: Disable network daemon services that may potentially pose security risks to a system resource

Avaya also provides a support service designed to prevent toll fraud within IP telephony systems utilizing Avaya Communication Manager Software. This service provides comprehensive documentation on how to set up the system, provides security alerts and monitors toll fraud attacks. Avaya also provides the option to have Avaya Global Services institute an IP telephony system security lock-down against toll fraud and information loss as well as to indemnify customers against any experienced toll fraud losses.

An important consideration for maintaining security in a converged business communications environment is securing against unauthorized access to the network and network-based applications through external communications connections designed to facilitate maintenance and repair operations. Traditional modem connections to network and applications systems designed for maintenance have increasingly been viewed as potential security vulnerability gaps into the enterprise communications environment. To safeguard converged environments, enterprise planners must look to more secure access methods. Avaya has addressed this potential security concern by introducing the Secure Access and Control Service, an enhancement to Avaya Maintenance.
Secure Access and Control provides a secure and auditable path between Avaya and customers’ sites that supports remote delivery of services. This software-based service connects to a customer’s network via a secure VPN and eliminates reliance upon modems and the Public Switched Telephone Network. By creating a single point of inbound and outbound access to customers’ networks, Secure Access and Control enables strong authentication and authorization to be enforced at that central access point and a detailed activity log of all system access to be maintained.

Built upon the Secure Services Delivery Platform and the Secure Services Gateway, Secure Access and Control provides centralized security and a detailed audit trail of Avaya access to customer equipment located on customer networks by Avaya personnel and Avaya EXPERT Systems℠ Diagnostic Tools. Secure Access and Control does not change the remote services themselves but rather adds security and control to the delivery of those services.

Secure Access and Control has the following key benefits:

• Provides secure and standards-based converged network access for remote maintenance and management services.
• Satisfies corporate security policy requirements to eliminate alternate access mechanisms (i.e., modems) on LAN-attached equipment.
• Helps meet regulatory requirements that mandate an audit trail for all transactions.
• Eliminates direct connectivity to equipment by modem and traditional telephony services resulting in decreased hardware, Telco, long distance costs.
• Provides single point of alarm consolidation and inbound/outbound access to the corporate network.
• Delivers real-time centralized control of authentication, authorization and audit trail to reduce potential for unauthorized access.
• Provides customer self-service maintenance portal with access to audit trail information and reports.
• Establishes customer control of network and device access.
• Utilizes a standards-based approach that enables secure maintenance access for multi-vendor services support.

Figure 2. Avaya Secure Access and Control (diagram labels: Avaya DMZ; Customer DMZ; Customer AAA Service; NMS; Customer’s Site; User Authentication & Authorization; Avaya SSDP Platform; Avaya technician; Delegated Admin and User Interface; Customer technician; Device Access Policy Service; Secure IP-VPN tunnel; Logging, Reporting and Auditing; SSH or Telnet; SSG; Encrypted Channel; PBX; Alarms; Technician Access)

Managing Security

Effective secure and continuous communications requires continuous vigilance and security management. Security management completes the best practices requirement for a systematic approach that starts with planning, then develops and deploys a comprehensive architecture and appropriate security solutions. Security management provides the ongoing monitoring, root cause analysis, remediation, and change management for the ongoing operation of the enterprise’s security functions across the converged infrastructure.

The Avaya approach is based upon providing managed security within the context of its Remote Management Service for IP Telephony (RMS-IPT) service. RMS-IPT provides remote 24 x 7 security monitoring and network boundary protection for the Avaya S8700 Media Servers and Gateways. This service addresses many areas of vulnerability internally and externally, including the management, application and asset layers.

The process starts with a security review that examines the documented IP telephony architecture and associated security policy by an Avaya security consultant. The review evaluates whether the necessary security measures have been properly designed into the architecture of the communications network that is to be monitored or managed.
The review will also look at the associated security policy to determine if there are any gaps between the defined policies and how they are architected into the design of the IPT solution. This analysis provides recommendations to mitigate risks and identifies any potential issues with alarm processing that include:

• Policy changes
• Topology changes
• Equipment re-configurations
• Additional security applications/appliances when applicable
• Additional Avaya services when applicable

Avaya Media Servers are equipped with 24x7 intrusion detection monitoring capabilities to identify security events, which are captured, analyzed and correlated in real time. Security monitoring and remediation covers 12 security-related events/alarms generated by the S8X00 Media Servers. Avaya uses four separate and unrelated systems to generate these security alarms. It collects and parses a subset of syslog messages derived from internal tracking systems to monitor:

• Changes to key system files
• Removal or movement of key system files
• Unusual or abnormal usage of key system files
• Alteration of audit files (often changed by hackers)
• Addition or removal of users and/or groups
• SSH, TFTP, and TELNET logins
• Failed logins
• A subset of network attacks

Additionally, as part of the monitoring process, Avaya determines and logs the reasons for failed logins, as well as the offending IP addresses. Event notification and management based upon detection of security alarms is also provided. Avaya initiates a client-specific escalation procedure upon detection of a problem and then works quickly to identify the source of the security alarm.

The Avaya Enterprise Service Platform

Remote Managed Services for IP Telephony utilizes the Avaya Enterprise Service Platform (ESP) in providing a complete remote managed service.
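
The syslog-based monitoring described under Managing Security (logins, failed logins with their reason and offending IP address, user and group changes) can be illustrated with a small parser. This is an added example, not Avaya's code: the log lines are constructed on the model of common Linux syslog formats, and the host name, user names, function names and alarm threshold are assumptions.

```python
import re
from collections import Counter, defaultdict

# Constructed sample input modelled on common Linux syslog formats
# (OpenSSH sshd, login(1) as used for TELNET sessions, useradd, groupdel).
# The host name "ms1" and all user names are made up for this example.
SAMPLE_LOG = """\
Jul 12 03:14:07 ms1 sshd[2211]: Failed password for invalid user admin from 203.0.113.45 port 40112 ssh2
Jul 12 03:14:09 ms1 sshd[2211]: Failed password for invalid user test from 203.0.113.45 port 40113 ssh2
Jul 12 03:14:12 ms1 sshd[2213]: Failed password for jdoe from 203.0.113.45 port 40115 ssh2
Jul 12 08:01:33 ms1 sshd[3020]: Accepted password for jdoe from 192.0.2.10 port 51544 ssh2
Jul 12 08:05:10 ms1 login[3102]: FAILED LOGIN 1 FROM 198.51.100.7 FOR root, Authentication failure
Jul 12 08:20:41 ms1 useradd[3155]: new user: name=svc_tmp, UID=1007, GID=1007, home=/home/svc_tmp, shell=/bin/bash
Jul 12 08:21:02 ms1 groupdel[3160]: group 'auditors' removed
Jul 12 09:00:00 ms1 crond[3300]: (root) CMD (run-parts /etc/cron.hourly)
"""

# Classic syslog header: timestamp, host, program[pid]: message
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s(?P<host>\S+)\s"
    r"(?P<prog>[\w./-]+)(?:\[\d+\])?:\s(?P<msg>.*)$"
)

# (event category, logging program, message pattern)
RULES = [
    ("failed_login", "sshd", re.compile(
        r"Failed (?P<method>\w+) for (?P<invalid>invalid user )?"
        r"(?P<user>\S+) from (?P<ip>\S+)")),
    ("failed_login", "login", re.compile(
        r"FAILED LOGIN \d+ FROM (?P<ip>\S+) FOR (?P<user>[^,]+), (?P<reason>.+)")),
    ("login", "sshd", re.compile(
        r"Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<ip>\S+)")),
    ("account_change", "useradd", re.compile(
        r"new (?P<kind>user|group): name=(?P<name>[^,]+)")),
    ("account_change", "groupdel", re.compile(
        r"(?P<kind>group) '(?P<name>[^']+)' removed")),
]


def classify(line):
    """Return a security event dict for one syslog line, or None if irrelevant."""
    m = LINE_RE.match(line)
    if not m:
        return None
    for category, program, pattern in RULES:
        if m["prog"] != program:
            continue
        hit = pattern.search(m["msg"])
        if not hit:
            continue
        event = {"time": m["ts"], "host": m["host"],
                 "category": category, "service": program}
        event.update({k: v for k, v in hit.groupdict().items() if v})
        # sshd does not spell out a reason, so derive one from the message shape.
        if category == "failed_login" and "reason" not in event:
            event["reason"] = ("unknown account" if "invalid" in event
                               else "bad " + event["method"])
        return event
    return None


def parse_events(text):
    """Keep only the monitored subset of messages, as the paper describes."""
    return [e for e in map(classify, text.splitlines()) if e]


def failed_by_source(events):
    """Group failed logins by offending IP address, with reasons and users."""
    summary = defaultdict(lambda: {"count": 0, "reasons": Counter(), "users": set()})
    for e in events:
        if e["category"] == "failed_login":
            entry = summary[e["ip"]]
            entry["count"] += 1
            entry["reasons"][e["reason"]] += 1
            entry["users"].add(e["user"])
    return dict(summary)


def raise_alarms(events, threshold=3):
    """Alarm on repeated failures per source and on every account change."""
    alarms = []
    for ip, entry in sorted(failed_by_source(events).items()):
        if entry["count"] >= threshold:
            reasons = ", ".join(f"{r} x{n}" for r, n in entry["reasons"].most_common())
            alarms.append(f"{entry['count']} failed logins from {ip} ({reasons})")
    for e in events:
        if e["category"] == "account_change":
            alarms.append(f"{e['time']} {e['host']}: {e['service']} changed {e['kind']} {e['name']}")
    return alarms


if __name__ == "__main__":
    for alarm in raise_alarms(parse_events(SAMPLE_LOG)):
        print("ALARM:", alarm)
```

Lines that match no rule, such as the cron entry, are dropped, which mirrors the paper's point that only a subset of syslog messages feeds the security alarms.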

The Secure Intelligent Gateway (SIG) is at the core of the ESP and is deployed to customer sites in order to provide secure remote management of network and telephony equipment. The SIG runs on a hardened Red Hat 2.1 Enterprise Server with all unused packages removed by Avaya security experts. In addition, Transmission Control Protocol (TCP) Wrappers and iptables have been incorporated into the build to restrict the type of traffic allowed to connect to the SIG as well as to restrict the flows of traffic through the SIG. Management protocols such as http, https, ftp, telnet, ssh, snmp, syslog, and ping will only be allowed from the SIG to the customer environment. These access controls can be tailored to each customer environment to restrict data to and from specific hosts on the customer network.

Additionally, Avaya utilizes Tripwire on the SIG to monitor key system files for change, modification, deletion, or abnormal usage. When Tripwire detects an issue, it generates an alarm that is immediately sent to the Network Operations Center for investigation. Avaya security professionals have performed numerous scans of the SIG using multiple industry-recognized scanning tools including Nessus and NMAP. Each vulnerability revealed was thoroughly investigated and addressed in order to ensure a hardened solution.

Avaya will provide additional security measures in the form of two-factor authentication and VPN technologies. A Netscreen integrated firewall/VPN appliance will be deployed with each SIG to provide a secure VPN with a minimum of 3DES encryption between the Avaya Network Operation Center and the SIG located on the customer premises. This appliance is deployed to secure the Avaya management traffic. It is expected that the customer will have a separate firewall in place to provide security for all other traffic entering the corporate network. Avaya will also ensure two-factor authentication to the SIG from the Network Operation Center.
Each associate is authenticated using usernames, passwords and one-time passwords before they can access the servers in the ESP Data Centers. Once an associate is granted access to the Data Center servers, the same credentials are required to gain access to a SIG.

Figure 3. Avaya Remote Security Monitoring Services

Avaya also offers Managed Security Services for Voice, which provides remote, 24x7 security monitoring and network boundary protection for multi-vendor TDM voice networks and the TDM portions of hybrid converged networks, systems and applications – effectively providing “firewall” protection for voice networks. It addresses all areas of vulnerability internally and externally, at the perimeter, management and asset layers. Managed Security Services for Voice contains the following elements:

• Telecommunications firewall based upon the SecureLogix ETM Platform.
• 24/7 telecommunications firewall monitoring.
• Security event reporting in accordance with the implemented security policy.
• Patch management of the customers’ telecommunications firewalls.
• Security policy informational reports that help customers make intelligent decisions to improve security.
• Security policy management to provide on-going support of the telecommunications firewall policy.

For those Avaya customers looking for security management for their data infrastructure, Avaya offers Managed Security Service for Data Networks. Managed Security Service for Data Networks provides remote, 24X7 security monitoring and network boundary protection for multi-vendor networks, systems and applications. Partnering with VeriSign, the service addresses all areas of vulnerability internally and externally at the perimeter, management and asset layers. Avaya Managed Security Services for Data Networks contains the following service elements:

• Management of the customer’s firewall to protect against external intrusion.
• Managed intrusion detection and notification of security attacks detected and blocked in the customer’s IDS system.
• Managed anti-virus protection and desktop firewall to protect the customers’ computers against viruses. Avaya updates the anti-virus software across all the desktops, and provides security notifications.
• Security Defense Appliance (SDA) to deliver vulnerability scanning and intrusion detection through a fault-tolerant communications and management device between the client site and the Security Operations Center (SOC).
• Security Operations Centers (SOC) provide 24/7 monitoring.

Managed Services offerings provide an abundant level of customer choices that incorporate the full range of security best practices. Avaya delivers on its commitments to building its platforms and services based on open standards and interoperability, which permits the incorporation of best-of-breed security solutions like those provided by Juniper Networks, VeriSign, McAfee and SecureLogix.

Self-Management

For customers looking to maintain a self-managed network, Avaya Integrated Management provides a complete solution for system administration, network management, and provisioning of converged networks – including both voice and data communications. For security, user authentication is supported in order to access Integrated Management applications, and custom roles and access rights can be defined for multiple different administrator group levels.

Secure Access Administration provides a centralized console for defining management users and assigning their privileges to network management applications and device configuration applications for access to Avaya branch office gateways and converged infrastructure switches.
It can also be used to enable or disable login authentication to the Network Management Console, which is the central launching point for Avaya administration tools, device managers and network management applications. With Secure Access Administration, user lists can be defined and deployed to multiple devices in parallel, eliminating error-prone device-by-device configuration. Secure Access Administration also supplies an internal API to network management applications for authenticating Avaya devices and gateways using Secure Shell (SSH) public keys.

Avaya Multi-site Administration is a server-based application designed to help network administration teams centrally manage large, complex voice networks consisting of multiple Avaya media servers and gateways. Graphical station and administration screens combined with wizards enable system administrators to rapidly learn and perform tasks that were previously difficult and time-consuming. To help global support organizations control access, up to 13 custom management privilege levels can be defined to map groups of administrators and their defined access rights to groups of voice systems. For additional security, an advanced logging feature provides management with transaction records of each administrator. Another application, Fault and Performance Manager, provides network management with a report on detected security violations.

Conclusions

As enterprise networks migrate to converged and integrated architectures in order to achieve new business flexibility and efficiencies, enterprise IT planners are discovering an increased need to ramp up security considerations. Security must be planned for and built into converged communications networks and applications to achieve their design objectives.

Fortunately for enterprise technology planners and managers, there is an emerging set of best practices that can be utilized to achieve required levels of security and privacy protection.
While securing an enterprise communication environment requires ongoing vigilance, there are a number of fundamental steps that must be taken to achieve acceptable levels of security within the enterprise environment. These steps include:

• Effective planning for multi-layered security (i.e. defense in depth) that meets business and regulatory requirements
• Deployment of a robust security architecture and “best-of-breed” solution components
• Secure implementation process and maintaining operational security practices
• Managing security through active monitoring, event management, restoration and follow up actions

Avaya is a global leader in designing, implementing and managing secure converged business communications applications. The Avaya Trusted Communications Framework lays out a systematic approach to achieving best practices for secure communications within converged networks. The Avaya commitment to open standards and effective interoperability with other industry players is helping to build more robust security capabilities for its enterprise customers. Avaya can help your business achieve its security objectives as you migrate to converged communications.

For more information on how Avaya can take your enterprise from where it is to where it needs to be, contact your Avaya Client Executive or Authorized Avaya BusinessPartner, or visit us at www.avaya.com.

Footnotes

1. For more on security best practices for a converged communications environment see Jim Metzler, “Best Security Practices for Converged Environment” (www.avaya.com), and National Institute of Standards and Technology, “Security Consideration for Voice over IP Systems”, January 2005.
2. For more information on VOIPSA see www.voipsa.org.
3. Avaya has an active organization which tracks security advisories and the susceptibility of products to vulnerabilities described in those advisories.
This organization coordinates advisories which are generated in response to those advisories issued by vendors who supply operating systems or software components to Avaya. To sign up for advisory notification, go to http://support.avaya.com and select “My e-Notifications.” For more detail on Avaya tracking policies and practices, please see the following documents also located on http://support.avaya.com:

• Avaya Product Security Vulnerability Response Policy
• Avaya Security Vulnerability Classification Policy

About Avaya

Avaya enables businesses to achieve superior results by designing, building and managing their communications infrastructure and solutions. For over one million businesses worldwide, including more than 90 percent of the FORTUNE 500®, Avaya’s embedded solutions help businesses enhance value, improve productivity and create competitive advantage by allowing people to be more productive and create more intelligent processes that satisfy customers.

For businesses large and small, Avaya is a world leader in secure, reliable IP telephony systems, communications applications and full life-cycle services. Driving the convergence of embedded voice and data communications with business applications, Avaya is distinguished by its combination of comprehensive, world-class products and services. Avaya helps customers across the globe leverage existing and new networks to achieve superior business results.

COMMUNICATIONS AT THE HEART OF BUSINESS

avaya.com

© 2005 Avaya Inc. All Rights Reserved. Avaya and the Avaya Logo are trademarks of Avaya Inc. and may be registered in certain jurisdictions. All trademarks identified by the ®, SM or TM are registered trademarks, service marks or trademarks, respectively, of Avaya Inc., with the exception of FORTUNE 500 which is a registered trademark of Time Inc. All other trademarks are the property of their respective owners. Printed in the U.S.A. 07/05 • MIS2753