User manual
21/1551-ASP 113 01 Uen N2 2014-01-28 107
10 Security
Corporate Chief Information Officers (CIOs), IT administrators, and
users are paying increasing attention to the security aspects of an IP
telephony infrastructure. Voice over IP traffic (both signaling and
media) must be protected from a number of attacks, for example,
eavesdropping on media streams, toll fraud, and signaling modification.
For this reason, it is necessary to protect both the VoIP signaling
messages and the media streams.
The following security measures are supported in MX-ONE Telephony
System:
• Secure RTP (SRTP) to protect media streams
MX-ONE supports the use of SRTP for media encryption in the IP
phones and MGU and IPLU based gateways.
• Transport Layer Security (TLS) to protect signaling messages
TLS guarantees the privacy of the signaling when the SRTP keys are
exchanged between the parties.
• Support for a number of flexible security policies, in order to support
environments with different security requirements
The main principle of the security policy is that it determines whether
an extension is allowed to register to the system or not. Once the
extension is registered, calls to any other party are allowed from a
security perspective.
SIP terminals have to authenticate themselves using HTTP digest
authentication. If a PIN code is assigned to the user, authentication
is also performed together with SIP requests such as INVITE. IPsec can
be used to protect the communication between MX-ONE servers.
The MX-ONE servers run on operating systems that have been
hardened to resist the most common network attacks. Known vulnerable
services are shut down and file integrity is checked periodically.
Additionally, customers are recommended to implement security policies
that cover patch management and antivirus software updates. It is
recommended to use some type of antivirus software and to have automatic
updates of the security patches activated. To overcome the VLAN
separation, server farms should be protected by firewalls and Intrusion
Detection Systems (IDS) that are able to block attacks.
All management interfaces towards MX-ONE servers can be run over
secure protocols, such as SSH and HTTPS. Management operations
and access to such interfaces are logged to have maximum control.
Users and administrators always have to authenticate themselves
before being able to access the system. Additionally, an access control










