Application Note

ManualsBrandsAvaya ManualsTelephoneAvaya 4600 Series IP Telephones

Avaya Solution & Interoperability Test Lab

Application Notes for Mirage Networks CounterPoint in an

Avaya IP Telephony Infrastructure – Issue 1.0

Abstract

These Application Notes describe a configuration where the Mirage Networks CounterPoint

network access control appliance protects the subnets where an Avaya Media Server, an Avaya

Media Gateway, and Avaya IP Telephones reside against rapidly propagating threats. During

compliance testing, the CounterPoint detected basic ping and port scans that often precede

threats on the protected subnets, and mitigated basic Denial of Service (DoS) attacks.

Information in these Application Notes has been obtained through compliance testing and

additional technical discussions. Testing was conducted via the DeveloperConnection

Program at the Avaya Solution and Interoperability Test Lab.

RL; Reviewed:

SPOC 9/23/2005

Solution & Interoperability Test Lab Application Notes

1 of 17

MirageCP.doc

Summary of content (17 pages)

PAGE 1
Avaya Solution & Interoperability Test Lab Application Notes for Mirage Networks CounterPoint in an Avaya IP Telephony Infrastructure – Issue 1.0 Abstract These Application Notes describe a configuration where the Mirage Networks CounterPoint network access control appliance protects the subnets where an Avaya Media Server, an Avaya Media Gateway, and Avaya IP Telephones reside against rapidly propagating threats.
PAGE 2
1. Introduction These Application Notes describe a configuration where the Mirage Networks CounterPoint appliance is deployed in an Avaya IP telephony infrastructure. CounterPoint is a network access control appliance that is designed to protect the internal corporate network against rapidly propagating threats that originate inside the network. CounterPoint operates within the network interior, and is complementary to perimeter security solutions.
PAGE 3
COM PACT COM PACT Avaya S8710 Media Server Avaya G650 Media Gateway VLAN 100: 192.45.100.0/24 Avaya P333T-PWR Power over Ethernet Stackable Switch Port 1/24 VLAN 100 802.1q Trunk VLAN Mirror Port 0/22 (VLANs 53, 100) Port 0/23 Catalyst 3560 1 VLAN 51: 192.45.51.
PAGE 4
2. Equipment and Software Validated The following equipment and software/firmware were used for the sample configuration provided: Equipment Avaya S8710 Media Server Avaya G650 Media Gateway TN2312BP IP Server Interface TN799DP C-LAN Interface TN2302AP IP Media Processor Avaya 4600 Series IP Telephones Avaya P333T-PWR Power over Ethernet Stackable Switch Mirage Networks CounterPoint C-245 Cisco Catalyst 3560 Series Switch PC RL; Reviewed: SPOC 9/23/2005 Software/Firmware 3.0 (340.3) 21 15 104 1.8.
PAGE 5
3. Configure Mirage Networks CounterPoint C-245 This section describes the steps for configuring the Mirage Networks CounterPoint C-245 to protect the subnets (VLANs 53 and 100 in the sample configuration) where the S8710 Media Server, G650 Media Gateway, and IP telephones reside. The subnet (VLAN 51) where the attacker PC resides cannot be protected due to the VLAN mirror function of the Cisco Catalyst 3560.
PAGE 6
Step Description 3. Assign a descriptive name and click on “OK”. 4. Select the Subnets tab and click on the “+” icon. 5. Enter the subnet information for this VLAN, and check the “Add Protected Range” checkbox to protect the entire subnet*. Click on “OK”. * To protect specific ranges within the subnet, uncheck the “Add Protected Range” checkbox and configure the ranges in the Protected Subnets tab (not described in these Application Notes) 6. Select the Gateway tab and click on the “+” icon.
PAGE 7
Step Description 7. Enter the default gateway of the subnet and click on “OK”. 8. Select the Deception tab. Set Deception Mode to “On”. RL; Reviewed: SPOC 9/23/2005 Solution & Interoperability Test Lab Application Notes ©2005 Avaya Inc. All Rights Reserved. 7 of 17 MirageCP.
PAGE 8
Step Description 9. Select the Cloak tab. The default values may be used. RL; Reviewed: SPOC 9/23/2005 Solution & Interoperability Test Lab Application Notes ©2005 Avaya Inc. All Rights Reserved. 8 of 17 MirageCP.
PAGE 9
Step Description 10. Select the Advanced tab. Set MAC Validation to “On”. Note: MAC validation is required in order to detect spoofing. RL; Reviewed: SPOC 9/23/2005 Solution & Interoperability Test Lab Application Notes ©2005 Avaya Inc. All Rights Reserved. 9 of 17 MirageCP.
PAGE 10
Step 11. Click on the “Edit Segment IP” icon. Description 12. Assign an IP Address to the CounterPoint C-245 on this VLAN and click on “OK”. RL; Reviewed: SPOC 9/23/2005 Solution & Interoperability Test Lab Application Notes ©2005 Avaya Inc. All Rights Reserved. 10 of 17 MirageCP.
PAGE 11
Step Description 13. Expand the VLAN tree and select one of the two interfaces. These two VLAN interfaces reside on the two ports connected to the Catalyst 3560. Click on “Enable”. Repeat this step for the other interface. RL; Reviewed: SPOC 9/23/2005 Solution & Interoperability Test Lab Application Notes ©2005 Avaya Inc. All Rights Reserved. 11 of 17 MirageCP.
PAGE 12
Step Description 14. Select one of the interfaces and click on the “Pair” button. 15. Select the other interface from the pull-down list and click on “OK”. RL; Reviewed: SPOC 9/23/2005 Solution & Interoperability Test Lab Application Notes ©2005 Avaya Inc. All Rights Reserved. 12 of 17 MirageCP.
PAGE 13
Step Description 16. Click on the “Configure Changes” icon on the bottom left of the CounterPoint Manager main window. 17. Click on “Save” and then “Close”. RL; Reviewed: SPOC 9/23/2005 Solution & Interoperability Test Lab Application Notes ©2005 Avaya Inc. All Rights Reserved. 13 of 17 MirageCP.
PAGE 14
Step Description 18. Repeat Step 2 – 17 as necessary to protect other VLANs. In this configuration, the steps were repeated for VLAN 53. 4. Configure Cisco Catalyst 3560 This section describes the steps on the Cisco Catalyst 3560 for configuring the VLAN mirror, the two ports connected to the Mirage Networks CounterPoint C-245, and the port connected to the Avaya P333T-PWR. The steps assumed that the VLANs and routing among VLANs have already been configured on the Catalyst 3560. Step Description 1.
PAGE 15
5. Configure Avaya P333T-PWR From the Avaya P333T-PWR CLI, assign VLAN 100 to all ports, including the port connected to the Cisco Catalyst 3560, and configure the port as an 802.1q trunk port. set port vlan 100 1/1-24 set trunk 1/24 dot1q 6. Interoperability Compliance Testing The interoperability compliance testing focused on verifying that the Mirage Networks CounterPoint C-245 detected basic ping and port scans, and mitigated basic Denial of Service (DoS) attacks. 6.1.
PAGE 16
7. Verification Steps The following steps may be used to verify the configuration: • • • From the attacker PC, run ping scans on the protected subnets and verify that the CounterPoint C-245 correctly reports the scans. From the attacker PC, run port scans on specific targets in the protected subnets and verify that the CounterPoint C-245 correctly reports the scans. From the attacker PC, send basic ping and port floods to specific targets in the protected subnets.
PAGE 17
©2005 Avaya Inc. All Rights Reserved. Avaya and the Avaya Logo are trademarks of Avaya Inc. All trademarks identified by ® and ™ are registered trademarks or trademarks, respectively, of Avaya Inc. All other trademarks are the property of their respective owners. The information provided in these Application Notes is subject to change without notice.