One-Time Passwords; Shell Access - Avaya Application Solutions Deployment Manual


Security
Avaya capitalizes on Linux' security advantage

The Avaya S8700 and S8300 Media Servers run under the Linux operating system, which has two important security features:

- Built-in protection against certain types of Denial of Service (DoS) attack, such as SYN floods, ping floods, malformed packets, oversized packets, sequence number spoofing, ping/finger of death, etc. Attacks are recognized at the lower levels of the software and their effect is blunted. (It is not possible for a target system to always provide service during a DoS attack. Rather, the protection is to automatically resume service as soon as the attack is removed.)

- The Linux kernel is compiled with a set of options that precisely tailor its operation to maximize security consistent with the required operation of the system. These include a number of built-in firewall and filtering options. All file and directory permissions are set to minimize access as much as possible consistent with proper system operation. The disk drives of the S8700 and S8300 servers contain multiple partitions, each of which is restricted according to the type of data that it contains. All unneeded services are disabled, either permanently or through administration of those services. Disabled services and capabilities include NFS, SMB, X-windows, rcp, rlogin, and rexec. The system administrator has additional control over which services are visible from the multiple Ethernet interfaces that are connected to the enterprise LAN. Other Ethernet interfaces are permanently configured to restrict services.

One-time passwords

Standard login accounts use static passwords that can be used multiple times to log in to a system. Anyone who can monitor the login exchange can also capture passwords and use them to gain access. You can administer the S8700 and S8300 servers for one-time passwords, which have a fixed user name but not a fixed password. In this case, users must supply a unique, one-time password for each session, and even if that password is compromised, it cannot be reused. When a system is covered by an Avaya service contract, all logins that are accessed by Avaya Services technicians are protected by one-time passwords.

Shell access

Access to a "shell" from which arbitrary commands can be executed is not granted by default to a login on an S8700 or an S8300 server. When a login is created, the system administrator can specify whether or not the account is permitted to have shell access. Accounts that are denied shell access are taken, upon successful login, either to an Avaya Communication Manager administration screen or to a Web page. In both cases, the operations that these logins can perform are restricted. Generally, only people who perform hardware maintenance or software maintenance on the server need shell access permissions administered in their login accounts.
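On a Linux server the usual way to deny a login an interactive shell is to give the account a non-shell login program (a captive administration menu, or a no-login stub), so an audit of which accounts actually hold shell access comes down to inspecting the last field of each password-file record. The following is an added example, not part of this guide and not Avaya's tooling: it parses constructed `/etc/passwd`-style records and reports accounts that have an interactive shell without being on the administrator's allow list. The account names, the `/usr/local/bin/admin-menu` path and the allow list are all constructed for the illustration.

```python
# Constructed sample of /etc/passwd-style records; not taken from any real server.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
craft1:x:1001:1001:hardware maintenance:/home/craft1:/bin/bash
admin1:x:1002:1002:telephony administrator:/home/admin1:/usr/local/bin/admin-menu
web1:x:1003:1003:web administrator:/home/web1:/usr/sbin/nologin
"""

# Common interactive shells; anything here grants "arbitrary commands".
INTERACTIVE_SHELLS = {
    "/bin/sh", "/bin/bash", "/bin/dash", "/bin/ksh",
    "/bin/csh", "/bin/tcsh", "/bin/zsh",
}
# Stubs that refuse an interactive session entirely.
NO_LOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}


def parse_passwd(text: str) -> list:
    """Parse passwd records into dicts; reject malformed lines rather than guessing."""
    accounts = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"line {lineno}: expected 7 fields, got {len(fields)}")
        name, _pw, uid, gid, gecos, home, shell = fields
        accounts.append({
            "name": name, "uid": int(uid), "gid": int(gid),
            "gecos": gecos, "home": home, "shell": shell,
        })
    return accounts


def classify_shell(shell: str) -> str:
    """'shell' = arbitrary commands, 'no-login' = cannot log in interactively,
    'restricted' = any other program (assumed to be a captive admin menu)."""
    if shell in INTERACTIVE_SHELLS:
        return "shell"
    if shell in NO_LOGIN_SHELLS:
        return "no-login"
    return "restricted"


def audit_shell_access(text: str, allowed: set) -> list:
    """Return the names of accounts holding an interactive shell that are not on
    the allow list, i.e. shell access that was granted without a maintenance need."""
    findings = []
    for acct in parse_passwd(text):
        if classify_shell(acct["shell"]) == "shell" and acct["name"] not in allowed:
            findings.append(acct["name"])
    return findings


if __name__ == "__main__":
    # Only root is expected to keep a shell in this constructed scenario.
    for name in audit_shell_access(SAMPLE_PASSWD, allowed={"root"}):
        print(f"unexpected shell access: {name}")
```

Run periodically, a check like this turns the guide's policy ("only maintenance staff need shell access") into something that can be verified rather than assumed; a non-empty finding list is the signal to review who administered that account and why.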
190 Avaya Application Solutions IP Telephony Deployment Guide
