Using Virtual Lans; Mac Filtering And Authentication; Firewalls And Traffic Filtering; Virtual Private Networks (Vpns) - Avaya 3616 Installation Manual

Installation Guide
authentication, Michael message integrity check (MIC) and Temporal Key Integrity Protocol (TKIP).
FSR not only addresses the roaming issue, but also provides strong security measures for
authentication, privacy and data integrity.

5.2 Using Virtual LANs

Virtual LANs (VLANs) can be used to segregate traffic into different security classes. By using
separate VLANs, data traffic can utilize the most robust but processing-intensive security methods.
The 802.1Q standard establishes a method for inserting VLAN membership information into Ethernet
frames via header-information tags. The AVPP and AWTS Open Application Interface do not generate
or forward these tags, but are otherwise compatible with 802.1Q tags up to the Ethernet switch ports
used for these components.

5.3 MAC Filtering and Authentication

Most access points can be configured to allow or deny association of wireless clients based on their
unique MAC addresses, which can be used as a method of securing the wireless LAN. This process
generally works, but can cause some performance issues on some APs.

5.4 Firewalls and Traffic Filtering

The traffic filtering capabilities of firewalls, Ethernet switches and wireless switches can also be used
as an additional security layer if set up to allow only certain types of traffic to pass onto specific areas
of the LAN. To properly provide access control, it is necessary to understand the type of IP traffic used
by the Avaya wireless telephones including the ports used by the Avaya telephony switch interface
and SRP protocol ID 119.
The Avaya wireless telephones and AVPP use TCP and UDP and other common IP protocols from
time to time. These include DHCP, DNS, WINS, TFTP, FTP, NTP, Telnet, ARP and ICMP. Avaya
uses proprietary UDP channels between the infrastructure components that use UDP ports 5454-5458.
The PTT mode of the Avaya 3626 and 3645 wireless telephones uses the multicast IP address
224.0.1.116, which Avaya wireless telephones and infrastructure components also use to locate and
maintain each other.
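
The following is an added example, not part of the Avaya guide: a flow-record check that flags traffic on the voice segment falling outside the profile described above. The record fields, sample addresses and the well-known port numbers for the common protocols are assumptions; the telephony switch interface ports are not given on this page and would have to be added from the switch documentation.

```python
import ipaddress

# Values stated in section 5.4 of the guide.
SRP_IP_PROTO = 119                                  # SRP protocol ID
AVAYA_UDP_PORTS = range(5454, 5459)                 # UDP 5454-5458 inclusive
AVAYA_MCAST = ipaddress.ip_address("224.0.1.116")   # PTT / discovery group

# Assumption: IANA well-known ports for the common protocols the guide names.
# TFTP/FTP data moves to negotiated ports (not covered); ARP is not IP.
COMMON_PORTS = {
    ("udp", 67): "DHCP", ("udp", 68): "DHCP", ("udp", 53): "DNS",
    ("tcp", 53): "DNS", ("udp", 137): "WINS", ("udp", 69): "TFTP",
    ("tcp", 21): "FTP", ("udp", 123): "NTP", ("tcp", 23): "Telnet",
}
L4_NAMES = {6: "tcp", 17: "udp"}

def classify(flow):
    """Return the documented traffic class a flow matches, or None."""
    if flow["proto"] == SRP_IP_PROTO:
        return "SRP"
    if flow["proto"] == 1:
        return "ICMP"
    if ipaddress.ip_address(flow["dst"]) == AVAYA_MCAST:
        return "Avaya multicast"
    l4 = L4_NAMES.get(flow["proto"])
    if l4 is None:
        return None
    ports = (flow["sport"], flow["dport"])
    if l4 == "udp" and any(p in AVAYA_UDP_PORTS for p in ports):
        return "Avaya UDP"
    for p in ports:
        if (l4, p) in COMMON_PORTS:
            return COMMON_PORTS[(l4, p)]
    return None

def unexpected(flows):
    """Flows on the voice segment that match nothing in the documented profile."""
    return [f for f in flows if classify(f) is None]

# Constructed sample records (addresses and ports are made up for illustration).
SAMPLE = [
    {"src": "10.20.0.15", "dst": "10.20.0.2", "proto": 119, "sport": 0, "dport": 0},
    {"src": "10.20.0.2", "dst": "10.20.0.3", "proto": 17, "sport": 5454, "dport": 5456},
    {"src": "10.20.0.15", "dst": "224.0.1.116", "proto": 17, "sport": 5001, "dport": 5001},
    {"src": "10.20.0.15", "dst": "10.20.0.1", "proto": 17, "sport": 40000, "dport": 69},
    {"src": "10.20.0.15", "dst": "10.30.0.8", "proto": 6, "sport": 40001, "dport": 445},
    {"src": "10.20.0.15", "dst": "10.20.0.2", "proto": 17, "sport": 40002, "dport": 5459},
    {"src": "10.20.0.15", "dst": "10.20.0.2", "proto": 6, "sport": 40003, "dport": 5454},
]
```

The last three sample records are the ones `unexpected(SAMPLE)` returns: a TCP connection to port 445, a UDP port just outside the 5454-5458 range, and TCP on a port the guide lists only for UDP.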

5.5 Virtual Private Networks (VPNs)

Virtual Private Networks (VPNs) are secure, private network connections. VPNs typically employ some
combination of strong encryption, digital certificates, strong user authentication and access control to
provide maximum security to the traffic they carry. They usually provide connectivity to many devices
behind a VPN concentrator. The network can be broken into two portions - protected and unprotected:
1) The area behind the VPN server is referred to as the "protected" portion of the network. Sensitive,
private network equipment such as file servers, e-mail servers and databases reside in this
portion.
2) The area in front of the VPN server is referred to as the "unprotected" network, where the wireless
APs and less sensitive network equipment often reside.
VPNs offer an extremely effective method for securing a wireless network. Many network
administrators implement VPNs to maintain the integrity of their wireless LANs by requiring wireless
users who need access to the protected portion of the network to connect through a VPN Server.
Most voice devices, such as the Avaya wireless telephones, do not require access to the protected
portion of the network. Placing the Avaya wireless telephones and AVPP on the unprotected network
and requiring data users to connect to the VPN ensures that the network is protected against hackers
seeking to access sensitive information within the network core.
October 2008

This manual is also suitable for:

3620, 3626, 3641, 3645