Note
October 2008
avaya.com Security in Application Enablement Services for the Bundled and Software Only Solutions
Table of Contents
Introduction .... 1
Section 1: Firewall .... 1
a. PAM Issue .... 14
b. PAM MOTD (Message of the Day) .... 14
Appendices .... 15
1. Firewall
3. Network Access
5. Password Management
9. Audit trails
10. Certificates
Section 1: Firewall
Firewall software protects a server from the network. RedHat Linux ES 4.6 (Version 4 Update 6) comes
with a firewall software package called iptables, which controls the network packet filtering code in the Linux kernel.
The Bundled Server comes pre-packaged and pre-configured with firewall software. AE Services has
implemented the firewall using the Red Hat Linux iptables package. The firewall is always on by default. The
firewall on the Bundled Server keeps only specific ports and port ranges open; traffic on all other ports
is disabled by default. The firewall filters INCOMING (TCP/UDP) connections/packets only; OUTGOING
(TCP/UDP) connections/packets are not filtered on any port. Port filtering is turned on for each
NIC of the Bundled Server.
For the Software Only solution, we strongly recommend enabling the firewall on the AE Services server. The
firewall software should be configured to use only those ports that are absolutely required.
AE Services uses the following ports by default (for the Bundled and Software Only Solutions). Where
appropriate, ports only accessible via the local loopback interface are marked as “Local Only”. For “Local
Only”, AES components are connecting to other internal AES components using these ports. For “Inbound”
ports, an entity external to AES is initiating the connection. For the application protocols, this will be a client
application, but for protocols like H323 and RTP, these connections are initiated during registration and call
setup. For “Outbound” ports, AES will initiate the connection setup.
Port(s)      Service                                                            Protocol  Direction
53           DNS                                                                          Outbound
67           DHCP                                                                         Outbound
1050-1065    TSAPI Session TLINKS (16 is max number of supported switches)      TCP       Inbound
4101-4116    System Management Service (SMS) Proxy (aka OSSI Proxy)             TCP       Local Only
8080, 8443   Tomcat: OAM, Web Services, Licensing (8080 disabled by default)    TCP       Inbound
It should be noted that some of these ports and port ranges are configurable via the OAM Ports web page. On
the Bundled Server, changes to the OAM Ports screen will automatically reconfigure the firewall rules.
In some instances a customer or Avaya technician may want to change the port filtering rules (port or port
ranges) on the firewall. It is highly recommended that the OAM Port screen be used to perform all port
changes. All port value changes applied by the OAM Port screen will cause the firewall to be automatically
reconfigured to support the new rules.
Firewall setting modifications for ports not listed on the port screen can be done by using various options
available through the Linux iptables command. The iptables command is only available to users with root
(sroot) level privileges.
Note: By default, the firewall is automatically started when the Bundled Server boots up. The default rules
that are implemented by the firewall are in /etc/init.d/iptables. A script /opt/mvap/bin/firewallUpdater.sh runs
each time the AE Service is started to regenerate the firewall rules based on the current port configuration
settings. Any firewall changes made outside of the script will be discarded when the AE Service is
restarted. In order to make the firewall changes persistent for ports not on the OAM port screen the firewall
configuration script must be modified by the System Administrator to include the additional port values.
For each of the below commands, the System Administrator must SSH into the Bundled Server first, and then
“su” to the root (sroot) level account.
This will list all the firewall rules, including the Rule Numbers. There are three chains (tables) for which rules
will be listed.
At any point, if the iptables rules are misconfigured, restarting iptables will reload the default iptables rules.
Use the following command, where xxxx is the port number to enable:
    iptables modify --add (INPUT | OUTPUT | FORWARD) (tcp|udp) xxxx
Use the following command, where xxxx is the port number to reject:
    service iptables modify --reject (INPUT | OUTPUT | FORWARD) (tcp|udp) xxxx
Use the following command, where xxxx is the port number to be removed:
    iptables modify --remove (INPUT | OUTPUT | FORWARD) (tcp|udp) xxxx
ix. Allowing access to a range of ports in the Firewall (see above Note)
Use the following command, where xxxx is the from-port and yyyy is the to-port:
    iptables modify --add-range (INPUT | OUTPUT | FORWARD) (tcp|udp) xxxx yyyy
Use the following command, where xxxx is the from-port and yyyy is the to-port:
    iptables modify --remove-range (INPUT | OUTPUT | FORWARD) (tcp|udp) xxxx yyyy
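As an added example (not Avaya's firewallUpdater.sh or any other AES code), the following Go program generates an iptables rule set from a port table in the style of the defaults listed above: INPUT limited to the listed ports, OUTPUT unfiltered, and Local Only ports reachable over loopback only. The port table, the type names and the AES-FW-DROP log prefix are constructed for this illustration; the program only prints the commands so an administrator can review them before running them as root.

```go
package main

import (
	"fmt"
	"strings"
)

// PortRule is one row of a port table in the style of the AES defaults listed above.
// Scope is "inbound" (reachable from the network) or "local" (loopback only).
type PortRule struct {
	Proto string // "tcp" or "udp"
	Ports string // single port "8443" or iptables range "1050:1065"
	Scope string
	Note  string
}

// Constructed table with the TCP Inbound / Local Only entries quoted in the paper;
// 8080 is left out because the paper says it is disabled by default.
var aesPorts = []PortRule{
	{"tcp", "1050:1065", "inbound", "TSAPI session TLINKS"},
	{"tcp", "4101:4116", "local", "SMS (OSSI) proxy"},
	{"tcp", "8443", "inbound", "Tomcat: OAM, Web Services, Licensing"},
}

// genRules returns iptables command lines implementing the policy described above:
// INPUT restricted to the listed ports, OUTPUT left unfiltered, loopback open so
// Local Only components can reach each other. The result is text so it can be
// reviewed before being run as root or added to a persistent firewall script.
func genRules(rules []PortRule) ([]string, error) {
	out := []string{
		"iptables -P INPUT DROP",
		"iptables -P FORWARD DROP",
		"iptables -P OUTPUT ACCEPT",
		"iptables -F INPUT",
		"iptables -A INPUT -i lo -j ACCEPT",
		// replies to the server's own outbound connections (DNS, DHCP, ...)
		"iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT",
	}
	for _, r := range rules {
		if r.Proto != "tcp" && r.Proto != "udp" {
			return nil, fmt.Errorf("%s/%s: unsupported protocol", r.Proto, r.Ports)
		}
		base := fmt.Sprintf("iptables -A INPUT -p %s --dport %s", r.Proto, r.Ports)
		switch r.Scope {
		case "inbound":
			out = append(out, base+" -j ACCEPT  # "+r.Note)
		case "local":
			// loopback is accepted above; reject (and make visible) any other interface
			out = append(out, base+" ! -i lo -j REJECT  # "+r.Note+" (Local Only)")
		default:
			return nil, fmt.Errorf("%s/%s: unknown scope %q", r.Proto, r.Ports, r.Scope)
		}
	}
	// everything else hits the DROP policy; log it first so probes show up in syslog
	out = append(out, `iptables -A INPUT -j LOG --log-prefix "AES-FW-DROP: "`)
	return out, nil
}

func main() {
	lines, err := genRules(aesPorts)
	if err != nil {
		panic(err)
	}
	fmt.Println(strings.Join(lines, "\n"))
}
```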
b. Bundled Solution
i. Shell Monitoring
AE Services has configured the bash rpm to log all shell command activity to the Linux system logs in /var/
log/messages. This includes any command that is typed by a user or invoked by any software within the AE
Services server. System Administrators can monitor these logs for unusual system activity.
ii. Tripwire
AE Services uses the Tripwire software available from Fedora Linux to do system monitoring and intrusion
detection. Tripwire allows System Administrators the ability to monitor for possible intrusion into a system.
The Tripwire software is installed via a Linux RPM on the Bundled Server. AE Services provides an RPM
to configure and start Tripwire. After installation of the AE Services software, Tripwire is configured to
start automatically upon reboot.
On the first startup, Tripwire builds a database of all files that it is monitoring. Thereafter it runs an
integrity check periodically (once every day at 4:02 a.m.); if it detects any database changes or security
violations, it generates a report under /var/lib/tripwire/report listing the violations that were found. In
addition, an SNMP Trap will be issued to each configured SNMP Trap destination.
Important: It is strongly recommended to view these daily tripwire reports and clean them up appropriately.
Otherwise, over time, these reports will occupy disk space.
Note: It is the responsibility of the system administrator to view and delete these reports and SNMP Traps.
Once the tripwire reports have been viewed, the tripwire database must be updated in order to prevent the
security violation from being raised again. Since Tripwire is installed during the initial install process, a
default password is generated and used to configure Tripwire. In order for Tripwire to be updated, Tripwire
must be reinstalled by the System Administrator such that a valid user password is provided. This password
will be used by the System Administrator to update Tripwire on all future requests.
The complete set of instructions for Tripwire configuration is located in the Application Enablement Services
Administration and Maintenance Guide Release 4.2, under the section titled “Using Tripwire”.
Items 1-4 of the following command summary must be executed by a user with root (sroot) privileges.
4. View the Tripwire reports: use the command: twprint -m r --twrfile /var/lib/tripwire/report/<filename>.twr
5. All SNMP Traps are managed from the OAM Alarm Viewer screen. This screen will allow an administrator
the ability to view or clear a generated alarm.
Section 3: Network Access
a. Software Only Solution
It is recommended to disable telnet, ftp, rsync and rsh as these network programs are insecure. Instead we
recommend the use of SSH, SFTP and SCP. To disable telnet and the other services listed above use the
chkconfig command.
b. Bundled Solution
The Bundled Server allows only SSH, SFTP and SCP. Telnet, ftp, rsync and rsh have been disabled.
The AE Services OAM web-pages provide access to CTI OAM Administrators which requires login
authentication from the Linux platform or an Enterprise Directory (Active Directory, Domino, OpenLDAP,
etc…). The Enterprise Directory connection from OAM supports the use of the LDAP-S (Secure LDAP)
protocol. The administrator account used to access OAM is the same login that is used to access the AE
server using a remote connection with a program like SSH. The OAM web-pages also provide access to
User Management Administrators which requires authentication from a secure LDAP database. It is strongly
recommended that all logins/passwords to the Linux platform, Web OAM (CTI and User Management) as well
as the secure LDAP database (User management) be changed during first login as well as periodically. Avaya
will be changing the passwords periodically (every 90 days) for all Avaya logins (craft and sroot). Customers
are advised to change passwords for all customer logins.
CTI Client Application Users are required by TSAPI, JTAPI, DMCC and Telephony Web Service applications in
order to authenticate the application. These users may be authenticated against either the AE Services User
Management LDAP database or against an Enterprise Directory.
Administrative role for User Management
  Linux group: Not associated with Linux.
  Access: Read and write access to User Management. No access to CTI OAM Administration or Security Administration.
  Note: To acquire the Administrative role for User Management, a user must have an administered account in the
  local LDAP data store with the Avaya role set to userservice.useradmin.
Auditor users
  Access: Read-only access to the following functions in CTI OAM Administration:
  • Administration > Security Database > CTI Users: List All Users and Search Users
  • Certificate Management
  • Status and Control
  • Alarms
  • Logs
Backup_Restore
  Linux group: backuprestore
  Access: Read and write access to the following Maintenance functions:
  • Backup Database
  • Restore Database
Avaya_Maintenance
  Linux group: avayamaint
  Access: Read and write access to the following CTI OAM Admin functions:
  • Maintenance
  • Logs
  • Utilities
The following Linux accounts exist on the AES server by default.
Account name: cust
  Group: susers, securityadmin
  Default password: Yes
  Purpose: For customer use
  Password naming policy: See Password Management section
  Password change policy: Password should be changed by the customer after initial installation and periodically thereafter.
Account name: craft
  Group: susers, securityadmin
  Default password: Yes
  Purpose: For Avaya Technician use
  Password naming policy: At least 8 chars, no dictionary words or palindromes.
  Password change policy: Will be changed periodically (every 90 days) once the system is registered with Avaya Services.
Account name: sroot
  Group: root
  Default password: Yes
  Purpose: For Avaya Technician use
  Password naming policy: At least 8 chars, no dictionary words or palindromes.
  Password change policy: Will be changed periodically (every 90 days) once the system is registered with Avaya Services.
Note: Direct root login is disabled for both SSH (only on the Bundled Server) and Web OAM.
The above platform logins provide specific access to resources on the AE Services server. For example, a root
level login will be allowed to restart AE Services on the platform. While from OAM, any login belonging to the
group susers can restart AE Services. All logins will have access to the AE Services logs under /var/log/avaya/aes.
Note: By default the “root” account is disabled on the Bundled Server and the “sroot” account is used by
Avaya Services to obtain root level access. Be aware that the root account may be re-enabled by setting the
root password.
Passwords for all Linux accounts are stored securely by the Linux platform.
User Management Administrator Accounts
User Management Administrators are authenticated against a Local LDAP store on the AES server.
Account name: craft
  Default password: Yes
  Password naming policy: Controlled by Avaya Services
  Password change policy: None
User Management uses roles for authorization purposes. User Administrators must have the
userservice.useradmin role set. A User Administrator can create other user accounts and then assign them the
userservice.useradmin role to create other User Administrators.
Passwords are stored as MD5 hashes by the LDAP server backing User Management.
The SDB can optionally be enabled or disabled. By default the SDB is disabled. In the disabled state, a user has
the ability to control any device registered on AES, including devices belonging to another user. In the enabled
state, a user must be authorized in the SDB to control a device. The user may optionally be categorized as
having “Unrestricted Access” or “Restricted Access”. By default a user is granted “Restricted Access”.
Note: A user with “Unrestricted Access” has the ability to control any device registered on AES.
In order to add a user into the SDB, the user must be created in User Management as a CTI user. If the SDB
is disabled and an Enterprise Directory is used for authentication, a user does not have to be created in User
Management.
The DMCC service uses a Communication Manager (CM) Station extension and password to register a DMCC
device on behalf of the client application. It is strongly recommended that each DMCC device have its
own unique password administered in CM for a corresponding extension (station). CM allows up to 8 digit
passwords for each extension.
A possible configuration exists where a user application may not have to be aware of a device’s password
for registration. If the SDB is enabled and a user is configured in the SDB for “Unrestricted Access”,
the registration process will succeed when a password is not supplied as long as the extension’s class of
restriction (COR) on CM has the options “Can Be Service Observed:” and “Can Be A Service Observer:” set to
yes. This feature is only available on CM 5.1 and higher. Otherwise the user application must be aware of the
password for each device for the registration process to succeed.
See the chapter titled “The Security Database”, of the Application Enablement Services Administration and
Maintenance Guide Release 4.2 for details on configuration of the various authentication options.
The following table outlines the services that perform administration and authorization on the AE Services server.
TSAPI (CTI)
  Authentication: Yes, against local LDAP or Enterprise Directory
  Authorization: Uses the Security Database (SDB), which specifies which devices a user is allowed to control. The SDB feature is disabled by default.
JTAPI (CTI)
  Authentication: Yes, against local LDAP or Enterprise Directory
  Authorization: Uses the Security Database, which specifies which devices a user is allowed to control. The SDB feature is disabled by default.
Telephony Web Services (CTI)
  Authentication: Yes, against local LDAP or Enterprise Directory
  Authorization: Uses the Security Database, which specifies which devices a user is allowed to control. The SDB feature is disabled by default.
User Management Web Services (User Admin)
  Authentication: Yes, against local LDAP or Enterprise Directory
  Authorization: Users must have the userservice.useradmin role set to perform User Management Administration.
Once a user account enters the password expiration warning period, an indication will be provided from the OAM
interface listing the number of days left. A Change Password screen will be available from OAM once this message
is displayed to allow a user the ability to change their password. A remote SSH connection to the AES server will
only inform the user of the number of days left before the account is locked. The user will have to use the Linux
command “passwd” in order to change their password.
The following table represents additional capabilities available using OAM and their default values.
Link name: DMCC (formerly CMAPI)
  Connection between: Application and AE Services
  Connection type: TCP
  Used by: DMCC service
  Encrypted (4.2): Yes by default
Link name: TSAPI/JTAPI CSTA 1 ASN.1
  Connection between: Application and AE Services
  Connection type: TCP
  Used by: TSAPI/JTAPI service
  Encrypted (4.2): Yes based on config
Link name: H.323 Signaling
  Connection between: AE Services and Communication Manager
  Connection type: TCP, UDP
  Used by: DMCC service
  Encrypted (4.2): Yes based on config
Link name: AEP Secure Transport Link
  Connection between: AE Services and Communication Manager
  Connection type: TCP
  Used by: TSAPI, JTAPI, CVLAN, DMCC Call Information
  Encrypted (4.2): Yes
Important: It is strongly recommended that the applications using Telephony Services, User Service and
System Management Services (SMS) use the HTTPS link for maximum security.
Any configuration changes using the OAM interface will be logged including all login attempts into the web
interface. The OAM interface is mainly backed by a relational database. As part of the OAM logging process,
the logs will contain the login name of the individual making the change, the date/time of the change, the IP
address of the connecting system, and a synopsis of the before and after data changes.
The Host Authentication and Authorization (AA) feature available on the AE Server is used to provide an
additional layer of validation for connecting remote hosts that want to communicate with the AE Services
DMCC or TR87. The Host AA feature is configurable using the OAM web interface. This feature validates the
client certificate received by the server against a set of credentials. Two areas of validation exist.
The first area of validation, which is focused on authentication, verifies that the certificate received from
the client is valid. For instance, the certificate's “Not Valid Before” and “Not Valid After” dates are checked
against the server's current date/time. In addition, the certificate is verified to be signed by a trusted CA. The
second area of validation, which is focused on authorization, determines whether the Common Name (CN) in the
client certificate matches one of the CNs listed on the server as a trusted host. If the client certificate fails
the basic certificate validation, or if the CN does not match any of the specified trusted hosts, the connection
will be refused and a log message will be created. By default this feature is disabled for DMCC. TR87 has the
authorization feature disabled and the authentication feature enabled by default.
On the client application server, the DMCC Java SDK only has the ability to validate that the received AES server
certificate is signed by a trusted CA and that the certificate's “Not Valid Before” and “Not Valid After” dates are
valid. The ability to verify a certificate's CN against a trusted host list is not provided by the SDK. The client-side
validation feature is controlled with the use of an SDK property. By default this feature is displayed.
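The two areas of validation described above, as an added Go example that is not Avaya's Host AA implementation or the DMCC SDK: a constructed test CA issues client certificates, hostAA first checks the chain and the validity dates against the current time (authentication) and then the CN against a trusted-host list (authorization), with authorize=false standing in for the TR87 default of authentication only. The CA name, host names and the trustedHosts list are assumptions made for the illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Constructed stand-in for the trusted-host CN list administered in OAM.
var trustedHosts = map[string]bool{"dmcc-app1.example.com": true}
// hostAA: authentication (chains to a trusted CA, NotBefore/NotAfter bracket now) and,
// when authorize is set, authorization (CN is a trusted host); false is the TR87 default.
func hostAA(client *x509.Certificate, roots *x509.CertPool, now time.Time, authorize bool) error {
	opts := x509.VerifyOptions{Roots: roots, CurrentTime: now,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := client.Verify(opts); err != nil {
		return fmt.Errorf("authentication failed: %w", err) // connection refused and logged
	}
	if cn := client.Subject.CommonName; authorize && !trustedHosts[cn] {
		return fmt.Errorf("authorization failed: CN %q is not a trusted host", cn)
	}
	return nil
}

// makeCert issues a constructed test certificate; parent == nil yields a self-signed CA.
func makeCert(cn string, nb, na time.Time, parent *x509.Certificate, pk *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { panic(err) }
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: nb, NotAfter: na, BasicConstraintsValid: true}
	signer, signerKey := tmpl, key // self-signed unless a parent CA is given
	if parent == nil {
		tmpl.IsCA, tmpl.KeyUsage = true, x509.KeyUsageCertSign
	} else {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
		signer, signerKey = parent, pk
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil { panic(err) }
	cert, err := x509.ParseCertificate(der)
	if err != nil { panic(err) }
	return cert, key
}

// runScenario builds a constructed CA plus client certificates and reports, per case,
// whether hostAA accepts the connection.
func runScenario() map[string]bool {
	now, h := time.Now(), time.Hour
	ca, caKey := makeCert("AES Test CA", now.Add(-h), now.Add(24*h), nil, nil)
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	good, _ := makeCert("dmcc-app1.example.com", now.Add(-h), now.Add(h), ca, caKey)
	unknown, _ := makeCert("rogue.example.com", now.Add(-h), now.Add(h), ca, caKey)
	expired, _ := makeCert("dmcc-app1.example.com", now.Add(-2*h), now.Add(-h), ca, caKey)
	otherCA, otherKey := makeCert("Other CA", now.Add(-h), now.Add(h), nil, nil)
	foreign, _ := makeCert("dmcc-app1.example.com", now.Add(-h), now.Add(h), otherCA, otherKey)
	return map[string]bool{
		"trusted":                 hostAA(good, roots, now, true) == nil,
		"untrusted-cn":            hostAA(unknown, roots, now, true) == nil,
		"untrusted-cn-authn-only": hostAA(unknown, roots, now, false) == nil,
		"expired":                 hostAA(expired, roots, now, true) == nil,
		"untrusted-ca":            hostAA(foreign, roots, now, true) == nil,
	}
}
func main() { fmt.Println(runScenario()) }
```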
Section 11: JAR File Security
AE Services digitally signs each of the jar files provided by the AES platform. Digitally signed jars protect jar
files from tampering, which includes modification or deletion of existing files in the jar or the addition of new
files after the jar has been created. Left unchecked, someone could rewrite or remove a file to circumvent a
security feature or obtain sensitive data. For example, if someone were able to replace a piece of code that handles
incoming digits, they could rewrite the existing file to capture all the entered digits and send them off to another
server or email address for retrieval.
When a jar file security violation is detected, AE Services will not start and a security violation message will be
logged. In addition, the OAM CTI Administration main page will list the name of each jar file which failed validation.
See the Application Enablement Services Installation and Upgrade Guide for a Software-Only Offer Release 4.2
for further details.
b. Bundled Solution
The Bundled Server comes pre-packaged with RedHat Linux ES 4.6 along with the AE Services software. The Bundled
Server has only the minimum Linux software RPMs that are required for the proper functioning of the OS. This also
means that only those Linux services that are absolutely needed by AE Services have been enabled on the box, so
only the ingress ports that are really needed are open. This reduces the security risk significantly.
See the Application Enablement Services Installation and Upgrade Guide for a Bundled Server Release 4.2
for further details.
Section 14: Vulnerability Tracking (Bundled and Software Only solution)
Avaya has an active organization which tracks security advisories and susceptibility of Avaya products to
vulnerabilities described in those advisories. This organization coordinates these advisories issued by vendors
who supply operating systems or software components to Avaya. To sign up for advisory notification, please go
to http://support.avaya.com and Select “My e-Notifications”.
For more detail on Avaya tracking policies and practices, please see:
http://support.avaya.com/elmodocs2/security/security_vulnerability_response.pdf
http://support.avaya.com/elmodocs2/security/security_vulnerability_classification.pdf
Appendices
The following appendices outline some potential configuration changes that may help make the
AE Services Bundled Server more secure. These configuration changes require root access and would typically
need to be performed by an Avaya Services technician running as sroot.
1. Configuration options for changing inactivity timeouts for shell and OA&M access
OA&M (web) session timeout:
  a. cd $CATALINA_HOME/webapps/MVAP/WEB-INF
  b. Edit web.xml
  c. Modify the session-timeout element (this value is in minutes). The default entry (30 minutes) looks like:
     <session-timeout>30</session-timeout>
Shell inactivity timeout:
  a. cd /etc/profile.d
  b. Edit mvap.sh
  c. Change the TMOUT value. This value is in seconds. The default entry looks like:
     export TMOUT=1800
     To change it to 15 minutes, for instance, use:
     export TMOUT=900