Platform and application security details

Last Updated: Aug 23, 2021

For additional information on security, refer to the Avaya IP Office™ Platform Security Guidelines manual.

Platform

  • The IP Office for Linux operating system is based on Red Hat Enterprise Linux that is further hardened for defaults, packages, and users.

  • The operating system of Server Edition Expansion System (L) is developed for IP Office. The operating system is simple, stable, and reliable.

  • The operating system of Server Edition Expansion System (V2) is developed for IP Office. The operating system is simple, stable, and reliable.

  • Components that are secure:
    • Software security engine for all the components.

    • Hardware security engine for Office Server Edition Expansion System (V2).

    • Internal Access Control Engine policies for external service requests and internal applications.

Manager

  • Transport Layer Security (TLS) secures the communications between IP Office Manager and IP Office, and insecure ciphers are disabled.

  • Provides role-based user access control (RBAC).

  • Provides comprehensive user account and password controls.

  • You can enable a PKI Trust domain.

  • The system generates warning messages if administrative passwords are set to default. The system sends alarms on login failure.

  • The system records all the accesses in the audit trail.

  • You can disable unused services and ports such as HTTP.

Administration user accounts

The administration user accounts can be controlled for:

  • Password complexity

  • Previous password history (administrative accounts only)

  • Change password on next login

  • Idle lockout and login failure lockout

  • Time and date the account expires (administrative accounts only)

Single sign-on (SSO)

  • Administration credentials to log in to Linux Platform settings are securely transferred to Manager, SSA, and Voicemail Pro client.

  • All administrative logins on all IP Office components including Voicemail Pro and Avaya one-X® Portal for IP Office use security settings of IP Office.

  • Server user management feature in Web Manager synchronizes administrative user credentials with all components of IP Office including Voicemail Pro and Avaya one-X® Portal for IP Office in IP Office Server Edition Solution.

Audit trail

  • Each IP Office system maintains an audit trail of access and configuration changes.

  • Linux Platform settings also maintains an audit trail.

  • The IP Office system displays the audit trail in IP Office Server Edition Manager and SSA.

Public Key Infrastructure (PKI)

  • IP Office supports X.509 certificates

  • The Server Edition Primary and the Application server support an integrated Certificate Authority (CA)

  • The Trusted Certificate Store can be configured, and an Identity certificate is available.

  • The system performs a Certificate Signing Request (CSR) through Simple Certificate Enrollment Protocol (SCEP).

  • The system creates a self-signed Identity certificate that can be copied to all HTTPS/TLS interfaces.

  • Flexible controls to enforce the Trust domain on specific services. Extended trust controls for PKI.

  • Web Management Console, Voicemail Pro and Avaya one-X® Portal for IP Office on Linux support X.509 certificates, but not PKI.

LAN

  • The servers and expansion systems are thoroughly tested for resistance to Denial of Service and other attacks

  • Server Edition Expansion System (V2) supports a configurable firewall

  • Time profiles on Server Edition Expansion System (V2) only

  • Static NAT and NAPT in Server Edition Expansion System (V2)

  • ICMP Filtering

  • L2TP/PPP VPN on Server Edition Expansion System (V2) only

  • PAP or CHAP password exchange

  • Idle or quota timeout

  • IPSec VPN on Server Edition Expansion System (V2) only

Endpoints

  • Username and PIN or password or login code are in the IP Office configuration, and you can administer these through IP Office Server Edition Manager

  • You can use HTTP or HTTPS for settings and firmware upgrades

  • You cannot make calls unless you are logged in

Call barring

  • You can configure flexible call barring controls using login name or account code to allow internal, local, national or international calls on a per-user and per-system basis.

  • You cannot use speed dials, transfers, forwarding, and conferences to bypass controls.

  • You can enable trunk to trunk calls using IP Office Server Edition Manager. Trunk to trunk calls are disabled by default.

  • SIP trunk configuration for incoming calls must match URIs.

  • You can use SMDR (CDR) to create a record of all calls.

Voicemail Pro client

  • You can enforce user login with Personal Identification Number (PIN) and configure complexity for the PIN.

  • You can enforce PIN change when the user logs in for the first time.

  • Idle timeout.