SIP trunking and off-switch or trunk-to-trunk forwards/transfers should be disabled when not required, and a Session Border Controller (SBC) should be considered for enhanced SIP security. Links between IP Office systems should be secured.
Procedure
If using SIP trunks, IP Office must be connected externally via a properly configured firewall; see Limiting IP Network Exposure for more information. IP Office must never be connected externally without a firewall.
Unless SIP trunks are configured for a particular LAN interface, the System > LAN1/2 > VoIP > SIP Trunks Enable setting must be disabled.
Many IP Office customers rely on their service providers to provide a secure SIP trunk environment. For a stronger security posture, implementation of the Avaya Session Border Controller for Enterprise (Avaya SBCE) is recommended as a best practice. Avaya SBCE also provides Advanced Services such as Secure Remote Worker and Encryption Service, supporting VPN-less access to IP Office for SIP endpoints outside the enterprise firewall. The Avaya SBC for Enterprise is a solution specifically tailored for IP Office. For more information see: http://www.avaya.com/usa/product/avaya-session-border-controller-for-enterprise.
If an SBC or SIP Application Level Gateway (ALG) is deployed, you must move some security measures from the IP Office to the SBC/ALG. The IP Office source IP address blacklisting should be disabled with the No User Source Number 'B_DISABLE_SIP_IPADDR'. The SBC/ALG black/white listing must be activated to compensate.
Off-switch forwards/transfers should be disabled on a per-system or per-user basis, with the system setting taking precedence over the user.
Per-user setting is: User > Telephony > Supervisor Settings > Inhibit Off-Switch Forward/Transfer. This can also be set via User Rights.
System-wide setting is: System > Telephony > Telephony > Inhibit Off-Switch Forward/Transfer.
Analog trunk-to-trunk forwards/transfers should be disabled on a per-line basis unless required, using Line > Analog Options > Allow Analog Trunk to Trunk Connect.
Other changes to restrict calls are contained in Preventing Unwanted Calls.
IP Office Lines (SCN trunks) may be secured using the Line > Line > Transport Type of WebSocket Client or WebSocket Server, and a Line > Line > Security setting of Medium or High.
One IP Office system must be the WebSocket client, the other the server. The Primary and Secondary should always be the WebSocket server.
For the High setting, certificate configuration is required; see Certificates and Trust for more information.
For Server Edition deployments, Secure IP Office Lines should always be used.
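The conditional rules in this procedure (SIP Trunks Enable per LAN, the SBC/ALG blacklisting handover, system-over-user precedence for off-switch inhibit, and the WebSocket role of Primary/Secondary systems) can be checked together. The following is an added example, not Avaya code: the dictionary layout, key names, rule labels and sample values are assumptions constructed for illustration and do not represent an IP Office export format.

```python
# Added example. The dict layout and key names are assumptions made for this
# sketch; all values are constructed, not taken from a real system.
SAMPLE = {
    "system_role": "Primary",
    "sbc_or_alg_deployed": True,
    "nouser_source_numbers": [],              # B_DISABLE_SIP_IPADDR not set
    "lans": {"LAN1": {"sip_trunks_enable": True, "has_sip_trunks": True},
             "LAN2": {"sip_trunks_enable": True, "has_sip_trunks": False}},
    "system_inhibit_off_switch": False,
    "users": {"alice": True, "bob": False},   # per-user inhibit flag
    "analog_lines": {"1": {"trunk_to_trunk": True, "required": False}},
    "ip_office_lines": [                      # placeholder-* values are constructed
        {"id": 17, "transport": "WebSocket Client", "security": "Medium"},
        {"id": 18, "transport": "WebSocket Server", "security": "High"},
        {"id": 19, "transport": "placeholder-other", "security": "placeholder-none"},
    ],
}

def audit(cfg):
    """Return (rule, subject) pairs for settings that deviate from the guidance."""
    out = []
    for lan, s in cfg["lans"].items():
        # SIP Trunks Enable must be off on any LAN with no SIP trunks.
        if s["sip_trunks_enable"] and not s["has_sip_trunks"]:
            out.append(("sip-enable-unused", lan))
    # With an SBC/ALG in front, source-IP blacklisting moves to the SBC/ALG.
    if cfg["sbc_or_alg_deployed"] and "B_DISABLE_SIP_IPADDR" not in cfg["nouser_source_numbers"]:
        out.append(("sbc-blacklist-not-moved", "No User"))
    # System setting takes precedence: per-user flags matter only when it is off.
    if not cfg["system_inhibit_off_switch"]:
        out += [("off-switch-allowed", u) for u, inhibited in cfg["users"].items() if not inhibited]
    for line, s in cfg["analog_lines"].items():
        if s["trunk_to_trunk"] and not s["required"]:
            out.append(("analog-trunk-to-trunk", line))
    for l in cfg["ip_office_lines"]:
        secured = (l["transport"] in ("WebSocket Client", "WebSocket Server")
                   and l["security"] in ("Medium", "High"))
        if not secured:
            out.append(("scn-line-unsecured", l["id"]))
        elif cfg["system_role"] in ("Primary", "Secondary") and l["transport"] != "WebSocket Server":
            out.append(("scn-line-wrong-ws-role", l["id"]))
    return out

if __name__ == "__main__":
    for rule, subject in audit(SAMPLE):
        print(f"{rule}: {subject}")
```

Line 17 in the sample is secured at Medium but is still reported, because the audited system is the Primary and should be the WebSocket server on its IP Office Lines.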