A Session Border Controller (SBC) is a system component that evolved to add security and interoperability between SIP endpoints and call servers like IP Office. In addition to security and interoperability, SBCs like Avaya’s Session Border Controller for Enterprise (Avaya SBCE) add further features such as resilience and edge proxy services.
IP Office supports many SBC features; it is important to understand the differences between Avaya SBCE and IP Office when designing a deployment. For the strongest security posture, implementation of the Avaya SBCE is recommended as a best practice.
The following table summarizes the differences between IP Office and Avaya SBCE:

| SBC Feature | IP500 V2 | IP Office Linux | ASBCE |
|---|---|---|---|
| **Security** | | | |
| Customized hardened OS | – | ✓ | ✓ |
| Deployment within DMZ [1] | – | – | ✓ |
| Requires external firewall [2] | ✓ | ✓ | ✓ |
| Internal firewall [3] | ✓ | ✓ | ✓ |
| Secure Media [4] | ✓ | ✓ | ✓ |
| Secure Signaling [5] | ✓ | ✓ | ✓ |
| TLS server name checks | – | – | ✓ |
| Secure Settings files | ✓ | ✓ | ✓ |
| Denial of Service resistance – ICMP, TCP, SIP | –/✓/✓ | ✓/✓/✓ | ✓/✓/✓ |
| Denial of Service resistance – TLS | – | ✓ | – |
| Denial of Service resistance – H323 | ✓ | ✓ | – |
| Distributed Denial of Service resistance | – | ✓ | ✓ |
| Port scan blocking | – | – | ✓ |
| Toll Fraud detection/prevention | ✓ | ✓ | – |
| Time of Day and Day of Week detection filters | – | – | ✓ |
| Brute force login resistance [6] | ✓ | ✓ | – |
| Topology hiding | ✓ | ✓ | ✓ |
| Message rate limiting | – | ✓ | ✓ |
| SIP protocol scrubbing | ✓ | ✓ | ✓ |
| H323 protocol scrubbing | ✓ | ✓ | – |
| SIP UA whitelist | – | ✓ | ✓ |
| SIP UA blacklist | – | ✓ | ✓ |
| Configurable IP Address whitelist | ✓ | ✓ | ✓ |
| Configurable IP Address blacklist | – | – | ✓ |
| Dynamic IP Address blacklist | ✓ | ✓ | ✓ |
| **Interoperability** | | | |
| SIP UDP/TCP/TLS | ✓ | ✓ | ✓ |
| H323 UDP/TCP/TLS | ✓ | ✓ | – |
| WebRTC | – | ✓ | ✓ |
| Media transcoding | ✓ | ✓ | ✓ |
| Media anchoring | ✓ | ✓ | ✓ |
| NAT traversal | ✓ | ✓ | ✓ |
| Signaling adaptation | ✓ | ✓ | ✓ |
| IPv4/IPv6 support | ✓/– | ✓/– | ✓/✓ |
| VLAN support | – | ✓ | ✓ |
| MS Teams certification | – | – | ✓ |
| DevConnect support | ✓ | ✓ | ✓ |
| HTTP Reverse proxy [7] | – | – | ✓ |
| **Quality, Availability** | | | |
| Single server HA-resilience | – | ✓ | ✓ |
| Dual server geo-resilience | – | ✓ | ✓ |
| Alternate SIP routing | ✓ | ✓ | ✓ |
| RTCPMON support | ✓ | ✓ | ✓ |
| Media connection preservation | ✓ | ✓ | ✓ |
| RTP QoS events & alarms | ✓ | ✓ | – |

[1] IP Office does not have sufficient port/service separation for DMZ placement.
[2] External firewall should always be used.
[3] Limited IP Office Linux firewall.
[4] IP Office does not support AES-256 SRTP.
[5] IP500 V2 does not support TLS GCM ciphers.
[6] IP Office brute force login resistance should be disabled when routing via an SBC. ASBCE Call Walking feature may provide some resistance in certain situations.
If an SBC or SIP Application Level Gateway (ALG) is deployed, you must move some security measures from the IP Office to the SBC/ALG. The IP Office source IP address blacklisting should be disabled with the No User Source Number 'B_DISABLE_SIP_IPADDR'. The SBC/ALG black/white listing must be activated to compensate.
[7] IP Office Subscription provides HTTP reverse proxy for management only (RSS feature).
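
The note on disabling IP Office source IP address blacklisting behind an SBC/ALG can be illustrated with a simplified model, added here as an example and not Avaya code. It assumes the SBC relays signaling so the call server sees only the SBC's address; the class name, threshold and IP addresses are constructed and do not reflect IP Office's actual algorithm or defaults.

```python
from collections import defaultdict

MAX_FAILURES = 3  # constructed threshold, not an IP Office default


class SourceIpBlacklist:
    """Simplified model of a dynamic blacklist keyed on the packet's source IP."""

    def __init__(self, max_failures=MAX_FAILURES):
        self.max_failures = max_failures
        self.failures = defaultdict(int)
        self.blocked = set()

    def register(self, source_ip, password_ok):
        """Return 'blocked', 'rejected' or 'accepted' for one REGISTER attempt."""
        if source_ip in self.blocked:
            return "blocked"
        if password_ok:
            self.failures[source_ip] = 0
            return "accepted"
        self.failures[source_ip] += 1
        if self.failures[source_ip] >= self.max_failures:
            self.blocked.add(source_ip)
        return "rejected"


def simulate(attempts, sbc_ip=None):
    """Replay (client_ip, password_ok) attempts against a call server.

    With sbc_ip set, the SBC relays every request, so the call server
    sees the SBC's address as the source instead of the client's.
    """
    server = SourceIpBlacklist()
    return [server.register(sbc_ip or client_ip, ok) for client_ip, ok in attempts]


# Constructed traffic: three bad guesses from one host, then a legitimate user.
ATTEMPTS = [
    ("203.0.113.50", False),
    ("203.0.113.50", False),
    ("203.0.113.50", False),
    ("198.51.100.7", True),
]

if __name__ == "__main__":
    print("direct :", simulate(ATTEMPTS))
    print("via SBC:", simulate(ATTEMPTS, sbc_ip="10.0.0.5"))
```

In the relayed case the call server's blacklist ends up blocking the SBC itself, which is why the per-client black/white listing has to be enforced on the SBC/ALG, where the real client addresses are still visible.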