Alcatel-Lucent Enterprise Communication Solutions 2012 Offers Standard Offer Chapter 15 Security. July 2012 - Ed.01 Ref.: 8AL020033236TCASA\15


Copyright Alcatel-Lucent. All rights reserved. Passing on and copying of this document, use and communication of its contents not permitted without written authorization from Alcatel-Lucent.

Notice: While reasonable effort is made to ensure that the information in this document is complete and accurate at the time of printing, we cannot assume responsibility for any errors. Changes and/or corrections to the information contained in this document may be incorporated into future issues.

This document introduces the Alcatel-Lucent OpenTouch and OmniPCX Enterprise Communication Server, their products and features. All documents associated with this introduction cover most of the aspects of designing offers based on current manufacturer and business partner agreements. They include introductory explanations to position the offer in relation to client needs. References to in-depth documentation are indicated to direct you to product descriptions or product sites.

Who Should Use this Document?

As an introductory offer, this document can be used by Alcatel-Lucent vendors, clients, partners and associates involved with the implementation of Alcatel-Lucent systems.

2/47 Alcatel-Lucent Enterprise Communication Solutions

Table of contents

1 Global security view
  1.1 The user-centric security blueprint
  1.2 Applying the security blueprint
    Perimeter security
    Network access control
    Identity management
    Application security
    Mobile security
    Security management
2 PBX and applications security: core platforms
  2.1 Security features list overview
  2.2 Com server
    Linux OS advantages
    Linux: customized for the OmniPCX Enterprise
    VLAN segmentation
    Defense actions
    Access controls (passwords, filters, etc.)
    Internal security
    Network time protocol
    Log and Syslog files
  2.3 Media gateway
    Resistance against DoS attacks
    Separation of TDM and IP traffic
    Binaries signature check
  Voice mail application
  OmniVista 4760 / OmniVista 8770
    Password policy enforcement
    Back up and disaster recovery process
    Sending PKI (public key infrastructure)
  Alcatel-Lucent OmniTouch 8400 Instant Communications Suite
    Authentication
    High availability
  IP terminals
    Business continuity
    Anti-ARP spoofing
    Anti-ARP cache poisoning
    Protection against DHCP server intrusion
    Anti-MAC spoofing
    TFTP request check
    Connect message filtering
    Verification of binaries
    MMI protections
    PC port and traffic isolation
    802.1X
    SIP/TLS and SRTP
3 Network security
  VoIP firewall
  TeoZ (Alcatel-Lucent Applications Partner Program)
4 Security of configuration and management
  Authentication
    Communication server authentication
    OmniVista 4760/OmniVista 8770 authentication
    OmniTouch 8400 ICS authentication
  Securing management exchanges
    Secured SNMP
    Secured shell (SSH)
    Secured HTTP (HTTP over SSL)
    Secured legacy remote management
5 Communication security
  Protection against theft of service (toll fraud)
    Transfer protection
    Forwarding protection
    Protection on internal phones
    External call restriction
    Restricted access to a phone set
    Out of service option
    Discrimination calendar for external calls
    DISA (direct inward system access) protection control
    Calling line identification
    Call monitoring feature
  IP Touch security
    Encryption architecture
    Security modules
    MGSec
    Signaling and voice encryption on IP media gateway: SoftMSM
    IP Touch security in an ABC network
    Encryption compatibilities
    SIP/TLS support
  Verticals certification
    Payment card industry data security standard
    Health insurance portability and accountability
6 Antivirus software
  Antivirus software and the OmniPCX Enterprise
  OmniVista 8770-specific recommendations for anti-virus

1 Global security view

Securing communications for all voice and data applications, as well as employee mobility, is the key to supporting new business models and enabling a trusted dynamic enterprise that competes effectively in today's business environment. Security must become a positive enabler to drive business performance. To achieve this objective, enterprises must have a corporate-wide strategy, a security blueprint, that allows the enterprise to be open for business and, at the same time, provides a trusted environment. This requires a shift to a user-centric approach to security, delivered from within the network to protect networks, people, processes and knowledge.

1.1 The user-centric security blueprint

A user-centric security blueprint can enable a powerful shift to a trusted, dynamic enterprise. At the same time, enterprises manage risk, protect private data, and maintain compliance. With a security blueprint, enterprises can keep satisfying the demands of employees, business partners, and customers for always-on, always-available voice and data applications that can be accessed from anywhere and at any time. The blueprint looks at security for the enterprise as being delivered from within the network to protect networks, people, processes and knowledge. If abiding by the blueprint, the enterprise benefits from:

- A network that is user-aware, provides security for voice, data and mobility, and enables compliance with policy enforcement and audit
- People securely collaborating across organizational boundaries, leveraging business-to-business relationships, Web 2.0, and cloud computing without security-imposed human productivity barriers
- Processes that are agile, automated and always secured
- Knowledge in the form of protected private data, as well as secured knowledge sharing

The user-centric security blueprint prescribes a global, corporate-wide security infrastructure that provides a consistent, corporate-wide application of security.
1.2 Applying the security blueprint

If following a user-centric security blueprint, enterprises are positioned to leverage new business models made possible by Web 2.0, cloud computing and mobile communications technology. Applying this security blueprint for a trusted, dynamic enterprise requires an end-to-end approach to security. Enterprises must move beyond looking at point solutions that address specific security requirements for one area of the enterprise, to integrated solutions that enable the user-centric security blueprint. The figure "User-centric security deployment" offers a visual representation of the solution map that meets these objectives.

Deploying solutions complying with the user-centric security blueprint starts with gaining an understanding of what perimeter security exists within the enterprise. Moving along the path laid out by the blueprint, the next step is to examine the need for network access control solutions to ensure that adequate controls are in place to allow a user and/or a device onto the network. Fine-grained controls may be required to enable users to access the network resources and applications they want access to, once they have been accepted onto the network.

Once the voice and data fabric are secured and appropriate fine-grained controls are in place, the next consideration is to target directly specific applications that require extra special treatment. This is followed by solutions to protect the mobile user and mobile assets of the corporation, such as laptops.

1.2.1 Perimeter security

Choosing a perimeter security solution usually implies different choices according to the various types of enterprises. It is also greatly dependent on security strategy. If an enterprise prefers to follow a best-of-breed approach to threat management, then separate solutions are required for firewall/VPN, anti-virus, anti-malware and web filtering. If an integrated approach to threat management is preferred, then a unified threat management and firewall solution is attractive. If an enterprise has many independent branch offices, an integrated solution which includes routing functionality, referred to as a security router, is an approach to be considered. In today's network, a web application firewall is a must to protect web servers and web-facing applications. One overall consideration in controlling security operations costs is scalability and manageability of the perimeter solution chosen, especially for enterprises with many locations to protect.

1.2.2 Network access control

Network access control can be achieved by looking at several categories of solutions, starting with IP address management, which offers the ability to provide an address to devices connected to the network, followed by host integrity check solutions that ensure that it is safe to allow a device on the network, and ending with role-based access control solutions. Host integrity check solutions determine whether a device is configured in accordance with enterprise policy and contains no malware before the device is allowed onto the network. This is a must in any wireless environment where users connect devices to the network at will. Enterprises that have a stringent need to protect certain servers and applications, or are in highly regulated industries, should consider role-based access control solutions to provide the required controls with audit. These solutions can be deployed without having to re-configure networks on a physical level to achieve security requirements.

1.2.3 Identity management

Identity management is essential to user-centric security and starts with an enterprise-wide password management platform and directory server farm. Many organizations today will consider the move to some form of strong authentication based on certificates, coupled with two-factor identification of end users and devices. Providing a rich set of interface and control points to the voice and data fabric of the enterprise is key to the deployment of an Authentication, Authorization and Accounting (AAA) infrastructure. Of course, an enterprise-wide single sign-on capability is also important to provide an internal secured environment that remains enabling for employees.
With the move to Web 2.0 and cloud computing, the addition of a federated identity management capability may be necessary.

1.2.4 Application security

The deployment of new applications such as VoIP, the adoption of new business models leveraging Web 2.0 and the Cloud, and new compliance regulations create the need for security solutions that protect user activity with an understanding of the application being used by the end user. With the deployment of VoIP, it is important that the existing enterprise security can ensure that the new virtualized perimeter defense and possibly encryption requirements for VoIP are met. In the case of Web 2.0 and the Cloud, solutions that secure individual Web services and can act as a trusted intermediary with the Cloud are becoming a must-have for protecting enterprises. Solutions ensuring that enterprises are compliant with regulation in the processing of monetary transactions, and that control the cost of being compliant, are important to many enterprises.

Security enabling the reliability of IP telephony

Alcatel-Lucent is partnered with Thales, a major security player in the domain of Defense and Enterprises, in order to provide a high-performance encryption solution responding to real-time voice criteria (delay and commutation time). The IP Touch security solution brings:

- Secure download of binaries and configuration files in IP Phones and IP Media gateways
- The integrity of call control signaling (ensuring that messages have not been modified)
- The capability to encrypt call control signaling and voice flows

The equipment concerned with encryption includes:

- The range of communication servers (IPAS, IPRS, IPCS) and passive communication servers (PCS)
- The Media Gateways IP range (Common Hardware or Crystal)
- The IP Touch range (Alcatel-Lucent 8 series)
- IP Desktop Softphone application (software emulation of the Alcatel-Lucent IP Touch 4068 Phone set)
- OmniTouch 8600 MIC client (softphone)
- OmniTouch 8400 ICS servers (application servers and media servers)

IP Touch security is a commercial option of Alcatel-Lucent OmniPCX Enterprise Communication Server (both hardware and software).

1.2.5 Mobile security

Many enterprises today have employees that spend much of their working hours outside the enterprise perimeter using mobile computing devices such as laptops. Solutions for securing mobile laptops must address the concern of private information stored on them being lost or stolen, and also address the need to be able to configure laptops at any time.

1.2.6 Security management

Security management requires a number of platform choices covering performance and event management, patch management, vulnerability detection and compliance management. Solutions deployed for performance and event management must be able to install in a global enterprise, collect a rich set of data from the voice and data fabric, and provide a robust event response and escalation engine. Solutions for patch management must be able to integrate with enterprise platforms that manage mobility.

2 PBX and applications security: core platforms

Alcatel-Lucent provides mechanisms, tools and protocols to ensure a secure, fully-fledged global solution.

In-depth defenses

Global security of the information system within a company is based on:

- An individualized perception of the hardening of each component of the system (networks, servers, Com Servers, media gateways, etc.) supporting client applications
- Secure access to this system and filtering of the traffic going through the system (type of traffic expected, concepts of bandwidths allocated by reservation or by prioritization of the applications)
- Protection of the configuration of these elements (restricted access, definition of administrator rights)
- Protection of critical applications (confidentiality, integrity, availability)

In order to protect the core of the information system, company security is deployed on several levels. Each level, from the physical element to the deployed application, implements a specific function delaying access to confidential information for non-authorized parties. The OmniPCX Enterprise products and solutions are part of the global Alcatel-Lucent security policies and best practices framework (security-by-default strategy).

2.1 Security features list overview

Authentication
- IPBX server management
  o Local authentication database (password policy enforcement)
  o Remote authentication (RADIUS)
- Client/device (IP Touch) network access
  o IEEE 802.1X (MD5 and TLS)

Traffic filtering
- IPBX server
  o Trusted hosts file
  o TCP wrapper function
- Client/device (IP Touch)
  o ARP spoofing protection
  o PC port switch VLAN filtering

Encryption
- IPBX server configuration mode
  o SSHv2 for secure sessions (Telnet, FTP, etc.)
  o SSLv2/v3 for secure HTTP session
  o SNMP v1/v2c/v3 for complete NMS integration
- Client/device (hardphone and softphone) confidentiality (signaling protocol and media)
  o IPSEC and Secure RTP (AES 128 bits)
  o SIP TLS and Secure RTP (AES 128 bits) for NOE/SIP

Integrity
- Media gateway and IP Touch binaries signatures

System maintenance and access
- Dual port (hot standby mode)
- Local and remote logging (Syslog)
- Serial console port for local and remote (call back modem dialup) access
- Network time protocol (NTP) server and client for network-wide time synchronization

User authorization to communication services
- Call monitoring feature with OmniVista 8770 and OmniVista 4760
- Internal toll fraud protection by class of services
- Definition of PIN codes for business or personal calls
- Restricted access for transfer/forwarding barring categories
- Secure access to direct inward system access (DISA) function

2.2 Com server

The operating system used by the Alcatel-Lucent OmniPCX Enterprise Communication Server is based on Linux (kernel ). Historically, the open nature of the Linux source code has allowed the Linux community to audit operating system development and solve potential security problems before they become actual problems on customer systems.
Alcatel-Lucent has invested the time and effort to further harden the Linux operating system environment for OmniPCX Enterprise use.

Linux OS advantages

The advantages that make Linux one of the most stable and secure operating systems available as a free operating system include:

- Source code that is fully open in terms of kernel and utilities: there is no "security by obscurity"
- A large and active developer base that ensures constant security auditing of the source code
- The massive worldwide user base for Linux, which ensures that each aspect of Linux security is tested within a vast range of different computing environments on all kinds of hardware
- The on-going development of Linux, which ensures that it stays on the cutting edge of many Unix security developments

Linux: customized for the OmniPCX Enterprise

As part of Alcatel-Lucent's hardening of the Linux operating system, all non-essential software has been removed from the Alcatel-Lucent customized version of the OS. The advantages include reducing:

- The distribution size (the Alcatel-Lucent package is 50 MB while the public version is 700 MB)
- The potential security risks imposed by the excess software

Although Alcatel-Lucent has eliminated over 85% of the standard Linux core distribution, several optional features remain within the Alcatel-Lucent distribution. Only those services that are vital for operation are enabled by default. For example, telnet remains within the Alcatel-Lucent distribution of Linux, but is disabled by default because it is unsecured, and is replaced by SSH. There are no Graphical User Interface (GUI) environments such as X11, KDE or Gnome. There are no resource tools for remote file and print sharing available in the Alcatel-Lucent distribution. Features such as LPR, NFS and Samba (Microsoft compatible) are not present in any form.

VLAN segmentation

For the highest possible levels of security, Alcatel-Lucent strongly recommends segmentation between voice and data networks. In this way, strong security methodologies and perimeter controls can be used to ensure the integrity of both environments. For Quality of Service, ease of management and security reasons, voice and data traffic should be logically separated. From a security perspective, separating traffic into different Ethernet broadcast domains provides better DoS resilience and allows for the establishment of strong boundary security practices. In addition to the VLAN segmentation, and if information exchanges are necessary between the different logical networks, a security policy should be deployed to control the flows between VLANs using Access Control Lists.
This security policy can be based on the addresses of end-users, the IP flows used by these end-users, or VLAN identities. For more information about VLAN segmentation and descriptions of assignment, see module More Information - Additional IP Services - Automatic VLAN Assignment (AVA).

Defense actions

Defenses against Denial-of-Service (DoS) attacks

The Com Server is hardened to resist attacks by broadcast flooding. An internal defense mechanism allows for a minimum reservation of processor power to the primary function of the Com Server: call handling. For each release, test campaigns are systematically carried out to address all categories of attack. Alcatel-Lucent Enterprise Solutions Division has implemented the set of security tools recommended by the Corporate Alcatel-Lucent Network Security Group to audit, test and harden the products, and track potential issues.

Defenses against erroneous data attacks: tools generating Teardrop, Timeout, Land and Ping of Death attacks, together with the Nessus suite, are used to address the most famous denial of service (DoS) attacks. Part of the test campaign is also based on tools (built by companies like Codenomicon) for verifying the implementation and the resilience of protocols such as H323, SIP, etc. Regarding packet storm or flooding attacks, various tools generating TCP floods (SYN, ACK, FIN, URG, RST, PSH), Ping floods, Echo Reply floods, Bad TTL floods and broadcast storms are used. All audit results are analyzed by the Alcatel-Lucent R&D department. For instance, critical issues reported in Nessus results are corrected in maintenance releases of the OmniPCX Enterprise. Independent consultants (Miercom) have already tested our solutions, including the security aspects. For example, using similar tools they confirmed Alcatel-Lucent's results concerning DoS attacks.

For more information in connection with the Media Gateway, see Media gateway. For more information about IP terminal protection, see IP terminals.

Access controls (passwords, filters, etc.)

Our ToIP application is installed on a customized Linux system. The number of generic system accounts is reduced to the minimum, and some specific system accounts used to access functions of our application are automatically created at installation.
The following table provides a summary of available system accounts after installation:

Name     Function                                   Origin           Creation     Login               FTP
root     Superadmin account                         Linux            by default   YES (console only)  NO
bin      Owner of several binaries                  Linux            by default   NO                  NO
daemon   Owner of /var/spool/at                     Linux            by default   NO                  NO
ftp      Anonymous FTP access                       Linux            by default   NO                  YES
httpd    HTTP owner                                 Linux            by default   NO                  NO
nobody   Owner of TFTP daemon                       Linux            by default   NO                  NO
ppp      Setup IP link on V24                       Linux            by default   NO                  YES
swinst   Software installation and configuration    Alcatel-Lucent   by default   YES (console only)  YES
mtcl     Maintenance and configuration              Alcatel-Lucent   by default   YES                 YES
adfexc   File transfer with OmniVista 8770          Alcatel-Lucent   by default   NO                  YES
client   Limited maintenance access                 Alcatel-Lucent   optional     YES                 YES

The "client" account, not present by default, can be optionally created. Shell access and FTP access are restricted to some accounts. Only the system accounts present in this table are available. No new account can be created. As a result, the use of shared system IDs for logging in to the Com Server is mandatory.

Note: Certain accounts that were available in previous releases, but are unnecessary for system operations, have been suppressed in order to restrict unauthorized access by a backdoor. These accounts include mtch, adm, halt, sync, shutdown and install.

Security by default design

During the initial installation of the product, security is activated and password configuration in the system (account access) is forced into operation by default. The customer takes the responsibility for changing the user passwords (root, mtcl, swinst, and adfexc).

Expiring passwords

The expiration of passwords is activated. The "time to live" of passwords can be configured with a maximum of 999 days before access to the account is blocked by the system. Five days before the expiration date, a warning stating that "the password will expire in x days" is displayed at each login.

Password policy

Minimum length: the new password must be made of a minimum of 8 characters (lower or upper case letters, figures, punctuation signs)
Comparison between the new password and previous ones: the new password must be different from the last three passwords, and at least half of its characters must be different from the last used password
Maximum useful life: from 11 to 999 days
Warning before expiration time: 5 days (for each login)
Maximum number of failed authentication attempts: 3

Note: It is not possible to use the "root" access directly from telnet.
Access is only available via a direct console port, and the user must be physically on the site.

Disabling account

A quarantine mechanism can be configured by the administrator to block access to a system account for a short period of time (15 seconds) when the maximum number of failed authentication attempts (3 by default) is reached. This mechanism is a protection against brute-force attacks.

Note: At login, if there is no user action for 300 seconds, the session is stopped.
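The account rules above (minimum length, history comparison, password lifetime with its warning window, and the failed-attempt quarantine) interact in ways worth seeing together. The following is an added illustration, not Alcatel-Lucent code: the parameter values come from the page, while the function names and the positional reading of "half of the characters must be different" are assumptions of this example.

```python
"""Added example (not Alcatel-Lucent code): a model of the Com Server account
rules described above, to show how the stated parameters interact.
Rules taken from the page: minimum 8 characters; different from the last 3
passwords; at least half of the characters different from the last password;
lifetime between 11 and 999 days with a warning 5 days before expiry;
3 failed attempts trigger a 15-second quarantine of the account.
Assumption of this example: "half of the characters different" is checked
position by position against the previous password."""

from __future__ import annotations

from dataclasses import dataclass

MIN_LENGTH = 8
HISTORY_DEPTH = 3
MIN_LIFETIME_DAYS, MAX_LIFETIME_DAYS = 11, 999
WARNING_DAYS = 5
MAX_FAILED_ATTEMPTS = 3
QUARANTINE_SECONDS = 15


def check_new_password(candidate: str, history: list[str]) -> list[str]:
    """Return the policy violations for a proposed password (empty list = accepted).

    history is ordered most recent first; only the last HISTORY_DEPTH entries count.
    """
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if candidate in history[:HISTORY_DEPTH]:
        problems.append(f"identical to one of the last {HISTORY_DEPTH} passwords")
    if history:
        # Assumed interpretation: positional comparison with the last password;
        # characters beyond the old password's length count as different.
        same = sum(1 for new, old in zip(candidate, history[0]) if new == old)
        if 2 * same > len(candidate):
            problems.append("fewer than half of the characters differ from the last password")
    return problems


def expiry_status(age_days: int, lifetime_days: int) -> str:
    """Classify a password of the given age under the configured "time to live"."""
    if not MIN_LIFETIME_DAYS <= lifetime_days <= MAX_LIFETIME_DAYS:
        raise ValueError(f"lifetime must be between {MIN_LIFETIME_DAYS} and {MAX_LIFETIME_DAYS} days")
    remaining = lifetime_days - age_days
    if remaining <= 0:
        return "blocked"            # account access is blocked by the system
    if remaining <= WARNING_DAYS:
        return f"the password will expire in {remaining} days"  # shown at each login
    return "ok"


@dataclass
class AccountGuard:
    """Failed-login counter for one system account with the quarantine mechanism."""
    failures: int = 0
    quarantined_until: float = 0.0

    def attempt(self, password_ok: bool, now: float) -> str:
        """Process one login attempt at time `now` (seconds) and return the outcome."""
        if now < self.quarantined_until:
            return "quarantined"    # even a correct password is refused while blocked
        if password_ok:
            self.failures = 0
            return "accepted"
        self.failures += 1
        if self.failures >= MAX_FAILED_ATTEMPTS:
            self.failures = 0
            self.quarantined_until = now + QUARANTINE_SECONDS
            return "quarantined"
        return "rejected"


if __name__ == "__main__":
    old = ["Winter2012!", "Autumn2012!", "Summer2012!"]   # constructed history
    print(check_new_password("Winter2013!", old))          # too close to the last one
    print(check_new_password("Spring2012#", old))          # accepted: []
    guard = AccountGuard()
    print([guard.attempt(False, t) for t in (0.0, 1.0, 2.0)], guard.attempt(True, 5.0))
```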

Shadow passwords

On a Linux system without the Shadow Suite installed, user information (including passwords) is stored in clear text in the typical /etc/passwd file. With the Shadow Suite, the MD5 algorithm hashes all passwords and stores them in a specific file, /etc/shadow, with restricted access rights. Although not altogether impossible, it is very difficult to take a randomly encoded password and recover the original one.

Internal security

Internal security measures include:

- Shadow passwords
- Trusted Hosts
- TCP Wrapper

Trusted hosts

The trusted hosts function isolates the OmniPCX Enterprise network interface from the LAN. When an IP device is not explicitly registered, no dialog (incoming or outgoing) is allowed between this IP device on the network and the Com Server via Ethernet. All IP routes are deleted, including default routes. When the trusted hosts function is configured to cater for several trusted IP devices, an IP static route is created for each IP device. The trusted hosts are the IP phones, media gateways, network management stations, etc. The hostname field contains the name of the trusted hosts from which remote access is possible. Enabled by default, this security feature allows the customer to deny remote access for unfamiliar IP devices to the CPU supporting the Com Server. There are two trusted hosts groups: those connected to Ethernet interfaces and those connected to other links (SLIP, PPP). Configuration is performed using a specific menu (within the Netadmin tool) which specifies a list of trusted hosts (and their IP addresses). On Linux operating systems, the file /etc/hosts.equiv lists the hosts of the network trusted by your computer; this is your trusted hosts file. This file consists of one column with the hostname or the IP address of each trusted device.
It is possible to declare a range of IP addresses (for IP phones) in the trusted hosts file.

TCP Wrapper

TCP Wrapper is a public domain tool that provides filtering services for Linux or Unix servers. When an unprotected Linux computer is connected to a network, the computer's system is exposed to other computer users connected to the network. A hacker can determine which users are logged on to a given server, and may also be able to find out the identities of individual computers. The hacker can then determine when a workstation is likely to be idle, and access and use that workstation while it is unattended.

TCP Wrapper Firewall Capability

TCP Wrapper operates by intercepting and filtering incoming requests for network services. For example, if an external host attempts to use the FTP service, TCP Wrapper checks to see whether that external entity is authorized to transfer files. If it is authorized, then access is permitted; if not, access is denied.
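The trusted hosts layer and the TCP Wrapper layer are two filters in series: a device must first be registered (as an address or a range) before any service check applies. The following added model, not Alcatel-Lucent code, runs both layers over a constructed trusted hosts list; the service profiles are the ones listed under "TCP Wrapper IP Security" below, while the file layout, the profile column and the function names are assumptions of this example rather than the Netadmin format.

```python
"""Added example (not Alcatel-Lucent code): a model of the two access-control
layers described above. Layer 1 (trusted hosts): only IP devices registered in
the trusted hosts list, as single addresses or as a range for the IP phones,
get a static route and may exchange traffic with the Com Server; every other
device is dropped. Layer 2 (TCP Wrapper): each trusted host is bound to a
profile that lists the services it may reach.
The profile contents are those listed in the TCP Wrapper IP Security
subsection; the file layout, the profile column and the function names are
assumptions of this example, not the Netadmin format."""

from __future__ import annotations

import ipaddress

# Service profiles as listed on the page (service names lower-cased).
PROFILES = {
    "voip":   {"tftp"},
    "47xx":   {"ftp", "telnet", "netaccess", "saverrest"},
    "cpu":    {"shell", "ftp", "telnet", "tftp", "rlis", "saverrest", "builddistant", "loaddistant"},
    "router": set(),
}

# Constructed trusted hosts list: "<address or CIDR range> <profile>" per line.
TRUSTED_HOSTS = """\
# IP phones (a range, as the page allows for IP phones)
192.168.10.0/24 voip
# management station (OmniVista)
192.168.20.5 47xx
# other Com Server CPU
192.168.20.2 cpu
# WAN router: trusted host, but no service allowed
192.168.20.1 router
"""


def parse_trusted_hosts(text: str) -> list[tuple[ipaddress.IPv4Network, str]]:
    """Parse the constructed file into (network, profile) pairs; reject unknown profiles."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        address, profile = line.split()
        if profile not in PROFILES:
            raise ValueError(f"unknown profile {profile!r} for {address}")
        entries.append((ipaddress.ip_network(address, strict=False), profile))
    return entries


def static_routes(entries) -> list[str]:
    """Trusted hosts mode deletes every route (default route included) and keeps one
    static route per trusted entry; return those routes as CIDR strings."""
    return [str(network) for network, _ in entries]


def decide(entries, source_ip: str, service: str) -> tuple[str, str]:
    """Filter one inbound request: ('deny', reason) or ('allow', profile)."""
    ip = ipaddress.ip_address(source_ip)
    for network, profile in entries:
        if ip in network:
            if service.lower() in PROFILES[profile]:
                return ("allow", profile)
            return ("deny", f"{service} is not in profile {profile}")
    return ("deny", "not a trusted host, no route exists to this device")


def inhibit_remote_login(profiles: dict[str, set[str]]) -> dict[str, set[str]]:
    """Apply the page's recommendation: inhibit telnet and login in every profile."""
    return {name: services - {"telnet", "login"} for name, services in profiles.items()}


if __name__ == "__main__":
    hosts = parse_trusted_hosts(TRUSTED_HOSTS)
    print("static routes:", static_routes(hosts))
    for src, svc in (("192.168.10.77", "tftp"), ("192.168.10.77", "telnet"),
                     ("192.168.20.1", "ftp"), ("10.0.0.9", "tftp")):
        print(src, svc, decide(hosts, src, svc))
```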

TCP Wrapper IP Security

TCP Wrapper, embedded on our system, provides enhanced security for IP services. It logs and controls access for many IP services (such as FTP, telnet, shell, login, and TFTP) and services relating to the OmniPCX Enterprise (save-restore, audit, etc.). For each IP device defined in the list of trusted hosts, the customer must specify each IP application that is allowed remote access. It is possible to assign a profile that contains a minimum list of services for use in the OmniPCX Enterprise. The available profiles are:

- VoIP resources (IP-Phone, INTIPA/INTIPB, GA, GD, and LIOE): only TFTP is allowed
- 47XX (management): FTP, Telnet, Netaccess, Saverrest are allowed
- CPU: Shell, FTP, Telnet, TFTP, Rlis, Saverrest, Builddistant, Loaddistant are allowed
- Router: no service is allowed

Only the "super user" is allowed to configure TCP Wrapper. When configuring security parameters, the manager must log in as "root".

Note: Unlike TCP Wrapper, the trusted hosts function is not available with a PPP link.

Alcatel-Lucent recommends that telnet and login services are inhibited via TCP Wrapper to avoid reaching a host on the LAN.

Network time protocol

The need for synchronized time is critical for today's network environments. As organizations grow and the network services they provide continue to increase, the challenges involved with providing accurate time to their systems and applications also increase. Every aspect of managing, securing and debugging a network involves determining when events occur. Time is the critical element that allows an event on one network node to be mapped to a corresponding event on another by using a log. In many cases, these challenges can be overcome by deployment of the NTP service. NTP (RFC 1305) is an Internet protocol used to synchronize the clocks of devices to a designated time reference, providing the benefits of a standards-based time and the synchronization of logs and traps.
The clocking information is synchronized via UTC (Universal Time Coordinated). The NTP service is based on a client-server architecture where a server provides clocking information to multiple clients over an IP network. The OmniPCX Enterprise can operate as an NTP server or client in order to provide or get clocking information.

Log and Syslog files

Log files

Log files are available for several OmniPCX Enterprise applications/system operations:

- Storage of all management operations performed on the Com Server (Syslog mechanism)
- Storage of telephonic database updates
- Storage of communication costs
- Storage of OmniPCX Enterprise applications "incidents"

Syslog file for intrusion management

With the security-by-default mechanism, Syslog support is enabled on the Com Server. It registers all network events as part of the process to prevent security issues. All events regarding the kernel, the network interface, login, etc. monitored by the Linux system are distributed by origin and severity in files located in the directory /var/log (e.g. messages, secure, auth.log, etc.). The Syslog files keep records or logs relating to:

- Connections (who is connected, and at what time)
- Unauthorized attempts to enter the system
- History of the system commands used
- Kernel and registration of the daemons used on devices

No user interface is available via swinst or netadmin to access these files. The only way to read or modify them is via Linux commands such as vi or more. To avoid congestion on the disk caused by these files, an automatic mechanism rotates log files. They are compressed and renamed by this mechanism. The rotation schedule is weekly and/or when the file exceeds 500 Kb (before compression).

2.3 Media gateway

Resistance against DoS attacks

There is no operating system that can be exploited for this purpose on interface boards or media gateway controllers. These include only function-specific Linux micro-kernels. Flood limiting is similar to the protection provided by Alcatel-Lucent IP Phones. The TSC-LIOE, LIOE, INTIP, IOIP, GD and GA boards are designed to identify excessive Ethernet broadcast traffic rates, and ignore all broadcast traffic in excess of 300 pps. If an OmniPCX Enterprise IPMG interface receives traffic in excess of 300 pps, only the first 300 packets will be accepted.

Separation of TDM and IP traffic

IP networking functions are completely isolated from voice and signaling transport contamination.
No service has been implemented (by Alcatel-Lucent or any third party) in OmniPCX Enterprise media gateway devices that would allow user access from TDM resources (ISDN, PSTN, analogue trunk, etc.) to IP networking resources within the IP Media Gateway. The only services supported through the TDM trunking interfaces to IP are: Tunneling of trunk signaling protocols Tunneling of trunk signaling protocols (ISDN, CAS, etc.) is handled via the Com Server through IP, where they are processed by the call handling application. Call processing of the Com Server is an automated function dedicated to specific signaling packets. All the packets that are not in strict compliance with the Alcatel-Lucent specification are discarded. Media (voice) is encapsulated into RTP streams 17/47 Alcatel-Lucent Enterprise Communication Solutions

The destination of RTP streams is under the control of the Com Server and can only reach RTP-compliant devices, which excludes standard PCs (with the possible exception of IP softphones).

e-Remote Maintenance application

The e-Remote Maintenance application provides network administrators with the ability to access and manipulate IPMG resources remotely. This optional feature can terminate inbound calls to the local console interface, but does not allow for any PPP/SLIP type of remote access.

Primary IPMG functions

In addition to the above, it is important to remember the primary functions performed by the IPMG:
- IP Media Gateways can host public and private TDM trunking interfaces (e.g. PRA boards) which are only capable of processing signaling protocols (ISDN, QSIG, etc.) and transferring voice streams to and from the TDM backplanes of the IPMG.
- IP Media Gateways can host VoIP interface/resource boards that are solely able to process signaling protocols (H323, H245, H225, SIP, RAS, etc.) and transfer voice streams to and from the LAN.

Hard barrier between TDM and IP within the IPMG

The Linux micro-kernels of Alcatel-Lucent IP Media Gateway VoIP boards offer a link between the circuit-switched and packet-switched realms. This means that a hard barrier exists between the TDM and IP halves of the IPMG, which only voice media and call control signaling can go through, only in the form of payload and not as an interactive element of the communication. There is no IP routing, IP forwarding, or ICMP redirect between the TDM and IP portions of the IPMG. For security reasons, remote IP console (telnet) sessions to GD boards of IP Media Gateways are only available from the Com Server.

Vulnerability advisories

Security is not only a set of features in a product but also a continuous corporate process to track vulnerabilities. Alcatel-Lucent is a founding and active member of CERT-IST and of mailing lists such as Bugtraq. A corporate-level Incident Response Team is in charge of tracking vulnerabilities issued by the CERT community. The Incident Response Team also ensures that proper actions have been taken at the product-line level to analyze, evaluate impact on products, fix vulnerabilities and keep distributors and customers informed. For example, in 2006 approximately 546 alerts were brought to our R&D for the whole group of our enterprise products.

Logging and accounting

All management operations performed by an administrator are stored in a dedicated log file. This ensures the traceability and accountability required by many official rules (e.g. Sarbanes-Oxley in the finance business). Thanks to external RADIUS authentication, the administrator is identified by their corporate identity, which is carried into the log file. All logs are timed with the Network Time Protocol (NTP) service. Information in the log files can therefore be cross-matched between several systems. It is also possible to activate on-the-fly transmission of the log files to an external secured server. For more information about NTP, see Network time protocol.
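The 300 pps broadcast limit described in 2.3.1 above, as an added example rather than Alcatel-Lucent code: a per-interface limiter that counts only broadcast frames, passes the first 300 of each one-second window and drops the rest. The fixed-window model, the type names and the frame addresses are assumptions made for the demo.

```go
package main

import (
	"bytes"
	"fmt"
	"time"
)

// BroadcastLimitPPS is the rate stated in the offer text for IPMG boards.
const BroadcastLimitPPS = 300

var broadcastMAC = bytes.Repeat([]byte{0xff}, 6)

// FloodLimiter models one interface: at most `limit` broadcast frames are
// accepted per one-second window; unicast frames are never counted.
// Assumption: windows are fixed and start with the first broadcast frame
// seen after the previous window expired.
type FloodLimiter struct {
	limit       int
	windowStart time.Time
	count       int
	Accepted    int // broadcast frames passed on
	Dropped     int // broadcast frames discarded
}

func NewFloodLimiter(limit int) *FloodLimiter {
	return &FloodLimiter{limit: limit}
}

// IsBroadcast checks the destination MAC (first 6 bytes of the frame).
func IsBroadcast(frame []byte) bool {
	return len(frame) >= 6 && bytes.Equal(frame[:6], broadcastMAC)
}

// Accept reports whether a frame arriving at `now` is forwarded.
func (l *FloodLimiter) Accept(frame []byte, now time.Time) bool {
	if !IsBroadcast(frame) {
		return true
	}
	if l.windowStart.IsZero() || now.Sub(l.windowStart) >= time.Second {
		l.windowStart = now // open a new one-second window
		l.count = 0
	}
	if l.count >= l.limit {
		l.Dropped++
		return false
	}
	l.count++
	l.Accepted++
	return true
}

// ConstructedFrame builds a minimal Ethernet frame (dst, src, EtherType,
// dummy payload) for the demo; the source address is made up.
func ConstructedFrame(dst []byte) []byte {
	src := []byte{0x00, 0x80, 0x9f, 0x01, 0x02, 0x03}
	f := append([]byte{}, dst...)
	f = append(f, src...)
	f = append(f, 0x08, 0x06) // EtherType ARP, typical broadcast traffic
	return append(f, bytes.Repeat([]byte{0}, 28)...)
}

// RunBurst feeds n broadcast frames spaced `gap` apart starting at t0 and
// returns how many the limiter accepted.
func RunBurst(l *FloodLimiter, n int, t0 time.Time, gap time.Duration) int {
	accepted := 0
	bcast := ConstructedFrame(broadcastMAC)
	for i := 0; i < n; i++ {
		if l.Accept(bcast, t0.Add(time.Duration(i)*gap)) {
			accepted++
		}
	}
	return accepted
}

func main() {
	l := NewFloodLimiter(BroadcastLimitPPS)
	t0 := time.Date(2012, 7, 1, 12, 0, 0, 0, time.UTC)
	got := RunBurst(l, 1000, t0, time.Millisecond) // 1000 frames inside one second
	fmt.Printf("accepted %d of 1000 broadcast frames, dropped %d\n", got, l.Dropped)
	unicast := ConstructedFrame([]byte{0x00, 0x80, 0x9f, 0xaa, 0xbb, 0xcc})
	fmt.Println("unicast passes during the flood:", l.Accept(unicast, t0.Add(500*time.Millisecond)))
}
```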

2.3.3 Binaries signature check

Embedded in the OmniPCX Enterprise product is a mechanism that can be used on IP Media Gateways to control the integrity of binaries received from the TFTP server at initialization. When a new binary is produced by Alcatel-Lucent for the IP Media Gateway, it is signed with a specific Alcatel-Lucent private key. When the IP Media Gateway receives its binary through TFTP, it first checks the integrity of the file with the corresponding Alcatel-Lucent public key (mechanism based on SHA1 and ECC 384 bits). If this check fails, the new binary is ignored and the IP Media Gateway starts with the previous verified binary stored in its flash memory.

2.4 Voice mail application

The OmniTouch 8440 MS solution provides several security features to ensure protection of both system and user data managed by the system. The voice mail system is based on a hardened Red Hat Enterprise 5.0 Linux OS. It can be configured with the high availability feature (N+1 mode). Administrators can backup/restore system and user data. Administration is secured by a specific protocol (HTTPS). Verified authentication of users can be configured with an external authentication server (RADIUS). The OmniTouch 8440 MS solution is compatible with the IP Touch Security feature to provide encryption of user communications to voice mailboxes.

2.5 OmniVista 4760 / OmniVista 8770

Both the OmniVista 4760 and the OmniVista 8770 are designed to address specific security issues for administration applications. Their architecture is based on a server/client model. The client is hosted on a PC to allow creation and modification of configuration settings. It connects to the server through secured IPSec channels.

2.5.1 Password policy enforcement

Authentication of administrators and users (to access directory information, for example) is required with a login and password. This is made more reliable by strictly conforming to standard security policies such as:
- Control on password minimum length, forbidding trivial passwords, remembering previous passwords, forcing the change of a password at first login
- Password aging (expiration time, minimum time, warning before expiration)
- Automatic blocking of a user account after several failed authentication attempts

These features are available on the server of the OmniVista 4760 or the OmniVista 8770 and are provided by the Sun One directory. Password verification can also be performed with an external RADIUS server.

2.5.2 Backup and disaster recovery process

Critical information such as system configuration, phone book, call accounting tickets, etc. is regularly saved in a database. This data can be archived automatically on a daily basis on the OmniVista 8770 platform, so as to:
- Enable automatic report generation on billing and network performance

- Store up-to-date data enabling fast and smooth recovery in case of disaster

RAID array and optical disk storage can be used for this backup. Up to four release and configuration combinations can be stored to offer rapid roll-back recovery from upgrade/modification failures.

2.5.3 Sending e-mail

OmniVista 8770 can send alarms, reports or accounting file monitoring notifications to an e-mail server by specifying the name (or IP address) of the server to be used for this transmission. There is no need to grant the OmniVista 8770 services rights to use specific e-mail accounts for transmission.

2.5.4 PKI (public key infrastructure)

On the OmniVista 8770, you can use the PKI solution provided by Alcatel-Lucent. It is an enterprise-class PKI Certificate Authority built on JEE technology. This feature allows the customer to create his own certificates to replace the default certificates embedded on our platforms such as IP Phones. In the Alcatel-Lucent environment, certificates can be used to provide mutual authentication between end devices and servers. In general, a PKI can be used to issue certificates for different purposes such as:
- Strong authentication for users accessing your intranet/extranet/internet resources
- Secure communication with SSL servers and SSL clients
- Signing and encrypting e-mail
- Client VPN access with certificates in users' VPN clients
- Single sign-on by using a single certificate to secure logon to web applications
- Creating signed documents
- And many more

2.6 Alcatel-Lucent OmniTouch 8400 Instant Communications Suite

Alcatel-Lucent OmniTouch 8400 Instant Communications Suite (ICS) is a suite of software applications to improve real-time communications across the enterprise. OmniTouch 8400 ICS provides unified messaging, audio/data and video conferencing, personal routing, instant messaging (IM), sophisticated softphone capabilities, universal directory access and presence information.

2.6.1 Authentication

Single sign-on through NTLM/Kerberos

With Single Sign-On (SSO), a single user authentication and authorization allows access to all the systems for which this user has access permission. There is no need to enter multiple logins/passwords. SSO reduces human error, a major component in system failures, and is therefore highly desirable. NTLM (NT LAN Manager) is an authentication protocol used in various Microsoft network protocol implementations and supported by the NTLM Security Support Provider. This feature applies to Telephony/One Number/Messaging services.

External RADIUS and LDAP authentication

RADIUS implemented in OmniTouch 8400 ICS provides a strong central server authentication mechanism for users (and system administrators). For redundancy and high availability purposes, a secondary RADIUS server may be defined, should the primary RADIUS server fail. OmniTouch 8400 ICS can authenticate users based on an existing LDAP server with existing user accounts.

2.6.2 High availability

The operating system used for Alcatel-Lucent OmniTouch 8400 Instant Communications Suite servers is Red Hat Enterprise. This OS provides a native redundancy mechanism based on cluster duplication and allows an "n+1" backup for OmniTouch 8400 ICS servers:
- "n+1" redundancy for the standard package (Telephony/One Number/Messaging services)
- An additional "n+1" redundancy capability for the Teamwork service

2.7 IP terminals

2.7.1 Business continuity

Service continuity is offered on IP Touch EE in case of IP failure: the IP Touch is able to maintain the active communication even if the connection with the Communication Server fails.
- The communication is maintained until either the user or the remote party hangs up
- When the Com Server is lost, the user is able to handle the audio: HP+/HP-, mute/un-mute, voice mode switch (handset, hands-free, headset)
- An error message is displayed on the phone screen
- After call completion (hanging up by caller or callee), the IP Touch restarts and registers automatically to either a PCS (in NOE mode) or an AudioCodes SIP survival gateway (in SIP mode)

2.7.2 Anti-ARP spoofing

Alcatel-Lucent IP terminals can identify multiple (differing) ARP replies, which can indicate an attack. After detection, the IP Touch logs information about potential attacks (MAC address, IP addresses, time) and sends an incident to the Com Server. This information is passed from the Com Server to OmniVista 4760 or OmniVista 8770 platforms for administrator notification (through an SNMP trap). The phone set also starts a temporary (60 seconds) quarantine for the concerned IP address, meaning that any packet originating from this address is rejected by the set.

2.7.3 Anti-ARP cache poisoning

Alcatel-Lucent IP terminals only update their internal ARP tables after they have initiated an ARP request. An Alcatel-Lucent IP terminal will reject any ARP reply that is not offered in direct response to an ARP request made by itself. Gratuitous ARP replies are ignored by Alcatel-Lucent IP terminals, thus eliminating this attack threat.

2.7.4 Protection against DHCP server intrusion

When the DHCP client starts up, it sends a DHCP discover frame to find a DHCP server. If the IP Touch set is configured in Alcatel Dynamic (DHCP option) mode, the DHCP server must provide an offer containing the specific vendor option "alcatel.a4400.0" (offer provided by an Alcatel-Lucent DHCP server). This vendor option allows the IP Touch set to select the true customer DHCP server (Com Server) and to ignore the intruding DHCP server (which does not know this vendor ID).

2.7.5 Anti-MAC spoofing

This is an additional control on the Com Server. At the end of IP Touch set initialization, the Com Server requests its MAC address in a specific message. When returned by the set, it is compared to the MAC address previously given by the IP Touch in its startnoe message. If the MAC addresses do not match, a reset order is sent by the Com Server to the set.

2.7.6 TFTP request check

During its initialization, the first action performed by an IP Touch set is to send a TFTP request (to an internal TFTP server) that contains the MAC address of the set. The Com Server checks that a signaling link is not already established with a set with this MAC address. If this is the case, an attack could be under way, where the hacker tries to spoof the identity of an existing set (based on its MAC address). The Com Server reacts by rejecting the rogue TFTP request.

2.7.7 Connect message filtering

At initialization, an IP Touch set receives a Connect message from the Com Server initiating a control link between the two elements. It is critical to ensure at this time that it is the Com Server that has sent this message, to avoid possible man-in-the-middle attacks where the phone set could be controlled by a rogue server. To protect the IP Touch set, the source IP address of the Connect message is compared to the actual Com Server IP address received previously in the configuration file. If the IP addresses do not match, the Connect message is refused.

2.7.8 Verification of binaries

IP Touch phones use the TFTP protocol to download new binaries at initialization. Prior to being used, binaries are checked by the set based on their CRC checksum. If the verification fails, the IP Phones keep their existing binaries. Another level of binary check is provided, based on the Alcatel-Lucent public/private key feature. IP Touch binaries are digitally signed at production time with a specific Alcatel-Lucent private key. Based on the corresponding public key, the IP Touch set is able to check the integrity of files before starting to use them (this is the default behavior with Extended Edition telephone sets).

2.7.9 MMI protections

The Man Machine Interface control is a mechanism to restrict access to the configuration of IP Touch terminals. Passwords are managed by the Com Server to restrict entry into the local configuration menu with a password (6 to 12 characters). The global password is the same for all terminals. All local terminal menus and data are protected in a "secure" zone of their flash memory. The only method of disabling this protection is to reset the phone locally to default factory settings.
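The binary verification of 2.3.3 (ECC 384-bit signature over SHA1) and 2.7.8 (CRC check, then signature) carried through in one added example, not Alcatel-Lucent code: a production-side signing step, a device-side check that tries the CRC first and the signature second, and a boot routine that keeps the previously verified image when either check fails. The CRC-32 choice, the image container and all names are assumptions; the vendor key is generated on the fly for the demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha1"
	"errors"
	"fmt"
	"hash/crc32"
)

var (
	ErrCRC       = errors.New("crc check failed: corrupted download")
	ErrSignature = errors.New("signature check failed: not signed by the vendor key")
)

// SignedImage is a constructed container for a binary plus its protection data.
type SignedImage struct {
	Version string
	Binary  []byte
	CRC     uint32 // cheap first check, as on IP Touch sets (CRC-32 is an assumption)
	Sig     []byte // ASN.1 ECDSA P-384 signature over SHA-1(Binary), as the text describes
}

// GenerateVendorKey stands in for the vendor's production signing key.
func GenerateVendorKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P384(), rand.Reader)
}

// Checksum is the integrity value the set compares first.
func Checksum(b []byte) uint32 { return crc32.ChecksumIEEE(b) }

// SignImage is the production-time step: only the private-key holder can do this.
func SignImage(priv *ecdsa.PrivateKey, version string, binary []byte) (SignedImage, error) {
	digest := sha1.Sum(binary)
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest[:])
	if err != nil {
		return SignedImage{}, err
	}
	return SignedImage{Version: version, Binary: binary, CRC: Checksum(binary), Sig: sig}, nil
}

// VerifyImage is the device-side check with the embedded public key.
func VerifyImage(pub *ecdsa.PublicKey, img SignedImage) error {
	if Checksum(img.Binary) != img.CRC {
		return ErrCRC
	}
	digest := sha1.Sum(img.Binary)
	if !ecdsa.VerifyASN1(pub, digest[:], img.Sig) {
		return ErrSignature
	}
	return nil
}

// Device models a gateway or set: the embedded public key and the last
// verified image held in flash.
type Device struct {
	pub     *ecdsa.PublicKey
	Running SignedImage
}

func NewDevice(pub *ecdsa.PublicKey, flash SignedImage) *Device {
	return &Device{pub: pub, Running: flash}
}

// Boot handles a freshly downloaded image: an accepted image replaces the
// running one; a rejected image is ignored and the previous verified image stays.
func (d *Device) Boot(downloaded SignedImage) (string, error) {
	if err := VerifyImage(d.pub, downloaded); err != nil {
		return d.Running.Version, err
	}
	d.Running = downloaded
	return d.Running.Version, nil
}

// Corrupt flips one byte of a copy of img; with fixCRC the checksum is
// recomputed so only the signature check can catch the change.
func Corrupt(img SignedImage, fixCRC bool) SignedImage {
	out := img
	out.Binary = append([]byte{}, img.Binary...)
	out.Binary[0] ^= 0xff
	if fixCRC {
		out.CRC = Checksum(out.Binary)
	}
	return out
}

func main() {
	priv, err := GenerateVendorKey()
	if err != nil {
		panic(err)
	}
	v1, _ := SignImage(priv, "v1", []byte("constructed firmware image v1"))
	v2, _ := SignImage(priv, "v2", []byte("constructed firmware image v2"))
	dev := NewDevice(&priv.PublicKey, v1)
	for _, img := range []SignedImage{v2, Corrupt(v2, false), Corrupt(v2, true)} {
		ver, err := dev.Boot(img)
		fmt.Printf("running %s, err=%v\n", ver, err)
	}
}
```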

2.7.10 PC port and traffic isolation

IP Touch telephones have two Ethernet ports, one of which can be attached to a PC. The embedded switch controls this "PC" port. The Com Server has the ability to disable the secondary switch port of IP Touch terminals (global and/or phone-by-phone setting). Three different behaviors can be configured independently for each IP Touch set:
a. PC port security not activated (default): the integrated switch of the IP Touch passes all traffic from/to the PC port transparently
b. Block PC port: the traffic from/to the PC is blocked (RX and TX bits of the PC port are disabled)
c. Filter VLAN: the IP Touch replaces any 802.1q tag with VLAN ID 0 for frames coming from the PC to the LAN, and removes 802.1q tags for frames coming from the LAN to the PC. The goal is to protect the voice network against possible intrusions from the PC port, by preventing the PC from sending traffic into the voice VLAN.

2.7.11 802.1X

The aim of 802.1X Port-based Network Access Control, also named dot1x, is the ability to deploy a LAN-based infrastructure where users or devices first need to log in prior to any activity. dot1x manages access rights to the Local Area Network (LAN), wired or wireless (WLAN). It implements an effective framework to authenticate and control user traffic to a protected network. dot1x ties a protocol called EAP (Extensible Authentication Protocol) to the LAN media and supports multiple authentication methods. The MD5-challenge authentication protocol is supported by Alcatel-Lucent 8 series and Alcatel-Lucent IP Touch 8 series phone Extended Edition sets. The TLS authentication protocol is available on Alcatel-Lucent IP Touch 4028/4038/4068 with 16MB of RAM, Alcatel-Lucent IP Touch 4008/4018, and Alcatel-Lucent IP Touch 8 series phone Extended Edition sets. TLS is activated by default provided the set supports it and a certificate is present in the phone. If a customer certificate exists and has been activated through a pass phrase, this certificate is used. If not, the Alcatel-Lucent certificate is used. Both TLS and MD5 can be activated on a set. The server determines which authentication method is used for EAP exchanges. Login, password and certificate are specific to the set rather than the set user. Authentication (or reauthentication) requires no user intervention, such as password input.

Note: IP Touch behavior if disconnected from the PC port. An IP Touch set monitors 802.1x messages between the authenticating switch and supplicants (i.e. the system to be authenticated, e.g. an IP Touch set) connected to its PC port. A terminal can manage up to 5 supplicant MAC addresses. When the PC port of a terminal is disconnected, the terminal sends an EAPOL-Logoff message on behalf of the supplicants connected to its PC port to the authenticator, so that the authenticator sets its MAC address to an unauthorized status and terminates the 802.1x session. This prevents an unauthorized device plugged into the PC port of a terminal from gaining access to the LAN by spoofing the MAC address of the authenticated device which was previously plugged into this PC port.
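The three PC-port behaviours of 2.7.10 above applied to raw Ethernet frames, as an added example and not Alcatel-Lucent code: in Filter VLAN mode a PC-to-LAN frame keeps its 802.1q tag but has its VLAN ID forced to 0, and a LAN-to-PC frame has the tag removed. Keeping the priority bits when the VID is zeroed, the frame builder and the addresses are assumptions made for the demo.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

const (
	etherTypeVLAN = 0x8100 // 802.1Q TPID
	etherTypeIPv4 = 0x0800
	headerLen     = 14 // dst MAC + src MAC + EtherType
	tagLen        = 4  // TPID + TCI
)

// PortMode mirrors the three PC-port behaviours in the offer text.
type PortMode int

const (
	Transparent PortMode = iota // a. PC port security not activated
	Blocked                     // b. Block PC port
	FilterVLAN                  // c. Filter VLAN
)

type Direction int

const (
	PCToLAN Direction = iota
	LANToPC
)

var (
	ErrBlocked = errors.New("pc port blocked: frame dropped")
	ErrShort   = errors.New("frame shorter than an Ethernet header")
)

// VLANID returns the VID of a tagged frame, or false if the frame is untagged.
func VLANID(frame []byte) (uint16, bool) {
	if len(frame) < headerLen+tagLen || binary.BigEndian.Uint16(frame[12:14]) != etherTypeVLAN {
		return 0, false
	}
	return binary.BigEndian.Uint16(frame[14:16]) & 0x0FFF, true
}

// FilterFrame applies the configured behaviour to one frame and returns the
// frame to forward, or an error when it must be dropped.
func FilterFrame(mode PortMode, dir Direction, frame []byte) ([]byte, error) {
	if len(frame) < headerLen {
		return nil, ErrShort
	}
	switch mode {
	case Transparent:
		return frame, nil
	case Blocked:
		return nil, ErrBlocked
	}
	if _, tagged := VLANID(frame); !tagged {
		return frame, nil // untagged frames are not touched by the filter
	}
	out := append([]byte{}, frame...)
	if dir == PCToLAN {
		// Keep the tag but force VID 0 (priority tag): the PC can no longer
		// steer its frames into the voice VLAN. PCP/DEI bits are kept
		// (assumption: the text only says the VLAN ID becomes 0).
		tci := binary.BigEndian.Uint16(out[14:16])
		binary.BigEndian.PutUint16(out[14:16], tci&0xF000)
		return out, nil
	}
	// LAN -> PC: remove the 4-byte tag so the PC never sees voice VLAN tags.
	stripped := make([]byte, 0, len(frame)-tagLen)
	stripped = append(stripped, frame[:12]...)
	return append(stripped, frame[12+tagLen:]...), nil
}

// BuildFrame makes a constructed Ethernet frame with made-up MACs; with
// tagged=true an 802.1Q tag carrying the given PCP and VID is inserted.
func BuildFrame(tagged bool, pcp uint8, vid uint16, etherType uint16, payload []byte) []byte {
	dst := []byte{0x00, 0x80, 0x9f, 0xaa, 0xbb, 0xcc}
	src := []byte{0x00, 0x11, 0x22, 0x33, 0x44, 0x55}
	f := append(append([]byte{}, dst...), src...)
	if tagged {
		tci := uint16(pcp&0x7)<<13 | vid&0x0FFF
		f = append(f, 0x81, 0x00, byte(tci>>8), byte(tci))
	}
	f = append(f, byte(etherType>>8), byte(etherType))
	return append(f, payload...)
}

func main() {
	frame := BuildFrame(true, 5, 100, etherTypeIPv4, []byte{0xde, 0xad}) // PC tags for VLAN 100
	out, _ := FilterFrame(FilterVLAN, PCToLAN, frame)
	vid, _ := VLANID(out)
	fmt.Printf("PC->LAN: VID 100 -> %d (PCP kept: %d)\n", vid, out[14]>>5)
	out, _ = FilterFrame(FilterVLAN, LANToPC, frame)
	_, tagged := VLANID(out)
	fmt.Printf("LAN->PC: tagged=%v, length %d -> %d\n", tagged, len(frame), len(out))
	_, err := FilterFrame(Blocked, PCToLAN, frame)
	fmt.Println("Blocked:", err)
}
```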


More information

NETASQ & PCI DSS. Is NETASQ compatible with PCI DSS? NG Firewall version 9

NETASQ & PCI DSS. Is NETASQ compatible with PCI DSS? NG Firewall version 9 NETASQ & PCI DSS Is NETASQ compatible with PCI DSS? We have often been asked this question. Unfortunately, even the best firewall is but an element in the process of PCI DSS certification. This document

More information

Network-Enabled Devices, AOS v.5.x.x. Content and Purpose of This Guide...1 User Management...2 Types of user accounts2

Network-Enabled Devices, AOS v.5.x.x. Content and Purpose of This Guide...1 User Management...2 Types of user accounts2 Contents Introduction--1 Content and Purpose of This Guide...........................1 User Management.........................................2 Types of user accounts2 Security--3 Security Features.........................................3

More information

APNIC elearning: Network Security Fundamentals. 20 March 2013 10:30 pm Brisbane Time (GMT+10)

APNIC elearning: Network Security Fundamentals. 20 March 2013 10:30 pm Brisbane Time (GMT+10) APNIC elearning: Network Security Fundamentals 20 March 2013 10:30 pm Brisbane Time (GMT+10) Introduction Presenter/s Nurul Islam Roman Senior Training Specialist nurul@apnic.net Specialties: Routing &

More information

Chapter 4 Firewall Protection and Content Filtering

Chapter 4 Firewall Protection and Content Filtering Chapter 4 Firewall Protection and Content Filtering This chapter describes how to use the content filtering features of the ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN to protect your network.

More information

A Guide to New Features in Propalms OneGate 4.0

A Guide to New Features in Propalms OneGate 4.0 A Guide to New Features in Propalms OneGate 4.0 Propalms Ltd. Published April 2013 Overview This document covers the new features, enhancements and changes introduced in Propalms OneGate 4.0 Server (previously

More information

Catapult PCI Compliance

Catapult PCI Compliance Catapult PCI Compliance Table of Contents Catapult PCI Compliance...1 Table of Contents...1 Overview Catapult (PCI)...2 Support and Contact Information...2 Dealer Support...2 End User Support...2 Catapult

More information

Guideline for setting up a functional VPN

Guideline for setting up a functional VPN Guideline for setting up a functional VPN Why do I want a VPN? VPN by definition creates a private, trusted network across an untrusted medium. It allows you to connect offices and people from around the

More information

Introducing Cisco Voice and Unified Communications Administration Volume 1

Introducing Cisco Voice and Unified Communications Administration Volume 1 Introducing Cisco Voice and Unified Communications Administration Volume 1 Course Introduction Overview Learner Skills and Knowledge Course Goal and Course Flow Additional Cisco Glossary of Terms Your

More information

Gigabit Multi-Homing VPN Security Router

Gigabit Multi-Homing VPN Security Router As Internet becomes essential for business, the crucial solution to prevent your Internet connection from failure is to have more than one connection. PLANET is a ideal to help the SMBs increase the broadband

More information

Load Balance Router R258V

Load Balance Router R258V Load Balance Router R258V Specification Hardware Interface WAN - 5 * 10/100M bps Ethernet LAN - 8 * 10/100M bps Switch Reset Switch LED Indicator Power - Push to load factory default value or back to latest

More information

Gigabyte Management Console User s Guide (For ASPEED AST 2400 Chipset)

Gigabyte Management Console User s Guide (For ASPEED AST 2400 Chipset) Gigabyte Management Console User s Guide (For ASPEED AST 2400 Chipset) Version: 1.4 Table of Contents Using Your Gigabyte Management Console... 3 Gigabyte Management Console Key Features and Functions...

More information

Network Security Fundamentals

Network Security Fundamentals APNIC elearning: Network Security Fundamentals 27 November 2013 04:30 pm Brisbane Time (GMT+10) Introduction Presenter Sheryl Hermoso Training Officer sheryl@apnic.net Specialties: Network Security IPv6

More information

About Firewall Protection

About Firewall Protection 1. This guide describes how to configure basic firewall rules in the UTM to protect your network. The firewall then can provide secure, encrypted communications between your local network and a remote

More information

Avaya TM G700 Media Gateway Security. White Paper

Avaya TM G700 Media Gateway Security. White Paper Avaya TM G700 Media Gateway Security White Paper March 2002 G700 Media Gateway Security Summary With the Avaya G700 Media Gateway controlled by the Avaya S8300 or S8700 Media Servers, many of the traditional

More information

IP Telephony Management

IP Telephony Management IP Telephony Management How Cisco IT Manages Global IP Telephony A Cisco on Cisco Case Study: Inside Cisco IT 1 Overview Challenge Design, implement, and maintain a highly available, reliable, and resilient

More information

Security Technology White Paper

Security Technology White Paper Security Technology White Paper Issue 01 Date 2012-10-30 HUAWEI TECHNOLOGIES CO., LTD. 2012. All rights reserved. No part of this document may be reproduced or transmitted in any form or by any means without

More information

Mediatrix 4404 Step by Step Configuration Guide June 22, 2011

Mediatrix 4404 Step by Step Configuration Guide June 22, 2011 Mediatrix 4404 Step by Step Configuration Guide June 22, 2011 Proprietary 2011 Media5 Corporation Table of Contents First Steps... 3 Identifying your MAC Address... 3 Identifying your Dynamic IP Address...

More information

Chapter 4 Managing Your Network

Chapter 4 Managing Your Network Chapter 4 Managing Your Network This chapter describes how to perform network management tasks with your ADSL2+ Modem Wireless Router. Backing Up, Restoring, or Erasing Your Settings The configuration

More information

10 Key Things Your VoIP Firewall Should Do. When voice joins applications and data on your network

10 Key Things Your VoIP Firewall Should Do. When voice joins applications and data on your network 10 Key Things Your Firewall Should Do When voice joins applications and data on your network Table of Contents Making the Move to 3 10 Key Things 1 Security is More Than Physical 4 2 Priority Means Clarity

More information

EdgeMarc 4508T4/4508T4W Converged Networking Router

EdgeMarc 4508T4/4508T4W Converged Networking Router Introduction The EdgeMarc 4508T4W combines multiple voice and data features into a single, easy to use converged networking router. It includes models that have up to 4 T1 WAN interfaces or a single Ethernet

More information

Network Security Guidelines. e-governance

Network Security Guidelines. e-governance Network Security Guidelines for e-governance Draft DEPARTMENT OF ELECTRONICS AND INFORMATION TECHNOLOGY Ministry of Communication and Information Technology, Government of India. Document Control S/L Type

More information

Chapter 6 Configuring the SSL VPN Tunnel Client and Port Forwarding

Chapter 6 Configuring the SSL VPN Tunnel Client and Port Forwarding Chapter 6 Configuring the SSL VPN Tunnel Client and Port Forwarding This chapter describes the configuration for the SSL VPN Tunnel Client and for Port Forwarding. When a remote user accesses the SSL VPN

More information

BlackBerry Enterprise Service 10. Secure Work Space for ios and Android Version: 10.1.1. Security Note

BlackBerry Enterprise Service 10. Secure Work Space for ios and Android Version: 10.1.1. Security Note BlackBerry Enterprise Service 10 Secure Work Space for ios and Android Version: 10.1.1 Security Note Published: 2013-06-21 SWD-20130621110651069 Contents 1 About this guide...4 2 What is BlackBerry Enterprise

More information

General Network Security

General Network Security 4 CHAPTER FOUR General Network Security Objectives This chapter covers the following Cisco-specific objectives for the Identify security threats to a network and describe general methods to mitigate those

More information

Cisco Secure ACS. By Igor Koudashev, Systems Engineer, Cisco Systems Australia ivk@cisco.com. 2006 Cisco Systems, Inc. All rights reserved.

Cisco Secure ACS. By Igor Koudashev, Systems Engineer, Cisco Systems Australia ivk@cisco.com. 2006 Cisco Systems, Inc. All rights reserved. Cisco Secure ACS Overview By Igor Koudashev, Systems Engineer, Cisco Systems Australia ivk@cisco.com 2006 Cisco Systems, Inc. All rights reserved. 1 Cisco Secure Access Control System Policy Control and

More information

Network Security. Tampere Seminar 23rd October 2008. Overview Switch Security Firewalls Conclusion

Network Security. Tampere Seminar 23rd October 2008. Overview Switch Security Firewalls Conclusion Network Security Tampere Seminar 23rd October 2008 1 Copyright 2008 Hirschmann 2008 Hirschmann Automation and and Control GmbH. Contents Overview Switch Security Firewalls Conclusion 2 Copyright 2008 Hirschmann

More information

SCADA System Security. ECE 478 Network Security Oregon State University March 7, 2005

SCADA System Security. ECE 478 Network Security Oregon State University March 7, 2005 SCADA System Security ECE 478 Network Security Oregon State University March 7, 2005 David Goeke Hai Nguyen Abstract Modern public infrastructure systems

More information

THE TOP SECURITY QUESTIONS YOU SHOULD ASK A CLOUD COMMUNICATIONS PROVIDER

THE TOP SECURITY QUESTIONS YOU SHOULD ASK A CLOUD COMMUNICATIONS PROVIDER THE TOP SECURITY QUESTIONS YOU SHOULD ASK A CLOUD COMMUNICATIONS PROVIDER How to ensure a cloud-based phone system is secure. BEFORE SELECTING A CLOUD PHONE SYSTEM, YOU SHOULD CONSIDER: DATA PROTECTION.

More information

Copyright 2012 Trend Micro Incorporated. All rights reserved.

Copyright 2012 Trend Micro Incorporated. All rights reserved. Trend Micro Incorporated reserves the right to make changes to this document and to the products described herein without notice. Before installing and using the software, please review the readme files,

More information

Information Technology Security Procedures

Information Technology Security Procedures Information Technology Security Procedures Prepared By: Paul Athaide Date Prepared: Dec 1, 2010 Revised By: Paul Athaide Date Revised: September 20, 2012 Version 1.2 Contents 1. Policy Procedures... 3

More information

OmniPCX Enterprise Common Criteria Security Target

OmniPCX Enterprise Common Criteria Security Target OmniPCX Enterprise Common Criteria Security Target ALCATEL-LUCENT Enterprise Product Group March 2010 Ref: 3EU_29000_0019_DEZZA_03 Alcatel-Lucent All Rights Reserved Alcatel-Lucent 2010 Table of Content

More information

Configuring the Edgewater 4550 for use with the Bluestone Hosted PBX

Configuring the Edgewater 4550 for use with the Bluestone Hosted PBX Configuring the Edgewater 4550 for use with the Bluestone Hosted PBX NOTE: This is an advisory document to be used as an aid to resellers and IT staff looking to use the Edgewater 4550 in conjunction with

More information

Secure Voice over IP (VoIP) Solutions

Secure Voice over IP (VoIP) Solutions APPLICATION NOTE Secure Voice over IP (VoIP) Solutions Delivering a robust, secure VoIP solution that counters both external and internal threats while providing superior quality of service Abstract This

More information

ProCurve Networking. Hardening ProCurve Switches. Technical White Paper

ProCurve Networking. Hardening ProCurve Switches. Technical White Paper ProCurve Networking Hardening ProCurve Switches Technical White Paper Executive Summary and Purpose... 3 Insecure Protocols and Secure Alternatives... 3 Telnet vs. Secure Shell... 3 HTTP vs. HTTPS... 3

More information

SIP Security Controllers. Product Overview

SIP Security Controllers. Product Overview SIP Security Controllers Product Overview Document Version: V1.1 Date: October 2008 1. Introduction UM Labs have developed a range of perimeter security gateways for VoIP and other applications running

More information

KISUMU LAW COURTS: SPECIFICATIONS FOR A UNIFIED COMMUNICATION SYSTEM / VOICE OVER INTERNET PROTOCOL (VOIP) SOLUTION. Page 54 of 60

KISUMU LAW COURTS: SPECIFICATIONS FOR A UNIFIED COMMUNICATION SYSTEM / VOICE OVER INTERNET PROTOCOL (VOIP) SOLUTION. Page 54 of 60 SPECIFICATIONS FOR A UNIFIED COMMUNICATION SYSTEM / VOICE OVER INTERNET PROTOCOL (VOIP) SOLUTION Page 54 of 60 UNIFIED COMMUNICATION SYSTEM (VOIP) PROPOSAL FOR KISUMU JUDICIARY COURTS. 1.0 PARTICULARS

More information

Firewalls. Chapter 3

Firewalls. Chapter 3 Firewalls Chapter 3 1 Border Firewall Passed Packet (Ingress) Passed Packet (Egress) Attack Packet Hardened Client PC Internet (Not Trusted) Hardened Server Dropped Packet (Ingress) Log File Internet Border

More information

Course Description and Outline. IT Essential II: Network Operating Systems V2.0

Course Description and Outline. IT Essential II: Network Operating Systems V2.0 Course Description and Outline IT Essential II: Network Operating Systems V2.0 Course Outline 1. Operating System Fundamentals 1.1 Operating System Basics 1.1.1 Overview of PC operating systems 1.1.2 PCs

More information

Lab Testing Summary Report

Lab Testing Summary Report Lab Testing Summary Report February 2007 Report 070228 Product Category: SMB IP-PBX Vendor Tested: Cisco Systems Product Tested: Cisco Unified Communications 500 Series Key findings and conclusions: Complete

More information

March 2012 www.tufin.com

March 2012 www.tufin.com SecureTrack Supporting Compliance with PCI DSS 2.0 March 2012 www.tufin.com Table of Contents Introduction... 3 The Importance of Network Security Operations... 3 Supporting PCI DSS with Automated Solutions...

More information

Workflow Templates Library

Workflow Templates Library Workflow s Library Table of Contents Intro... 2 Active Directory... 3 Application... 5 Cisco... 7 Database... 8 Excel Automation... 9 Files and Folders... 10 FTP Tasks... 13 Incident Management... 14 Security

More information

The BANDIT Device in the Network

The BANDIT Device in the Network encor! enetworks TM Version A.1, March 2010 2013 Encore Networks, Inc. All rights reserved. The BANDIT Device in the Network The BANDIT II and the BANDIT III, ROHS-compliant routers in the family of BANDIT

More information

Network- vs. Host-based Intrusion Detection

Network- vs. Host-based Intrusion Detection Network- vs. Host-based Intrusion Detection A Guide to Intrusion Detection Technology 6600 Peachtree-Dunwoody Road 300 Embassy Row Atlanta, GA 30348 Tel: 678.443.6000 Toll-free: 800.776.2362 Fax: 678.443.6477

More information

Chapter 9 Firewalls and Intrusion Prevention Systems

Chapter 9 Firewalls and Intrusion Prevention Systems Chapter 9 Firewalls and Intrusion Prevention Systems connectivity is essential However it creates a threat Effective means of protecting LANs Inserted between the premises network and the to establish

More information

Load Balancing for Microsoft Office Communication Server 2007 Release 2

Load Balancing for Microsoft Office Communication Server 2007 Release 2 Load Balancing for Microsoft Office Communication Server 2007 Release 2 A Dell and F5 Networks Technical White Paper End-to-End Solutions Team Dell Product Group Enterprise Dell/F5 Partner Team F5 Networks

More information

A43. Modern Hacking Techniques and IP Security. By Shawn Mullen. Las Vegas, NV IBM TRAINING. IBM Corporation 2006

A43. Modern Hacking Techniques and IP Security. By Shawn Mullen. Las Vegas, NV IBM TRAINING. IBM Corporation 2006 IBM TRAINING A43 Modern Hacking Techniques and IP Security By Shawn Mullen Las Vegas, NV 2005 CSI/FBI US Computer Crime and Computer Security Survey 9 out of 10 experienced computer security incident in

More information

To ensure you successfully install Timico VoIP for Business you must follow the steps in sequence:

To ensure you successfully install Timico VoIP for Business you must follow the steps in sequence: To ensure you successfully install Timico VoIP for Business you must follow the steps in sequence: Firewall Settings - you may need to check with your technical department Step 1 Install Hardware Step

More information

Windows Server 2003 default services

Windows Server 2003 default services Windows Server 2003 default services To view a description for a particular service, hover the mouse pointer over the service in the Name column. The descriptions included here are based on Microsoft documentation.

More information

Lucent VPN Firewall Security in 802.11x Wireless Networks

Lucent VPN Firewall Security in 802.11x Wireless Networks Lucent VPN Firewall Security in 802.11x Wireless Networks Corporate Wireless Deployment is Increasing, But Security is a Major Concern The Lucent Security Products can Secure Your Networks This white paper

More information

74% 96 Action Items. Compliance

74% 96 Action Items. Compliance Compliance Report PCI DSS 2.0 Generated by Check Point Compliance Blade, on July 02, 2013 11:12 AM 1 74% Compliance 96 Action Items Upcoming 0 items About PCI DSS 2.0 PCI-DSS is a legal obligation mandated

More information

1Y0-250 Implementing Citrix NetScaler 10 for App and Desktop Solutions Practice Exam

1Y0-250 Implementing Citrix NetScaler 10 for App and Desktop Solutions Practice Exam 1Y0-250 Implementing Citrix NetScaler 10 for App and Desktop Solutions Practice Exam Section 1: Assessing infrastructure needs for the NetScaler implementation 1.1 Task Description: Verify the objectives

More information

Microsoft Office Communications Server 2007 & Coyote Point Equalizer Deployment Guide DEPLOYMENT GUIDE

Microsoft Office Communications Server 2007 & Coyote Point Equalizer Deployment Guide DEPLOYMENT GUIDE Microsoft Office Communications Server 2007 & Coyote Point Equalizer DEPLOYMENT GUIDE Table of Contents Unified Communications Application Delivery...2 General Requirements...6 Equalizer Configuration...7

More information

Network Virtualization Network Admission Control Deployment Guide

Network Virtualization Network Admission Control Deployment Guide Network Virtualization Network Admission Control Deployment Guide This document provides guidance for enterprises that want to deploy the Cisco Network Admission Control (NAC) Appliance for their campus

More information

JOB READY ASSESSMENT BLUEPRINT COMPUTER NETWORKING FUNDAMENTALS - PILOT. Test Code: 4514 Version: 01

JOB READY ASSESSMENT BLUEPRINT COMPUTER NETWORKING FUNDAMENTALS - PILOT. Test Code: 4514 Version: 01 JOB READY ASSESSMENT BLUEPRINT COMPUTER NETWORKING FUNDAMENTALS - PILOT Test Code: 4514 Version: 01 Specific Competencies and Skills Tested in this Assessment: PC Principles Identify physical and equipment

More information