Secure Access Link. Table of Contents. Introduction. Background. avaya.com. Introduction Background Secure Access Link...

Transcription

1 Secure Access Link Table of Contents Introduction... 1 Background... 1 Secure Access Link... 2 Components... 3 Aggregated Traffic... 5 Flexible Authentication. and Authorization... 6 Complete Control over. Remote Access... 7 Channel Neutral Support and. Customer Self-Service... 7 Foundation for Value-Added. Support Applications... 8 Naturally Secure... 9 Conclusion...10 Introduction Avaya is embarking on a new, next-generation architecture that will significantly improve the way in which customers receive support of their communications networks. The new architecture eliminates the Avaya requirement for unfettered 24x7 access to customers network equipment. Customers can take advantage of channel-neutral support by enabling self-service, Avaya support, and/or authorized partner support of their networks at levels never achieved before. And, customers can be in complete control of when and how Avaya, or any other service partner, accesses their equipment. With this new service and support architecture, Avaya has significantly changed its underlying software, procedures, and paradigms to provide customers with more choices, more control and improved security. Background Historically, modems have been the primary means by which Avaya has remotely accessed customers products and networks. The use of modems allowed Avaya professionals to gain the same level of administrative access as if they were locally attached to the product terminal. Because modems allowed access from remote locations, Avaya was able to provide service to distant customer locations. With the widespread adoption of modems by customers, Avaya created supporting software that could automatically perform regular tasks instead of requiring a technician to login manually to each product. This concept has matured into what is known as Avaya EXPERT Systems SM Diagnostic Tools. As customers became more sensitive to controlling access to their networks, and as Avaya products became more network-dependent (e.g. IP-enabled with rich Web-based interfaces), Avaya introduced new support capabilities that provided greater bandwidth and did not require the use of modems. These IP-based solutions used IPSec virtual private networks (VPN) combined with white paper 1

2 customer-resident servers such as Avaya Secure Services Gateways (SSG) to provide remote support capabilities similar to those previously provided by modems, but with the added benefit of higher bandwidth and improved customer control. Avaya improved IP-based remote access with the introduction of advanced services. Again, these services were provided through the use of IPSec VPNs and a customer-resident management server, the Avaya Secure Intelligent Gateway (SIG), to deploy software providing advanced features such as patching and software release management. As part of developing advanced services, Avaya deployed secure, isolated Enterprise Service Platform (ESP) data centers to contain and control access to the Avaya Secure Intelligent Gateways and constrain access to any customer-sensitive data. Even though Avaya had migrated to providing service for IP-based solutions (while still supplying modem support, when necessary), more security enhancements were needed, especially in the areas of improved customer control; customer-controlled and auditable logging; and unique identification and authentication of technicians on the customer network using resilient, two-factor authentication. In addition, the IP-based solutions did not provide any notable ability for authorized partners to access customer networks via the business-to-business VPN or customerresident servers (Avaya SSG or Avaya SIG). Secure Access Link Next-Generation Remote Access Notwithstanding the remote-access improvements in the development of the advanced architectures, customers still wanted the ability to obtain support from their in-house staff or from preferred partners. In addition, customers wanted complete control over when Avaya and other service partners accessed their networks. And, customers wanted better logging and greater control over those accessing their networks both when they were accessed, and what was accessible. Avaya investigated alternatives that would provide the same level of support, yet still allow for support from Avaya EXPERT Systems Diagnostic Tools and other automated and transactional tools. The alternative had to be flexible enough to allow for growth and introduction of new support services, while still meeting the requirements set forth by customers. With extensive customer feedback and thorough investigation of numerous architectural options, the design for the next generation of remote access began to clearly emerge Avaya Secure Access Link (SAL). The dominant feature of Avaya SAL is that customers have complete control over all remote access to their networks. To provide this control, Avaya SAL enables customers to determine who will provide services to their products and to what degree. Customers may have services provided by Avaya, their own internal support groups, authorized Avaya partners, or any combination thereof. With Avaya SAL, customers have channel-neutral support in addition to control, auditable logging, and strong identification and authentication of any users who access their networks. 2

3 With SAL, all of customers service partners, including Avaya, will need customer approval to initiate connections to customers networks. In addition, Avaya SAL provides no inherent mechanism to allow Avaya or any service partner to remotely access customers products without the TCP/IP connection first being initiated from customers networks. To help customers remain compliant with Payment Card Industry (PCI) and other industry regulations, all Avaya users are uniquely identified and authenticated. Avaya SAL provides clear, auditable logging of any access attempt, either by a technician or automated tool. Next-Generation Architecture The emerging Avaya SAL architecture is scalable and flexible. Although initial releases will require customers to deploy and manage a small server for remote access, Avaya s long-term vision is to integrate the SAL solution into Avaya products as a software-only solution so that customers will not be required to deploy hardware. However, optional hardware may be deployed by customers who want to realize the benefits of some of SAL s most advanced features and management capabilities. In any case, if customers deploy servers as parts of their solutions, they will always control the highest level of administrative access to those servers (i.e. owning root ). Based on their needs, customers can choose the SAL components appropriate for inclusion in their networks. This allows customers to make balanced decisions about how they want to achieve access control in addition to the three A s of security authentication, authorization, and accounting (AAA). By providing flexible deployment options, Avaya gives a tailored solution to every customer whether a large enterprise, small or mid-sized business. Components Following are descriptions of the major components of the new Avaya SAL architecture. These components are also depicted in Figures 1-3 (pages 6-9) illustrating the SAL architecture-based scenarios for flexible alarming, secure remote access and comprehensive policy management applications. Embedded Agent The Embedded Agent is co-resident software automatically included on Avaya products. (Initial releases of Avaya SAL will support only Embedded Agent within Secure Access Gateways. However, later versions of Avaya products will automatically include co-resident Agents as part of the software releases.) Embedded Agent is intended to facilitate the transmission of alarms to the service provider (e.g. the Avaya support center, the customer network operations center, or authorized partner support center), polls the service providers via HTTPS for remote-access connection requests, and authenticates any connection request to the product. Authentication of Avaya remote access requests is performed through examination and validation of the Public Key Infrastructure (PKI) certificate of the technician or tool that initiated the request. Authentication can be augmented through implementation of a RADIUS-based, one-time password. It is important to note that the Agent is the only required customer component of this new architecture. 3

4 Secure Access Gateway Server This Secure Access Gateway Server is optional software intended to be loaded on a customer-provided and -managed server. Avaya provides SAL Gateway Server software to customers at no additional cost they simply download it. Its primary purpose is to host an Agent for products that do not support the use of a co-resident Agent on the product (i.e. legacy or third-party products). It is important to note that the Gateway Server is the only required customer-component of this new architecture. The Gateway Server can receive alarms (e.g. SNMP, INADS, etc.) from Avaya products, reformat them, and forward them onto the Secure Access Core Concentrator Servers in addition to customer-managed Network Management System (NMS) systems. Similar to the Agent, the Gateway Server polls the service providers for connection requests and supports the same authentication option as Agents. Secure Access Concentrator Remote Server The Secure Access Concentrator Remote Server, resident at the Avaya support center and/or authorized partner s support center, may be optionally deployed on a customer-provided and -managed server as part of a federated deployment. The software is designed to work on a separate server as the Gateway Server. The Remote Server is the point of connection management and communication aggregation, when accessing SAL Agents from the customer s network. Technicians who are local and wish to access products must be authenticated by the Concentrator Remote Server and wait in queue for Agents to poll for connection requests. This approach provides a single authentication and access point for servicing products. The Remote Server will be able to integrate with a customer-provided AAA server (e.g. RADIUS, LDAP, etc.) in addition to being able to authenticate the certificates of Avaya users and automated tools. If a Concentrator Remote Server is deployed on the customer network. It is the single point within the customer s network that polls the service partner for connection requests (instead of the Agent or Gateway, which are configured to poll the Concentrator Remote Server). Concentrator Remote Servers are deployed within Avaya data centers and may be deployed on the customer s network, an authorized partner s network, or a combination of both networks. This provides a federated hierarchy so that the customer may receive multiple tiers of support. Secure Access Concentrator Core Server The Secure Access Concentrator Core Server is equivalent to the Remote Server with the exception that the Core Server receives alarms delivered by the Agents or the Gateway Server. If a Concentrator Core Server is deployed on the customer network, it is the single point where alarms may be sent and forwarded onto the Avaya support center and/or authorized partner s support center. Concentrator Core Servers are deployed within Avaya data centers and may be deployed on the customer s network, an authorized partner s network, or a combination of both networks. This provides a federated hierarchy so that the customer may receive multiple tiers of support. 4

5 Secure Access Policy Server As customers expand the use of this architecture, they may have multiple Agents (on products) and Gateway Servers to support hundreds or thousands of products. By using the Secure Access Policy Server software (deployed on the customer network using a customer-provided and -managed server), the customer can centrally manage policies that are enforced by Agents and Gateway Servers that control access to Avaya products deployed within their network. When a customer purchases an Avaya maintenance agreement with remote access capabilities, Avaya provides the SAL Policy Server software at no additional cost. Secure Access Global Access Server The Secure Access Global Access Server (GAS) is deployed within the Avaya data centers along with the Secure Access Concentrator Core and Remote Servers. These GAS servers are used as the conduit of remote access connection between the technician s desktop and the Agent on the customer s network. GAS completes the secure, high-performance link for each session created by the technician to a customer product. GAS servers are regionally distributed to help ensure minimal network delay between the technician and Agent and provide a layer of high-reliability and redundancy in the event that regional Internet traffic is disrupted. Aggregated Traffic For the most security-conscious customers, the Secure Access Concentrator Remote Servers (deployed on customer networks), provide an additional benefit of routing all SAL alarms and polls through a single choke-point on the networks. Although customers may also manage traffic without deploying a Concentrator Core or Remote Server, and through the use of routers or Web proxies, the Concentrator Core and Remote Servers provide alternatives. Even without the Secure Access Remote Server, the inherent SAL architecture and functionality of Agents and Gateways provide a level of assurance to customers that their service partners are given access only to specified products, and will not get unfettered access to the their entire networks. 5

6 Alarms may be forwarded upstream from a customer s Concentrator Remote Server to a partner s Concentrator Remote Server and then to Avaya. Figure 1 Avaya Secure Access Link Flexible Alarming Flexible Authentication and Authorization Avaya Secure Access Link inherently supports two-factor authentication (2FA) of technicians through user-assigned certificates as the form of identification and strong authentication. Avaya has standard VeriSign-issued certificates combined with federal approved (FIPS-140-2) USB Smart Cards (i.e. etokens) to identify and authenticate Avaya technicians. The 2FA method provides unique, strong, auditable identification and authentication of each user, without burdening the customer with the overhead of administering an account for each Avaya technician (possibly thousands of technicians globally) supporting that network. The user-assigned certificates are inherently integrated with the logging mechanisms of the Secure Access Link solution. Whenever a technician accesses the customer s network, identifying information from his or her certificate is stored in the customer logging servers (e.g. when Agents or Gateway Servers are configured to export logging information). In addition to certificate-based authentication, the customer is able to configure a Secure Access Concentrator Remote Server, Gateway, and Agent to authenticate users to a local, customer-provided AAA server. This capability allows the customer to use its RADIUS or LDAP servers as the basis of authentication of users to its products through this architecture, and also allows the customer to utilize other forms of 2FA, such as SafeWord onetime-password (OTP) tokens. Local RADIUS or LDAP authentication can be used in addition to or in lieu of the certificate-authentication support inherent in Secure Access Link. Access policies, centrally managed by the optional Policy Server, will allow customers to define access maintenance windows, manage access and assign roles to the individuals based on who they are, how they authenticate, or when they are accessing the network. 6

7 Complete Control over Remote Access In addition to the ability to integrate local AAA servers to this architecture for authentication or control of access, SAL will also provide the customer the control to individually authorize each remote access request. When using this optional feature, the customer must approve each and every connection request. Channel Neutral Support and Customer Self-Service Even though it is described throughout this white paper, it is worth re-emphasizing that customers will be able to select their preferred service partners that will provide service and support. It could be Avaya, an authorized Avaya partner, or customers in-house staff. Furthermore, customers can select a combination of support from all three sources. Agents poll the Avaya or partner s Concentrator Remote using HTTPS for connection requests from technicians or automated systems. Connection requests are authenticated and permitted per customer-defined policy. Once connection requests are approved, a secure end-to-end session is created via high-capacity Global Access Servers. Figure 2a Avaya Secure Access Link - Secure Remote Access 7

8 Agents poll the Avaya or partner s Concentrator Remote Server using HTTPS for connection requests from technicians or automated systems. Connection requests are authenticated and permitted per customer-defined policy. Once connection requests are approved, a secure end-to-end session is created. Figure 2b Avaya Secure Access Link Secure Remote Access with Onsite Concentrator Remote Server Foundation for Value-Added Support Applications The ability to leverage tools is paramount to the efficient delivery of support. Using tools to parse system logs, take inventory, or consistently apply detailed changes across multiple systems are just a few examples of the benefits of automated tools. The architecture presented in this white paper is also intended to further the development of automated tools. The Avaya Secure Access Link project has resulted in an extensive redesign of the tools that have been developed over the past 25 years. As part of the redesign, Avaya is laying the foundation for a framework for future tools development that can be leveraged not only by Avaya, but by customers and their partners as well. The framework is intended to allow the integration of tools in future releases so that the tools may be used locally or remotely. Regardless of access point, tools will require authentication of the user or initiating automated system. For example, before Avaya EXPERT Systems Diagnostic Tools could access a product, it would be required to identify and authenticate itself to the Concentrator Remote Server, Gateway, or Agent at the same level of security as that of an individual. As additional automated or transactional tools are developed, they will also be uniquely identified and authenticated prior to accessing a product or customer network even if that tool is being used locally. 8

9 Naturally Secure Although it has not been specifically detailed within this white paper, the SAL architecture will adopt all aspects of security that are fundamental to a system of this nature and would be expected of advanced technology of this kind. These include support for customer-controlled and auditable logging using standard methods (e.g. SYSLOG); compatibility with standard AAA servers (e.g. RADIUS and LDAP); use of secure protocols (e.g. TLS, SSH, HTTPS); alignment of federal guidelines with respect to cryptographic algorithms and key usage (e.g. NIST Special Publications and Federal Information Processing Standards); application and operating system hardening that complies with generally-accepted practices, unique identification and strong authentication of each user, implicit or explicit customer-control of all remote access, and Avaya data center operational processes and procedures, which can be audited against industry standards ( e.g. ISO17799/27002, PCI, etc.). An optional Secure Access Policy Server may be deployed to centrally define and manage the access and control policies enforced by each of the Agents resident in the Gateways. Agents (within Gateways) poll the Policy Server for updated policies. Figure 3 Avaya Secure Access Link Comprehensive Policy Management 9

10 Conclusion Avaya is embarking on a significant advancement of its remote access architecture to provide greater security and control to customers, while still affording them best-in-class support. This endeavor is resulting in a fundamental change in the way Avaya supports customers by eliminating unfettered 24x7 access to customers networks. Under the architecture of Avaya Secure Access Link, customers have complete control over remote access, all communication is initiated from the customers networks, channel-neutral support is inherent, users are uniquely identified and authenticated, and customers are provided with the auditable logging necessary to meet today s stringent regulatory requirements. Avaya Global Services is among the first providers of professional, support and operations services to deliver this level of secure remote access to organizations. Learn more about Avaya Secure Access Link and how it can help you and organization. Contact your Avaya Account Manager, authorized Avaya partner or visit About Avaya Avaya is a global leader in enterprise communications systems. The company provides unified communications, contact centers, and related services directly and through its channel partners to leading businesses and organizations around the world. Enterprises of all sizes depend on Avaya for state-of-the-art communications that improve efficiency, collaboration, customer service and competitiveness. For more information please visit Avaya Inc. All Rights Reserved. Avaya and the Avaya Logo are trademarks of Avaya Inc. and may be registered in certain jurisdictions. All trademarks identified by, TM or SM are registered marks, trademarks, and service marks, respectively, of Avaya Inc All other trademarks are the property of their respective owners. 05/09 SVC4274 avaya.com