Security and the Mitel Teleworker Solution



Similar documents
Security and the Mitel Networks Teleworker Solution (6010) Mitel Networks White Paper

MITEL SIP CoE. Technical. Configuration Notes. Configure MCD 6.X for use with babytel SIP trunks. SIP CoE

Technical Configuration Notes

MITEL SIP CoE. Technical. Configuration Notes. Configure MCD 4.1 for use with SKYPE SIP Trunking. SIP CoE

5330 IP Phone Quick Reference User Guide

3300 IP Communications Platform Release 7.1 License Information

FortiVoice. Version 7.00 VoIP Configuration Guide

MITEL SIP CoE Technical. Configuration Note. Configure MCD for use with Thinktel SIP Trunking Service. SIP CoE

MIVOICE BORDER GATEWAY PLATFORM

Technical Configuration Notes

VOIP NETWORK CONFIGURATION GUIDE RELEASE 6.10

MITEL SIP CoE. Technical. Configuration Notes. Configure the Mitel 3300 MCD 4.1 for use with Paetec Broadworks Softswitch. SIP CoE

VoIP Network Configuration Guide

MITEL communications system

TELEPHONE MAN OF AMERICA. Earning Your Business Every Step of the Way!

MITEL SIP CoE. Technical. Configuration Note. Configure MCD for use with Intelepeer Service provider SIP Trunking. SIP CoE

Technical Configuration Notes

Secure VoIP for optimal business communication

Version 0.1 June Xerox WorkCentre 7120 Fax over Internet Protocol (FoIP)

Recommended IP Telephony Architecture

Technical Configuration Notes

Installation and Maintenance Guide Release 1.0

Unified Communications Installation & Configuration Guide

Mitel SRC Integration Guide

M I T E L IP Desktop

Application Notes for Configuring Cablevision Optimum Voice SIP Trunking with Avaya IP Office - Issue 1.1

Best Practices for Securing IP Telephony

How To Program A Talkswitch Phone On A Cell Phone On An Ip Phone On Your Ip Phone (For A Sim Sim) On A Pc Or Ip Phone For A Sim Phone On Iphone Or Ipro (For An Ipro) On

Abstract. Avaya Solution & Interoperability Test Lab

Lab Configuring Access Policies and DMZ Settings

MyIC setup and configuration (with sample configuration for Alcatel Lucent test environment)

MITEL. NetSolutions. Flat Rate MPLS VPN

Small Business. solutions

Analog IP Gateway GXW410x Quick Installation Guide SW version

MITEL. Applications Suite

Configuring a Mediatrix 500 / 600 Enterprise SIP Trunk SBC June 28, 2011

TALKSWITCH VOIP NETWORK TROUBLESHOOTING GUIDE

Internet and Intranet Calling with Polycom PVX 8.0.1

SIP Domain/Proxy, Ring Detect Extension or/and Page Audio Extension, (The 8180 needs its own phone extension) Authentication ID, Password,

Securing SIP Trunks APPLICATION NOTE.

CPEi 800/825 Series. User Manual. * Please see the Introduction Section

Linksys Voice over IP Products Guide: SIP CPE for Massive Scale Deployment

M2M Series Routers. Port Forwarding / DMZ Setup

Teleworker User Guide

Barracuda Link Balancer Administrator s Guide

Best Practices for Controlling Skype within the Enterprise > White Paper

Configuring Bria 3 Mac for Virtual Contact Center

Virtual Solutions. Reliable voice performance in a virtualized environment

MITEL SIP CoE. Technical. Configuration Notes. Configure Ascom i62 phones for use with MiVoice Office. SIP CoE

Cisco 7940 How To. (c) Bicom Systems

Broadband Router ESG-103. User s Guide

Application Notes for Configuring a SonicWALL VPN with an Avaya IP Telephony Infrastructure - Issue 1.0

BroadCloud PBX Customer Minimum Requirements

Lab Configuring Access Policies and DMZ Settings

Quick Start Guide. WRV210 Wireless-G VPN Router with RangeBooster. Cisco Small Business

Audio and Web Conferencing

Application Notes for Avaya IP Office 7.0 Integration with Skype Connect R2.0 Issue 1.0

MITEL. Enterprise Management Solutions

To ensure you successfully install Timico VoIP for Business you must follow the steps in sequence:

MITEL IP Communications Platform

DameWare Server. Administrator Guide

6.40A AudioCodes Mediant 800 MSBG

NF1Adv VOIP Setup Guide (for Pennytel)

VoIP CONFIGURATION GUIDE FOR MULTI-LOCATION NETWORKS

Edgewater Routers User Guide

Cisco ASA 5500-X Series ASA 5512-X, ASA 5515-X, ASA 5525-X, ASA 5545-X, and ASA 5555-X

White Paper. Solutions to VoIP (Voice over IP) Recording Deployment

SIP Proxy Server. Administrator Installation and Configuration Guide. V2.31b. 09SIPXM.SY2.31b.EN3

SANGFOR SSL VPN. Quick Start Guide

How To Use Mitel Micollab

IP Telephony. User Guide. System SPA9000. Model No. Voice

How to Configure the NEC SV8100 for use with Integra Telecom SIP Solutions

Configuration Notes 283

Avaya IP Office. Converged Communications. Contact Centres Unified Communication Services

BroadCloud Adtran Total Access Quick Start Guide

Quick & Easy Set-Up of Packet8 Internet Phone Service

SIP Trunking with Allworx. Configuration Guide for Matrix SETU VoIP Gateways

Voice over IP Basics for IT Technicians

Configuration Guide for connecting the Eircom Advantage 4800/1500/1200 PBXs to the Eircom SIP Voice platform.

MN-700 Base Station Configuration Guide

Magnet Voice Windows PC Softphone Installation

Recommended QoS Configuration Settings for TP-LINK Archer C3200 Wireless Router

Ports Reference Guide for Cisco Virtualization Experience Media Engine for SUSE Linux Release 9.0

Edgewater Routers User Guide

Optimum Business SIP Trunk Set-up Guide

Total Recall Max SIP VoIP Call Recording Server

NF1Adv VOIP Setup Guide (for Generic VoIP Setup)

1 ABSTRACT 3 2 CORAL IP INFRASTRUCTURE 4

PortGo 6.0 for Wndows User Guide

SIP Server Installation (Mayah example)

P160S SIP Phone Quick User Guide

Flow Publisher v1.0 Getting Started Guide. Get started with WhatsUp Flow Publisher.

Application Note Configuring the Synapse SB67070 SIP Gateway for Broadvox GO! SIP Trunking

How to setup PPTP VPN connection with DI-804HV or DI-808HV using Windows PPTP client

Voice over IP (VoIP) Basics for IT Technicians

ISG50 Application Note Version 1.0 June, 2011

Voice Over IP and Firewalls

Elluminate Live! Access Guide. Page 1 of 7

MITEL SIP CoE. Technical. Configuration Notes. Configure MCD 4.1 SP1 for use with the Lyrix Speech Enabled Auto Attendant

Indepth Voice over IP and SIP Networking Course

Transcription:

Security and the Mitel Teleworker Solution White Paper July 2007

Copyright Copyright 2007 Mitel Networks Corporation. This document is unpublished and the following notice is affixed to protect Mitel Networks Corporation in the event of inadvertent publication: All rights reserved. No part of this document may be reproduced in any form, including photocopying or transmission electronically to any computer, without prior written consent of Mitel Networks Corporation. Trademarks Product names mentioned in this document may be trademarks or registered trademarks of their respective companies and are hereby acknowledged.

Table of Contents Introduction....................................... 1 Solution Architecture................................ 2 Voice Encryption................................... 4 Signaling Encryption..................................5 IP Phone Authorization................................5 Resources........................................ 6 Summary......................................... 6

Introduction The Mitel Teleworker Solution enables remote workers to connect securely and conveniently to the corporate voice and data network. This document provides an overview of the solution architecture and describes the protocols used to ensure the confidentiality of voice and data communications. DEMYSTIFYING ROI 1

Solution Architecture The Teleworker Solution is one in a series of applications developed for the Mitel Managed Application Server and is designed to take advantage of that platform s simplicity, security and reliability. The specific purpose of the Teleworker Solution is to support remote connections to any network employing Mitel s proprietary MiNET signaling protocol for Voice over IP (VoIP).In practice, this means any network using the Mitel 3300 IP Communications Platform (ICP) and the Mitel SX-200 IP Communications Platform (ICP). The Teleworker Solution consists of two elements. The first is an application (or software blade ) that is downloaded to the Managed Application Server from the Mitel Applications Management Center (AMC). Once installed and configured, the application allows the Managed Application Server to function as a proxy for remote phones requiring access to the corporate voice network. The solution offers several features that are designed both to improve voice quality over the Internet and to reduce bandwidth requirements between the corporate office and remote locations. The second element of the solution is the remote phone. Current phones supported by the Teleworker Solution include the Mitel 5212, 5224, 5330, 5340 IP Phones, Mitel Navigator and Mitel Your Assistant Softphone. The following diagram illustrates the two supported deployment options: SX-200 ICP 3300 MXe Controller Side View To Legacy Systems Via Q.SIG DPNSS, PRI Corporate Network Managed Application Server Internet Operates as Teleworker Solution gateway by: a) integrating with existing firewall or b) providing combined Teleworker Solution gateway / firewall solution. Home Router / NAT / Firewall Home / Remote Office 5224 IP Phone 2 SECURITY AND THE MITEL TELEWORKER SOLUTION

In the first, the Teleworker Solution gateway is configured to function as the corporate firewall and gateway. This is a typical scenario in a very small business setting and allows the customer to take advantage of the built-in firewalling capabilities of the Managed Applications Server. The second option is intended for situations where there is an existing corporate firewall. If this is the case, the Teleworker Solution gateway can be installed in the De-Militarized Zone (DMZ) of the corporate firewall. As illustrated on the previous page, the recommended configuration at the remote location is to plug the Internet connection into a standard cable/dsl router capable of providing Network Address Translation (NAT) and Dynamic Host Configuration Protocol (DHCP). The phone is then connected to the router and the teleworker s PC is connected to the second port on the back of the phone. Note that when the PC accesses the Internet via the phone, the phone does not interfere in any way with the data stream. The PC also does not have any ability to connect to the corporate network over the Teleworker phone connection (i.e. the PC cannot ride the phone s connection into the corporate network. The phone does, however, provide prioritization of the voice packets over data coming from the second, ensuring better voice quality with minimal or no impact to the data connection. Installation of the Teleworker Solution is simple and is typically accomplished in less than 30 minutes. The technician begins by loading the Managed Application Server software, which includes the Linux operating system, onto a standard Intel-compatible computer. Installation is fully automatic and requires no Linux knowledge. Finally, the installer accesses the server s web-based management interface (the server manager ), enters the application record ID number (the application record ID is provided as part of the ordering process) and downloads the Teleworker Solution software blade. The administrator then configures the Teleworker Solution settings according to the product documentation. To configure the IP phone, the administrator powers up the phone, holds down the 7 key and, when prompted, enters the Internet-routable IP address of the Teleworker Solution gateway. This information is stored by the phone in NVRAM (Non-Volatile Random Access Memory). The administrator must also authorize the specific phone to be allowed to connect to the Teleworker Solution server. This authorization process is defined in more detail below. SECURITY AND THE MITEL TELEWORKER SOLUTION 3

At this point, the phone can be taken off-site and plugged into any broadband Internet connection via a cable/dsl router, as described above. When powered up, the phone will first obtain a local IP address from the DHCP server on the remote network and then download its software from the Teleworker Solution gateway at the corporate office. The software load is stored in an encrypted form on the teleworker server. The software is downloaded to the phone where it is decrypted and an integrity check is performed to verify that it was not modified in transit. When the download completes (generally in less than a minute), the phone again connects to the Teleworker Solution gateway and the server in turn connects to the Mitel ICP address that was entered on the blade web panel. Under normal circumstances, this entire process is automatic and requires no special configuration at the remote location, within 2 minutes, dial tone is achieved. Voice Encryption To ensure the confidentiality of communications, all voice packets passed between the remote IP phone and the Teleworker Solution gateway are encrypted using the Secure Real-time Transport Protocol (SRTP), a security profile for RTP which has emerged as the de facto industry standard for securing voice streams over IP. Secure RTP adds confidentiality, message authentication and replay protection to that protocol. Specifically, Secure RTP defines a set of default cryptographic transforms and allows new transforms to be introduced in the future. The security benefits of Secure RTP include: Confidentiality of the RTP payloads, as well as protection against replayed packets Low bandwidth cost, i.e., a framework preserving RTP header compression efficiency, and limited packet expansion Low computational cost High tolerance to packet loss and re-ordering, and robustness to transmission bit errors in the encrypted payload 4 SECURITY AND THE MITEL TELEWORKER SOLUTION

Secure RTP is ideal for protecting VoIP traffic because it can be used in conjunction with header compression and has no effect on IP Quality of Service (QoS). These attributes provide significant advantages, especially for voice traffic using low bit rate voice codecs such as G.729. Signaling Encryption In order to protect the confidentiality and integrity of the MiNET signaling, the MiNET connection between the remote IP phone and the Teleworker Solution server is fully encrypted using industry standard TLS/SSL encryption. IP Phone Authorization In addition to protecting the confidentiality of the voice stream and the MiNET signaling, the Teleworker Solution is designed to prevent unauthorized remote phone users from gaining access to corporate voice resources. This is accomplished by restricting access to specified IP Phones based on a unique identifier sent by the phone to the Teleworker Solution server in a MiNET control message. That unique identifier is the MAC (Media Access Control) address of the phone. The first time an IP Phone attempts to send a registration message to the Teleworker Solution gateway, its MAC address is automatically logged and entered into a table that is displayed on the solution s web interface. By default, the phone is disabled and therefore will not be able to connect to the ICP. To allow access, the administrator must set the phone s entry to enabled by placing a check mark in the box next to the MAC address and clicking the Update button. It is also possible to enable specific phones by manually adding their MAC addresses to the table. Each phone s MAC address is printed on a label on the back of the set. If a large number of phones need to be installed, the administrator can enter an Installer Password in the configuration panel of the Teleworker Solution gateway. If such a password is set, the phone will prompt for it upon its initial connection to the Teleworker Solution gateway. The installer then enters the password using the phone keypad and the Teleworker Solution gateway then enables that phone s MAC address for future connections. For convenience, the table also allows a description to be entered for each phone. If the entry is added through the automatic registration process, the default description is the IP address of the phone. NOTE: It is important to note here that this MAC address is sent between the remote IP phone and the teleworker server over the encrypted MiNET call control connection. This is very different from sending the MAC address over, for instance, a typical local Ethernet LAN where the MAC address can be easily spoofed. SECURITY AND THE MITEL TELEWORKER SOLUTION 5

Resources Secure Real-time Transport Protocol http://www.ietf.org/internet-drafts/draft-ietf-avt-srtp-05.txt Summary The Mitel Teleworker Solution provides a simple way to securely deploy remote teleworkers wherever an IP address and sufficient bandwidth can be found. The solution uses industry-standard protocols such as Secure RTP and TLS/SSL to ensure the confidentiality and integrity of all voice and signaling communication. 6 SECURITY AND THE MITEL TELEWORKER SOLUTION

Companies don t make decisions, people do. That is why Mitel is leading the way toward a new and more personalized approach to communications for enterprise and small business. Our innovative solutions, applications and desktop appliances enable you to access, process and control your communications and information naturally, simply and efficiently. Our solutions allow you to collaborate over distance and time and to interact with your customers, colleagues and partners as never before. By combining the power of voice, data and video over converged high speed networks, Mitel provides you with flexible and personalized tools that let you leverage the latest advances for personal and organizational advantage. Americas Headquarters Corporate Headquarters Tel: +1 613-592-2122 Fax: +1 613-592-4784 Europe, Middle East and Africa Headquarters Tel: +44 (0) 1291 430000 Fax: +44 (0) 1291 430400 Asia Pacific Headquarters Tel: +852 2508 9780 Fax: +852 2508 9232 www.mitel.com For more information on our worldwide office locations, visit our website at www.mitel.com/offices THIS DOCUMENT IS PROVIDED TO YOU FOR INFORMATIONAL PURPOSES ONLY. The information furnished in this document, believed by Mitel to be accurate as of the date of its publication, is subject to change without notice. Mitel assumes no responsibility for any errors or omissions in this document and shall have no obligation to you as a result of having made this document available to you or based upon the information it contains. M MITEL (design) is a registered trademark of Mitel Networks Corporation. All other products and services are the registered trademarks of their respective holders. Copyright 2007, Mitel Networks Corporation. All Rights Reserved. GD 31 PN 51005786RD-EN

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information