Security and the Mitel Networks Teleworker Solution (6010) Mitel Networks White Paper



Similar documents
Security and the Mitel Teleworker Solution

Virtual Private Networks

Internet and Intranet Calling with Polycom PVX 8.0.1

Recommended IP Telephony Architecture

Internet Security. Internet Security Voice over IP. Introduction. ETSF10 Internet Protocols ETSF10 Internet Protocols 2011

MIVOICE BORDER GATEWAY PLATFORM

Application Note: Onsight Device VPN Configuration V1.1

MITEL SIP CoE. Technical. Configuration Notes. Configure MCD 6.X for use with babytel SIP trunks. SIP CoE

Technical Configuration Notes

Secure VoIP for optimal business communication

MITEL SIP CoE. Technical. Configuration Notes. Configure MCD 4.1 for use with SKYPE SIP Trunking. SIP CoE

Barracuda Link Balancer

Cisco Which VPN Solution is Right for You?

About Firewall Protection

MN-700 Base Station Configuration Guide

How to configure VPN function on TP-LINK Routers

VPN Solution Guide Peplink Balance Series. Peplink Balance. VPN Solution Guide Copyright 2015 Peplink

Securing Modern Substations With an Open Standard Network Security Solution. Kevin Leech Schweitzer Engineering Laboratories, Inc.

Use Shrew Soft VPN Client to connect with IPSec VPN Server on RV130 and RV130W

How to Setup PPTP VPN Between a Windows PPTP Client and the DIR-130.

Application Notes for Configuring a SonicWALL VPN with an Avaya IP Telephony Infrastructure - Issue 1.0

Indepth Voice over IP and SIP Networking Course

UIP1868P User Interface Guide

Technical Configuration Notes

ISG50 Application Note Version 1.0 June, 2011

How to setup PPTP VPN connection with DI-804HV or DI-808HV using Windows PPTP client

Cisco Virtual Office Express

If you have questions or find errors in the guide, please, contact us under the following address:

Receiving the IP packets Decoding of the packets Digital-to-analog conversion which reproduces the original voice stream

VPN. VPN For BIPAC 741/743GE

Version 0.1 June Xerox WorkCentre 7120 Fax over Internet Protocol (FoIP)

VPN. Date: 4/15/2004 By: Heena Patel

Security in IPv6. Basic Security Requirements and Techniques. Confidentiality. Integrity

This chapter describes how to set up and manage VPN service in Mac OS X Server.

Chapter 4 Virtual Private Networking

District of Columbia Courts Attachment 1 Video Conference Bridge Infrastructure Equipment Performance Specification

VPN s and Mobile Apps for Security Camera Systems: EyeSpyF-Xpert

MITEL SIP CoE Technical. Configuration Note. Configure MCD for use with Thinktel SIP Trunking Service. SIP CoE

Astaro Security Gateway V8. Remote Access via L2TP over IPSec Configuring ASG and Client

Virtual Private Networks: IPSec vs. SSL

1 ABSTRACT 3 2 CORAL IP INFRASTRUCTURE 4

ZyXEL V100 Support Notes. ZyXEL V100. (V100 Softphone 1 Runtime License) Support Notes

Virtual private network. Network security protocols VPN VPN. Instead of a dedicated data link Packets securely sent over a shared network Internet VPN

Table of Contents. Cisco Cisco VPN Client FAQ

TLS and SRTP for Skype Connect. Technical Datasheet

Mitel SRC Integration Guide

Sophos UTM. Remote Access via PPTP. Configuring UTM and Client

VPN Configuration Guide DrayTek Vigor / VigorPro

Deploying Secure Enterprise Wide IP Videoconferencing Across Virtual Private Networks

VPN Configuration Guide SonicWALL with SonicWALL Simple Client Provisioning

Secured Voice over VPN Tunnel and QoS. Feature Paper

How to configure VPN function on TP-LINK Routers

IP Security. IPSec, PPTP, OpenVPN. Pawel Cieplinski, AkademiaWIFI.pl. MUM Wroclaw

VPN Configuration Guide SonicWALL with SonicWALL Simple Client Provisioning

GPRS / 3G Services: VPN solutions supported

Application Notes for Configuring Cablevision Optimum Voice SIP Trunking with Avaya IP Office - Issue 1.1

Case Study for Layer 3 Authentication and Encryption

Using Remote Desktop Software with the LAN-Cell

SIP Trunking Configuration with

Applications that Benefit from IPv6

SSL VPN Technical Primer

IP Telephony Deployment Models

Cisco RV082 Dual WAN VPN Router Cisco Small Business Routers

Version : 2.0 Date : 2006/6/12

Implementing, Managing, and Maintaining a Microsoft Windows Server 2003 Network Infrastructure

Installation and Maintenance Guide Release 1.0

The BANDIT Products in Virtual Private Networks

Understanding VPN Technology Choices

How To Configure A Kiwi Ip Address On A Gbk (Networking) To Be A Static Ip Address (Network) On A Ip Address From A Ipad (Netware) On An Ipad Or Ipad 2 (

How To: Diagnose Poor VoIP Calls through diagnostics.

Guideline for setting up a functional VPN

MITEL SIP CoE. Technical. Configuration Notes. Configure the Mitel 3300 MCD 4.1 for use with Paetec Broadworks Softswitch. SIP CoE

MITEL SIP CoE. Technical. Configuration Notes. Configure Ascom i62 phones for use with MiVoice Office. SIP CoE

Guidance Regarding Skype and Other P2P VoIP Solutions

Encapsulating Voice in IP Packets

FortiVoice. Version 7.00 VoIP Configuration Guide

Network Access Security. Lesson 10

PLA4201 v2. User s Guide. Quick Start Guide. 500 Mbps Mini Powerline Ethernet Adapter. Version 1.00 Edition 1, 01/2013

Virtual Private Network and Remote Access Setup

Using Remote Desktop Software with the LAN-Cell 3

ZyWALL 5. Internet Security Appliance. Quick Start Guide Version 3.62 (XD.0) May 2004

AudioCodes. MP-20x Telephone Adapter. Frequently Asked Questions (FAQs)

AC Wireless Dual Band ADSL2+ Modem Router. Highlights

Quick & Easy Set-Up of Packet8 Internet Phone Service

Application Notes for Avaya IP Office 7.0 Integration with Skype Connect R2.0 Issue 1.0

OvisLink 8000VPN VPN Guide WL/IP-8000VPN. Version 0.6

Application Notes. Introduction. Contents. Managing IP Centrex & Hosted PBX Services. Series. VoIP Performance Management. Overview.

Objectives. Remote Connection Options. Teleworking. Connecting Teleworkers to the Corporate WAN. Providing Teleworker Services

Lab Configuring Access Policies and DMZ Settings

XRT-401C XRT-402C XRT-204C

Voice Over IP and Firewalls

MP-202 Telephone Adapter User's Manual

7 Network Security. 7.1 Introduction 7.2 Improving the Security 7.3 Internet Security Framework. 7.5 Absolute Security?

TALKSWITCH VOIP NETWORK TROUBLESHOOTING GUIDE

Quality of Service Analysis of site to site for IPSec VPNs for realtime multimedia traffic.

Broadband Router ALL1294B

Configuring a Mediatrix 500 / 600 Enterprise SIP Trunk SBC June 28, 2011

Gigabit Multi-Homing VPN Security Router

Using PCoIP Zero Clients with PCoIP Host Cards

Yealink VCS Network Deployment Solution

Transcription:

Security and the Mitel Networks Teleworker Solution (6010) Mitel Networks White Paper Release 2 October 2003

Copyright Copyright 2003 Mitel Networks Corporation. This document is unpublished and the following notice is affixed to protect Mitel Networks Corporation in the event of inadvertent publication: All rights reserved. No part of this document may be reproduced in any form, including photocopying or transmission electronically to any computer, without prior written consent of Mitel Networks Corporation. Trademarks Product names mentioned in this document may be trademarks or registered trademarks of their respective companies and are hereby acknowledged.

Table of Contents INTRODUCTION... 1 SOLUTION ARCHITECTURE... 2 VOICE NETWORKING... 5 RTP... 5 SECURE RTP... 5 CAST-128... 6 REMOTE SET CONNECTION RESTRICTION... 6 RESOURCES... 7 DATA SECURITY... 8 BACKGROUND ON IPSEC/L2TP... 9 BACKGROUND ON PPTP... 9 RESOURCES... 10 TROUBLESHOOTING... 10 CONCLUSION... 10 Mitel Networks Page i 24/11/03

Introduction The Mitel Networks Teleworker Solution (6010) enables remote workers to connect securely and conveniently to the corporate voice and data network. This document provides an overview of the solution architecture and describes the protocols used to ensure the confidentiality of voice and data communications. Mitel Networks Page 1 24/11/03

Solution Architecture The Teleworker Solution (6010) is one in a series of Mitel Networks mobility applications focused on meeting the needs of a growing global teleworking market. The Teleworker Solution (6010) supports remote connections to any network using the Mitel Networks 3100, 3300 or SX-200 Integrated Communications Platforms (ICP), as well as the IP Node of the current SX-200 system. Release 2.0 of the Teleworker solution now supports up to 500 remote users. Previously the solution supported a maximum of 100 users. The Teleworker Solution (6010) consists of two elements. The first is a server that is located on the edge of the corporate network either directly connected to the Internet or located in a De-Militarized Zone (DMZ) behind an existing corporate firewall. This server is a standard commodity PC server running Mitel Networks 6000 Managed Application Server (MAS) operating system with the Teleworker Solution (6010) software blade installed. Once installed and configured, this server functions as a proxy for remote phones requiring access to the corporate voice network. The solution offers several features that are designed both to maximize voice quality over the Internet and to reduce bandwidth requirements between the corporate office and remote locations. The second element of the solution is the remote set. This is a standard, dual-port Mitel Networks 5220 IP Phone that is configured to operate in teleworker mode. The following diagram illustrates the two supported deployment options: 3100 ICP SX-200 ICP Corporate Network 6000 MAS w/6010 Internet (1) Operates as teleworker gateway by integrating with existing firewall Home Router/ NAT/Firewall Home/Remote Office (2) Provides combined teleworker gateway/firewall solution. 3300 ICP To Legacy Systems Via Q.SIG DPNSS, PRI (SX-200 ICP and 3300 ICP only) Mitel Networks Page 2 24/11/03

In the first, the Teleworker Solution (6010) server is configured to function as the corporate firewall and gateway. This is a typical scenario in a small business setting that allows the customer to take advantage of the built-in firewalling capabilities of the 6000 MAS. (For more information on these capabilities, please refer to the document titled Security and the Mitel Networks 6000 Managed Application Server. ) The second option is intended for situations where there is an existing corporate firewall. If this is the case, the Teleworker Solution (6010) server can be installed in the corporate de-militarized zone (DMZ) behind an existing corporate firewall. The flexibility of providing a firewall on/off option, means the teleworker can both operate in small businesses that want to incorporate the firewall option at reasonable costs, and operate in much larger organizations that already have an existing firewall solution. As illustrated on the previous page, the recommended configuration at the remote location is to plug the Internet connection into a standard cable/dsl router capable of providing Network Address Translation (NAT) and DHCP. The phone is then connected to the router and the teleworker s PC is connected to the second port on the back of the phone. Note that when the PC accesses the Internet via the phone, the phone does not interfere in any way with the data stream. The phone does, however, provide prioritization of the voice packets, ensuring better voice quality with minimal or no impact to the data connection. The strength of this feature is recognized when an individual is conversing over the phone while uploading files. Installation of the Teleworker Solution (6010) at the corporate site is simple and is typically accomplished in less than 45 minutes (for end-users, installation typically takes less than 5 minutes and requires no training). At the Corporate site, a technician begins by loading the 6000 MAS software, which is Mitel Networks security-hardened version of the Linux operating system, on a standard Intel-compatible computer. Installation is fully automatic and requires no Linux knowledge. Next, the technician logs into the Mitel Networks Applications Management Center (AMC), registers the server, and downloads the Teleworker Solution (6010) software blade. To configure the Teleworker Solution (6010) software, the technician clicks on Teleworker Solution (6010) in the server manager, enables the solution (by default all services are shipped disabled), configures the appropriate addresses for the ICP(s) and authorizes which sets can connect. Mitel Networks Page 3 24/11/03

To configure the IP Phone, the administrator powers up the set, holds down the 7 key and, when prompted, enters the Internet-routable IP address of the Teleworker Solution (6010) server. This information is stored by the phone in NVRAM (Non-Volatile Random Access Memory). Once configured, the phone can be taken off-site and plugged into any broadband Internet connection via a cable/dsl router, as described above. When powered up, the phone will first obtain a local IP address from the cable/dsl router and then download its software from the Teleworker Solution (6010) server at the corporate office. When the download completes (generally in less than a minute), the phone again connects to the Teleworker Solution (6010) server and the server in turn connects to the Mitel Networks ICP whose address was entered on the blade web panel. This entire process is automatic and requires no special configuration at the remote location. Release 2.0 of the Teleworker Solution (6010) provides an additional feature whereby only a single Teleworker Solution (6010) server is required when multiple ICPs are configured in a given network. Previously, each ICP required a dedicated Teleworker Solution (6010) server; however, in release 2.0 each individual remote IP phone can be mapped to any visible ICP within the corporate network. Note that the ICPs do not all have to be of the same type (i.e. a corporate WAN with a 3300 ICP, a 3100 ICP and/or an SX-200 ICP could have a single Teleworker Solution (6010) server acting as the gateway for all ICPs). Because a single Teleworker Solution (6010) can operate off multiple ICPs, release 2.0 also now supports the network resiliency of Release 4.0 of the 3300 ICP whereby, in the event of the failure of the primary 3300 ICP, the Teleworker Solution (6010) will automatically fail over all connected sets to a secondary 3300 ICP. Mitel Networks Page 4 24/11/03

Voice Networking To ensure the confidentiality of communications, all voice packets passed between the remote IP phone and the Teleworker Solution (6010) server are encrypted using the Secure Real-time Transport Protocol, a security profile for RTP. RTP The Real-Time Transport Protocol (RTP) is an Internet protocol standard that specifies a way for programs to manage the real-time transmission of multimedia data such as voice or video. Originally specified in an Internet Engineering Task Force (IETF) Request for Comments (RFC1889), RTP is commonly used in Internet telephony applications. RTP does not in itself guarantee real-time delivery of multimedia data, since this is dependent on network characteristics. It does, however, provide tools to help manage the data to achieve the best possible quality sound. (For example, an application can be configured to drop voice packets that are seriously delayed since audio dropouts tend to be less disruptive to human perception than echo or delay.) Secure RTP Secure RTP is a security profile for RTP that adds confidentiality, message authentication and replay protection to that protocol. Specifically, Secure RTP defines a set of default cryptographic transforms and allows new transforms to be introduced in the future. The security benefits of Secure RTP include: confidentiality of the RTP payloads, as well as protection against replayed packets. low bandwidth cost, i.e., a framework preserving RTP header compression efficiency, and limited packet expansion low computational cost, high tolerance to packet loss and re-ordering, and robustness to transmission bit errors in the encrypted payload. Secure RTP is ideal for protecting Voice-over-IP traffic because it can be used in conjunction with header compression and has no effect on IP Quality of Service (QoS). These attributes provide significant advantages, especially for voice traffic using low-bit rate voice codecs such as G.729. Mitel Networks Page 5 24/11/03

CAST-128 Secure RTP allows for the fast encryption of a voice stream using one of a number of encryption algorithms. The specific algorithm used by the Mitel Networks Teleworker Solution (6010) to encrypt both the voice stream and MiNET signaling is the CAST- 128 algorithm, documented in RFC2144. Belonging to the class of encryption algorithms known as Feistel ciphers, CAST-128 is operationally similar to the Data Encryption Standard (DES) but uses a newer, larger key size. In a Feistel cipher, the input is broken into two blocks of equal size, generally called left and right, which are then repeatedly cycled through the algorithm. At each cycle, a hash function is applied to the right block and a randomly generated key, and the result of the hash is XOR-ed into the left block (using the Boolean algebra function Exclusive- OR). The blocks are then swapped. The XOR-ed result becomes the new right block and the unaltered right block becomes the left block. The process is then repeated a number of times (rounds). Exclusive-OR encryption requires that both the encryptor and the decryptor have access to the encryption key, but the encryption algorithm, while extremely simple, is also extremely secure. The CAST-128 encryption algorithm is designed to use a key size that can vary from 40 bits to a maximum of 128 bits. The longer the encryption key, the more difficult it is to decrypt the file. (Every bit added to the length of the key doubles the number of tries that would be required to break the encryption through brute force.) The Teleworker Solution (6010) uses the most secure method of CAST- 128 encryption, with 16 rounds and a 128-bit key (also known as CAST5-128). Using a computer capable of one million calculations per second, it would take roughly 12 days to crack a 40-bit encrypted message by brute force but 1025 years to crack a message encrypted with a 128-bit key. Remote Set Connection Restriction In addition to protecting the confidentiality of the voice stream and the MiNET signaling, the Teleworker Solution (6010) is designed to prevent unauthorized remote phone users from gaining access to corporate voice resources. This is accomplished by restricting access to specified Mitel Networks 5220 IP Phones, based on a unique identifier sent by the phone to the Teleworker Solution (6010) server in an encrypted MiNET control message. That unique identifier is the MAC (Media Access Control) address of the phone. Note again that while the MAC address is used as the identifier, it is sent to the Teleworker Solution (6010) server in the encrypted MiNET stream and cannot be simply spoofed. Mitel Networks Page 6 24/11/03

The first time a 5220 IP Phone attempts to send a registration message to the Teleworker Solution (6010), its MAC address is automatically logged and entered into a table that is displayed on the solution s web interface. By default, the phone is disabled and therefore will not be able to connect to the ICP. To allow access, the administrator must set the phone s entry to enabled by placing a check mark in the box next to the MAC address and clicking the Update button. It is also possible to enable specific phones by manually adding their MAC addresses to the table. Each phone s MAC address is printed on a label on the back of the set. To ease the installation of a large number of sets, an option now exists for an installer to enter a single password on the set after the set initially connects to the Teleworker Solution (6010). The correct password will add the MAC address of the set to the table of allowed MAC addresses. This is a shortcut provided so that each MAC address does not need to be entered/approved individually, which could be quite tedious in large installations. For convenience, the table also allows a description to be entered for each phone. If the entry is added through the automatic registration process, the default description is the IP address of the phone. Resources Secure Real-time Transport Protocol http://www.ietf.org/internet-drafts/draft-ietf-avt-srtp-05.txt RFC 2144: The CAST-128 Encryption Algorithm http://www.ietf.org/rfc/rfc2144.txt Mitel Networks Page 7 24/11/03

Data Security The Teleworker Solution (6010) offers several options for customers requiring a secure data connection between the remote site and the corporate office. If the customer has an existing Virtual Private Network (VPN) using IPSEC or any other encryption protocol, the Teleworker Solution (6010) can co-exist with that service. These VPN solutions may involve on-premise equipment (such as "VPN appliances") or use software installed on a desktop or laptop. In either scenario, the Teleworker Solution (6010) provides a secure voice connection while the existing equipment continues to secure the data connection. For customers that do not have an existing VPN solution, the Teleworker Solution (6010) supports two options: 1. For offices that wish only to enable access for specific remote desktop or laptop PCs, the Teleworker Solution (6010) includes full native support for either the IPSEC/L2TP VPN client included with Windows 2000 or Window XP or the high-encryption version of the Virtual Private Networking software included with every version of Microsoft Windows since Windows 98. This latter software is based on the Point-to-Point Tunneling Protocol (PPTP) which was developed by a consortium of vendors led by Microsoft. 2. Alternatively, the Teleworker Solution (6010) at the corporate office can be linked to a system at the remote office running the Mitel Networks 6042 Managed VPN software in a secure site-to-site IPSEC VPN. This extends the corporate network into each of the remote offices and allows for the full access of network resources by systems in the remote offices. The Mitel Networks IPSEC VPN offering includes the use of 3DES encryption and manages the exchange of IPSEC keys through the interaction of each Teleworker Solution (6010) and 6000 MAS server with the Mitel Networks Applications Management Center (AMC). The AMC acts as a trusted broker and provides a reliable mechanism for the secure exchange of IPSEC keys between servers. Mitel Networks Page 8 24/11/03

Background on IPSEC/L2TP Through the base 6000 MAS operating system, the Teleworker Solution (6010) supports the use of the IPSEC/Layer 2 Tunnelling Protocol now available in Windows 2000 and Windows XP. In our implementation, an X.509 certificate is generated for each Windows client on the server itself. This certificate is downloaded to the Windows PC and installed. When the IPSEC/L2TP connection is initiated, the user is still prompted for their user name and password, but without the certificate installed they will not be allowed to connect. Background on PPTP In its earliest implementation, PPTP used an authentication protocol called MS-CHAP which was found to be insecure. Microsoft corrected the deficiencies and released a new authentication protocol called MS-CHAPV2. MS-CHAPV2 operates as an encrypted mutual authentication handshake. No passwords, in either clear text or encrypted form, are passed during authentication setup. In addition to these measures, the Teleworker Solution (6010) requires both 128-bit and stateless encryption for PPTP. Address known security issues with the original PPTP protocol release, included: Clear text/encrypted password exchange during authentication Clear text passwords on the server 40-bit encryption Encryption state carried between packets In summary, therefore, the Teleworker Solution (6010) will not allow connections from PPTP clients that do not support all of: MS-CHAPV2 Encrypted passwords on the server 128-bit encryption Stateless encryption There have been no reported issues with the security of PPTP when configured in this fashion. Mitel Networks Page 9 24/11/03

Resources Point-to-Point Tunneling Protocol FAQ http://www.microsoft.com/ntserver/productinfo/faqs/pptpfaq.asp RFC 2637 - Point-to-Point Tunneling Protocol (PPTP) http://www.ietf.org/rfc/rfc2637.txt Security Architecture for the Internet Protocol (IPSEC) http://www.ietf.org/rfc/rfc2401.txt Troubleshooting Given that any installation problems generally turn out to be related to either firewall configuration or Internet Service Provider connections, a Windows-based desktop application called the Teleworker Network Analyzer (TNA) has been added to the Teleworker Solution (6010) to enable end users to conduct a simple analysis of their network connection in order to easily identify the source of troubles affecting their teleworker functionality. The benefit of this tool is that it reduces the dependency on network IT resources for simple problems that can easily be corrected by the end-user. Conclusion Mitel Networks Release 2.0 of the Teleworker Solution (6010) has made teleworking even easier for both the network technician and the end-user. Mitel Networks latest advancements has made calls on the IP network as easy as placing calls over a traditional PSTN. The Mitel Networks Teleworker Solution (6010) has taken the internet savvy requirement out of IPTelephony and instead, made it easy for real, ordinary citizens to do. This is another example of a Mitel Networks solution that delivers less complexity to enable more functionality in telephony and data solutions. Mitel Networks Page 10 24/11/03 6767

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information