
Secure Access Link

Table of Contents
Introduction ... 1
Background ... 1
Secure Access Link ... 2
Components ... 3
Aggregated Traffic ... 5
Flexible Authentication and Authorization ... 6
Complete Control over Remote Access ... 7
Channel Neutral Support and Customer Self-Service ... 7
Foundation for Value-Added Support Applications ... 8
Naturally Secure ... 9
Conclusion ... 10

Introduction

Avaya is embarking on a new, next-generation architecture that will significantly improve the way in which customers receive support of their communications networks. The new architecture eliminates the Avaya requirement for unfettered 24x7 access to customers' network equipment. Customers can take advantage of channel-neutral support by enabling self-service, Avaya support, and/or authorized partner support of their networks at levels never achieved before. And customers can be in complete control of when and how Avaya, or any other service partner, accesses their equipment. With this new service and support architecture, Avaya has significantly changed its underlying software, procedures, and paradigms to provide customers with more choices, more control and improved security.

Background

Historically, modems have been the primary means by which Avaya has remotely accessed customers' products and networks. The use of modems allowed Avaya professionals to gain the same level of administrative access as if they were locally attached to the product terminal. Because modems allowed access from remote locations, Avaya was able to provide service to distant customer locations. With the widespread adoption of modems by customers, Avaya created supporting software that could automatically perform regular tasks instead of requiring a technician to log in manually to each product. This concept has matured into what is known as Avaya EXPERT Systems(SM) Diagnostic Tools.

As customers became more sensitive to controlling access to their networks, and as Avaya products became more network-dependent (e.g. IP-enabled with rich Web-based interfaces), Avaya introduced new support capabilities that provided greater bandwidth and did not require the use of modems. These IP-based solutions used IPSec virtual private networks (VPN) combined with customer-resident servers such as Avaya Secure Services Gateways (SSG) to provide remote support capabilities similar to those previously provided by modems, but with the added benefit of higher bandwidth and improved customer control.

Avaya improved IP-based remote access with the introduction of advanced services. Again, these services were provided through the use of IPSec VPNs and a customer-resident management server, the Avaya Secure Intelligent Gateway (SIG), to deploy software providing advanced features such as patching and software release management. As part of developing advanced services, Avaya deployed secure, isolated Enterprise Service Platform (ESP) data centers to contain and control access to the Avaya Secure Intelligent Gateways and constrain access to any customer-sensitive data.

Even though Avaya had migrated to providing service for IP-based solutions (while still supplying modem support when necessary), more security enhancements were needed, especially in the areas of improved customer control; customer-controlled and auditable logging; and unique identification and authentication of technicians on the customer network using resilient two-factor authentication. In addition, the IP-based solutions did not provide any notable ability for authorized partners to access customer networks via the business-to-business VPN or customer-resident servers (Avaya SSG or Avaya SIG).

Secure Access Link

Next-Generation Remote Access

Notwithstanding the remote-access improvements in the development of the advanced architectures, customers still wanted the ability to obtain support from their in-house staff or from preferred partners. In addition, customers wanted complete control over when Avaya and other service partners accessed their networks. And customers wanted better logging and greater control over those accessing their networks: both when they were accessed and what was accessible.

Avaya investigated alternatives that would provide the same level of support, yet still allow for support from Avaya EXPERT Systems Diagnostic Tools and other automated and transactional tools. The alternative had to be flexible enough to allow for growth and the introduction of new support services, while still meeting the requirements set forth by customers. With extensive customer feedback and thorough investigation of numerous architectural options, the design for the next generation of remote access began to clearly emerge: Avaya Secure Access Link (SAL).

The dominant feature of Avaya SAL is that customers have complete control over all remote access to their networks. To provide this control, Avaya SAL enables customers to determine who will provide services to their products and to what degree. Customers may have services provided by Avaya, their own internal support groups, authorized Avaya partners, or any combination thereof. With Avaya SAL, customers have channel-neutral support in addition to control, auditable logging, and strong identification and authentication of any users who access their networks.

With SAL, all of a customer's service partners, including Avaya, will need customer approval to initiate connections to the customer's network. In addition, Avaya SAL provides no inherent mechanism to allow Avaya or any service partner to remotely access customers' products without the TCP/IP connection first being initiated from the customer's network. To help customers remain compliant with Payment Card Industry (PCI) and other industry regulations, all Avaya users are uniquely identified and authenticated. Avaya SAL provides clear, auditable logging of any access attempt, whether by a technician or an automated tool.

Next-Generation Architecture

The emerging Avaya SAL architecture is scalable and flexible. Although initial releases will require customers to deploy and manage a small server for remote access, Avaya's long-term vision is to integrate the SAL solution into Avaya products as a software-only solution so that customers will not be required to deploy hardware. However, optional hardware may be deployed by customers who want to realize the benefits of some of SAL's most advanced features and management capabilities. In any case, if customers deploy servers as parts of their solutions, they will always control the highest level of administrative access to those servers (i.e. owning "root").

Based on their needs, customers can choose the SAL components appropriate for inclusion in their networks. This allows customers to make balanced decisions about how they want to achieve access control in addition to the three A's of security: authentication, authorization, and accounting (AAA). By providing flexible deployment options, Avaya gives a tailored solution to every customer, whether a large enterprise or a small or mid-sized business.

Components

Following are descriptions of the major components of the new Avaya SAL architecture. These components are also depicted in Figures 1-3 (pages 6-9), illustrating the SAL architecture-based scenarios for flexible alarming, secure remote access and comprehensive policy management applications.

Embedded Agent

The Embedded Agent is co-resident software automatically included on Avaya products. (Initial releases of Avaya SAL will support only the Embedded Agent within Secure Access Gateways. However, later versions of Avaya products will automatically include co-resident Agents as part of the software releases.) The Embedded Agent facilitates the transmission of alarms to the service provider (e.g. the Avaya support center, the customer network operations center, or an authorized partner support center), polls the service providers via HTTPS for remote-access connection requests, and authenticates any connection request to the product. Authentication of Avaya remote access requests is performed through examination and validation of the Public Key Infrastructure (PKI) certificate of the technician or tool that initiated the request. Authentication can be augmented through implementation of a RADIUS-based one-time password. It is important to note that the Agent is the only required customer component of this new architecture.

Secure Access Gateway Server

The Secure Access Gateway Server is optional software intended to be loaded on a customer-provided and -managed server. Avaya provides SAL Gateway Server software to customers at no additional cost; they simply download it. Its primary purpose is to host an Agent for products that do not support the use of a co-resident Agent on the product (i.e. legacy or third-party products). It is important to note that the Gateway Server is the only required customer component of this new architecture. The Gateway Server can receive alarms (e.g. SNMP, INADS) from Avaya products, reformat them, and forward them on to the Secure Access Core Concentrator Servers in addition to customer-managed Network Management System (NMS) systems. Similar to the Agent, the Gateway Server polls the service providers for connection requests and supports the same authentication option as Agents.

Secure Access Concentrator Remote Server

The Secure Access Concentrator Remote Server, resident at the Avaya support center and/or an authorized partner's support center, may optionally be deployed on a customer-provided and -managed server as part of a federated deployment. The software is designed to run on a server separate from the Gateway Server. The Remote Server is the point of connection management and communication aggregation when accessing SAL Agents from the customer's network. Technicians who are local and wish to access products must be authenticated by the Concentrator Remote Server and wait in queue for Agents to poll for connection requests. This approach provides a single authentication and access point for servicing products. The Remote Server will be able to integrate with a customer-provided AAA server (e.g. RADIUS, LDAP) in addition to being able to authenticate the certificates of Avaya users and automated tools.

If a Concentrator Remote Server is deployed on the customer network, it is the single point within the customer's network that polls the service partner for connection requests (instead of the Agent or Gateway, which are configured to poll the Concentrator Remote Server). Concentrator Remote Servers are deployed within Avaya data centers and may be deployed on the customer's network, an authorized partner's network, or a combination of both networks. This provides a federated hierarchy so that the customer may receive multiple tiers of support.

Secure Access Concentrator Core Server

The Secure Access Concentrator Core Server is equivalent to the Remote Server, with the exception that the Core Server receives alarms delivered by the Agents or the Gateway Server. If a Concentrator Core Server is deployed on the customer network, it is the single point where alarms may be sent and forwarded on to the Avaya support center and/or an authorized partner's support center. Concentrator Core Servers are deployed within Avaya data centers and may be deployed on the customer's network, an authorized partner's network, or a combination of both networks. This provides a federated hierarchy so that the customer may receive multiple tiers of support.

Secure Access Policy Server

As customers expand the use of this architecture, they may have multiple Agents (on products) and Gateway Servers to support hundreds or thousands of products. By using the Secure Access Policy Server software (deployed on the customer network using a customer-provided and -managed server), the customer can centrally manage the policies, enforced by Agents and Gateway Servers, that control access to Avaya products deployed within their network. When a customer purchases an Avaya maintenance agreement with remote access capabilities, Avaya provides the SAL Policy Server software at no additional cost.

Secure Access Global Access Server

The Secure Access Global Access Server (GAS) is deployed within the Avaya data centers along with the Secure Access Concentrator Core and Remote Servers. These GAS servers are used as the conduit of the remote access connection between the technician's desktop and the Agent on the customer's network. GAS completes the secure, high-performance link for each session created by the technician to a customer product. GAS servers are regionally distributed to help ensure minimal network delay between the technician and Agent and to provide a layer of high reliability and redundancy in the event that regional Internet traffic is disrupted.

Aggregated Traffic

For the most security-conscious customers, the Secure Access Concentrator Remote Servers (deployed on customer networks) provide an additional benefit: routing all SAL alarms and polls through a single choke-point on the network. Although customers may also manage traffic without deploying a Concentrator Core or Remote Server, through the use of routers or Web proxies, the Concentrator Core and Remote Servers provide alternatives.

Even without the Secure Access Remote Server, the inherent SAL architecture and functionality of Agents and Gateways provide a level of assurance to customers that their service partners are given access only to specified products, and will not get unfettered access to their entire networks.
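The alarm path described above (a Gateway that receives alarms in different formats for products without a co-resident Agent, normalises them, and fans them out to the customer's NMS and to a Concentrator that forwards upstream through the federated customer / partner / Avaya hierarchy) can be modelled in a few dozen lines. The following is an added example and not Avaya's code: the alarm formats, the OIDs, the severity codes, the tier names and the sample alarms are all constructed for the demonstration.

```python
"""Added example (not Avaya's code): alarm normalisation at a Gateway and
forwarding through a federated chain of Concentrator Core servers, so that
every alarm leaves the customer network through one choke-point.
All formats, OIDs, names and sample alarms below are constructed."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass(frozen=True)
class Alarm:
    product: str          # managed product that raised the alarm
    severity: str         # normalised: "critical" | "major" | "minor"
    text: str
    source_format: str    # which raw format it arrived in


# Constructed stand-in for SNMP trap varbinds (OID -> value). The OIDs
# are hypothetical; a real product defines them in its own MIB.
SEV_OID = "1.3.6.1.4.1.99999.1.1"
TEXT_OID = "1.3.6.1.4.1.99999.1.2"


def normalise_snmp_trap(product: str, varbinds: Dict[str, str]) -> Alarm:
    sev = {"1": "critical", "2": "major", "3": "minor"}.get(varbinds.get(SEV_OID, ""), "minor")
    return Alarm(product, sev, varbinds.get(TEXT_OID, ""), "snmp")


def normalise_legacy_line(product: str, line: str) -> Alarm:
    # Constructed line-oriented legacy format: "MAJ|component|message".
    code, component, message = line.split("|", 2)
    sev = {"CRIT": "critical", "MAJ": "major", "MIN": "minor"}.get(code, "minor")
    return Alarm(product, sev, f"{component}: {message}", "legacy")


class Concentrator:
    """One tier of the federated hierarchy. It records what it receives and
    forwards a copy upstream, so the customer tier sees every alarm that
    leaves its network before the partner or vendor tier does."""

    def __init__(self, name: str, upstream: Optional["Concentrator"] = None):
        self.name = name
        self.upstream = upstream
        self.received: List[Alarm] = []

    def receive(self, alarm: Alarm) -> None:
        self.received.append(alarm)
        if self.upstream is not None:
            self.upstream.receive(alarm)


class Gateway:
    """Receives raw alarms for products without a co-resident agent,
    normalises them and delivers the result to every configured sink
    (the customer's Concentrator and the customer's own NMS)."""

    def __init__(self, sinks: List[Callable[[Alarm], None]]):
        self.sinks = sinks

    def handle_snmp(self, product: str, varbinds: Dict[str, str]) -> Alarm:
        return self._dispatch(normalise_snmp_trap(product, varbinds))

    def handle_legacy(self, product: str, line: str) -> Alarm:
        return self._dispatch(normalise_legacy_line(product, line))

    def _dispatch(self, alarm: Alarm) -> Alarm:
        for sink in self.sinks:
            sink(alarm)
        return alarm


def run_demo():
    """Build a customer -> partner -> vendor chain and push two alarms."""
    vendor = Concentrator("vendor-core")
    partner = Concentrator("partner-core", upstream=vendor)
    customer = Concentrator("customer-core", upstream=partner)
    nms_log: List[str] = []   # the customer's NMS, constructed as a plain list
    gw = Gateway(sinks=[customer.receive,
                        lambda a: nms_log.append(f"{a.severity.upper()} {a.product} {a.text}")])
    gw.handle_snmp("pbx-01", {SEV_OID: "1", TEXT_OID: "power supply failed"})
    gw.handle_legacy("pbx-02", "MAJ|trunk-group-3|all trunks busy")
    return customer, partner, vendor, nms_log


if __name__ == "__main__":
    cust, part, vend, log = run_demo()
    for tier in (cust, part, vend):
        print(tier.name, [(a.product, a.severity) for a in tier.received])
    print(log)
```

The design point worth noticing is that the Gateway never opens a second path to the vendor: the only route out of the customer network is the customer-owned Concentrator, which is exactly why the paper calls it a choke-point and why the customer can audit every alarm that reaches a partner.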

Alarms may be forwarded upstream from a customer's Concentrator Remote Server to a partner's Concentrator Remote Server and then to Avaya.

Figure 1: Avaya Secure Access Link - Flexible Alarming

Flexible Authentication and Authorization

Avaya Secure Access Link inherently supports two-factor authentication (2FA) of technicians through user-assigned certificates as the form of identification and strong authentication. Avaya combines standard VeriSign-issued certificates with federally approved (FIPS 140-2) USB smart cards (i.e. eTokens) to identify and authenticate Avaya technicians. The 2FA method provides unique, strong, auditable identification and authentication of each user, without burdening the customer with the overhead of administering an account for each Avaya technician (possibly thousands of technicians globally) supporting that network.

The user-assigned certificates are inherently integrated with the logging mechanisms of the Secure Access Link solution. Whenever a technician accesses the customer's network, identifying information from his or her certificate is stored in the customer logging servers (e.g. when Agents or Gateway Servers are configured to export logging information).

In addition to certificate-based authentication, the customer is able to configure a Secure Access Concentrator Remote Server, Gateway, and Agent to authenticate users to a local, customer-provided AAA server. This capability allows the customer to use its RADIUS or LDAP servers as the basis of authentication of users to its products through this architecture, and also allows the customer to utilize other forms of 2FA, such as SafeWord one-time-password (OTP) tokens. Local RADIUS or LDAP authentication can be used in addition to or in lieu of the certificate-authentication support inherent in Secure Access Link.

Access policies, centrally managed by the optional Policy Server, will allow customers to define access maintenance windows, manage access and assign roles to individuals based on who they are, how they authenticate, or when they are accessing the network.

Complete Control over Remote Access

In addition to the ability to integrate local AAA servers into this architecture for authentication or control of access, SAL will also provide the customer the control to individually authorize each remote access request. When using this optional feature, the customer must approve each and every connection request.

Channel Neutral Support and Customer Self-Service

Even though it is described throughout this white paper, it is worth re-emphasizing that customers will be able to select the preferred service partners that will provide service and support. It could be Avaya, an authorized Avaya partner, or the customer's in-house staff. Furthermore, customers can select a combination of support from all three sources.

Agents poll the Avaya or partner's Concentrator Remote Server using HTTPS for connection requests from technicians or automated systems. Connection requests are authenticated and permitted per customer-defined policy. Once connection requests are approved, a secure end-to-end session is created via high-capacity Global Access Servers.

Figure 2a: Avaya Secure Access Link - Secure Remote Access
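The access-control flow described in the preceding sections (an Agent that only ever polls outward over HTTPS, a policy with maintenance windows and roles assigned by identity, authentication method and time, the optional per-request customer approval, and audit records that carry the technician's certificate identity) is illustrated below. This is an added example, not Avaya's code and not SAL's real policy format: the policy fields, the role names, the log layout and the sample requests are constructed. It assumes the HTTPS layer has already validated the technician's certificate chain, so only the validated subject name and the verified authentication method reach the decision logic.

```python
"""Added example (not Avaya's code): outbound-poll access decisions at a
SAL-style agent. Policy shape, role names, log layout and sample requests
are constructed; certificate validation is assumed done by the HTTPS layer."""
from dataclasses import dataclass
from datetime import datetime, time, timezone
from typing import Callable, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class ConnectionRequest:
    request_id: str
    subject: str          # subject name from the validated technician certificate
    auth_method: str      # "cert" or "cert+otp", as verified upstream
    product: str          # product the technician or tool wants to reach
    requested_at: datetime


@dataclass(frozen=True)
class AccessPolicy:
    allowed_products: frozenset
    window_start: time    # maintenance window, UTC
    window_end: time
    require_customer_approval: bool = False   # the paper's optional per-request approval


def decide(req: ConnectionRequest, policy: AccessPolicy,
           approver: Optional[Callable[[ConnectionRequest], bool]] = None) -> Tuple[str, str, str]:
    """Return (decision, role, reason). Anything not explicitly permitted is denied."""
    if req.product not in policy.allowed_products:
        return "DENY", "-", "product not in scope"
    now = req.requested_at.astimezone(timezone.utc).time()
    if policy.window_start <= now < policy.window_end:
        role, reason = "maintainer", "inside maintenance window"
    elif req.auth_method == "cert+otp":
        role, reason = "emergency", "outside window, second factor presented"
    else:
        return "DENY", "-", "outside window without second factor"
    if policy.require_customer_approval:
        if approver is None or not approver(req):
            return "DENY", "-", "customer approval not granted"
        reason += ", customer approved"
    return "PERMIT", role, reason


def audit_line(req: ConnectionRequest, decision: str, role: str, reason: str) -> str:
    # Syslog-style record (constructed layout) for export to the customer's
    # logging server; the certificate subject is present on every line.
    return (f"{req.requested_at.isoformat()} sal-agent: decision={decision} "
            f"request={req.request_id} subject=\"{req.subject}\" auth={req.auth_method} "
            f"product={req.product} role={role} reason=\"{reason}\"")


class Agent:
    def __init__(self, policy: AccessPolicy,
                 approver: Optional[Callable[[ConnectionRequest], bool]] = None):
        self.policy, self.approver = policy, approver
        self.audit: List[str] = []

    def poll(self, pending: List[ConnectionRequest]) -> Dict[str, str]:
        """One simulated HTTPS poll: the agent fetches the concentrator's queue
        and decides each entry. Nothing is ever pushed to the agent."""
        results: Dict[str, str] = {}
        for req in pending:
            decision, role, reason = decide(req, self.policy, self.approver)
            self.audit.append(audit_line(req, decision, role, reason))
            results[req.request_id] = decision
        return results


def build_policy(require_approval: bool = False) -> AccessPolicy:
    return AccessPolicy(frozenset({"pbx-01", "pbx-02"}), time(1, 0), time(5, 0), require_approval)


def sample_requests() -> List[ConnectionRequest]:
    def ts(hour: int) -> datetime:
        return datetime(2009, 5, 1, hour, 30, tzinfo=timezone.utc)
    return [
        ConnectionRequest("r1", "CN=tech.one,O=Vendor", "cert", "pbx-01", ts(2)),
        ConnectionRequest("r2", "CN=tech.two,O=Vendor", "cert", "pbx-01", ts(14)),
        ConnectionRequest("r3", "CN=tech.two,O=Vendor", "cert+otp", "pbx-02", ts(14)),
        ConnectionRequest("r4", "CN=tool.inventory,O=Vendor", "cert", "core-router", ts(2)),
    ]


def run_demo() -> Tuple[Dict[str, str], List[str]]:
    agent = Agent(build_policy())
    return agent.poll(sample_requests()), agent.audit


def approval_demo(granted: bool) -> str:
    """Same in-window request, but with per-request customer approval switched on."""
    return decide(sample_requests()[0], build_policy(True), approver=lambda r: granted)[0]


if __name__ == "__main__":
    results, audit = run_demo()
    print(results)
    print("\n".join(audit))
```

Two things the code makes concrete: the automated inventory tool in request r4 is treated exactly like a human (same certificate identity, same policy), which is the paper's point about tools authenticating "at the same level of security as that of an individual"; and a denied request still produces an audit line, so the customer's log shows attempts as well as sessions.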

Agents poll the Avaya or partner's Concentrator Remote Server using HTTPS for connection requests from technicians or automated systems. Connection requests are authenticated and permitted per customer-defined policy. Once connection requests are approved, a secure end-to-end session is created.

Figure 2b: Avaya Secure Access Link - Secure Remote Access with Onsite Concentrator Remote Server

Foundation for Value-Added Support Applications

The ability to leverage tools is paramount to the efficient delivery of support. Parsing system logs, taking inventory, and consistently applying detailed changes across multiple systems are just a few examples of the benefits of automated tools. The architecture presented in this white paper is also intended to further the development of automated tools. The Avaya Secure Access Link project has resulted in an extensive redesign of the tools that have been developed over the past 25 years. As part of the redesign, Avaya is laying the foundation for a framework for future tools development that can be leveraged not only by Avaya, but by customers and their partners as well.

The framework is intended to allow the integration of tools in future releases so that the tools may be used locally or remotely. Regardless of access point, tools will require authentication of the user or initiating automated system. For example, before Avaya EXPERT Systems Diagnostic Tools could access a product, it would be required to identify and authenticate itself to the Concentrator Remote Server, Gateway, or Agent at the same level of security as that of an individual. As additional automated or transactional tools are developed, they will also be uniquely identified and authenticated prior to accessing a product or customer network, even if that tool is being used locally.

Naturally Secure

Although it has not been specifically detailed within this white paper, the SAL architecture will adopt all aspects of security that are fundamental to a system of this nature and would be expected of advanced technology of this kind. These include support for customer-controlled and auditable logging using standard methods (e.g. SYSLOG); compatibility with standard AAA servers (e.g. RADIUS and LDAP); use of secure protocols (e.g. TLS, SSH, HTTPS); alignment with federal guidelines with respect to cryptographic algorithms and key usage (e.g. NIST Special Publications and Federal Information Processing Standards); application and operating system hardening that complies with generally accepted practices; unique identification and strong authentication of each user; implicit or explicit customer control of all remote access; and Avaya data center operational processes and procedures, which can be audited against industry standards (e.g. ISO 17799/27002, PCI).

An optional Secure Access Policy Server may be deployed to centrally define and manage the access and control policies enforced by each of the Agents resident in the Gateways. Agents (within Gateways) poll the Policy Server for updated policies.

Figure 3: Avaya Secure Access Link - Comprehensive Policy Management

Conclusion

Avaya is embarking on a significant advancement of its remote access architecture to provide greater security and control to customers, while still affording them best-in-class support. This endeavor is resulting in a fundamental change in the way Avaya supports customers by eliminating unfettered 24x7 access to customers' networks. Under the architecture of Avaya Secure Access Link, customers have complete control over remote access, all communication is initiated from the customers' networks, channel-neutral support is inherent, users are uniquely identified and authenticated, and customers are provided with the auditable logging necessary to meet today's stringent regulatory requirements. Avaya Global Services is among the first providers of professional, support and operations services to deliver this level of secure remote access to organizations.

Learn more about Avaya Secure Access Link and how it can help you and your organization. Contact your Avaya Account Manager or authorized Avaya partner, or visit www.avaya.com.

About Avaya

Avaya is a global leader in enterprise communications systems. The company provides unified communications, contact centers, and related services directly and through its channel partners to leading businesses and organizations around the world. Enterprises of all sizes depend on Avaya for state-of-the-art communications that improve efficiency, collaboration, customer service and competitiveness. For more information please visit www.avaya.com.

2009 Avaya Inc. All Rights Reserved. Avaya and the Avaya Logo are trademarks of Avaya Inc. and may be registered in certain jurisdictions. All trademarks identified by ®, TM or SM are registered marks, trademarks, and service marks, respectively, of Avaya Inc. All other trademarks are the property of their respective owners. 05/09 SVC4274 avaya.com