Last week we covered how old phone systems with ISDN and analogue trunks are a dying breed, and why Microsoft's decision to end support for XP made it harder than ever to support those systems. This week we'll look at how GlobalTalk has implemented the Avaya SSL VPN solution to maintain your Avaya IP Office system remotely and securely.
First, let's get the boring Wikipedia definitions out of the way; then we can put everything together in context.
“A virtual private network (VPN) extends a private network across a public network, such as the Internet. It enables a computer to send and receive data across shared or public networks as if it is directly connected to the private network, while benefiting from the functionality, security and management policies of the private network. A VPN is created by establishing a virtual point-to-point connection through the use of dedicated connections, virtual tunneling protocols, or traffic encryption.”
“Transport Layer Security (TLS) and its predecessor, Secure Sockets Layer (SSL), are cryptographic protocols designed to provide communication security over the Internet. They use X.509 certificates and hence asymmetric cryptography to authenticate the counterparty with whom they are communicating, and to exchange a symmetric key. This session key is then used to encrypt data flowing between the parties. This allows for data/message confidentiality, and message authentication codes for message integrity and, as a by-product, message authentication. Several versions of the protocols are in widespread use in applications such as web browsing, electronic mail, Internet faxing, instant messaging, and voice-over-IP (VoIP). An important property in this context is forward secrecy, so the short-term session key cannot be derived from the long-term asymmetric secret key.”
What all of this means is that a computer can connect to another network and act as if it were located in the same building as all the other computers on that network. Typically, remote workers take advantage of this technology to work from home or on the road as if they were in the office. The SSL component means that all the data passing between the remote computer and the corporate network is encrypted, so anyone trying to “listen in” receives only ciphertext that is extremely difficult to decrypt without the session key. As you can see from the image below, the Wireshark capture on the left does not use SSL and you can pretty clearly see my password. The capture on the right, well, that’s not so easy.
How does all this relate to your Avaya IP Office security?
Traditionally, phone system maintainers have relied on dial-up modems to connect to a system and make changes. This is inherently insecure: someone only needs to know your phone number to establish a connection, and after that only a password protects you. If the passwords aren’t changed when your system is installed, there isn’t much protecting you from potential intruders.
Alternatively, the customer’s IT department or contractor creates a VPN connection and distributes a username and password to the maintainer (in a plain-text email!). While this is more secure and gives you control over who can access your network, it can also mean unrestricted access to that network. Generally, phone system maintainers have better things to do than go poking around your network looking for sensitive information; after all, they have other customers that need their attention. However, if you do hold sensitive data, this is another opening into your network that needs to be monitored.
One possible solution is to remove the phone system from your network and turn off the data channel on your ISDN. Secure, yes. Easy to maintain, no. In fact, if something does go wrong, the time to resolve can go from minutes to hours, since your maintainer now has no ability to assess the situation remotely and will need to send a technician to site. Naturally, this is a much more expensive exercise.
The best solution then is to go with a maintainer like GlobalTalk who takes your security seriously. With our in-house Avaya SSL VPN server, we can make sure your system is secure from unwanted visitors. Unlike the solutions above, the Avaya IP Office phones home when it is told to.
This means that no one can dial up to the system and gain access whenever they want. It means that the connection is only enabled if you want it to be, and finally, it means that only one external party – GlobalTalk – can access your system. When needed, the connection is enabled by entering a code into a handset, and once the job is complete you can turn it off again. Of course, we also have some creative ways of enabling the connection without your intervention. The choice is yours.
Our access to the rest of your network is also restricted. This is because we are not connecting to your network; your Avaya IP Office system is connecting to our network. We can only access your IP Office and, if you have them, the Voicemail Pro, one-X and CCR servers or other Avaya hardware components that we have explicitly configured NAPT for. Of course, all the data traversing the public Internet is encrypted, to prevent anyone who might be snooping from learning anything about your configuration.
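To make the difference between the two access models concrete, here is an added example (not GlobalTalk's or Avaya's code) that models the firewall policy each model implies. All addresses, port numbers and the NAPT mappings are constructed for the example and are not real values; the "session" stands in for the handset code that enables and disables the tunnel. The point it shows is that under the phone-home model a technician can reach only the IP Office endpoint and the handful of NAPT-mapped ports, and nothing at all while the session is off, whereas an inbound VPN client on the LAN can reach any host.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, Tuple

# Constructed addressing for this example only (not real customer/maintainer values).
MAINTAINER_NET = ip_network("10.200.0.0/24")   # maintainer's SSL VPN address pool
CUSTOMER_LAN = ip_network("192.168.1.0/24")    # customer's office LAN
IP_OFFICE = ip_address("192.168.1.10")         # the IP Office: the only tunnel endpoint
MGMT_PORTS = {8443}                            # hypothetical IP Office management port

# NAPT map: port presented on the tunnel end -> (internal Avaya server, port).
# Only destinations listed here are reachable through the tunnel.
NAPT_MAP: Dict[int, Tuple[str, int]] = {
    5001: ("192.168.1.20", 443),   # Voicemail Pro (hypothetical address/port)
    5002: ("192.168.1.21", 443),   # one-X server (hypothetical)
    5003: ("192.168.1.22", 443),   # CCR server (hypothetical)
}


@dataclass(frozen=True)
class Flow:
    """A connection attempt as the firewall sees it."""
    src: str
    dst: str
    dport: int


@dataclass
class RemoteSession:
    """Whether the customer has enabled remote maintenance (the handset code)."""
    enabled: bool = False

    def enable(self) -> None:
        self.enabled = True

    def disable(self) -> None:
        self.enabled = False


def inbound_vpn_policy(flow: Flow) -> Tuple[bool, str]:
    """Traditional model: the maintainer's VPN client lands on the customer LAN
    and can reach any host there. This is the 'unrestricted access' problem."""
    src, dst = ip_address(flow.src), ip_address(flow.dst)
    if src in MAINTAINER_NET and dst in CUSTOMER_LAN:
        return True, "inbound VPN: any LAN host reachable"
    return False, "not a maintainer-to-LAN flow"


def phone_home_policy(flow: Flow, session: RemoteSession) -> Tuple[bool, str]:
    """Reverse-tunnel model: the IP Office dialled out to the maintainer, so the
    maintainer can only address the IP Office itself, only on management or
    NAPT-mapped ports, and only while the customer has the session enabled."""
    if not session.enabled:
        return False, "session disabled: tunnel is not up"
    src, dst = ip_address(flow.src), ip_address(flow.dst)
    if src not in MAINTAINER_NET:
        return False, "source is not the maintainer's VPN endpoint"
    if dst != IP_OFFICE:
        return False, "only the IP Office tunnel endpoint is addressable"
    if flow.dport in MGMT_PORTS:
        return True, "IP Office management"
    if flow.dport in NAPT_MAP:
        host, port = NAPT_MAP[flow.dport]
        return True, f"NAPT forward to {host}:{port}"
    return False, "port not mapped through NAPT"


if __name__ == "__main__":
    # Walk through a few constructed connection attempts under both models.
    session = RemoteSession()
    attempts = [
        Flow("10.200.0.5", "192.168.1.50", 445),   # a random file server on the LAN
        Flow("10.200.0.5", "192.168.1.10", 8443),  # IP Office management
        Flow("10.200.0.5", "192.168.1.10", 5001),  # Voicemail Pro via NAPT
    ]
    for f in attempts:
        print("inbound VPN :", f, inbound_vpn_policy(f))
    print("-- session disabled --")
    for f in attempts:
        print("phone home  :", f, phone_home_policy(f, session))
    session.enable()
    print("-- session enabled (handset code entered) --")
    for f in attempts:
        print("phone home  :", f, phone_home_policy(f, session))
```

Run as a script it prints the allow/deny decision and reason for each attempt; the file-server flow is allowed by the inbound model and refused by the phone-home model whether or not the session is enabled.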
We have a plan in place to roll this out retrospectively to our existing service agreement customers. The next time you’re talking to your maintainer, ask them what their plan is to secure your data now and into the future. Anything less than the security measures described in this article and you’re at risk.