Chapter 8: Avaya Communication Manager | Hacking Exposed VoIP: Voice Over IP Security Secrets & Solutions

I just installed an Avaya system, and from what I can tell, they take security very seriously, and there is a lot I can do to secure my system. Unfortunately, I have a very complex system, with quite a few sites, and I am not sure what I should focus on.
Telecomm manager deploying an Avaya VoIP System

Overview

Avaya, www.avaya.com, is one of the largest vendors of legacy circuit-switched and VoIP equipment for large and small enterprises. Avaya has a broad VoIP offering, including multiple systems designed for small and large enterprises , and their enterprise-class offering, the Communication Manager, has many different configurations, as needed by different- sized enterprises and sites within those enterprises. Avaya also offers many adjunct systems, including voicemail, contact centers, Automatic Call Distribution (ACD), and various voice management systems. DevConnect, their vibrant third-party community, lets vendors build supporting systems and applications. It would take a library of books to cover all of these systems. For the purposes of this book, we are focusing on the core Avaya Communication Manager system, Avaya's enterprise-class offering and the hub of an Avaya VoIP deployment.

We performed our tests on a Communication Managerbased system designed for a small enterprise or a small site within a larger enterprise. The results are relevant to larger systems, although we did not test certain components in a larger system, including the C-LAN and Media Processing (MedPro) cards that are present and visible to the network in larger Communication Manager systems.

Vendor Comment

Avaya security experts reviewed and provided feedback on this chapter. They provided valuable input that made this chapter more complete and useful. Avaya offered the following comment, which we have included here verbatim.

"Avaya takes security very seriously: We've bridged an industry-leading depth of knowledge acquired in securing traditional voice systems into the VoIP world. Our R&D teams proactively support voice security strategy, planning and development, plus rapid response for active threat management. We build the highest level of security possible into our solutions that is both manageable and cost-effective for the customer, believing that security should be embedded and not an option or add-on at additional expense to the customer. For example, we were the first voice vendor to embed media encryption in our solutions and the only one to date to provide it on all IP phone models. We are also working with a host of VoIP security startups on new ideas and approaches to integrate the latest VoIP security technologies into our solutions.

To directly support our customers, in 2002 Avaya launched the industry's first converged voice/data security consulting practice. We make extensive information and support available to help them understand the risks and the means to secure systems. To date, we know of no security incidents reported by customers who have followed our recommendations for securing their systems.

It is true for any IP-based application that new threats evolve continually. It is incumbent on the industry to minimize the impact to businesses and consumers by addressing standards and protocols ensuring security for users of VoIP systems ^[*] . Without standards and requirements, new suppliers and vendors rushing to the VoIP market will more often opt for flashy features to help differentiate their products rather than incorporating security features that protect the business or consumer.

At the end of the day, we believe that Collier's and Endler's research will help increase industry awareness of these issues. Avaya welcomes the opportunity to publicly discuss challenges that we believe all enterprise customers will need to face in order to secure their voice communications."

^[*] As an example, encryption key management standards for interoperable media encryption only just became standardized within the IETF after years of debateand even then the topic is far from closed, with multiple competing standards in play and wide mindset gaps between carriers , enterprises, and enterprise equipment vendors.