Security, Certificates, And System Manager - 808 - CConUC

Security, Certificates, and System Manager - 808
Chris Clauss, ConvergeOne
Get this presentation: http://bit.ly/iaugpres

Thanks for coming! Please ask questions! Let's make this time together worthwhile!

What is or will be driving security in your organization?
- Devices: remote workers, Internet-connected devices, BYOD, hosted solutions
- Security teams: Are they asking for audits? Are they taking notice of UC? Is management worried (news)?
- What needs to be secured? Voice conversations, and the systems themselves. EVERYTHING needs to be secured.

What we need to protect
Security teams use the acronym "CIA" to identify three key areas:
- Confidentiality: privacy of data. Ensure that data is kept private in transport and at rest (for example a VoIP call on the wire or a voice message on the hard drive). Ensure only those who must have access have access.
- Integrity: data must not be changed in transit, and steps must be taken to ensure that data cannot be altered by unauthorized actors.
- Availability: maintaining and protecting systems to keep them up and running to process data. Protect against actors that wish to harm or deny service.

Who do you need to protect against?
Depending on the industry you are in, or the specific company you work for:
- Nation states
- Corporate competitors
- Hackers / hacktivists
- Organized crime: hacking for information, toll fraud, or planted employees in call center staff
- Opportunists
- Company insiders
Ask yourself: what can someone with bad intentions do with my UC system?

We use encryption to protect data.
Lock data, unlock with a key:
- The sender encrypts the data with a key.
- The receiver uses the key to unlock the data.
- This is symmetric encryption: both sides use the same key.
- The problem is key distribution. How can we share the keys in a secure fashion?

We use encryption to protect data.
Public key encryption:
- Instead of sending a key, we send a lock. Only the recipient has the key to unlock the data.
- Based on mathematical formulas that create a key pair: one private and one public.
- Data encrypted with one key can be decrypted with the other.
- The sender uses the public key to encrypt data; the receiver uses the private key to decrypt.
[Diagram: Sender, Public Key, Private Key, Recipient]

Encryption provides confidentiality, but does not provide authentication.
- To provide authentication, the sender can "sign" the data with their own private key. This is the sender's IDENTITY certificate.
- The receiver can decrypt the signature using the sender's public key.
- The problem remains: how can we be sure the sender is who they say they are?

In an Avaya infrastructure, System Manager can be the "CA"
- System Manager can serve as the certificate authority for Avaya servers.
- System Manager provides signed certificates for Session Manager, CM, SBC, etc.
- Customers can use a public CA. In this case System Manager becomes a subordinate CA.
[Diagram: System Manager CA issuing certificates]

Why do we need certificates?
- We use TLS to provide encrypted links between servers.
- TLS encrypted links provide confidentiality, protecting the communications from eavesdroppers.
- Certificates provide AUTHENTICATION. They provide the mechanism to ensure that the two parties communicating with one another are actually who they claim to be.

Example
A web site that is claiming to be your secure site will provide a certificate that matches the server name / domain name you are connecting to.
https://www.avaya.com
same as
https://135.11.53.87

Authentication is really important, but...
- Authentication is really important for any sites that require logins, provide secure information, etc.
- Authentication may not be that important for UC systems, where server to server communications are usually "hard wired" on fixed IPs or configured to only communicate with internal servers.
- Good or bad, for TLS encryption to work, certificates are required.

A certificate includes the following
- The identity (subject) of the certificate, usually the server name.
- Certificates are (almost always) signed by a third party. Each system that is negotiating the security will not trust the certificate unless it also trusts the signer.
- The certificate also has a validity period. Best practice at this time is not more than 730 days (2 years).
- The certificate will have a complexity, determined by a bit length. Best practice is 2048 bits at a minimum; 4096 bits is more common.

Looking at a certificate

A certificate contains two important parts
- The identity portion, usually the name of the server. Identity can be defined in two places: the subject and the SAN.
  - Subject field (DN): usually the FQDN of the server, e.g. server.company.com
  - Subject Alternative Name (SAN): the best practice location for the server identity. The SAN may contain several entries including FQDN, short host name and IP.
- The signature portion: information on what certificate authority signed the certificate. The signature references the certificate authority. The signer is WHAT IS TRUSTED.

Example of trust
Simple example: a passport.
- A passport is a certificate. It proves that you are who you say you are.
- When you enter a country, you must provide the passport.
- The customs official does not trust you, but they trust your passport.
- Why do they trust your passport? The passport is issued by a respected authority, and the passport contains custom security features to prevent fraud.

Here is a "real world" certificate
The certificate has:
- An identity
- An issuer
- A validity period
- Complexity

So who signs certificates?
- Self signed: example, a personal check signed by you.
- Certificates signed by a certificate authority:
  - Private certificate authorities (example: a company ID card signed by HR): System Manager, Windows Server Certificate Authority, OpenSSL on Linux.
  - Public / 3rd party certificate authorities (example: a passport issued by a government): GoDaddy, Verisign, Digicert.

Self signed certificates
- A certificate that is generated by the server for itself.
- The identity of the certificate and the signer are the same.
- Some organizations consider any self signed certificate a security risk.

Private / Public Certificates
- The certificate is generated by a different server.
- For private certificate authorities (may be System Manager or a Windows Server): systems must import the private certificate authority "root" certificate before they will trust the identity certificate.
- For public certificate authorities (external companies like Verisign or GoDaddy): most operating systems trust many of these by default. Public certificate authorities charge for generating certificates.

Certificates can have a hierarchy.
- Certificates can be signed by an "intermediate" certificate authority.
- If I trust the intermediate CA, and I trust the higher level CA, then I trust the certificate.
- An intermediate CA is used to enhance security and for ease of management of certificate requests.
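As an added example (not from the presentation), the script below builds that hierarchy with the "OpenSSL on Linux" private CA option from the earlier slide: a self-signed root, an intermediate signed by it, and a server identity certificate with FQDN, short name and IP in the SAN. It then verifies the server certificate against the root alone and against root plus intermediate, which is the check a TLS peer performs. All names, file paths and the openssl config are constructed for the example.

```shell
# Added example (not from the presentation): openssl as the private CA, building
# root -> intermediate -> server identity cert and showing that a peer trusting only
# the root still needs the intermediate presented. Names (example.internal, cm01, 10.0.0.5) are constructed.
set -eu
WORK="${WORK:-$(mktemp -d)}"
# Private config so the run does not depend on the system openssl.cnf. The server
# identity goes in the SAN, as the slides recommend: FQDN, short name, IP.
cat >"$WORK/ca.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[server_ext]
basicConstraints = CA:FALSE
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS:cm01.example.internal, DNS:cm01, IP:10.0.0.5
EOF
# CSR for file stem $1 with subject $2, signed by CA stem $3 using extension
# section $4, valid for $5 days.
issue() {
  openssl req -new -config "$WORK/ca.cnf" -newkey rsa:2048 -nodes -subj "$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$3.crt" -CAkey "$WORK/$3.key" \
    -CAcreateserial -days "$5" -extfile "$WORK/ca.cnf" -extensions "$4" \
    -out "$WORK/$1.crt" 2>/dev/null
}
# Self-signed root (identity and signer are the same), then the two signed levels.
make_chain() {
  openssl req -x509 -config "$WORK/ca.cnf" -extensions ca_ext -newkey rsa:2048 -nodes \
    -days 3650 -subj "/CN=Example Root CA" -keyout "$WORK/root.key" -out "$WORK/root.crt" 2>/dev/null
  issue int "/CN=Example Issuing CA" root ca_ext 1825
  issue cm01 "/CN=cm01.example.internal" int server_ext 730
}
# Verify like a TLS peer: $1 is the trust store (root), $2 the optional intermediate from the handshake.
verify_server() {
  if [ -n "${2:-}" ]; then
    openssl verify -CAfile "$1" -untrusted "$2" "$WORK/cm01.crt" >/dev/null 2>&1
  else
    openssl verify -CAfile "$1" "$WORK/cm01.crt" >/dev/null 2>&1
  fi
}
make_chain
verify_server "$WORK/root.crt" && echo "root only: OK" || echo "root only: FAIL (intermediate missing)"
verify_server "$WORK/root.crt" "$WORK/int.crt" && echo "root + intermediate: OK"
```

The first verify fails because the issuer of cm01.crt is the intermediate, which is in neither the trust store nor the presented chain; the second succeeds, which is why the whole chain (not just the root) has to reach every Aura element.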

Example certificate with an intermediate CA

Why does my computer trust "united.com"?

System Manager self signed CA

System Manager self signed CA
Pros:
- Works out of the box
- Automatically issues, deploys and redeploys certificates for managed elements (SMGR / SM)
- Aura environment stands alone
- Simplest management for Aura certificates
Cons:
- PKI is independent of other PKI
- No enterprise branding
- Must distribute PKI to endpoints

Enterprise Private CA / public CA

Enterprise Private CA / public CA
Pros:
- Provides enterprise asserted trust
- Certificates may already be distributed to client devices.
- Relatively straightforward deployment. Not required for all devices (identity certs can be generated only for those required).
Cons:
- Must manually establish the PKI trust chain to Aura managed devices.
- Must create certificate signing requests and import identity certificates.
- No automatic issue or re-issue of certificates.

SMGR as subordinate CA

SMGR as subordinate CA
Pros:
- Provides enterprise certs.
- Certificates may already be distributed to client devices.
- Automatically issues, deploys and redeploys certificates for managed elements (SMGR / SM)
Cons:
- Enterprise must allow a sub-CA
- Trust chain must be distributed to all Aura elements
- Difficult to implement.

SMGR for Aura / Customer CA

SMGR for Aura / Customer CA
Pros:
- Provides enterprise certs where needed.
- Allows SMGR to provide certs for Aura.
- Certificates may already be distributed to client devices.
- Automatically issues, deploys and redeploys certificates for managed elements (SMGR / SM)
- Aura managed certs for most "internal" servers.
Cons:
- Two PKI authorities

Configuring Avaya CM / Session Manager for secure communications
To configure the solution, we need to do the following:
- Validate capabilities
- Issue certificates
- Configure secure signaling
- Configure secure media
We will focus on using SMGR for certs; ping me afterwards about configuring CM / ASM to secure the talk path.

Verify system capacity for TLS (R7.1)
Minimum TLS version support was added in Aura R7.1. This is important because compliance generally requires a minimum TLS version of 1.2.

Generate server certificate using SMGR
- Before enabling TLS for H.323 on any stations, install TLS certificates. H.323 endpoints will download the cert from the Utility server at boot.
- Log in to the System Manager web page and go to Services / Security / Authority.
- Note: your company may not allow SMGR to be the certificate authority.
- Download the SMGR root certificate to distribute to servers and endpoints.

Register CM in the SMGR Registration Authority
- Register the CM in the SMGR Registration Authority
- Use the CM FQDN

Register CM in the SMGR Registration Authority
- Username
- Password: you will need it later
- CN: usually the DNS name
- The next few fields are optional
- SAN is very important: add the DNS name, the short DNS name and optionally the IP address.
- CA is usually tmdefaultca for SMGR
- Use a P12 file to generate the cert with its private key. No CSR required.
- SMGR can also sign a CSR. Select User Generated.

Create the CM certificate
Create the signed server identity certificate that will be imported into the CM using the EJBCA Administration screen.

Upload the certificates to the CM
Download the new CM certificate and then upload both files to the CM.

Install SMGR trusted certificate
Install the SMGR certificate that was uploaded into the trusted certificate store.

Install CM server certificate
Install the CM server certificate that was signed by the SMGR.

What if I am not using SMGR?
You will create a certificate request from your application.

What if I am not using SMGR?
Information on the "CSR" will be displayed.

What if I am not using SMGR?
Scroll down and copy the request to a text file or paste it into the browser on your CA web site.

We can view the contents of the l
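Added example, not from the presentation: the same CSR workflow done by hand with OpenSSL, together with the checks from the certificate-contents slides (identity in the SAN, key of at least 2048 bits) applied to the request before it is pasted into the CA web site. The host names, IP addresses and organization name are made up.

```shell
# Added example, not from the slides: the "not using SMGR" path done with OpenSSL
# (the "OpenSSL on Linux" private-CA option). Generate a key and CSR for a server,
# then check the CSR the way the CA operator, or you before pasting it into the CA
# web form, should: SAN with FQDN, short name and IP, and a key of 2048 bits or
# more. Names (asm01.example.internal, 10.0.0.6, Example Corp) are constructed.
set -eu
WORK="${WORK:-$(mktemp -d)}"
# Build a CSR for FQDN $1, short name $2 and IP $3 with an RSA key of $4 bits.
# The subject (DN) carries the FQDN; the SAN carries all three identities.
make_csr() {
  cat >"$WORK/$1.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
req_extensions = san
[dn]
CN = $1
O = Example Corp
[san]
subjectAltName = DNS:$1, DNS:$2, IP:$3
EOF
  openssl req -new -config "$WORK/$1.cnf" -newkey "rsa:$4" -nodes \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
}
# Key size in bits, read from the decoded request ("openssl req -text" is how
# you view the contents of the CSR you are about to submit).
csr_key_bits() {
  openssl req -in "$1" -noout -text | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}
# SAN entries on one line, e.g. "DNS:asm01.example.internal, DNS:asm01, IP Address:10.0.0.6"
csr_san() {
  openssl req -in "$1" -noout -text | grep -A1 'Subject Alternative Name' | tail -n1 | sed 's/^ *//'
}
# Return 0 if the CSR meets the minimums from the slides; otherwise say what is wrong.
check_csr() {
  ok=0
  bits=$(csr_key_bits "$1")
  [ "${bits:-0}" -ge 2048 ] || { echo "key too short: ${bits:-none} bits"; ok=1; }
  san=$(csr_san "$1")
  case "$san" in *DNS:*) ;; *) echo "no DNS entry in SAN"; ok=1 ;; esac
  return $ok
}
make_csr asm01.example.internal asm01 10.0.0.6 2048
check_csr "$WORK/asm01.example.internal.csr" && echo "CSR ready to submit to the CA"
make_csr weak.example.internal weak 10.0.0.7 1024
check_csr "$WORK/weak.example.internal.csr" || echo "CSR rejected"
```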

And do this for every system in the Avaya Aura solution. You will need to generate server identity certificates for:
- CM servers / ESS / LSP
- CM gateways
- CM media servers
- Session Manager servers
- AES servers
- Messaging systems
- Any system that will process call signaling or RTP media.

Examples of TLS links used by CM

Recommendations
- Get ahead of these issues.
- Understand your company's security policy.
- Make sure certificates have proper SANs and expirations: 2 years or less for end-user-facing certificates.
- Have a dialog with security teams.
- Don't let certificates expire! Your systems stop working.
- Understand your corporate policy for security, encryption, and certificates.

What's the best way for you to get help with scans? Find the best partner, here at the show!
Please fill out your session survey! Session 808
Please tweet about the presentation if you liked it: @clauss
Come ask us questions: www.convergeone.com
Thanks for attending!
Chris Clauss, cclauss@convergeone.com
Get this presentation: http://bit.ly/iaugpres
