Avaya SBCE Vulnerability Best Practices
Three characteristics that help combat malicious attacks
The growth of remote working has increased the exposure of the Avaya SBCE as an entry point into the customer’s network.
In this post “Avaya SBCE Vulnerability Best Practices” I walk you through some of the things to watch for and what to do to harden the SBCE system so that it better withstands malicious attacks.
As remote work becomes more common and we deploy more devices in the cloud, we are more exposed to all kinds of malicious activity: Denial of Service (DoS and DDoS), toll fraud and man-in-the-middle attacks, not to mention the Log4j and Spring4Shell vulnerabilities.
The SBCE comes with a threat protection policy, access control, toll fraud prevention, DoS and DDoS protection, man-in-the-middle (MitM) protection, deep packet inspection at the application layer (Layer 7) and attack signatures.
Here are three Avaya SBCE characteristics to combat these vulnerabilities:
- SBCE Data Flow
- Understanding the SBCE Security Layer
- SBCE Hardening
SBCE Data Flow
The Avaya Session Border Controller for Enterprise (SBCE) provides registration and signaling services to both endpoints and SIP trunks. Each of these flows requires a clear understanding of which elements must be configured and which become part of the SBCE configuration.
Signaling – When implementing SIP trunks it is strongly recommended to have the SIP service provider install their own SIP routers at the customer’s premises, which adds another layer of security. Connecting the trunks directly over the open Internet adds exposure to your SIP trunk design.
Registration – The Remote Worker feature allows remote users to connect to their office and obtain telecommunication services through the SBCE.
Understanding the SBCE Security Layer
The security layer consists of three components: SIP Security, Linux iptables and the PCF Module.
The SBCE’s Linux-based OS comes with both iptables (a firewall) and the PCF Module, a second built-in firewall that sits alongside it, plus the SIP Security module, which operates at the application layer (Layer 7).
Let’s start by reviewing the PCF Module and iptables:
The PCF Module blocks traffic while allowing only the Avaya pre-configured ports, which optimizes how the system processes packets. It also comes with a preset of firewall chains, each containing a group of security rules. Some of these chains are listed in the image below.
The PCF Module’s extended firewall configuration resides under the “/usr/local/ipcs/icu/scripts” directory, in the shell script named “310_fwrules_add.sh”. You can also see it as part of the software package inventory under “ipcs-version”.
I assume that the firewall rule script was named “310_fwrules*” to reflect the SBCE model or type, as listed here:
iptables blocks traffic at OSI Layers 3 and 4. On the SBCE it is mostly used to rate-limit UDP traffic, to whitelist or blacklist IP addresses, and to detect and block known attack vectors.
Avaya does not support editing these firewall rules yourself.
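To make the Layer 3/4 mechanisms concrete, here is an added illustration (my own, not from the post and not Avaya’s 310_fwrules_add.sh) of what a per-source UDP/5060 rate limit plus whitelist and blacklist chains look like as iptables rules on a generic Linux host. It is for a lab box only, since Avaya does not support editing the SBCE’s own rules; the interface name eth0, the trusted peer 203.0.113.10 and the blocked range 198.51.100.0/24 are placeholder assumptions.

```shell
#!/bin/sh
# Added illustration, not Avaya's 310_fwrules_add.sh and not for loading on an
# SBCE (Avaya does not support editing its firewall rules): the kind of Layer 3/4
# rules the iptables layer implements, emitted in iptables-restore format for a
# generic Linux lab host. Assumed placeholders: eth0 as the public interface,
# 203.0.113.10 as the provider's SIP router, 198.51.100.0/24 as a blocked range.

# Emits an iptables-restore rule set. Arguments: IFACE, space-separated whitelist
# CIDRs, space-separated blacklist CIDRs. SIP over UDP/5060 is checked against the
# blacklist, then the whitelist (trusted peers bypass the limit), then a
# per-source rate limit.
sbc_lab_rules() {
    iface=$1; allow=$2; deny=$3
    echo '*filter'
    echo ':INPUT DROP [0:0]'
    echo ':FORWARD DROP [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'
    echo ':SIP_BLACKLIST - [0:0]'
    echo ':SIP_WHITELIST - [0:0]'
    echo ':SIP_RATELIMIT - [0:0]'
    echo '-A INPUT -i lo -j ACCEPT'
    echo '-A INPUT -m conntrack --ctstate INVALID -j DROP'
    # The SIP jumps come BEFORE the ESTABLISHED accept on purpose: conntrack
    # treats a UDP flow as established after its first packet, so a flood from an
    # already-seen source would otherwise bypass the rate limit entirely.
    echo "-A INPUT -i $iface -p udp --dport 5060 -j SIP_BLACKLIST"
    echo "-A INPUT -i $iface -p udp --dport 5060 -j SIP_WHITELIST"
    echo "-A INPUT -i $iface -p udp --dport 5060 -j SIP_RATELIMIT"
    echo '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    for cidr in $deny; do
        echo "-A SIP_BLACKLIST -s $cidr -j DROP"
    done
    for cidr in $allow; do
        echo "-A SIP_WHITELIST -s $cidr -j ACCEPT"
    done
    # Per source IP: anything above 20 SIP packets/s (burst 40) is dropped, which
    # blunts a REGISTER/INVITE flood without blocking normal call setup.
    echo '-A SIP_RATELIMIT -m hashlimit --hashlimit-name sip --hashlimit-mode srcip --hashlimit-above 20/sec --hashlimit-burst 40 -j DROP'
    echo '-A SIP_RATELIMIT -j ACCEPT'
    echo 'COMMIT'
}

# Stand-alone run: print the rule set for the given (or placeholder) values.
sbc_lab_rules "${1:-eth0}" "${2:-203.0.113.10}" "${3:-198.51.100.0/24}"
```

On a lab host you would save the output to a file and validate it with `iptables-restore --test sip.rules` before loading it; the point of the block is the ordering (blacklist, whitelist, then hashlimit, all ahead of the ESTABLISHED accept), which is the shape of the UDP rate limiting and whitelisting the paragraph above describes.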
Last but not least, the SIP Security layer lets you view and control DoS policies, scrubber rules and encryption, and it secures remote access. These rules are found and applied under “Services/SIP Servers / Advanced Configuration”.
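To show what a Layer 7 DoS policy is actually checking, here is an added example (my own, not the SBCE’s implementation and not its log format) that applies two checks to a constructed set of SIP request records: a per-source request count over a sliding time window, and a match on known scanner User-Agent strings such as SIPVicious’s “friendly-scanner”. The record layout, the sample addresses and the threshold values are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not part of the post and not SBCE code: a stand-in for the
# per-source request-rate check a SIP DoS policy applies, run here over
# constructed SIP request records of the form
#   <epoch_seconds> <src_ip> <method> <user_agent...>
# (a made-up layout, not the SBCE's log format). Records must be in time order.

# Constructed sample: one legitimate trunk INVITE, a SIPVicious-style probe,
# a normal remote worker registering twice a minute apart, and one source
# flooding twelve REGISTERs in twelve seconds.
sample_sip_log() {
    cat <<'EOF'
1700000000 203.0.113.10 INVITE provider-sbc/1.0
1700000001 198.51.100.7 REGISTER friendly-scanner
1700000002 198.51.100.7 REGISTER friendly-scanner
1700000005 192.0.2.44 REGISTER softphone/3.2
1700000010 192.0.2.99 REGISTER softphone/1.0
1700000011 192.0.2.99 REGISTER softphone/1.0
1700000012 192.0.2.99 REGISTER softphone/1.0
1700000013 192.0.2.99 REGISTER softphone/1.0
1700000014 192.0.2.99 REGISTER softphone/1.0
1700000015 192.0.2.99 REGISTER softphone/1.0
1700000016 192.0.2.99 REGISTER softphone/1.0
1700000017 192.0.2.99 REGISTER softphone/1.0
1700000018 192.0.2.99 REGISTER softphone/1.0
1700000019 192.0.2.99 REGISTER softphone/1.0
1700000020 192.0.2.99 REGISTER softphone/1.0
1700000021 192.0.2.99 REGISTER softphone/1.0
1700000065 192.0.2.44 REGISTER softphone/3.2
EOF
}

# Reads records on stdin and prints "<src_ip> <count> <reason>" for each source
# that sends more than MAX requests within any WINDOW-second span, or that
# presents a known scanner User-Agent. Well-behaved sources print nothing.
sip_dos_report() {
    max=$1; win=$2
    awk -v max="$max" -v win="$win" '
    {
        ip = $2
        ts[ip, ++n[ip]] = $1
        ua = $4
        for (f = 5; f <= NF; f++) ua = ua " " $f
        if (tolower(ua) ~ /friendly-scanner|sipvicious|sipcli/) scanner[ip] = 1
    }
    END {
        for (ip in n) {
            worst = 0; j = 1
            for (i = 1; i <= n[ip]; i++) {
                # advance the window start until it is within win seconds of ts[i]
                while (ts[ip, i] - ts[ip, j] >= win) j++
                if (i - j + 1 > worst) worst = i - j + 1
            }
            if (worst > max) printf "%s %d rate>%d/%ds\n", ip, worst, max, win
            else if (ip in scanner) printf "%s %d scanner-ua\n", ip, n[ip]
        }
    }' | sort
}

# Stand-alone run: flag sources exceeding 5 requests in any 10-second window.
sample_sip_log | sip_dos_report 5 10
```

With the sample above, the flooding source is reported with its worst 10-second count and the probe is reported by User-Agent, while the trunk peer and the normal remote worker produce no output; the real DoS policy on the SBCE works per endpoint and per policy group, but the counting logic is the same idea.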
SBCE Hardening
Now that you are familiar with the different SBCE security layers, let’s talk about things you can do to harden the system, starting with:
- Apply strong password and user account policies that meet your enterprise security guidelines. These can be applied through the user’s Communication Profile in System Manager. I suggest using LDAP so that users authenticate with their domain accounts; if LDAP is not implemented, have them change their passwords every 90 days.
- Keep the SBCE certificates up to date.
- For SBCEs that use SIP trunk registration passwords, arrange with your service provider to rotate these passwords periodically. And if possible, stay away from service providers that do not offer to bring their own equipment on-premises.
- Set the SBCE sysadmin account password to expire at least every 90 days.
- Restrict SBCE management access over the M1 interface to a defined group of IP addresses or a management VLAN.
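For the certificate item in the list above, here is an added check (example code of my own, not from the post or from Avaya) that reports any PEM certificate expiring within a given number of days, using openssl. It assumes you have exported the SBCE’s certificates as PEM files; the file names and the sbce.example.com subject are placeholders, and a short-lived self-signed certificate is generated locally only so that the script runs offline.

```shell
#!/bin/sh
# Added example, not from the post: an expiry check for the certificates the SBCE
# presents. The PEM files are assumed to have been exported from the SBCE; no
# SBCE file paths are assumed. The self-signed certificate built by make_lab_cert
# exists only so the check can run offline (constructed fixture, not real data).

# Returns 0 (true) when the certificate in $2 expires within $1 days, 1 when it
# stays valid beyond that window, and 2 when the file is not a readable certificate.
cert_expires_within_days() {
    days=$1; pem=$2
    openssl x509 -noout -in "$pem" >/dev/null 2>&1 || { echo "unreadable: $pem" >&2; return 2; }
    if openssl x509 -noout -in "$pem" -checkend $(( days * 86400 )) >/dev/null 2>&1; then
        return 1   # -checkend exits 0 only if the cert is still valid after the window
    else
        return 0   # expires (or has already expired) within the window
    fi
}

# Prints one line per PEM file: RENEW if it expires within $1 days, otherwise OK.
cert_expiry_report() {
    warn_days=$1; shift
    for pem in "$@"; do
        subject=$(openssl x509 -noout -subject -in "$pem")
        notafter=$(openssl x509 -noout -enddate -in "$pem" | sed 's/^notAfter=//')
        if cert_expires_within_days "$warn_days" "$pem"; then
            echo "RENEW $pem: $subject expires $notafter"
        else
            echo "OK $pem: $subject expires $notafter"
        fi
    done
}

# Constructed fixture: a 30-day self-signed certificate for an assumed SBCE FQDN.
make_lab_cert() {
    out=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=sbce.example.com" -keyout "$out.key" -out "$out" >/dev/null 2>&1
}

# Stand-alone run: report on the PEM files given, or on the lab certificate if none.
if [ $# -gt 0 ]; then
    cert_expiry_report 30 "$@"
else
    lab=$(mktemp -d)
    make_lab_cert "$lab/sbce.pem" && cert_expiry_report 45 "$lab/sbce.pem"
    rm -rf "$lab"
fi
```

Run it from cron against the exported PEM files with a warning window longer than your renewal lead time (45 days above); a RENEW line is the cue to reissue the certificate before the SBCE starts failing TLS handshakes with trunks and remote workers.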
To review the identified CVEs head over to the Log4J and Spring4Shell links below.