Avaya Solution & Interoperability Test Lab

Application Notes for Mirage Networks CounterPoint in an Avaya IP Telephony Infrastructure - Issue 1.0

Abstract

These Application Notes describe a configuration where the Mirage Networks CounterPoint network access control appliance protects the subnets where an Avaya Media Server, an Avaya Media Gateway and Avaya IP Telephones reside against rapidly propagating threats. During compliance testing, the CounterPoint detected basic ping and port scans that often precede threats on the protected subnets, and mitigated basic Denial of Service (DoS) attacks.

Information in these Application Notes has been obtained through compliance testing and additional technical discussions. Testing was conducted via the DeveloperConnection Program at the Avaya Solution and Interoperability Test Lab.

RL; Reviewed: SPOC 9/23/2005 | Solution & Interoperability Test Lab Application Notes | ©2005 Avaya Inc. All Rights Reserved. | 1 of 17 | MirageCP.doc

1. Introduction

These Application Notes describe a configuration where the Mirage Networks CounterPoint appliance is deployed in an Avaya IP telephony infrastructure. CounterPoint is a network access control appliance that is designed to protect the internal corporate network against rapidly propagating threats that originate inside the network. CounterPoint operates within the network interior and is complementary to perimeter security solutions. CounterPoint uses pre-defined and configurable rules in monitoring the network for potential threats. Once a threat is identified, CounterPoint mitigates the threat by "cloaking", where CounterPoint logically inserts itself in the path between the attacker and the target. Specifically, CounterPoint redirects the attacker's communication streams to itself by changing the ARP tables in the attacker and/or target device. CounterPoint can then selectively filter out malicious packets and forward the rest to the target. CounterPoint can also be configured to send alerts via e-mail (SMTP), SNMP and Syslog when threats are identified.

Figure 1 illustrates a sample configuration consisting of an Avaya S8710 Media Server, an Avaya G650 Media Gateway, Avaya IP Telephones, an Avaya P333T-PWR Power over Ethernet Stackable Switch, a Cisco Catalyst 3560 Series switch, an Attacker PC and a Mirage Networks CounterPoint C-245. Avaya Communication Manager runs on the S8710 Media Server, though the solution described herein is also extensible to other Avaya Media Servers and Media Gateways. The S8710 Media Server and G650 Media Gateway reside on VLAN 100 and are connected to the P333T-PWR, which in turn connects to the Catalyst 3560 via an 802.1q trunk. The IP Telephones reside on VLAN 53 and the Attacker PC resides on VLAN 51. The CounterPoint C-245 connects to two ports on the Catalyst 3560. The VLANs to be protected (VLANs 53 and 100) are also assigned to the two ports; VLAN 51 could not be protected for reasons discussed in Section 3. The protected VLANs are mirrored to one of the two Catalyst 3560 ports (the "Reader" port), allowing the CounterPoint C-245 to monitor unicast and broadcast traffic on the protected VLANs. The other port (the "Writer" port) allows the CounterPoint C-245 to transmit ARP messages onto the protected VLANs and perform cloaking.

Figure 1: Sample configuration

(The diagram itself is not reproduced here; the addressing and port assignments legible in it are:)
  • Avaya S8710 Media Server and Avaya G650 Media Gateway: VLAN 100, 192.45.100.0/24, connected to the Avaya P333T-PWR Power over Ethernet Stackable Switch
  • Avaya P333T-PWR: Port 1/24, VLAN 100, 802.1q trunk to the Cisco Catalyst 3560 Switch
  • Cisco Catalyst 3560: Port 0/23 (trunk to the P333T-PWR); VLAN Mirror Port 0/22 (VLANs 53, 100) to the CounterPoint Reader port; VLAN Trunk Port 0/21 (VLANs 53, 100) to the CounterPoint Writer port
  • Attacker PC: VLAN 51, 192.45.51.0/24
  • Avaya 4600 Series IP Telephones: VLAN 53, 192.45.53.0/24
  • Mirage Networks CounterPoint C-245: Reader port and Writer port

2. Equipment and Software Validated

The following equipment and software/firmware were used for the sample configuration provided:

  Equipment                                                        Software/Firmware
  Avaya S8710 Media Server                                         3.0
  Avaya G650 Media Gateway with TN2312BP IP Server Interface,
    TN799DP C-LAN Interface and TN2302AP IP Media Processor
  Avaya 4600 Series IP Telephones
    (4602SW, 4610SW, 4620SW, 4625SW, 4630SW)
  Avaya P333T-PWR Power over Ethernet Stackable Switch
  Cisco Catalyst 3560 Switch
  Attacker PC                                                      Red Hat ES 3
  Mirage Networks CounterPoint C-245

The remaining version strings in the source table (1.8.2, 2.2.3, 2.2.3, 2.5, 2.0.2, 4.0.17) lost their row alignment in extraction and are not assigned to rows here.

3. Configure Mirage Networks CounterPoint C-245

This section describes the steps for configuring the Mirage Networks CounterPoint C-245 to protect the subnets (VLANs 53 and 100 in the sample configuration) where the S8710 Media Server, G650 Media Gateway and IP telephones reside. The subnet (VLAN 51) where the attacker PC resides cannot be protected due to the VLAN mirror function of the Cisco Catalyst 3560. Specifically, when the Catalyst 3560 receives untagged frames from VLAN 51 endpoints (including the attacker PC), the Catalyst 3560 copies the untagged frames to the mirror port without applying the VLAN 51 tag. Without the VLAN tag, the CounterPoint C-245 cannot determine what subnet the frames belong to, and thus has no visibility into VLAN 51 and cannot protect the subnet. The CounterPoint C-245 does have visibility into VLAN 53, because the IP telephones transmit/receive tagged frames, and into VLAN 100, due to the configuration of an 802.1q trunk between the Catalyst 3560 and the Avaya P333T-PWR (see Sections 4 and 5).

Contact Mirage Networks for guidance and instruction on CounterPoint rules configuration.

1. Launch the CounterPoint Manager application and log in with the appropriate credentials. (In the screenshots, CounterPoint Manager is connected to the C-245 at 172.16.252.122 with the Admin user role.)
2. Select the Edit Config tab and expand the Network Topology tree to the Segments level. Select a QTag VLAN and click on the Edit Name icon.
3. Assign a descriptive name and click on OK. (The QTag 100 segment was named "VLAN 100" in the sample configuration.)
4. Select the Subnets tab and click on the add icon.
5. Enter the subnet information for this VLAN and check the Add Protected Range checkbox to protect the entire subnet. Click on OK. (New Subnet dialog in the sample configuration: Subnet IP Address 192.45.100.0, Mask IP Address 255.255.255.0, Add Protected Range checked.) To protect specific ranges within the subnet, uncheck the Add Protected Range checkbox and configure the ranges in the Protected Range tab (not described in these Application Notes).
6. Select the Gateway tab and click on the add icon.
7. Enter the default gateway of the subnet and click on OK. (New Gateway dialog in the sample configuration: IP Address 192.45.100.1.)
9. Select the Cloak tab. The default values may be used. (The screenshot shows Full Cloak Mode Off and Local Cloak Validation On.)
10. Select the Advanced tab. Set MAC Validation to On. Note: MAC validation is required in order to detect spoofing. (The screenshot shows the other Advanced settings at their defaults: Transit Segment Off, Ext Hardware Mitigation Off, Ext Dynamic Mirror Off.)
11. Click on the Edit Segment IP icon.
12. Assign an IP address to the CounterPoint C-245 on this VLAN and click on OK. (192.45.100.160 in the sample configuration.)
13. Expand the VLAN tree and select one of the two interfaces. These two VLAN interfaces reside on the two ports connected to the Catalyst 3560. Click on Enable. Repeat this step for the other interface. (The screenshot shows interface eth2.100 on segment VLAN 100, appliance C-245, MAC Address 00:04:23:4F:9B:BE, State Disabled before the click.)
14. Select one of the interfaces and click on the Pair button. (The screenshot shows eth2.100 with State Enabled and Read/Write State Read/Write.)
15. Select the other interface from the pull-down list and click on OK. (The "Available writers" list offered C-245 eth1.100.)
16. Click on the Configure Changes icon on the bottom left of the CounterPoint Manager main window. (After pairing, eth2.100 shows Read/Write State Read Only and Paired With C-245 eth1.100; eth2.100 is the Reader and eth1.100 the Writer.)
17. Click on Save and then Close. (The Save Changes dialog lists the modified items, Network Interface (C-245) and Segments, with Rollback, Save to file and Close options.)
18. Repeat Steps 2 to 17 as necessary to protect other VLANs. In this configuration, the steps were repeated for VLAN 53.

4. Configure Cisco Catalyst 3560

This section describes the steps on the Cisco Catalyst 3560 for configuring the VLAN mirror, the two ports connected to the Mirage Networks CounterPoint C-245 and the port connected to the Avaya P333T-PWR. The steps assume that the VLANs and routing among VLANs have already been configured on the Catalyst 3560.

The CLI excerpts below are reconstructed from the OCR-damaged figures in the source: the commands are the standard Catalyst IOS forms the figures visibly contain, the interface numbers (0/21 Writer, 0/22 Reader, 0/23 P333T-PWR) are taken from Figure 1, and the monitor session number 1 is an assumption.

1. From the Catalyst 3560 Command Line Interface (CLI), assign the protected VLANs (53 and 100 in the sample configuration) to the two ports connected to the CounterPoint C-245 and configure the ports as trunk ports with 802.1q encapsulation.

    interface FastEthernet0/21
     switchport trunk encapsulation dot1q
     switchport trunk allowed vlan 53,100
     switchport mode trunk
     no ip address
    !
    interface FastEthernet0/22
     switchport trunk encapsulation dot1q
     switchport trunk allowed vlan 53,100
     switchport mode trunk
     no ip address

2. Configure a monitor session to mirror all VLAN traffic from the protected VLANs to the port in Step 1 connected to the Reader port on the CounterPoint C-245.

    monitor session 1 source vlan 53 , 100
    monitor session 1 destination interface FastEthernet0/22 encapsulation replicate

3. Assign VLAN 100 to the port connected to the Avaya P333T-PWR and configure the port as a trunk port with 802.1q encapsulation.

    interface FastEthernet0/23
     switchport trunk encapsulation dot1q
     switchport trunk allowed vlan 100
     switchport mode trunk
     no ip address

5. Configure Avaya P333T-PWR

From the Avaya P333T-PWR CLI, assign VLAN 100 to all ports, including the port connected to the Cisco Catalyst 3560, and configure the port as an 802.1q trunk port. (The CLI commands shown for this step are not legible in the source.)

6. Interoperability Compliance Testing

The interoperability compliance testing focused on verifying that the Mirage Networks CounterPoint C-245 detected basic ping and port scans and mitigated basic Denial of Service (DoS) attacks.

6.1. General Test Approach

The general approach was to launch ping scans on the protected VLANs, and port scans and basic DoS attacks on the C-LAN and Media Processor boards on the Avaya G650 Media Gateway as well as the Avaya IP Telephones. The main objectives were to verify that:
  • The CounterPoint C-245 correctly detects basic ping, TCP SYN and UDP scans on protected subnets.
  • The CounterPoint C-245 correctly detects basic DoS attacks such as ping, TCP SYN/FIN and UDP floods against the C-LAN and Media Processor boards on the Avaya G650 Media Gateway and the Avaya IP Telephones.
  • The CounterPoint C-245 cloaks (mitigates) the basic DoS attacks where possible (see the Test Results section).
  • Avaya IP Telephones on the protected subnets successfully establish and maintain calls during the basic scan and DoS attack activity.
  • Avaya IP Telephones on the protected subnets successfully establish and maintain calls when there is no scan or DoS attack activity.

6.2. Test Results

The test objectives of Section 6.1 were verified. The CounterPoint C-245 was able to detect the basic ping and port scans and mitigate basic non-spoofed DoS attacks generated by the attacker PC. In DoS attacks where the source IP addresses were spoofed (VLAN 53 and VLAN 100 IP addresses), the CounterPoint C-245 could not cloak the source (attacker PC) because it did not know the MAC address of the source (recall from Section 3 that the CounterPoint C-245 did not have visibility into VLAN 51). The CounterPoint C-245 also did not cloak the target, because redirecting packets intended for the target and filtering based on the source IP address would also filter out legitimate packets from the spoofed source.

7. Verification Steps

The following steps may be used to verify the configuration:
  • From the attacker PC, run ping scans on the protected subnets and verify that the CounterPoint C-245 correctly reports the scans.
  • From the attacker PC, run port scans on specific targets in the protected subnets and verify that the CounterPoint C-245 correctly reports the scans.
  • From the attacker PC, send basic ping and port floods to specific targets in the protected subnets. Verify that one or more CounterPoint rules are triggered and the CounterPoint C-245 correctly reports the attack. If "Cloaked" is reported as the response(s) for the triggered rule(s), verify that the ARP tables of the source, target and/or Catalyst 3560 have been changed such that the attack communication streams are redirected to the CounterPoint C-245. If "Tracked" is reported as the response(s) for the triggered rule(s), then perform a manual cloak operation and verify the ARP tables as per above.

8. Support

For technical support on the Mirage Networks CounterPoint C-245, consult the support pages at http://miragenetworks.com/support.html or contact Mirage Networks customer support at:
  • Phone: 866-869-6767
  • E-mail: support@miragenetworks.com

9. Conclusion

These Application Notes described a configuration where the Mirage Networks CounterPoint network access control appliance protects the subnets where an Avaya Media Server, an Avaya Media Gateway and Avaya IP Telephones reside against rapidly propagating threats. During compliance testing, the CounterPoint detected basic ping and port scans that often precede threats on the protected subnets, and mitigated basic Denial of Service (DoS) attacks against the aforementioned Avaya IP telephony endpoints.

10. Additional References

Product documentation for Avaya products may be found at http://support.avaya.com.

Product information for Mirage Networks products may be found at http://miragenetworks.com/p_index.html.

©2005 Avaya Inc. All Rights Reserved.
Avaya and the Avaya Logo are trademarks of Avaya Inc. All trademarks identified by ® and ™ are registered trademarks or trademarks, respectively, of Avaya Inc. All other trademarks are the property of their respective owners. The information provided in these Application Notes is subject to change without notice. The configurations, technical data, and recommendations provided in these Application Notes are believed to be accurate and dependable, but are presented without express or implied warranty. Users are responsible for their application of any products specified in these Application Notes.

Please e-mail any questions or comments pertaining to these Application Notes along with the full title name and filename, located in the lower right corner, directly to the Avaya DeveloperConnection Program at devconnect@avaya.com.
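The visibility limitation described in Section 3 (frames from VLAN 51 reach the mirror port untagged, so the appliance cannot map them to a segment, while the tagged phone and trunk traffic of VLANs 53 and 100 can be mapped) is easy to reproduce with a small frame parser. The Python below is an added example written for these notes; it is not Mirage Networks or Avaya code. The MAC addresses, the minimal IPv4/ICMP payload and the two sample frames are constructed; the VLAN/subnet pairs come from Figure 1.

```python
import ipaddress
import struct

# Protected segments from Figure 1 (VLAN id -> subnet).  VLAN 51 (192.45.51.0/24, the
# attacker PC) is deliberately absent: its frames reach the mirror port untagged.
PROTECTED_SEGMENTS = {
    53: ipaddress.ip_network("192.45.53.0/24"),
    100: ipaddress.ip_network("192.45.100.0/24"),
}

ETHERTYPE_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800


def parse_frame(frame: bytes) -> dict:
    """Parse an Ethernet II frame with an optional 802.1Q tag followed by an IPv4 header."""
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    offset, vlan = 14, None
    if ethertype == ETHERTYPE_8021Q:
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan = tci & 0x0FFF          # low 12 bits of the TCI are the VLAN id
        offset = 18
    if ethertype != ETHERTYPE_IPV4:
        raise ValueError(f"unsupported ethertype 0x{ethertype:04x}")
    ip_hdr = frame[offset:offset + 20]
    if len(ip_hdr) < 20:
        raise ValueError("truncated IPv4 header")
    return {
        "vlan": vlan,
        "src_mac": src_mac.hex(":"),
        "dst_mac": dst_mac.hex(":"),
        "proto": ip_hdr[9],
        "src_ip": ipaddress.ip_address(ip_hdr[12:16]),
        "dst_ip": ipaddress.ip_address(ip_hdr[16:20]),
    }


def classify_segment(parsed: dict):
    """Map a mirrored frame to a protected segment by its 802.1Q tag only.

    Returns the VLAN id when the tag names a protected segment, otherwise None.  An
    untagged frame yields None even if its source IP lies in a protected subnet: without
    the tag there is no way to tell which segment the frame was seen on.
    """
    vlan = parsed["vlan"]
    return vlan if vlan in PROTECTED_SEGMENTS else None


def build_frame(src_mac, dst_mac, src_ip, dst_ip, vlan=None, proto=1) -> bytes:
    """Build a minimal Ethernet/IPv4 frame.  Constructed test input, not a capture."""
    eth = bytes.fromhex(dst_mac.replace(":", "")) + bytes.fromhex(src_mac.replace(":", ""))
    if vlan is not None:
        eth += struct.pack("!HH", ETHERTYPE_8021Q, vlan & 0x0FFF)
    eth += struct.pack("!H", ETHERTYPE_IPV4)
    payload = b"\x08\x00" + b"\x00" * 6          # ICMP echo request stub, zero checksum
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                         ipaddress.ip_address(src_ip).packed,
                         ipaddress.ip_address(dst_ip).packed)
    return eth + ip_hdr + payload


# Constructed sample frames for the Section 3 scenario (locally administered MACs):
# a phone on VLAN 53 pinging its gateway, and the VLAN 51 attacker pinging that phone.
TAGGED_PHONE_FRAME = build_frame("02:00:00:00:53:10", "02:00:00:00:64:01",
                                 "192.45.53.10", "192.45.100.1", vlan=53)
UNTAGGED_ATTACKER_FRAME = build_frame("02:00:00:00:51:20", "02:00:00:00:33:01",
                                      "192.45.51.20", "192.45.53.10")


if __name__ == "__main__":
    for name, frame in (("phone", TAGGED_PHONE_FRAME), ("attacker", UNTAGGED_ATTACKER_FRAME)):
        p = parse_frame(frame)
        print(f"{name}: {p['src_ip']} -> {p['dst_ip']} vlan={p['vlan']} "
              f"segment={classify_segment(p)}")
```

The phone frame classifies to segment 53; the attacker frame, although its source address is plainly 192.45.51.20, classifies to no segment at all, which is exactly why the notes say VLAN 51 cannot be protected through the mirror. The `encapsulation replicate` keyword on the Catalyst monitor session in Section 4 is what preserves the tags on the mirrored copies for the frames that did arrive tagged.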
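Sections 6.1 and 6.2, together with the MAC Validation setting in Section 3 (step 10), describe the two decisions an appliance in this role has to make: recognise a ping sweep, a port scan or a flood, and then work out whether the source can be cloaked. The Python below is an added illustration written for these notes, not the CounterPoint's rule engine or any vendor code. The thresholds, the table of learned hosts, the sample traffic and the MAC addresses are all constructed assumptions; the VLAN/subnet pairs are from Figure 1. It goes slightly beyond Section 6.2 by also modelling the non-spoofed off-segment source, where the target rather than the source is cloaked.

```python
import ipaddress
from collections import defaultdict
from dataclasses import dataclass

# Protected segments from Figure 1 (VLAN id -> subnet).
PROTECTED = {53: ipaddress.ip_network("192.45.53.0/24"),
             100: ipaddress.ip_network("192.45.100.0/24")}

# Hosts learned from tagged traffic on the protected segments: IP -> (VLAN, MAC).  Constructed.
KNOWN_HOSTS = {
    "192.45.53.10": (53, "02:00:00:00:53:10"),
    "192.45.53.77": (53, "02:00:00:00:53:77"),
    "192.45.100.4": (100, "02:00:00:00:64:04"),
}

# Thresholds are assumptions for this example, not the CounterPoint's rule values.
SWEEP_HOSTS = 8       # distinct ICMP echo destinations from one source within WINDOW
SCAN_PORTS = 10       # distinct TCP SYN / UDP ports from one source to one target
FLOOD_PACKETS = 200   # packets from one source to one target within WINDOW
WINDOW = 1.0          # seconds


@dataclass(frozen=True)
class Packet:
    t: float
    src_mac: str
    src_ip: str
    dst_ip: str
    proto: str        # "icmp", "tcp" or "udp"
    dst_port: int     # 0 for ICMP
    syn: bool = False


def detect(packets):
    """Return (kind, src_ip, src_mac, dst_ip) findings: ping sweep, port scan or flood."""
    findings = []
    by_src = defaultdict(list)
    for p in sorted(packets, key=lambda p: p.t):
        by_src[(p.src_ip, p.src_mac)].append(p)
    for (src_ip, src_mac), pkts in by_src.items():
        start = 0
        for end in range(len(pkts)):          # slide a WINDOW-second window over the source
            while pkts[end].t - pkts[start].t > WINDOW:
                start += 1
            win = pkts[start:end + 1]
            if len({p.dst_ip for p in win if p.proto == "icmp"}) >= SWEEP_HOSTS:
                findings.append(("ping sweep", src_ip, src_mac, None))
            per_dst = defaultdict(list)
            for p in win:
                per_dst[p.dst_ip].append(p)
            for dst, dpk in per_dst.items():
                probes = {p.dst_port for p in dpk if p.proto == "udp" or (p.proto == "tcp" and p.syn)}
                if len(probes) >= SCAN_PORTS:
                    findings.append(("port scan", src_ip, src_mac, dst))
                if len(dpk) >= FLOOD_PACKETS:
                    findings.append(("flood", src_ip, src_mac, dst))
    return list(dict.fromkeys(findings))      # de-duplicate, keep first-seen order


def response(finding):
    """Decide how a finding can be mitigated, following the Section 6.2 reasoning."""
    kind, src_ip, src_mac, dst = finding
    src_vlan = next((v for v, n in PROTECTED.items() if ipaddress.ip_address(src_ip) in n), None)
    known = KNOWN_HOSTS.get(src_ip)
    if known and known[1] == src_mac:
        return "Cloaked", f"source is a known host on VLAN {known[0]}: rewrite its ARP entries"
    if src_vlan is not None:
        # MAC validation (Section 3, step 10): the IP claims a protected segment but that MAC
        # was never learned there, so the source is spoofed; a source-IP filter in front of
        # the target would also drop the real host's packets, so only track.
        return "Tracked", f"{src_ip} claims VLAN {src_vlan} but MAC {src_mac} is unknown there"
    if dst is not None and any(ipaddress.ip_address(dst) in n for n in PROTECTED.values()):
        return "Cloaked", f"off-segment source: redirect {dst}'s inbound stream, drop {src_ip}"
    return "Tracked", "source MAC unknown and no single protected target to cloak"


def analyse(packets):
    """(kind, src_ip, dst_ip, status, reason) for every finding in the traffic."""
    return [(k, s, d) + response((k, s, m, d)) for k, s, m, d in detect(packets)]


def sample_packets():
    """Constructed traffic: a VLAN 51 attacker sweeps VLAN 53, SYN-scans a VLAN 100 host, then
    UDP-floods it with a spoofed VLAN 53 source; a phone sends a little legitimate traffic."""
    atk, pk = "02:00:00:00:51:20", []
    for i in range(12):
        pk.append(Packet(0.01 * i, atk, "192.45.51.20", f"192.45.53.{i + 1}", "icmp", 0))
    for i in range(12):
        pk.append(Packet(1.0 + 0.01 * i, atk, "192.45.51.20", "192.45.100.4", "tcp", 1000 + i, True))
    for i in range(250):
        pk.append(Packet(2.0 + 0.002 * i, atk, "192.45.53.77", "192.45.100.4", "udp", 5000))
    for i in range(3):
        pk.append(Packet(2.1 + 0.1 * i, "02:00:00:00:53:10", "192.45.53.10", "192.45.100.4", "udp", 1720))
    return pk


if __name__ == "__main__":
    for row in analyse(sample_packets()):
        print(row)
```

Run stand-alone, the sample produces three findings: the sweep is only tracked (no single target, unknown source MAC), the SYN scan against 192.45.100.4 is cloaked at the target, and the spoofed flood is tracked for the reason Section 6.2 gives. The phone's traffic produces nothing.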
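The verification in Section 7 asks the tester to confirm that the ARP tables of the source, target and/or Catalyst 3560 were rewritten so that the attack stream now terminates on the CounterPoint. The Python below is an added example written for these notes (not part of the original and not either vendor's tooling) that diffs two ARP snapshots of one device and classifies every change to a protected address. The snapshots are constructed; the only value taken from the page is the CounterPoint's VLAN 100 interface MAC 00:04:23:4F:9B:BE from the Section 3 screenshots. Accepting Linux `arp -n`, Windows `arp -a` and Cisco `show ip arp` output is an assumption about what a tester would have at hand.

```python
import ipaddress
import re

# CounterPoint interface MAC as shown in the Section 3 screenshots (eth2.100 on VLAN 100).
# Add the appliance's other VLAN interface MACs as read from its Manager screens.
COUNTERPOINT_MACS = {"00:04:23:4f:9b:be"}

# Protected subnets from Figure 1.
PROTECTED = [ipaddress.ip_network("192.45.53.0/24"), ipaddress.ip_network("192.45.100.0/24")]

IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
MAC_RE = re.compile(r"(?:[0-9a-f]{2}[:-]){5}[0-9a-f]{2}|(?:[0-9a-f]{4}\.){2}[0-9a-f]{4}", re.I)


def normalize_mac(mac: str) -> str:
    """Canonical lower-case colon form for 00-04-23-4F-9B-BE and 0004.234f.9bbe alike."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def parse_arp(text: str) -> dict:
    """Return {ip: mac} from Linux 'arp -n', Windows 'arp -a' or Cisco 'show ip arp' output.
    Header and 'Interface:' lines carry no MAC and are skipped."""
    table = {}
    for line in text.splitlines():
        ip_m, mac_m = IP_RE.search(line), MAC_RE.search(line)
        if ip_m and mac_m:
            table[ip_m.group(1)] = normalize_mac(mac_m.group(0))
    return table


def compare(baseline: dict, current: dict) -> list:
    """Classify ARP changes for protected addresses between two snapshots of one device.

    'redirected' -> the entry now resolves to the CounterPoint: the cloak is in place.
    'unexpected' -> the entry changed to some other MAC: investigate (possible ARP spoofing).
    'missing'    -> the entry disappeared from the table.
    """
    findings = []
    for ip in sorted(set(baseline) | set(current), key=ipaddress.ip_address):
        if not any(ipaddress.ip_address(ip) in n for n in PROTECTED):
            continue
        before, after = baseline.get(ip), current.get(ip)
        if after is None:
            findings.append((ip, before, after, "missing"))
        elif after in COUNTERPOINT_MACS and before != after:
            findings.append((ip, before, after, "redirected"))
        elif before is not None and before != after:
            findings.append((ip, before, after, "unexpected"))
    return findings


# Constructed snapshots.  Catalyst 3560 'show ip arp' before and after a cloak of 192.45.100.4:
CATALYST_BEFORE = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  192.45.100.1            -   0204.0000.6401  ARPA   Vlan100
Internet  192.45.100.4            3   0204.0000.6404  ARPA   Vlan100
Internet  192.45.53.10            1   0204.0000.5310  ARPA   Vlan53
"""
CATALYST_AFTER = CATALYST_BEFORE.replace("0204.0000.6404", "0004.234f.9bbe")

# A Windows host on VLAN 100 ('arp -a') whose gateway entry was rewritten, plus one entry
# that changed to a MAC that is not the appliance's:
HOST_BEFORE = """\
Interface: 192.45.100.4 --- 0x2
  Internet Address      Physical Address      Type
  192.45.100.1          02-04-00-00-64-01     dynamic
  192.45.100.9          02-04-00-00-64-09     dynamic
"""
HOST_AFTER = """\
Interface: 192.45.100.4 --- 0x2
  Internet Address      Physical Address      Type
  192.45.100.1          00-04-23-4F-9B-BE     dynamic
  192.45.100.9          02-00-00-00-de-ad     dynamic
"""


def verify_all() -> dict:
    """Diff both constructed device snapshots; returns {device: [findings]}."""
    return {"catalyst": compare(parse_arp(CATALYST_BEFORE), parse_arp(CATALYST_AFTER)),
            "host": compare(parse_arp(HOST_BEFORE), parse_arp(HOST_AFTER))}


if __name__ == "__main__":
    for device, rows in verify_all().items():
        for ip, before, after, verdict in rows:
            print(f"{device}: {ip} {before} -> {after}: {verdict}")
```

Take the baseline snapshot before the test traffic and the second one after the rule reports "Cloaked" (or after the manual cloak for a "Tracked" rule). A "redirected" row is the evidence Section 7 asks for; an "unexpected" row is the same ARP rewrite done by something other than the appliance, which is the symptom a defender should chase rather than accept.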