
Meridian/CS1000 Security

Module #16

Nortel CS1000 Release 6.0 Partner SE Workshop


Channel Partner SE Workshop Series

BUSINESS MADE SIMPLE

1 Nortel Proprietary Nortel CS1000 R6.0 Channel Partner SE Workshop


Module Overview

• Security Process Overview
• Meridian/CS1000 Security
  • Switch Room Security
  • Network Security
  • System Access Security
  • Password Security
  • Database Security
• CS1000 Security
  • Media Security
  • Signaling Security
    • DTLS
    • SIP TLS
  • Intra-System Signaling Security (ISSS)
  • Secure File Transfer Protocol (SFTP)
  • Secure Shell (SSH)
  • Port Access Restrictions
  • 802.1X
  • Linux Hardening
  • OAM Security Logs
  • Engineering



Security is a PROCESS, not a Project

[Figure: a continuous cycle of Configure, Verify and Enforce]

Effective security is the result of a process that requires continuous verification, updated configuration and enforcement.
What Level of Security Is Right?
Business case: It’s about risk mitigation and protection

[Chart: cost (low to high) against level of security (low to high); the cost of threat falls and the cost of protection rises as the level of security increases, with the appropriate security spend marked between the two curves]

Annual loss expectancy formula:

Revenue x outage x probability = annual loss expectancy



Nortel’s Security Mission
Secure communications, information and applications anywhere, anytime

• How do we do this? Layered Defense
  • Based on a Layered Defense approach
  • Open solutions that rely on strategic partnerships and adherence to standards
  • Minimizing TCO by focusing on simplicity, efficiency, and proactive response
  • Understanding that strong security involves not only technology, but also people and processes: the Unified Security Framework

Privacy ... Reliability ... Protection against theft


Basic Security Defenses
Protecting your Information & Communications

1. DON’T TALK TO STRANGERS
   Authentication: 802.1X, EAP, RADIUS
2. HARDEN O/S, APPLICATIONS, USERS
   Embedded / “Hardened” Systems, Unified Security Framework
3. ENFORCE THE RULES
   Central Policy Server, TunnelGuard, Antivirus, Personal Firewall
4. ROLE-BASED ACCESS
   VLAN Assignment, Class-of-Service/Class-of-Restriction, Access
5. ENCRYPT TRAFFIC ACROSS UNTRUSTED TERRAIN
   IPsec, SSL, TLS, SRTP; Virtual Private Network encrypted tunnels
6. CONTROL “BAD” TRAFFIC
   DoS Prevention, Filtering, Inspection, Policy
7. DON’T KILL APPLICATION PERFORMANCE
   Security shouldn’t kill productivity! Switched Firewall Technology
Meridian/CS1000
Addressing Key Security Issues

Secure System Access and Secure Multimedia Communication

[Figure: question marks placed around the system, marking the points where access and communication must be secured]

Solution components
• Endpoint security
• Component security
• Management security
• Secure communications


Meridian/CS1000
Overview

• Meridian and CS1000 systems differ in security offerings
• Meridian
  • Self-contained system with TDM devices
  • Key areas of protection
    • Physical access
    • Management access
    • Database
• CS1000
  • Distributed system
  • Key areas of protection
    • Physical access
    • Management access
    • Database
    • Component (DoS attacks and inter-component signaling)
    • IP communications


Meridian Security
Areas for Consideration

• Physical Access
• Passwords
• Modem Access
• Command Line

[Figure: Meridian access paths]
• Real-time interface: programming via command-line overlays; system access via serial port, modem or Ethernet to the Meridian Option 11C chassis or cabinet
• Third-party system access via serial or Ethernet over the LAN/WAN; solutions and functions vary by third party
• Off-line interface: Telephony Manager, with system access via serial or Ethernet (ELAN) to the Meridian Option 51C/61C/81C; programming via graphical user interface, access to all system programming, scheduling of changes, billing, graphical reports


Meridian/CS1000 Security
Switch Room Security

• Switch room access should be secured.
• Unauthorized users can take actions such as:
  • Turning off printers and CDR processors
  • Removing cards from the system, which renders the system inoperable
• Follow these security procedures to minimize this risk:
  • Limit access to the switch room to authorized personnel only
  • Require distributor and telephone company personnel to sign in and out and provide identification, if necessary
  • Control, document, and audit major changes to system configuration
  • Require personnel to sign out parts and equipment
  • Store printouts of system configurations and databases in a secure, locked area
  • Do not post passwords or Trunk Access Codes in the switch room
  • Keep the switch room and telephone equipment closets locked


Meridian/CS1000 Security
Physical Security beyond the Switch Room

• Unsecured facilities can be accessed; a test telset may be used to place unauthorized calls.
• Important to secure:
  • Telephone company access point
  • Main Distribution Frame (MDF)
  • Individual Distribution Frame locations
• Avoid locating Intermediate Distribution Frames (IDF) in janitorial, electrical, and supply closets. Limit access when collocation is unavoidable.
• Document existing outside and inside cable plans and update these records as service changes are made.
• Maintain and document all moves and changes.
• Ensure that the telephone company and telephone system records are accurate.
• Eliminate all out-of-service cross-connects and switch connections.
• Encase and lock building entry terminals and secure manholes.
• Avoid posting cable documentation in the IDF.
• Keep cable plant documentation in at least two separate secure locations.
• Verify terminal connections against cable plant and system records, and resolve all differences.


Meridian/CS1000 Security
System Access Security

• Modem and Terminal Access
  • Remote system access for administration can be provided through a modem
  • Used for changes and troubleshooting to system hardware and software
  • This feature must be configured to discourage unauthorized users from using it to access the system remotely, preventing:
    • Unauthorized alteration of the system configuration
    • Theft of services
    • Degradation of system performance


Meridian/CS1000 Security
System Access Security

• Methods for securing remote access include:
  • Port counters on the TTY and PRT ports to limit unauthorized access
    • If a user enters invalid characters, the port is disabled
    • The port is automatically re-enabled after 4 minutes
    • This happens a maximum of three times in 30 minutes
    • If the port is disabled four times in 30 minutes, you must re-enable it manually
  • Secure modems
    • Add another level of security to system access
    • A password is entered first at the modem level, then at the system level
  • Dial-back modems
    • Limit remote access users, as the modem calls back to the user
  • VPN access
    • VPN access uses the system ELAN to access the system
    • Provides secure access to those authenticated on the customer network
    • Provides two layers of security: network logon and system logon


Meridian/CS1000 Security
System Access Security (VPN Example)

[Figure: VPN access example showing the TM and CC elements reached over the VPN]


Meridian/CS1000 Security
Password Security

• Users can use administration overlays to configure the customer database and conduct day-to-day routine system administration functions.
• User accounts on the system fall into one of two categories:
  • System default user accounts
  • Customized user accounts
• User accounts and privileges are managed using overlays or Element Manager (CS1000 only)


Meridian/CS1000 Security
Password Security

Unified Communications Management (UCM) provides central password authentication for CS1000. This is discussed later in this module.
Meridian/CS1000 Security
Password Security – Global Password Control

• Password storage: passwords are stored as SHA-256 one-way hashes
• Failed Log In Threshold: the number of times a user can fail to log on before the port is locked
• Port Lockout Time: controls the length of time the port stays locked after the Failed Log In Threshold value is reached
• Password Complexity: a check that tests user passwords to verify that they are difficult to guess


Meridian/CS1000 Security
Password Security – Global Password Control (CTD)

• Audit trail: a record of password usage that prevents the reuse of a password.
• Last Log In Identification: keeps track of the last user who logged on.
• Inactivity timeout: ends a logon session after a period of inactivity.
• Force Password Change (FPC): prevents users from continuing to use the system default passwords.
• Warning message: a default password security warning message appears when users log on to a system where any of the system user names (PWD1, PWD2, PDT1, PDT2 and LAPW) still has a default password.
• A warning message is also shown if a system password is changed from a non-default value back to a default value, and a log message records each warning.
• A user who logs in using a default password is forced to change it.
• FPC does not apply to the IP Phone Installer passwords, because those passwords are assigned by a system administrator and the system does not provide default values for them.
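The controls on the two slides above (SHA-256 storage, complexity check, reuse audit trail, default-password warning and Force Password Change) fit together as one small policy module. The Python below is an added example, not CS1000 code: the algorithm name and the default account names come from the slides, while the specific complexity rules, the history depth of five, the random per-entry salt and the Account/logon_warning names are this example's assumptions.

```python
"""Global Password Control checks: added example, not CS1000 code.

Implements the controls named on the slides with assumed rules:
- passwords stored as one-way SHA-256 hashes (the slide's algorithm; the
  random per-entry salt is this example's addition);
- a complexity check (assumed rules: at least 8 characters, three of the four
  character classes, and the user name must not appear in the password);
- an audit trail of previous hashes that blocks reuse;
- Force Password Change for the default accounts listed on the slide, with the
  warning re-armed if a password is set back to its factory default.
"""
import hashlib
import os

DEFAULT_ACCOUNTS = ("PWD1", "PWD2", "PDT1", "PDT2", "LAPW")  # names from the slide
HISTORY_DEPTH = 5     # assumption: remember the last five hashes
MIN_LENGTH = 8        # assumption


def hash_password(password, salt=None):
    """Return (salt, hex digest) of SHA-256 over salt || password."""
    salt = os.urandom(16) if salt is None else salt
    return salt, hashlib.sha256(salt + password.encode("utf-8")).hexdigest()


def matches(password, entry):
    salt, digest = entry
    return hash_password(password, salt)[1] == digest


def check_complexity(username, password):
    """Return the list of violated rules; an empty list means the password passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("too short")
    classes = sum([any(c.islower() for c in password), any(c.isupper() for c in password),
                   any(c.isdigit() for c in password), any(not c.isalnum() for c in password)])
    if classes < 3:
        problems.append("needs three of: lower, upper, digit, symbol")
    if username.lower() in password.lower():
        problems.append("contains user name")
    return problems


class Account:
    def __init__(self, username, initial_password, factory_default=False):
        self.username = username
        self.history = []                      # audit trail of (salt, digest), newest last
        self.default_entry = hash_password(initial_password) if factory_default else None
        self.must_change = factory_default     # Force Password Change flag
        self._store(initial_password)

    def _store(self, password):
        self.history.append(hash_password(password))
        del self.history[:-HISTORY_DEPTH]

    def verify(self, password):
        return matches(password, self.history[-1])

    def was_used_before(self, password):
        """Audit trail check: any entry in the history matching means reuse."""
        return any(matches(password, e) for e in self.history)

    def change_password(self, new_password):
        """Apply the complexity and reuse checks; returns the reasons for refusal."""
        problems = check_complexity(self.username, new_password)
        if self.was_used_before(new_password):
            problems.append("password reuse")
        if not problems:
            self._store(new_password)
            # slide: warn again if a password goes from a non-default value back to the default
            self.must_change = bool(self.default_entry) and matches(new_password, self.default_entry)
        return problems


def logon_warning(accounts):
    """Slide: a warning appears at logon while any system user name still has its default password."""
    flagged = [a.username for a in accounts if a.username in DEFAULT_ACCOUNTS and a.must_change]
    return "WARNING: default password in use for " + ", ".join(flagged) if flagged else ""
```

Note the interaction between the reuse check and the history depth: while the factory default hash is still in the audit trail, a change back to it is refused as reuse; only after it has rolled out of the last five entries can it be set again, which is when the re-armed warning matters.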
Meridian/CS1000 Security
Password Security – Logon Banner

• The system provides a customizable banner that appears when a user logs on to the system.
• The customizable banner is intended for use by customers with security policies that require network equipment to display a specific message to users when they log on.
• You can use this feature to display up to 20 lines of custom text, with up to 80 characters on each line.


Meridian/CS1000 Security
Database Security

• Meridian/CS1000 systems provide a wide range of system configuration parameters to monitor and control system usage and limit fraudulent misuse of the system:
  • Details are provided in the “Telephony Services Access Control Management” NTP
  • It is imperative that administrators understand all system control mechanisms
  • Enable only the permissions that are required
  • Audit periodically for deviations from the original configuration
  • Use of system controls will vary based on specific business requirements


Meridian/CS1000 Security
Database Security – Examples of System Controls

• Trunk Group Access Restrictions (TARG/TGAR)
• System and Network Speed Call Class of Service
• Authorization Codes and Forced Charge Accounts
• Enhanced and Controlled Class of Service
• Electronic Lock
• Code Restriction Blocks
• New Flexible Code Restriction
• Called Party Disconnect Control
• User Selectable Call Redirection
• Call Forward Internal/External
• Call Forward to Trunk Access Code
• Remote Call Forward
• Call Forward Originating (CFO) or Forwarded (CFF) Class of Service
• Supplemental Digit Recognition/Restriction
• Network Class of Service (NCOS) and Facility Restriction Level (FRL)
• Time of Day Schedule
• Direct Inward System Access
• Call Detail Recording
• Traffic Reporting


CS1000 Security

BUSINESS MADE SIMPLE



CS1000 Security
Overview

• CS1000 provides the ability to distribute the system and makes extensive use of IP network technologies
• Security for CS1000 systems therefore provides a wide range of security functions that protect the following areas:
  • Management access
  • Database security
  • Component (DoS attacks and inter-component signaling)
  • IP communications


CS1000 Security Framework

[Figure: CS1000 security framework. The UCM Primary and Backup Security Servers provide centralized security and OAM logs, password and role-based management, optional network authentication (RADIUS, LDAP, i.e. AD), SSL encryption and the Certificate Authority. The Call Server, Media Gateway and Linux Nodal Services (SIP Line GW, SIP Proxy/NRS primary and secondary, TPS, SIP GW, H.323, Element Manager) of System A and System B are protected by ISSS/IPsec, Secure File Transfer Protocol (SFTP), Secure Shell (SSH), Datagram Transport Layer Security (DTLS), SIP TLS, SSL/TLS, SRTP, Linux Master Firewall Control, Port Access Restrictions and 802.1x authentication; each system holds a public/private certificate and key pair; 3rd-party SIP clients connect over SIP.]
CS1000 Media Security

• Secure Real-time Transport Protocol (SRTP)
  • IETF standard for securing media exchanges through the use of SRTP on IP media paths
  • CS1000 clients support two methods of SRTP:
    • SRTP using a pre-shared key (PSK) does not require Call Server support, and therefore is useful for telephony environments where the installed Call Server software does not offer SRTP support
    • SRTP using UNIStim Keys (USK) exchanges keys through UNIStim, using a secure channel
      • To use this feature, SRTP (USK) must be supported on each IP Phone in a call, and must be supported by the Call Server


CS1000 Media Security
Secure Real-time Transport Protocol (SRTP)

• Provides a system-wide configuration setting that controls whether or not the CS1000 system is capable of providing Media Security.
• Provides a Media Security Class of Service on each IP Phone:
  • MSSD
  • Best Effort
  • Always
  • Never
• Provides a system-wide Class of Service parameter for IP Phones, called Media Security System Default (MSSD).
  • Changing the MSSD parameter updates any IP Phones that have a Class of Service value of MSSD to use the new MSSD value.
  • IP Phones that have a Class of Service other than MSSD are not affected when the system MSSD parameter is updated.
• Provides SRTP call reporting
  • Traffic report on SRTP call completions


Media Security Examples

[Figure: SRTP is used on the IP legs between IP UNIStim clients, SIP clients and SIP trunking; a TDM leg in a call is not encrypted]

CS1000 Media Security Reporting

[Figure: screenshot of the SRTP call traffic report]


CS1000 Client Signaling Security

• CS1000 supports two types of IP clients:
  • UNIStim
    • Nortel proprietary protocol used in IP clients
    • In CS1000 delivers extensive feature sets and functions to clients
  • Session Initiation Protocol (SIP)
    • Industry standard protocol for trunking and SIP clients
• CS1000 supports encryption of both signaling protocols:
  • Datagram Transport Layer Security (DTLS)
    • UNIStim signaling
  • SIP Transport Layer Security (SIP TLS)
    • SIP clients and SIP trunks


CS1000 Security
Datagram Transport Layer Security (DTLS)

• The industry standard DTLS protocol is used to encrypt UNIStim signaling from an IP client to the Line Terminal Proxy Server (LTPS)
• Both DTLS-capable and DTLS-incapable systems and phones are supported on the same network
• Each Line Terminal Proxy Server (LTPS) may have its own certificate
• No need to install additional hardware


CS1000 Security
Datagram Transport Layer Security (DTLS)

• The various configuration options of UNIStim with DTLS can be combined to form three security levels:
  • Basic
    • Most of the CS1k systems on the network are upgraded to 6.0 and configured for DTLS, but there may be systems or clients which do not support DTLS
  • Advanced
    • All systems in the network are DTLS-enabled and set to "DTLS Best Effort"; there may be some clients that do not support DTLS
  • Complete
    • All systems and clients in the network are DTLS-enabled and set to "DTLS only"
• Only the Complete level guarantees that no UNIStim signaling crosses the network in the clear; at Basic and Advanced, a client or system without DTLS support still falls back to unencrypted UNIStim


CS1000 and SIP Security
SIP Transport Layer Security (SIP TLS)

• SIP TLS (Transport Layer Security) is used to protect SIP signaling traffic so as to provide:
  • message confidentiality (prevention of information disclosure), and
  • message integrity (prevention of message alteration) in transit, as well as client-server authentication (verification of identity)
• This security functionality applies to SIP trunking and SIP clients
• CS1000 supports TLS as described in RFC 3261
• TLS is supported over the TCP transport only and not over UDP, since it requires a connection-oriented transport protocol underneath


CS1000 Security
SIP TLS Bird’s-eye View

[Figure: one security domain. The UCM Primary and Backup Security Servers distribute certificates (an external CA can also be used by manual import) to the SIP Proxy/NRS and the alternate SIP Proxy/NRS, and to the SIP gateways and SIP Line gateways at two sites joined by TDM and the IP network. SIP TLS protects SIP trunk calls, SIP client calls and SIP third-party calls, for example to third-party applications such as Microsoft OCS 2007.]


CS1000, SIP TLS and Security Domains

• SIP TLS can function within a single or multiple Security Domain configuration
  • Single Domain: discussed on the previous slide
    • Single Security Server
  • Multiple Domain

[Figure: multiple security domain configuration]


Securing Intra-System Communications
Intra System Signaling Security (ISSS)

• Managed from the Unified Communications Management Primary Security Server
• ISSS employs IPsec, configured through the Intra System Signaling Security (ISSS) management interface
  • Provides security services, including confidentiality, authentication, and anti-replay, to application layer protocols
• Communication Server 1000 provides simplified, automated IPsec policy configuration and avoids the complex configuration requirements inherent in many other implementations of IPsec


CS1000 ISSS Elements

• ISSS elements are classified into the following two categories:
  • UCM Targets
    • Automatically belong to the Unified Communications Management security domain, without the need to add them using the Unified Communications Management ISSS management interface
    • Example: a Call Server
  • Manual Targets
    • Must be manually configured using the Unified Communications Management ISSS management interface before ISSS can be enabled
    • Example: CallPilot


CS1000 ISSS and Modes of Operation

• ISSS/IPsec only secures IP traffic on the ELAN
  • At the Full security level, the AML protocol is also protected on the TLAN of Linux-based elements for manual targets
• Two modes of operation
  • Optimal (ELAN traffic)
    • IPsec is required for pbxLink and Xmsg between this host and its known IPsec targets
    • For unknown IPsec targets, traffic using the pbxLink and Xmsg protocols is denied
  • Full
    • For known IPsec targets, all ELAN protocols except HTTPS, LDAPS, RADIUS, BOOTP, SSH/SFTP, SSL/TLS, and DTLS are protected by IPsec
    • For unknown IPsec targets, all protocols are denied except HTTPS, LDAPS, RADIUS, BOOTP, SSH/SFTP, SSL/TLS, and DTLS
• If Full security is configured on the CS1000 system, all external devices such as CallPilot and TM must have IPsec configured in order to communicate with the CS1000 system
  • These auxiliary devices can communicate without IPsec if they are configured as ISSS Disabled in UCM
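The two modes above amount to a decision table keyed on mode, protocol and whether the peer is a known IPsec target. The Python below is an added example, not CS1000 code, that encodes the table as the slide states it. The slide does not say what Optimal does with protocols other than pbxLink and Xmsg; this example assumes they pass in the clear. The Disabled mode, the lowercase protocol labels, the function names and the sample addresses in TARGETS and SAMPLE_FLOWS are assumptions as well.

```python
"""ISSS/IPsec policy decision for ELAN traffic: added example, not CS1000 code.

Encodes the two modes on the slide. Optimal: pbxLink and Xmsg must use IPsec
with known targets and are denied from unknown targets. Full: every protocol
except the exempt list (HTTPS, LDAPS, RADIUS, BOOTP, SSH/SFTP, SSL/TLS, DTLS)
must use IPsec with known targets and is denied from unknown ones, while the
exempt protocols pass without IPsec. The slide does not say what Optimal does
with other protocols; this example assumes they pass in the clear. The
Disabled mode, the protocol labels and the sample addresses are assumptions.
"""
OPTIMAL, FULL, DISABLED = "optimal", "full", "disabled"
ALWAYS_EXEMPT = frozenset({"https", "ldaps", "radius", "bootp", "ssh", "sftp", "ssl/tls", "dtls"})
OPTIMAL_PROTECTED = frozenset({"pbxlink", "xmsg"})
REQUIRE_IPSEC, CLEAR, DENY = "require-ipsec", "clear", "deny"


def decide(mode, protocol, known_target):
    """Return require-ipsec, clear or deny for one inbound ELAN flow."""
    proto = protocol.lower()
    if mode == DISABLED:
        return CLEAR
    if mode == OPTIMAL:
        if proto not in OPTIMAL_PROTECTED:
            return CLEAR                     # assumption: Optimal leaves other protocols alone
        return REQUIRE_IPSEC if known_target else DENY
    if mode == FULL:
        if proto in ALWAYS_EXEMPT:
            return CLEAR                     # exempt list from the slide
        return REQUIRE_IPSEC if known_target else DENY
    raise ValueError(f"unknown ISSS mode {mode!r}")


def evaluate_flows(mode, targets, flows):
    """targets: {ip: True} for hosts configured as IPsec targets; flows: (src_ip, protocol)."""
    return [(src, proto, decide(mode, proto, targets.get(src, False))) for src, proto in flows]


def must_configure_ipsec(mode, protocols_used):
    """Slide: at Full, auxiliary devices such as CallPilot and TM need IPsec to talk to the system."""
    return mode == FULL and any(p.lower() not in ALWAYS_EXEMPT for p in protocols_used)


# Constructed sample: one known target, one unknown host.
TARGETS = {"10.10.0.5": True}
SAMPLE_FLOWS = [("10.10.0.5", "pbxLink"), ("10.10.0.99", "pbxLink"), ("10.10.0.99", "https"),
                ("10.10.0.99", "snmp"), ("10.10.0.5", "sftp")]

if __name__ == "__main__":
    for mode in (OPTIMAL, FULL):
        print(mode)
        for src, proto, verdict in evaluate_flows(mode, TARGETS, SAMPLE_FLOWS):
            print(f"  {src:12} {proto:8} -> {verdict}")
    print("CallPilot (AML) needs IPsec at Full:", must_configure_ipsec(FULL, ["AML"]))
```

The SNMP row is the one to watch when moving from Optimal to Full: a monitoring host that was never added as an ISSS target keeps polling happily under Optimal and is denied under Full, which is the usual cause of "monitoring went dark after we hardened ISSS".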



CS1000 ISSS Example

[Figure: main site with the UCM Primary Security Server, Nodal Element Manager (UCM), CallPilot (managed via UCM), MC32S, CPPM Call Server, MGC with digital and analog line cards, and Linux applications on a CPPM CoRes Call Server; MG1000B branch site with a CPPM CoRes Call Server and MGCs. IPsec secures the ELAN links between the elements.]


CS1000 and Intra-System File Transfer Methods

• CS1000 uses two methods of data transfer between a server and client:
  • File Transfer Protocol (FTP)
    • Standard file transfer protocol
    • Inherently insecure
    • Sends all data unencrypted, including passwords
  • SSH File Transfer Protocol (sometimes called Secure File Transfer Protocol or SFTP)
    • Standard secure file transfer protocol
    • Provides a more secure file transfer method than FTP
    • SFTP carries data (files and/or commands) between a server and client over an encrypted transport, so it is neither readable nor easily tampered with


CS1000 and Secure File Transfer Protocol

• When a device joins the Unified Communications Management security domain, mutual trust is established between the device and the UCM Primary Security Server
• Once mutual trust has been established for the first time, the Unified Communications Management Primary Security Server can send SSH remote commands or Secure FTP (SFTP) transfers to the device using RSA public key-based authentication
• Note: an element can only automatically join the security domain if SFTP has been enabled on the system


Implementing FTP/SFTP in CS1000

[Figure: screenshot of the FTP/SFTP setting]


CS1000 Security with Secure Shell (SSH)

• SSH provides a secure method to log on to a system remotely and perform system management operations.
• Using role definitions, you can grant specific users the ability to use SSH to connect to all parts of the system, or only to the parts you specify.
• This can include access to:
  • SL-1 on the Call Server
  • CPSID user name and ptyxx user names
  • The Call Server PDT shells
  • Voice Gateway Media Card shell
  • IPL shell
  • Signaling Server OAM shell
• SSH provides several authentication methods. Nortel recommends that you use the password authentication method.


CS1000 SSH Example

[Figure: main site with the UCM Primary and Backup Security Servers, Nodal Element Manager (UCM), CallPilot, MC32S, CPPM Call Server, MGC with digital and analog line cards, and Linux applications on a CPPM CoRes Call Server; MG1000B branch site with a CPPM CoRes Call Server and MGCs. SSH is used for management access to the elements.]


Access Restrictions
Overview

• Provides the ability on VxWorks devices to restrict access on a per-port basis; on Linux, the OS built-in access restriction mechanism (iptables filtering) is used for port filtering.
• Content
  • Built-in mechanism to restrict system access to CS1000 system components
  • Protects CS1000 components from undesirable communications through the ability to restrict access to these components
  • Restricts access to the specific ports on the CS1000 components that are allowed access to the system components
  • Example: reject ports not in use
• Value
  • Allows access to unwanted, insecure protocols to be shut down, including from restricted entities
  • Provides integrated protection from Denial of Service attacks
  • Eliminates the need to install and maintain a separate entity to provide server protection

[Figure: access restrictions on the CS1000 facing the Enterprise LAN restrict unintended access and prevent attacks]


Port Access Restrictions in CS1000 Security

• The CS1000 provides two mechanisms for preventing port-based attacks on system components
  • Port Based Access Restrictions
    • VxWorks-based system components
    • Applies to ELAN and TLAN
    • Provides three functional levels: Off, Default and Custom
  • Linux Master Firewall Control (MFC)
    • Equivalent of the port access restrictions feature for VxWorks platforms
    • Applies to both ELAN and TLAN ports
    • Linux applications operate behind a network firewall
    • Starts on system boot, which invokes the Linux iptables facility to load the firewall configuration


Access Restrictions
Adjusting Port Permissions

• Ports can be shut down as required

[Figure: screenshot of the port permissions screen; in the example, IPsec has been disabled]


Additional Port Access Restrictions in CS1000

• The port access restrictions only filter inbound traffic for TCP and UDP port-based protocols.
• The port access rules:
  • Completely protect the ELAN interface for:
    • Call Server
    • MGC
    • MC32S
  • Protect part of the TLAN interface for:
    • MGC and MC32S (non-call-related traffic on the TLAN for MGC and MC32S is blocked)
• Note: the Co-resident Call Server and Signaling Server runs on Linux and is protected by the Linux firewall. MGC and MC32S cards use port access restrictions.
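The two mechanisms described on the last three slides (VxWorks port access restrictions with Off/Default/Custom levels, and the Linux Master Firewall Control that loads iptables rules at boot) express the same policy, and the note that only inbound TCP/UDP is filtered is the detail most often forgotten. The Python below is an added example, not CS1000 code: it evaluates a policy against constructed packet tuples and renders the same policy as iptables commands. The port list behind DEFAULT_ALLOW, the logical interface names "elan"/"tlan" (real Linux names would be eth0-style), the conntrack rule for return traffic, and the Packet/PortAccessPolicy names are this example's assumptions, not Nortel defaults.

```python
"""Inbound port access restriction with Off/Default/Custom levels and the
equivalent Linux iptables rendering: added example, not CS1000 code.

From the slides: both the VxWorks port access restriction and the Linux Master
Firewall Control filter inbound TCP/UDP by destination port only; the VxWorks
feature has the levels Off, Default and Custom; the Linux side loads its rules
through iptables at boot. The port list behind the Default level, the logical
interface names and the packet-tuple format are this example's assumptions.
"""
from dataclasses import dataclass

OFF, DEFAULT, CUSTOM = "off", "default", "custom"

# Assumed Default-level allow list: (protocol, destination port).
DEFAULT_ALLOW = frozenset({("tcp", 22), ("tcp", 443), ("udp", 67), ("udp", 68), ("udp", 1812)})


@dataclass(frozen=True)
class Packet:
    iface: str       # "elan" or "tlan"
    proto: str       # "tcp", "udp", "icmp", ...
    dport: int       # destination port; 0 for protocols without ports
    inbound: bool


class PortAccessPolicy:
    def __init__(self, level, custom_allow=()):
        if level not in (OFF, DEFAULT, CUSTOM):
            raise ValueError(level)
        self.level = level
        self.custom_allow = frozenset(custom_allow)

    def allowed_ports(self):
        """None means no filtering at all (level Off)."""
        if self.level == OFF:
            return None
        return DEFAULT_ALLOW if self.level == DEFAULT else self.custom_allow

    def permits(self, pkt):
        """Only inbound TCP/UDP is subject to the port rules; everything else passes."""
        if not pkt.inbound or pkt.proto not in ("tcp", "udp"):
            return True
        allow = self.allowed_ports()
        return allow is None or (pkt.proto, pkt.dport) in allow

    def iptables_rules(self, ifaces=("elan", "tlan")):
        """Render the same policy as iptables commands, as the Linux MFC would load at boot."""
        allow = self.allowed_ports()
        if allow is None:
            return []
        rules = ["iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"]
        for iface in ifaces:
            for proto, port in sorted(allow):
                rules.append(f"iptables -A INPUT -i {iface} -p {proto} --dport {port} -j ACCEPT")
            rules.append(f"iptables -A INPUT -i {iface} -p tcp -j DROP")
            rules.append(f"iptables -A INPUT -i {iface} -p udp -j DROP")
        return rules


# Constructed probe set exercising each rule class: allowed port, FTP, ICMP, outbound.
PROBES = [Packet("elan", "tcp", 22, True), Packet("elan", "tcp", 21, True),
          Packet("elan", "icmp", 0, True), Packet("elan", "tcp", 21, False)]

if __name__ == "__main__":
    for level in (OFF, DEFAULT, CUSTOM):
        policy = PortAccessPolicy(level, custom_allow={("tcp", 22)})
        print(level, [policy.permits(p) for p in PROBES])
    print("\n".join(PortAccessPolicy(DEFAULT).iptables_rules(("eth0",))))
```

The ICMP probe passing under every level is the point the slide makes: these controls say nothing about ICMP or other non-port protocols, so a flood of those is not addressed by port access restrictions and needs upstream filtering.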



CS1000 Port Access Restrictions
Example

[Figure: main site with the UCM Primary and Backup Security Servers, Signaling Server applications, CallPilot, MC32S, CPPM Call Server, MGC with digital and analog line cards, and Linux applications on a CPPM CoRes Call Server; MG1000B branch site with a CPPM CoRes Call Server and MGCs. The Linux elements are protected by the Linux MFC, the VxWorks elements by port access restrictions.]


CS1000 Security and 802.1x EAPoL

• Extensible Authentication Protocol over LAN (EAPoL) is a port-based network access control protocol
• Authentication at the edge of the network in order to obtain network access, based on the IEEE 802.1X standard
• Supports multiple authentication methods:
  • EAP-PEAP
  • EAP-MD5
  • EAP-TLS
• Represents a technology framework that facilitates the adoption of Authentication, Authorization, and Accounting (AAA) schemes:
  • Example: Remote Authentication Dial In User Service (RADIUS)
  • RADIUS is defined in RFC 2865


CS1000 Telephony Implementation of 802.1x

• Supplicant
  • IP client or device requiring access to the network
• Authenticator
  • Entry point where the supplicant connects (typically a Layer 2/3 device)
  • Proxy between supplicant and authentication server
• Authentication Server
  • Performs authentication of the supplicant
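The three roles above are easiest to see with the messages laid out end to end. The Python below is an added example, not Nortel code: it runs one EAP-MD5 exchange (one of the methods the previous slide lists) between a Supplicant, an Authenticator that only relays and opens its port on Success, and an AuthenticationServer standing in for the RADIUS side. The packet layout and the response value MD5(Identifier || password || challenge) follow RFC 3748 and RFC 1994; the class names, the identity "phone-001" and the USERS credential database are constructed for the example.

```python
"""EAP-MD5 over 802.1X with the three roles on the slide: added example, not
Nortel code. The supplicant is the phone, the authenticator is the edge switch
(it only relays EAP between the supplicant and the server and opens the port on
Success), and the authentication server is the RADIUS side. EAP-MD5 is one of
the methods the slide lists; its response is MD5(Identifier || password ||
challenge) as in RFC 3748 and RFC 1994. Identity, password and the constructed
credential database are assumptions for the example.
"""
import hashlib
import hmac
import os

REQUEST, RESPONSE, SUCCESS, FAILURE = 1, 2, 3, 4      # EAP codes, RFC 3748
TYPE_IDENTITY, TYPE_MD5 = 1, 4                         # EAP types


def eap_packet(code, ident, eap_type=None, data=b""):
    """Code(1) Identifier(1) Length(2) [Type(1) Type-Data]."""
    body = b"" if eap_type is None else bytes([eap_type]) + data
    return bytes([code, ident]) + (4 + len(body)).to_bytes(2, "big") + body


def md5_response(ident, password, challenge):
    return hashlib.md5(bytes([ident]) + password + challenge).digest()


class Supplicant:
    def __init__(self, identity, password):
        self.identity, self.password = identity, password

    def handle(self, pkt):
        ident, eap_type, data = pkt[1], pkt[4], pkt[5:]
        if eap_type == TYPE_IDENTITY:
            return eap_packet(RESPONSE, ident, TYPE_IDENTITY, self.identity)
        if eap_type == TYPE_MD5:
            challenge = data[1:1 + data[0]]                # Value-Size then Value
            digest = md5_response(ident, self.password, challenge)
            return eap_packet(RESPONSE, ident, TYPE_MD5, bytes([16]) + digest)
        raise ValueError("unsupported EAP type")


class AuthenticationServer:
    """RADIUS-side logic: owns the credential database and the challenge."""
    def __init__(self, users):
        self.users, self.identity, self.challenge = users, None, None

    def start(self, ident=1):
        return eap_packet(REQUEST, ident, TYPE_IDENTITY)

    def handle(self, pkt):
        ident, eap_type, data = pkt[1], pkt[4], pkt[5:]
        if eap_type == TYPE_IDENTITY:
            self.identity = data.decode("utf-8", "replace")
            self.challenge = os.urandom(16)
            return eap_packet(REQUEST, ident + 1, TYPE_MD5, bytes([16]) + self.challenge)
        expected = md5_response(ident, self.users.get(self.identity, b""), self.challenge)
        ok = hmac.compare_digest(data[1:1 + data[0]], expected)
        return eap_packet(SUCCESS if ok else FAILURE, ident)


class Authenticator:
    """Edge switch: relays EAP and opens the port only on Success."""
    def __init__(self, server):
        self.server, self.port_open = server, False

    def authenticate(self, supplicant):
        pkt = self.server.start()
        while pkt[0] == REQUEST:
            reply = supplicant.handle(pkt)      # EAPOL leg towards the supplicant
            pkt = self.server.handle(reply)     # RADIUS leg towards the server
        self.port_open = pkt[0] == SUCCESS
        return self.port_open


USERS = {"phone-001": b"s3cret!"}               # constructed credential database

if __name__ == "__main__":
    for identity, pw in (("phone-001", b"s3cret!"), ("phone-001", b"wrong"), ("rogue", b"x")):
        switch = Authenticator(AuthenticationServer(USERS))
        print(identity, "port open:", switch.authenticate(Supplicant(identity.encode(), pw)))
```

Two caveats follow directly from the exchange: the identity travels in the clear, and anyone who captures the challenge and response can run an offline dictionary attack against the phone's password, since EAP-MD5 authenticates only the supplicant and derives no keys. Where the phones support it, EAP-TLS or PEAP is the better choice.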



Additional CS1000 Linux Security Hardening

• Linux security hardening applies hardening items to close system vulnerabilities.
• Linux hardening provides flexibility in meeting various security policies and is divided into two categories:
  • Basic hardening
    • Hardening items that do not affect the performance of Nortel applications; turned on by default and not configurable
  • Enhanced hardening
    • All hardening items that can affect the performance of Nortel applications, or that require configuration

CS1000 Enhanced Linux Hardening Options

[Figure: screenshot of the enhanced hardening options]


CS1000 Security
OAM and Security Logs

[Figure: each CS1000 system keeps local application logs and local security and OAM logs from its Linux OAM applications; local-level OAM activity is forwarded to the Unified Communications Management Primary Security Server, which holds the centralized security and OAM logs for the network, and network-level logs are forwarded on to 3rd-party Operation Support System (OSS) syslog servers. Other CS1000 systems forward to the same UCM server.]

CS1000 System Audit Log sources
• LTPS
• SIP Line Gateway
• SIP Signaling Gateway
• NRS Routing bundle
• NCS, H323, SPS and SIP Redirect Server
• Management bundle
• Linux base log
• CP PM Co-resident Signaling Server
• Any other Nortel specific application log

Audit Log
• Operational events: query for status and enabling or disabling resources
• Configuration events: feature or functional provisioning and modifications
• Maintenance events: upgrades, backups, restores and patching

Security Log
• Security policy changes
• Logon success and failures
• Certificate changes
• User account creation and illegal (failed) login events
• OAM security event where network administrator privilege (or flag) is enabled or required
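Forwarding the security log to a syslog collector is only useful if something reads it. The Python below is an added example, not CS1000 code, that runs simple detection logic over forwarded lines: a logon-failure burst from one source, a success following such a burst, and any of the high-value event classes the slide names (security policy changes, certificate changes, account creation, administrator-flag events). The page shows no real log output, so the line format, the field names, the LINE_RE pattern, the thresholds and the SAMPLE_LOG lines are constructed for this example; a deployment would adapt the pattern to what its collector actually receives.

```python
"""Detection over forwarded security-log lines: added example, not CS1000 code.

The event classes (logon success and failure, security policy changes,
certificate changes, account creation, administrator-flag events) come from the
slide; the line format, the field names and the sample lines are constructed
for this example because the page shows no real log output.
"""
import re
from collections import defaultdict
from datetime import datetime

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d) (?P<host>\S+) secsvc: "
    r"(?P<event>[A-Z_]+) user=(?P<user>\S+) src=(?P<src>\S+)(?: (?P<rest>.*))?$")

FAILURE_THRESHOLD = 3     # assumption: three failures from one source ...
WINDOW_SECONDS = 300      # ... within five minutes
HIGH_VALUE = {"SECURITY_POLICY_CHANGE", "CERT_CHANGE", "ACCOUNT_CREATE", "ADMIN_FLAG_SET"}


def parse(line):
    """Return a dict for a well-formed line, None otherwise."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    return rec


def analyse(lines):
    """Return (alerts, dropped): alert strings plus the count of unparsable lines."""
    alerts, dropped = [], 0
    failures = defaultdict(list)                 # src -> timestamps of recent LOGON_FAIL
    for line in lines:
        rec = parse(line)
        if rec is None:
            dropped += 1
            continue
        src, event = rec["src"], rec["event"]
        if event == "LOGON_FAIL":
            recent = [t for t in failures[src] if (rec["ts"] - t).total_seconds() <= WINDOW_SECONDS]
            recent.append(rec["ts"])
            failures[src] = recent
            if len(recent) == FAILURE_THRESHOLD:  # fire once when the threshold is crossed
                alerts.append(f"brute-force suspected from {src} on {rec['host']}")
        elif event == "LOGON_OK" and len(failures[src]) >= FAILURE_THRESHOLD:
            alerts.append(f"success after repeated failures: {rec['user']} from {src}")
        elif event in HIGH_VALUE:
            alerts.append(f"{event} by {rec['user']} on {rec['host']}: {rec['rest'] or ''}".rstrip(": "))
    return alerts, dropped


# Constructed sample lines in the assumed format.
SAMPLE_LOG = [
    "2009-06-01T10:00:01 cs1k-sig1 secsvc: LOGON_FAIL user=admin src=10.10.0.77",
    "2009-06-01T10:00:09 cs1k-sig1 secsvc: LOGON_FAIL user=admin src=10.10.0.77",
    "2009-06-01T10:00:15 cs1k-sig1 secsvc: LOGON_FAIL user=admin2 src=10.10.0.77",
    "2009-06-01T10:00:40 cs1k-sig1 secsvc: LOGON_OK user=admin2 src=10.10.0.77",
    "2009-06-01T10:05:00 cs1k-ucm secsvc: CERT_CHANGE user=admin2 src=10.10.0.77 cn=sip-gw-a",
    "2009-06-01T10:06:00 cs1k-ucm secsvc: LOGON_OK user=ops src=10.10.0.12",
    "this line is not in the expected format",
]

if __name__ == "__main__":
    found, bad = analyse(SAMPLE_LOG)
    print("\n".join(found))
    print("unparsable lines:", bad)
```

Keying the failure window on the source address rather than the user name is deliberate: the sample shows an attacker rotating user names from one host, which a per-user counter would never catch. Counting unparsable lines matters too, since a silent parse failure after a firmware upgrade changes the log format is how detections quietly stop working.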
Security Summary
Overview

• In summary, the Meridian/CS1000 security components require planning with any opportunity:
  • Determine security deployment requirements
  • Assess use of:
    • Physical access control
    • Administration access control
    • Authentication
    • Role-based privileges
    • Encryption: SSL, SRTP, SIP TLS, SSH, SFTP
    • Port-based access
  • Assess implementation
    • Ensure all controls are in place
  • Create an audit process
    • Use system tools for auditing security functions to identify any potential violations


Security Summary
Reference Documentation

• The following documentation provides a good basis for understanding security functions and deployments
  • Nortel Communication Server 1000
    • Telephony Services Access Control Management, NN43001-602
    • Communication Server 1000 Fault Management — SNMP, NN43001-719
    • Security Management Fundamentals, NN43001-604
    • Unified Communications Management Common Services Fundamentals, NN43001-116
    • IP Phones Fundamentals, NN43001-368
    • Linux Platform Base and Applications Installation and Commissioning, NN43001-315


Questions

• From a security perspective, UCM can be summarized as creating what?
  • A security framework
• When logging into any component, where does authentication occur?
  • Authentication occurs against the UCM security framework (Primary or Alternate Security Server).
• What are the two methods of user name and password creation in UCM?
  • Local UCM password database
  • External directory integration


Questions

• If the Primary or Secondary Security Server is unreachable, how does logon to any network element occur?
  • Users can log in to the element or member UCM server using an Emergency account
• Where is IPsec used in the Security Domain?
  • It can be enabled for ISSS (encrypting ELAN communication)
• UNIStim security is now provided within the security framework without the use of a firewall. What protocol is used? What UNIStim firmware version is required?
  • DTLS
  • UNIStim 4


Questions

• UCM acts as the security framework Certificate Authority. Name two functions that UCM provides certificates for.
  • SIP TLS
  • SSL
• For a secure database transfer between a Call Server and Alternate Call Server, what protocol is used?
  • SFTP
• CS1000 uses two distinct methods to reduce DoS attacks against VxWorks and Linux servers. Name them.
  • VxWorks Port Based Access Restrictions
  • Linux Master Firewall Control (MFC)


Questions

• UCM is optional in a CS1000 deployment: true or false?
  • False. It must be installed to provide system management and security functions.
• When deploying multiple instances of UCM Common Services (UCM-CS), which server must be deployed first?
  • The Primary Security Server

Engineering Security in CS1000 R6.0

• Release 6.0 Enhancement Summary
• Additional Information


Engineering
Release 6 Security Enhancements

• SSH File Transfer Protocol (often called Secure File Transfer Protocol, or SFTP) is introduced as a more secure file transfer method than FTP.
  • SFTP carries data (files and commands) between client and server over the encrypted SSH transport, so the data can be neither read nor easily tampered with in transit. This protection holds only if the client verifies the server's SSH host key; an unverified first connection is open to a man-in-the-middle.
  • The SFTP implementation on VxWorks-based platforms is the Mocana SSH/SFTP stack; Linux-based platforms use the OpenSSH SSH/SFTP built into Red Hat Linux.
• Security Domain Manager (SDM) for VxWorks
  • Provides a method for CS1000 VxWorks-based devices to join and leave the Primary Security Domain.
  • A CS1000 device establishes mutual trust with the Primary Security Server.
  • A device uses the Primary Security Server as its RADIUS server to obtain authentication and access control decisions for CLI access.

Release 6 Security Enhancements
Central Authentication Support

• The UCM Primary Security Server acts as a RADIUS server providing authentication for RADIUS clients.
• In Release 5.5, central authentication was the responsibility of the Call Server component in the CS1000 network.
• In Release 6.0, the UCM framework provides a centralized GUI-based interface for individual account administration across the CS1000 network.
• Once mutual trust is set up, centralized UCM authentication is turned on.
• Emergency user accounts (“nortel by default”) are available on all VxWorks devices for circumstances in which the UCM Security Server is not operational.
  • Created within UCM, not authenticated externally
  • Subset of accounts
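The device-to-security-server exchange described above, as an added example that is not Nortel's code and not taken from the CS1000 or UCM software: the client side builds an RFC 2865 Access-Request carrying the CLI user name and the shared-secret-hidden User-Password, the server side decides and signs its reply with the Response Authenticator, and the client refuses any reply whose authenticator does not verify against its own request. The shared secret, account table and user names are constants constructed for the example; how a real device and the Primary Security Server agree their secret is not on this page and is not modelled here.

```python
import hashlib
import hmac
import os
import struct

# RADIUS codes and attribute types from RFC 2865.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2

# Constructed sample data (not from any real deployment): a shared secret and
# the server-side account table. The password is longer than 16 bytes on
# purpose so that the multi-block hiding below is exercised.
SHARED_SECRET = b"ucm-device-shared-secret"
ACCOUNTS = {"admin2": b"CorrectHorseBatteryStaple"}


def _attr(attr_type, value):
    """Encode one Type-Length-Value attribute (Length covers the 2-byte header)."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def _parse_attrs(data):
    attrs = {}
    while data:
        attr_type, length = data[0], data[1]
        if length < 2 or length > len(data):
            raise ValueError("malformed attribute")
        attrs[attr_type] = data[2:length]
        data = data[length:]
    return attrs


def hide_password(password, secret, request_authenticator):
    """RFC 2865 s5.2 User-Password hiding: pad to 16-byte blocks and XOR each
    block with MD5(secret || previous cipher block), seeded with the Request
    Authenticator. This is obfuscation keyed on the shared secret, not strong
    encryption, which is why the secret itself must stay confidential."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += block
        prev = block
    return out


def reveal_password(hidden, secret, request_authenticator):
    """Inverse of hide_password; the key chain is driven by the *cipher* blocks."""
    out, prev = b"", request_authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(block, key))
        prev = block
    return out.rstrip(b"\x00")


def build_access_request(identifier, username, password, secret, request_authenticator=None):
    """Client side: the device asking the security server to authenticate a CLI login."""
    request_authenticator = request_authenticator or os.urandom(16)
    attrs = _attr(ATTR_USER_NAME, username.encode()) + _attr(
        ATTR_USER_PASSWORD, hide_password(password.encode(), secret, request_authenticator))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + request_authenticator + attrs


def handle_access_request(packet, secret, accounts):
    """Server side: recover the password, decide, and sign the reply with
    Response Authenticator = MD5(Code || ID || Length || RequestAuth || Attrs || Secret)."""
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet):
        raise ValueError("not a well-formed Access-Request")
    request_authenticator = packet[4:20]
    attrs = _parse_attrs(packet[20:length])
    username = attrs.get(ATTR_USER_NAME, b"").decode(errors="replace")
    password = reveal_password(attrs.get(ATTR_USER_PASSWORD, b""), secret, request_authenticator)
    decision = ACCESS_ACCEPT if accounts.get(username) == password else ACCESS_REJECT
    reply_attrs = b""
    header = struct.pack("!BBH", decision, identifier, 20 + len(reply_attrs))
    response_authenticator = hashlib.md5(header + request_authenticator + reply_attrs + secret).digest()
    return header + response_authenticator + reply_attrs


def check_response(response, request, secret):
    """Client side: accept the verdict only if the Response Authenticator proves
    the reply came from a holder of the shared secret and matches *our* request.
    Returns the RADIUS code, or None if the reply is forged or mismatched."""
    code, identifier, length = struct.unpack("!BBH", response[:4])
    if identifier != request[1] or length != len(response):
        return None
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    if not hmac.compare_digest(expected, response[4:20]):
        return None
    return code


def authenticate_cli_login(username, password, secret, accounts, identifier=1):
    """Run both sides of the exchange in-process and return the verified verdict."""
    request = build_access_request(identifier, username, password, secret)
    response = handle_access_request(request, secret, accounts)
    return check_response(response, request, secret)


if __name__ == "__main__":
    print("accept" if authenticate_cli_login("admin2", "CorrectHorseBatteryStaple",
                                             SHARED_SECRET, ACCOUNTS) == ACCESS_ACCEPT else "reject")
```

The point of the last check is the one the slide implies with "mutual trust": a device that skips Response Authenticator verification would accept an Access-Accept from anyone on the ELAN. The example omits the optional Message-Authenticator attribute (RFC 2869), which a production client should also require.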

Release 6 Security Enhancements
User ID/Password and SSH Key Management

• Enhanced User ID / Password
  • Hardcoded application user IDs and passwords can be changed by the system administrator.
  • UCM provides a GUI option to initiate a password change.
  • UCM passes the secret (new password) to all registered elements.
• Enhanced SSH Key Management
  • In Release 6.0, the pending key and pending key activation are no longer supported.
  • Key generation is almost instantaneous in CS1000 Release 6.0.
  • The previous pending/activate approach was a two-step process and took up to 20 minutes to generate an SSH key.

Release 6 Security Enhancements
Port Access Restrictions & ISSS Enhancements

• Port Access Restrictions
  • The CS1000 R6.0 Port Access Restrictions feature (also known as the port blocking facility) prevents port-based attacks and secures the platform with minimal CPU impact.
  • Pre-configured default port blocking rules are installed at software installation time, and port blocking is controlled through these rules. Filtering is on the destination port of incoming packets.
• ISSS Enhancement
  • The Intra System Signaling Security (ISSS) synchronization feature has an improved user interface.
  • ISSS is included as part of the UCM installation and is configurable on the Primary Security Server.
  • Centralized method of managing up to 1000 devices within the security domain
  • IPsec settings for CS1000 Release 6.0 devices are configured automatically by this feature.

Release 6 Security Enhancements
UNIStim Encryption and LINUX Hardening

• Datagram Transport Layer Security (DTLS)
  • The industry-standard DTLS protocol is used to encrypt UNIStim signaling from an IP client to the Line Terminal Proxy Server (LTPS). DTLS covers the signaling channel only; media is protected separately by SRTP.
  • UNIStim 4.0 required
• Enhanced Linux Hardening
  • The CS1000 Linux Security Hardening feature extends the existing base OS hardening and addresses security non-conformances identified by the US Department of Defense Security Technical Implementation Guides (in particular the UNIX DoD STIG).
  • Closing these non-conformances raises the overall security of the Linux-based (RHEL 5.1) CS1000 platform.

Release 6 SRTP Enhancements

• Benefits of the enhancement
  • Increase the chance that peers can authenticate us by sending the full certificate chain.
  • Tighten security by improving the certificate validation process:
    • Verifying that the certificate has not been revoked, by checking the Certificate Revocation List (CRL)
    • Verifying that the FQDN and IP of the connection are consistent
• Three areas of the SRTP implementation are changed by this feature:
  • Method of best-effort SRTP negotiation
  • Crypto keying material used in SIP re-INVITEs for call hold and resume
  • Use of the Master Key Identifier (MKI)
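The best-effort negotiation and MKI items above, as an added example that is not Nortel's code and not taken from the CS1000 software: a parser for the SDP `a=crypto` attribute of RFC 4568 that SIP endpoints use to carry SRTP keying material, including the optional MKI, and a best-effort answerer that picks the first offered suite it supports and falls back to plain RTP when none matches. The suite table and the sample offer are constructed; the CS1000's own negotiation rules and suite list are not on this page and are assumed only to follow the RFC.

```python
import base64
import re

# Master key || master salt length in bytes per RFC 4568 crypto-suite
# (the 128-bit AES counter-mode suites carry a 16-byte key and a 14-byte salt).
SUITE_KEY_LEN = {
    "AES_CM_128_HMAC_SHA1_80": 30,
    "AES_CM_128_HMAC_SHA1_32": 30,
    "F8_128_HMAC_SHA1_80": 30,
}

_CRYPTO = re.compile(r"^a=crypto:(\d+) (\S+) (\S+)(?: (.+))?$")


def parse_crypto(line):
    """Parse one SDES 'a=crypto' attribute into tag, suite, inline key/salt and
    the optional lifetime and MKI (value:length). Raises ValueError on anything
    off-spec, so a malformed line is never silently accepted."""
    m = _CRYPTO.match(line.strip())
    if not m:
        raise ValueError("not an a=crypto line")
    tag, suite, key_params, session_params = m.groups()
    if suite not in SUITE_KEY_LEN:
        raise ValueError("unsupported crypto-suite " + suite)
    if not key_params.startswith("inline:"):
        raise ValueError("only the inline: key method is handled")
    fields = key_params[len("inline:"):].split("|")
    key_salt = base64.b64decode(fields[0], validate=True)
    if len(key_salt) != SUITE_KEY_LEN[suite]:
        raise ValueError("key||salt length %d does not match suite" % len(key_salt))
    lifetime, mki = None, None
    for f in fields[1:]:
        if ":" in f:  # MKI: <value>:<length in bytes>, 1..128 bytes
            value, length = (int(x) for x in f.split(":", 1))
            if not 1 <= length <= 128 or value >= 1 << (8 * length):
                raise ValueError("MKI value does not fit its declared length")
            mki = (value, length)
        else:
            lifetime = f  # e.g. "2^20" or a decimal packet count
    return {
        "tag": int(tag), "suite": suite,
        "key": key_salt[:16], "salt": key_salt[16:],
        "lifetime": lifetime, "mki": mki,
        "session_params": session_params.split() if session_params else [],
    }


def is_valid_crypto(line):
    try:
        parse_crypto(line)
        return True
    except ValueError:
        return False


def negotiate_best_effort(offer_sdp, supported_suites):
    """Best-effort answer: take the first offered crypto line whose suite we
    support, skipping unparsable ones. None means fall back to plain RTP, which
    the answerer must then make explicit (RTP/AVP, no a=crypto) rather than
    answering with a key the offerer never proposed."""
    for line in offer_sdp.splitlines():
        if not line.startswith("a=crypto:"):
            continue
        try:
            crypto = parse_crypto(line)
        except ValueError:
            continue
        if crypto["suite"] in supported_suites:
            return crypto
    return None


# Constructed sample offer (not a real capture): two SRTP options with a 4-byte
# MKI, deliberately listing the 32-bit-tag suite first. The key||salt is just
# bytes 0..29 so the parsed fields are easy to recognise.
SAMPLE_KEY_B64 = base64.b64encode(bytes(range(30))).decode()
SAMPLE_OFFER = "\r\n".join([
    "m=audio 5004 RTP/SAVP 0 8 18",
    "a=crypto:1 AES_CM_128_HMAC_SHA1_32 inline:%s|2^20|1:4" % SAMPLE_KEY_B64,
    "a=crypto:2 AES_CM_128_HMAC_SHA1_80 inline:%s|2^20|1:4" % SAMPLE_KEY_B64,
])

if __name__ == "__main__":
    print(negotiate_best_effort(SAMPLE_OFFER, {"AES_CM_128_HMAC_SHA1_80"}))
```

The answerer echoes the chosen tag and suite with its own key material. The MKI is what makes the hold/resume case on the slide tractable: when a re-INVITE introduces a new master key, each SRTP packet carries the MKI of the key it was protected with, so packets still in flight under the old key are not misinterpreted as authentication failures.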

Release 6 Security Enhancements
OAM and Security Logging Enhancements

• Centralized log for all web-based admin activity - the initial phase covers all CS1000 Linux web-based management interfaces
• Consolidation of OAM admin and security logs - two new logs, one for admin activity and one for security events only, consolidated at the system and network levels
• Log forwarding mechanism - at the system and network level, a secure data forwarding mechanism is planned as part of log consolidation
• Secure log access control infrastructure - both new logs have access restrictions, with the security event log having tighter access controls
• Common logging format and structure
• Log content parsing utilities - the common format allows utilities for searching and sorting the OAM and security data in the log files
• Improved third-party interoperation - the forwarding mechanism introduces functionality that does not exist in the CS1000 today

CS1000 R6.0 Engineering
DTLS Hardware Dependencies

• The DTLS software runs on the following hardware platforms:
  • Signaling Servers
  • CP-PM SS
  • HP DL320 G4
  • IBM X306M
  • IBM X3350
  • Dell R300
• IP Phone DTLS-capable firmware is planned to run on the following Nortel IP Phones:
  • 1200 series (1210, 1220, 1230)
  • 1100 series (1110, 1120E, 1140E, 1150E)
• DTLS support in IP clients is planned in UNIStim 4.0

CS1000 R6.0 Engineering
SSH Usage Guidance

• Nortel recommends that you use SSH whenever possible and disable the insecure shells (rlogin and telnet) on the Communication Server 1000 system, except where they are needed. Both Secure Shell and the insecure shells are enabled by default, so disabling rlogin and telnet is an explicit post-installation step.
• If you must enable insecure shells, Nortel recommends using them only when required and using SSH whenever possible.

CS1000 R6.0 Engineering
Enhanced IP Telephony Security with 802.1x EAP
Mode Support

• Three 802.1X EAP modes are supported for IP Telephone network authentication:
  • EAP-PEAP
  • EAP-TLS
  • EAP-MD5

Parameter     Field Length   Disabled   MD5   PEAP   TLS
ID1           4 - 20                    X     X      X
ID2           0 - 20                          O      O
Password      4 - 12                    X     X
CA Server     0 - 80         O          O     O      X
Domain Name   0 - 50         O          O     O      X
Hostname      0 - 32         O          O     O      X

X - field is enabled and required for the EAP mode
O - field is enabled but not required for the EAP mode
blank - field is disabled in the phone network configuration
Engineering CS1000 R6.0
Certificate-based Access Control (802.1x) EAP-MD5/PEAP/TLS

• Authentication (RADIUS) servers supported:
  • Cisco Access Control Server (ACS)
  • Microsoft Internet Authentication Server (IAS)
  • Juniper (Funk) Steel-Belted Radius Server
• Some supported authenticators (L2/L3 switches):
  • Nortel ERS 5000 Series
  • Nortel ERS 8300
  • Nortel ES 460/470
  • Cisco Catalyst 65xx/45xx
• PC port authentication:
  • With EAP enabled, the L2 switch must support Multiple Host Multiple Authentication (MHMA) and the PC must also be EAP-capable; otherwise it will not be possible to connect a PC to the phone's PC port.
  • If MHMA is not supported, connecting a PC to the PC port may cause the switch port to be disabled, blocking the phone from the network as well.

Engineering CS1000 R6.0
Certificate-based Access Control (802.1x) EAP-MD5/PEAP/TLS

The following combinations of EAP methods and authentication servers are supported:

EAP Method        FreeRADIUS   Funk Steel-Belted Radius   Microsoft IAS   Cisco Secure ACS
EAP-MD5           X            X                          X               X
EAP-TLS           X            X                          X               X
EAP-PEAPv0/MD5    X            X

• Note that not all combinations of CA servers and authentication servers will work. For example, to use Microsoft IAS with EAP-TLS, you must use the Microsoft CA server for certificate management.
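The EAP-MD5 row of the table above, as an added example that is not part of the original deck and not Nortel's code: how the phone's EAP-Response/MD5-Challenge is computed and parsed (RFC 3748 section 5.4, the same computation as CHAP), how the RADIUS server verifies it, and the check a practitioner should run before choosing this mode. One captured challenge/response pair lets an observer test password guesses offline with no lockout, and EAP-MD5 itself gives the phone no way to authenticate the server. The challenge, password and phone identity are constructed values.

```python
import hashlib
import hmac
import struct

EAP_REQUEST, EAP_RESPONSE = 1, 2
EAP_TYPE_MD5_CHALLENGE = 4


def eap_md5_value(identifier, password, challenge):
    """EAP-MD5 Response Value (RFC 3748 s5.4 / RFC 1994):
    MD5(Identifier || password || challenge)."""
    return hashlib.md5(bytes([identifier]) + password + challenge).digest()


def build_md5_response(identifier, password, challenge, name):
    """EAP-Response/MD5-Challenge: Code, Identifier, Length, Type, Value-Size, Value, Name."""
    value = eap_md5_value(identifier, password, challenge)
    body = struct.pack("!BB", EAP_TYPE_MD5_CHALLENGE, len(value)) + value + name
    return struct.pack("!BBH", EAP_RESPONSE, identifier, 4 + len(body)) + body


def parse_md5_response(packet):
    """What the authenticator, the RADIUS server, and anyone sniffing the access
    port all see: returns (identifier, value, name)."""
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if code != EAP_RESPONSE or length != len(packet) or packet[4] != EAP_TYPE_MD5_CHALLENGE:
        raise ValueError("not an EAP-Response/MD5-Challenge")
    value_size = packet[5]
    value = packet[6:6 + value_size]
    name = packet[6 + value_size:]
    return identifier, value, name


def server_verify(identifier, challenge, value, password):
    """RADIUS server side: recompute the expected value and compare in constant time."""
    return hmac.compare_digest(eap_md5_value(identifier, password, challenge), value)


def offline_guess(identifier, challenge, value, candidates):
    """The caveat made concrete: with the challenge and response captured once,
    every guess is a local MD5 and the server is never contacted.
    Returns the recovered password or None."""
    for guess in candidates:
        if eap_md5_value(identifier, guess, challenge) == value:
            return guess
    return None


# Constructed sample (not a real capture): a phone whose ID1 is "1120E-00-1"
# with an 8-character password, inside the 4-12 limit from the table above,
# answering the switch's MD5 challenge.
SAMPLE_CHALLENGE = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")
SAMPLE_PASSWORD = b"ph0ne-pw"
SAMPLE_PACKET = build_md5_response(7, SAMPLE_PASSWORD, SAMPLE_CHALLENGE, b"1120E-00-1")

if __name__ == "__main__":
    ident, value, name = parse_md5_response(SAMPLE_PACKET)
    print(name, offline_guess(ident, SAMPLE_CHALLENGE, value, [b"1234", b"password", b"ph0ne-pw"]))
```

The same captured pair cannot be used this way against EAP-TLS or PEAP: the server is authenticated with a certificate first (the CA Server field in the table), and PEAP carries the credential inside the TLS tunnel. The password-length limit of 4 to 12 characters makes the offline guessing margin even thinner for EAP-MD5.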

Engineering
Phone Authentication Methods

End of Module—Questions

Please take a moment to complete your workshop survey. Your comments are greatly appreciated.