Converged Network Security For Dummies, Avaya Custom Edition

Compliments of Avaya, Juniper Networks & Extreme Networks

Protect your mission-critical communications systems and networks from harm

Is your converged voice, video, and data network safe from threats, both internal and external?

This Avaya custom edition of Converged Network Security For Dummies shows you how to protect the communications and business application assets that you rely on to run your business. Find out how Avaya Strategic Alliance partners Juniper Networks and Extreme Networks provide multi-layered, industry-leading security infrastructures — and how Avaya Security Services can help you assess, deploy, and ultimately protect your networks. As an IT manager or decision-maker, you’ll appreciate the way that these converged network security solutions protect your corporate assets and infrastructure not only from external threats but also from threats within the ever-more-mobile business environment.

And once you’ve secured your converged network, check out Avaya’s limited edition of VoIP Security For Dummies for more hints on how to effectively secure your Avaya IP Telephony solutions. Available from www.avaya.com.

⻬ Ensure that security spans the entire enterprise network
⻬ Use Juniper Networks and Extreme Networks comprehensive security solutions for converged networks
⻬ Extend remote access to employees without compromising security
⻬ Develop converged network security policies with Avaya Security Services
⻬ Protect your IP network from threats and misuse

A Reference for the Rest of Us!®
⻬ Explanations in plain English
⻬ “Get in, get out” information
⻬ Icons and other navigational aids
⻬ Top ten lists
⻬ A dash of humor and fun

@ dummies.com®
⻬ Find listings of all our books
⻬ Choose from many different subject categories
⻬ Sign up for FREE eTips at etips.dummies.com

ISBN: 978-0-470-12098-9
Avaya Part #: SVC3359
Not resaleable

Peter H. Gregory, CISA, CISSP
What is the challenge with converged network security?
Finding the right partners to deliver a secure, reliable,
converged voice and data network infrastructure
— without limiting your flexibility to grow your business
and extend the reach of your network — is the key.
Converged network security isn’t something to be
added after the fact — the need to protect your
mission-critical communications systems and business
applications should be considered from the very start
of your converged network planning. At the same time,
it’s not enough to simply protect your network from
external threats. With more and more employees using
laptops and IP Softphones, converged network security
has to enable protection of these assets from within the
network as well — without limiting the ability of these
employees to work remotely when necessary.
Avaya has partnered with two of the market leaders for
converged networks, Juniper Networks and Extreme
Networks, to bring best-in-class security solutions
to converged voice and data networks. Avaya Global
Services provides expert advice on security design and
implementations for small businesses to world-wide
enterprises.
Explore the possibilities at
www.avaya.com.
01_120989 ffirs.qxp 1/19/07 9:04 PM Page i
Converged Network Security For Dummies®
Avaya Custom Edition

by Peter H. Gregory, CISA, CISSP
Converged Network Security For Dummies®, Avaya Custom Edition
Published by
Wiley Publishing, Inc.
111 River Street
Hoboken, NJ 07030-5774
www.wiley.com
Copyright © 2007 by Wiley Publishing, Inc., Indianapolis, Indiana
No part of this publication may be reproduced, stored in a retrieval system or transmitted in any
form or by any means, electronic, mechanical, photocopying, recording, scanning or otherwise,
except as permitted under Sections 107 or 108 of the 1976 United States Copyright Act, without the
prior written permission of the Publisher. Requests to the Publisher for permission should be
addressed to the Legal Department, Wiley Publishing, Inc., 10475 Crosspoint Blvd., Indianapolis, IN
46256, (317) 572-3447, fax (317) 572-4355, or online at http://www.wiley.com/go/permissions.
Trademarks: Wiley, the Wiley Publishing logo, For Dummies, the Dummies Man logo, A Reference for
the Rest of Us!, The Dummies Way, Dummies Daily, The Fun and Easy Way, Dummies.com, and
related trade dress are trademarks or registered trademarks of John Wiley & Sons, Inc. and/or its
affiliates in the United States and other countries, and may not be used without written permission.
All other trademarks are the property of their respective owners. Wiley Publishing, Inc., is not associated with any product or vendor mentioned in this book.
LIMIT OF LIABILITY/DISCLAIMER OF WARRANTY: THE PUBLISHER AND THE AUTHOR MAKE NO REPRESENTATIONS OR WARRANTIES WITH RESPECT TO THE ACCURACY OR COMPLETENESS OF THE CONTENTS OF THIS WORK AND SPECIFICALLY DISCLAIM ALL WARRANTIES, INCLUDING WITHOUT LIMITATION WARRANTIES OF FITNESS FOR A PARTICULAR PURPOSE. NO WARRANTY MAY BE CREATED OR EXTENDED BY SALES OR PROMOTIONAL MATERIALS. THE ADVICE AND STRATEGIES CONTAINED HEREIN MAY NOT BE SUITABLE FOR EVERY SITUATION. THIS WORK IS SOLD WITH THE UNDERSTANDING THAT THE PUBLISHER IS NOT ENGAGED IN RENDERING LEGAL, ACCOUNTING, OR OTHER PROFESSIONAL SERVICES. IF PROFESSIONAL ASSISTANCE IS REQUIRED, THE SERVICES OF A COMPETENT PROFESSIONAL PERSON SHOULD BE SOUGHT. NEITHER THE PUBLISHER NOR THE AUTHOR SHALL BE LIABLE FOR DAMAGES ARISING HEREFROM. THE FACT THAT AN ORGANIZATION OR WEBSITE IS REFERRED TO IN THIS WORK AS A CITATION AND/OR A POTENTIAL SOURCE OF FURTHER INFORMATION DOES NOT MEAN THAT THE AUTHOR OR THE PUBLISHER ENDORSES THE INFORMATION THE ORGANIZATION OR WEBSITE MAY PROVIDE OR RECOMMENDATIONS IT MAY MAKE. FURTHER, READERS SHOULD BE AWARE THAT INTERNET WEBSITES LISTED IN THIS WORK MAY HAVE CHANGED OR DISAPPEARED BETWEEN WHEN THIS WORK WAS WRITTEN AND WHEN IT IS READ.
For general information on our other products and services, please contact our Customer Care
Department within the U.S. at 800-762-2974, outside the U.S. at 317-572-3993, or fax 317-572-4002.
ISBN: 978-0-470-12098-9
Manufactured in the United States of America
10 9 8 7 6 5 4 3 2 1
Publisher’s Acknowledgments

We’re proud of this book; please send us your comments through our online registration form located at www.dummies.com/register/. For information on a custom Dummies book for your business or organization, or information about licensing the For Dummies brand for products or services, contact BrandedRights&Licenses@Wiley.com.

Some of the people who helped bring this book to market include the following:

Acquisitions, Editorial, and Media Development
Project Editor: Jan Sims
Business Development Representative: Jacqueline Smith
Editorial Manager: Rev Mengle

Composition Services
Project Coordinator: Kristie Rees
Layout and Graphics: Erin Zeltner
Proofreaders: Laura Albert, Brian H. Walls
Special Help: Jon Alperin
Publishing and Editorial for Technology Dummies
Richard Swadley, Vice President and Executive Group Publisher
Andy Cummings, Vice President and Publisher
Mary Bednarek, Executive Acquisitions Director
Mary C. Corder, Editorial Director
Publishing for Consumer Dummies
Diane Graves Steele, Vice President and Publisher
Joyce Pepple, Acquisitions Director
Composition Services
Gerry Fahey, Vice President of Production Services
Debbie Stailey, Director of Composition Services
Avaya Acknowledgments
This book would not have been complete without the assistance and expertise of Craig
Adams and Tim Bardzil of Extreme Networks, and Shrikant Latkar of Juniper Networks.
Contents at a Glance

Introduction

Chapter 1: The Importance of Securing Converged Networks
  Arrival of Converged Networks
  Protection of Converged Networks and Devices
    VoIP-related complexities and challenges
    Evolving protection techniques to answer new threats
    Understanding threats in today’s business environment
  Partnering for Better Protection

Chapter 2: Jumping Juniper Networks: Improving Converged Network Security for All
  Juniper Networks’ Security Solutions
    Firewalls and IPSec VPN
    Intrusion detection and prevention (IDP)
    SSL VPN secure remote access
    Network Access Control
    Unified management
  Security Deployment Scenarios
    Security for office-based users
    Security for Road Warriors
    Security for Teleworkers
  Deploying Juniper Networks Solutions

Chapter 3: Extreme Improvements for Network Security
  Network Access Control
    Authenticating users or devices
    Discovering your needs automagically
    Host integrity checking
  Network Segmentation
    Virtual LANs
    Wire-speed encryption
    Access control lists
  Threat Mitigation
    IP and MAC security
    Virtualized Security Resources
  Deploying Extreme Networks’ Solutions

Chapter 4: Plans, Policies, and Avaya Security Services
  Understanding Avaya Security Consulting Services
  Why You Need Avaya’s Security Consulting Services
    New services introduce new vulnerabilities
    Expertise
    Regulation
    Even old technology is still important
Introduction

Competitive businesses today need competitive security — and it’s a team effort. What is your role in your organization? Are you responsible for network architecture, policy, security, and strategy? Then this book can help you understand how to secure your converged network.

If you’re a network practitioner, this book introduces you to the security technologies and practices you will likely be setting up and performing in a converged network environment. If you’re in management, you can gain an appreciation for what others in the organization need to think about in order to ensure the security and success of your converged network.

Don’t forget to check out the Avaya Limited Edition of VoIP Security For Dummies for additional insight into how Avaya IP telephony relies and builds upon the security environment of the underlying converged network. You can request a copy from Avaya’s Web site at www.avaya.com.

Understanding Network Security Inside-Out

Getting a grip on security in today’s converged network environment can seem like a daunting and abstract exercise. But the steps you take are actually similar to those for basic home security: When you think of providing security and protection for your family and possessions, first you typically create a layer of security that surrounds your house and family — you put locks on doors and windows, set alarms to notify you of intruders, and perhaps even contract with a security firm to respond in case intruders manage to get in. And when your family is traveling outside the home, you may provide them with mobile phones so that they can stay in touch with other family members in case of emergencies.
2 Converged Network Security For Dummies, Avaya Custom Edition
In many ways, this level of externally oriented security is what Avaya’s partnership with Juniper Networks brings to the table — Network Access Control, firewalls, intrusion detection and prevention systems, and Virtual Private Networks (VPNs) all create a level of security that protects the converged network of enterprises from external threats.

But if you have young children, you may also think of childproofing inside the house — putting locks on cabinets to keep children away from chemicals and other dangerous items, covering electrical outlets to make sure that they aren’t sticking their fingers in them, and so on. And perhaps you lock your expensive home electronics behind cabinet doors to keep little ones from storing their grilled cheese sandwiches in the DVD player. You also teach children not to open the door to strangers. This is a case of protecting against internal threats and mishaps.

This variety of security from within is where Avaya’s partnership with Extreme Networks brings extra security value. Virtual LANs (VLANs) help protect network resources by logically separating different types of traffic, so that trouble in one class of traffic (a worm outbreak on the data VLAN, say) does not spill over into another (the voice VLAN). Extreme Networks also uses industry-standard protocols such as 802.1X and LLDP-MED, together with host integrity checking, to verify that a device is permitted to connect to the network and to use its resources. Its switches can also detect anomalous behavior and single out potentially damaging network traffic for further evaluation.

Finally, just as your entire family can often end up with a cold or virus that is sweeping through your child’s elementary school, so viruses and security threats can bypass the externally facing firewalls of your enterprise. With 60 to 70 percent of virus and security threats coming from inadvertent actions of remote workers who bring their laptops back and forth between work, home, and public access points, the need to protect the network, communication systems, and other mission-critical business applications and systems from within is as important as protecting them from overt malicious hacking. As recently as October 2006, Apple Computer acknowledged that a small number of its iPod music players had been shipped with a Windows virus that could infect the PCs they were attached to. No matter how good your network firewall is, you are still vulnerable to a wide variety of attacks from within.
Ready to automatically lock doors as people come and go,
childproof the cabinets, and get a flu vaccine? That’s what
converged network security is all about.
How This Book Is Organized

The primary purpose of this book is to highlight the strategic role that Avaya’s two strategic partners, Juniper Networks and Extreme Networks, plus Avaya’s own Global Services professional services, play in the realization of Avaya’s vision and leadership in converged voice and data networks.
Chapter 1: The Importance of
Securing Converged Networks
Chapter 1 makes the pitch for securing converged networks.
Besides securing your VoIP hardware, you need to protect
all your assets, including mission-critical applications and
servers, such as Customer Service, Unified Communications
and Web conferencing solutions, and so on. This chapter is
not only about what, but how.
Chapter 2: Jumping Juniper
Networks: Improving
Security for All
Chapter 2 describes how Juniper Networks, one of Avaya’s
strategic partners, contributes to the security of converged
networks through its product offerings.
Chapter 3: Extreme Improvements
for Network Security
Chapter 3 shows how Avaya’s strategic partner, Extreme
Networks, contributes to converged network security.
Chapter 4: Plans, Policies, and
Avaya Security Services
Chapter 4 showcases Avaya Global Services and their security
services as another strategic partner for assessing security
and developing policy, architecture, and design for your
enterprise network.
Icons Used in This Book

Icons are used throughout this book to call attention to material worth noting in a special way. Here is a list of the icons along with a description of each:

If you see a Tip icon, pay attention — you’re about to find out how to save some aggravation and time.

This icon indicates technical information that is probably most interesting to IT professionals.

Some points bear repeating, and others bear remembering. When you see this icon, take special note of what you’re about to read.

Where to Go from Here

Regardless of where you are in your converged network plan, never lose sight of the big picture: Avaya is the converged networks expert and has strategic vision and leadership in intelligent communications, converged networks, and security. Companies that go with Avaya enjoy all the benefits of Avaya’s knowledge, experience, and strategic partnerships with Juniper Networks and Extreme Networks. Discover for yourself why Avaya is the undisputed leader in delivering intelligent communications solutions.
Chapter 1
The Importance of Securing Converged Networks

In This Chapter
 Understanding security in converged networks
 Protecting networks and devices in converged networks

Just look around . . . it seems as though everything that businesses are doing these days involves the Internet. And I don’t just mean fancy Web sites with online ordering, but even the lackluster back-office things: the plumbing, the basement storage room, and the loading dock — the unsexy stuff is online. I’ll bet even the coffee pot has an IP address.

Consider this phenomenon from another angle. Everything (coffee pot included) is about TCP/IP. It’s not just in the computer center any more — it’s everywhere! The sheer ubiquity of TCP/IP technology (and from now on I’ll just say IP but I mean the same thing) is making it more important than before.

Avaya has been on the leading edge of this revolution by developing communications technology — especially Voice over IP (VoIP), which runs over beefed-up enterprise data networks and does away with large, underutilized and costly separate voice networks. But Avaya isn’t alone; strategic converged network technology partners Juniper Networks and Extreme Networks have been right there on the cutting edge developing the enabling and protective technologies that give Avaya products and services even more punch.
Arrival of Converged Networks
Circuit-switched networks are soooo 20th century. They’re
expensive, underutilized, and definitely not cool. When was
the last time you read about a killer app that ran on a circuit-
switched phone network? Thought so.
Success in business today is all about IP. Avaya and their
partners Juniper Networks and Extreme Networks have been
working their fingers to the bone on a big mission: getting
voice and other communications technologies off the voice
network and onto the data network. This new network is still
a data network, but it carries more than just your data, it
carries your voice. Or put another way, your voice is data!
The new voice-plus-data network is called a converged network. The applications are converged, the protocols are converged, and even the wiring is converged. The single, multi-technology converged network carries all kinds of communications. A converged network is an IP network with the same technology at its core that runs the Internet. But converged networks carry not just computer-to-computer traffic, but also voice and other time- and delay-sensitive traffic, too, such as telephony, video and streaming media.
In addition to laptops and servers, many cool new devices are
found on converged networks, such as IP phones. Although in
appearance just like office phones seen everywhere, IP phones
are data network devices. They plug into Ethernet networks
just like computers and printers do. To the average user, IP
phones are just like office phones, but to the IT manager and
the CIO, they are network devices. And to the CFO and CEO,
they are saving the organization lots of money by reducing
communications costs. (Maybe they thought of this because
we kept plugging laptops into the phone jack and vice-versa.)
Protection of Converged
Networks and Devices
So if you thought that data networks were important (they are!), when you put your phone system on your converged network, the network becomes more important than ever. The network’s reliability and freedom from jitter (you coffee drinkers will be happy to note) is not negotiable. Anyone who remembers the early days of digital cell phones remembers the clipping and other bizarre effects that digital transmission had on voice. That just won’t fly on converged networks today.

Not only is performance more vital, but so is security. Threats don’t originate only on the Internet, to be repelled by the firewall and antivirus software. That’s the old school of security. Threats exist within the network as well — from sick laptops to mobile user carelessness. A new approach for security is called for — scalable, holistic security that protects the very fabric of the network.
There’s more at stake if the converged network is compro-
mised. In a converged network environment, if you take the
network away, you might as well turn off the power. In fact, if
you’re using Power over Ethernet (PoE) devices, turning off
the network is the same as turning off the power!
VoIP-related complexities
and challenges
Adding voice to the enterprise network has many advantages for an enterprise, but it also makes protecting the network more complicated:
 All network devices, security devices included, must add as little latency, jitter and packet loss as possible in order to assure the quality of performance-sensitive services such as VoIP and streaming media. A firewall or IPS that takes too long to inspect a packet degrades a call just as surely as a congested link does.
 All security devices must be specifically aware of VoIP and other multimedia technologies (for example, SIP and H.323 call signaling and the dynamically negotiated RTP ports that each call opens) so that they can continue to offer robust protection while not getting in the way of these services.
Existing security issues — Denial of Service (DoS), worms, viruses, spam and so on — that plague servers that run e-mail, Web sites and other applications now also plague the VoIP systems.
Evolving protection techniques
to answer new threats
Not so long ago, if you had a firewall, you were pretty well set
for network security. Firewalls were the only means necessary
to protect data networks from fairly simple threats, which were
unsophisticated and easily brushed aside. When there was
little for troublemakers to do but vandalize the Web site, fire-
walls were all you needed. But as the value of business data on
the Internet increases, the threats are growing in sophistication
as they try to pry into business data for fun and profit.
Malware (viruses, worms, and Trojan horses) has more attitude and impact than it used to, and insider threats are more potent than before. And by insider threats, we mean both the malicious kind and the accidental variety: The classic example is a laptop or other mobile device that becomes infected with a worm or virus while it is on the Internet in an unprotected location, then brought back into the network where it is free to infect other systems.
To meet these threats, network design techniques and new
security capabilities are available to protect business net-
works, including:
 Firewalls: Like a moat encircling the castle, the original network protector remains the mainstay of perimeter network protection. They permit data traffic of known types to specific servers and devices such as Web servers, e-mail servers, and VoIP gateways, while rejecting all other intrusive traffic.
The perimeter isn’t just between the enterprise and the rest of the world. Juniper Networks firewalls can also be used to protect internal assets by creating security zones for internal traffic and then applying the same sorts of policies as they would to external traffic, such as between brokers and research analyst organizations in a financial institution. See Chapter 2 for more discussion on zone architectures.
 Intrusion detection and intrusion prevention systems: These devices perform a more careful examination of network traffic than firewalls do. As the name suggests, IDS and IPS devices detect intrusions, whether it’s a hacker probing your network or a virus using your network to spread, by scanning network traffic for specific signatures or anomalous traffic patterns. Intrusion detection systems generate alarms to notify network personnel that something is amiss, whereas intrusion prevention systems can actually stop the progress of an attack by dropping the offending traffic much like a firewall.
 Unified access control (UAC) and Network access control (NAC): This newest technique helps to ensure that all connections to the network conform to the policies set by the organization. UAC/NAC is used to authenticate and verify devices that connect to the enterprise network, devices such as PCs and IP phones. Two standard protocols do the groundwork: 802.1X, which authenticates the user or device at the switch port before any other traffic is allowed through, and Link Layer Discovery Protocol (LLDP, with its LLDP-MED extensions for IP phones), which lets the switch discover what kind of device is attached so that the right policy (the voice VLAN and QoS settings, for example) can be applied. Neither protocol checks on its own whether a device is healthy; that comes from a host integrity (posture) check layered on top of the authentication, and it is the combination that confirms a device is both authorized to connect and presents no threat to the organization.
A good UAC/NAC solution does four things:
• Makes sure the device or user is who they claim to be.
• Makes sure the device or user is authorized to use the network.
• Makes sure the device is healthy and presents no threat to the organization or the network.
• Quickly reacts to threats and disconnects rogue systems from the network in real-time. This responsiveness to constantly changing business needs is a part of Extreme Networks’ engaged network and Juniper Networks’ UAC solutions.
 Network partitioning: Enterprise networks can be
divided into zones based upon business needs. This is
accomplished with VLANs and firewalls, used together
or separately. Network partitioning is an effective way to
safely deliver high-quality services to a variety of devices
and users, such as IP phones and employees. You can
even enable visitors to use your network to reach the
Internet and back into their own corporate networks,
without giving them access to any of your own business
systems or applications.
 MAC and IP Security: Sometimes called wire level control and security, IP security is protection applied at the switch port for the traffic and systems that control the network, such as Domain Name Service (DNS) servers, DHCP servers or Avaya Communication Manager software. This protection minimizes exposure to Denial of Service (DoS) attacks, address spoofing, and so-called ‘man in the middle’ attacks (a rogue host answering ARP requests for the default gateway, or a rogue DHCP server handing out its own address as gateway and DNS server), whether they originate outside the network or within it.
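To make the IDS-versus-IPS distinction in the list above concrete, here is an added example (not code from this book, nor from any Juniper Networks or Extreme Networks product) that runs a signature check and a rate-based anomaly check over a few constructed SIP and HTTP traffic records, the anomaly being the kind of call-setup flood that the DoS remark earlier in this chapter warns about. The record layout, the two signatures, the two-second window and the INVITE threshold are all assumptions chosen for illustration; a real sensor works on packets rather than tuples and carries thousands of signatures.

```python
"""Added example: IDS-versus-IPS handling of signature and anomaly hits.
Not code from the book or from any vendor product; the record layout,
signatures and thresholds are illustrative assumptions."""
from collections import defaultdict, deque

WINDOW_SECONDS = 2.0    # assumed sliding window for the INVITE-rate check
INVITE_THRESHOLD = 5    # assumed: more INVITEs than this per window per source = flood

# Assumed signature set: name -> (destination port, substring marking hostile traffic)
SIGNATURES = {
    "http-dir-traversal": (80, "../.."),
    "sip-overlong-uri": (5060, "A" * 64),
}

# Constructed traffic records: (time in seconds, src IP, dst IP, dst port, payload).
PBX, WEB = "10.1.9.5", "10.1.9.8"
SAMPLE_TRAFFIC = [
    (0.0, "10.1.1.20", PBX, 5060, "INVITE sip:2001@pbx.example SIP/2.0"),
    (0.2, "10.1.1.21", PBX, 5060, "REGISTER sip:pbx.example SIP/2.0"),
    (0.4, "10.1.1.77", WEB, 80, "GET /../../etc/passwd HTTP/1.1"),
] + [
    # one source firing eight INVITEs in 0.7 s: a call-setup flood against the PBX
    (1.0 + 0.1 * i, "10.1.1.66", PBX, 5060, "INVITE sip:%d@pbx.example SIP/2.0" % (3000 + i))
    for i in range(8)
] + [
    (3.0, "10.1.1.20", PBX, 5060, "BYE sip:2001@pbx.example SIP/2.0"),
]


def match_signature(record):
    """Return the name of the first signature the record matches, else None."""
    _, _, _, dport, payload = record
    for name, (port, pattern) in SIGNATURES.items():
        if dport == port and pattern in payload:
            return name
    return None


class InviteRateTracker:
    """Per-source sliding-window count of SIP INVITEs (the anomaly check)."""

    def __init__(self, window=WINDOW_SECONDS, threshold=INVITE_THRESHOLD):
        self.window, self.threshold = window, threshold
        self.seen = defaultdict(deque)   # src IP -> timestamps of recent INVITEs

    def observe(self, ts, src, payload):
        if not payload.startswith("INVITE "):
            return False
        times = self.seen[src]
        times.append(ts)
        while times and ts - times[0] > self.window:
            times.popleft()
        return len(times) > self.threshold


def inspect(records, mode="ids"):
    """Run both checks over records in arrival order.

    Returns (alerts, forwarded).  In "ids" mode every record is forwarded and a
    hit only raises an alert; in "ips" mode a hit is also dropped, like a
    firewall deny.  A rate check, by nature, lets the first few flood packets
    through before it trips.
    """
    if mode not in ("ids", "ips"):
        raise ValueError("mode must be 'ids' or 'ips'")
    tracker = InviteRateTracker()
    alerts, forwarded = [], []
    for rec in records:
        ts, src, _, _, payload = rec
        flood = tracker.observe(ts, src, payload)
        reason = match_signature(rec) or ("sip-invite-flood" if flood else None)
        if reason:
            alerts.append((ts, src, reason))
            if mode == "ips":
                continue            # prevention: drop the offending traffic
        forwarded.append(rec)       # detection only: let it through, but alarm
    return alerts, forwarded


if __name__ == "__main__":
    for mode in ("ids", "ips"):
        alerts, forwarded = inspect(SAMPLE_TRAFFIC, mode)
        print(mode, "alerts:", len(alerts), "forwarded:", len(forwarded))
```

Run on the sample, IDS mode forwards all twelve records and raises four alerts (one traversal, three flood); IPS mode forwards eight, having dropped the traversal and the INVITEs beyond the threshold. The five INVITEs that slip through before the counter trips are the price of any rate-based rule, which is why a VoIP-aware sensor pairs such rules with signatures for known-bad signaling.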
One way to think about IP security is that the network has two major layers: the Routing/Firewall layer, which connects LANs together and to the outside world, and the LAN Layer, which connects end user devices to corporate resources like DHCP servers, DNS servers, databases, applications and, of course, communications systems and applications. Within this LAN layer are edge switches, typically 24 or 48 ports that support PCs and IP phones, and aggregation switches that connect edge switches to the other resources and router/firewalls. Security at this layer is what stops someone from simply plugging a rogue laptop into the nearest wall jack and stealing information or services from other users: the port itself decides what the attached device may send before any firewall ever sees the traffic.
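The following added example (not code from this book or from any Extreme Networks or Juniper Networks switch) shows what the LAN-layer controls just described look like as logic: a DHCP-snooping binding table is learned only from server replies on a trusted uplink, and every ARP reply or IP packet from an access port is then checked against that table, which defeats the rogue-DHCP-server, ARP-poisoning and IP-spoofing tricks a rogue laptop on a spare jack would try. The event format, port names and addresses are constructed for the example.

```python
"""Added example: DHCP-snooping-style binding table with dynamic ARP inspection
and IP source guard on an edge switch.  Illustrative, not code from the book or
from any vendor switch; the event format, port names and addresses are
constructed for the example."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Event:
    kind: str                          # "dhcp_ack", "arp" or "ip"
    port: str                          # switch port the frame arrived on
    mac: str                           # client MAC (dhcp_ack), sender MAC (arp), source MAC (ip)
    ip: str                            # leased IP (dhcp_ack), sender IP (arp), source IP (ip)
    client_port: Optional[str] = None  # dhcp_ack only: access port of the leased client


class EdgeSwitchGuard:
    """Wire-level control on the LAN layer: only a trusted uplink may act as a
    DHCP server, and every ARP reply or IP packet from an untrusted port must
    match the (MAC, IP, port) binding that DHCP snooping learned for it."""

    def __init__(self, trusted_ports):
        self.trusted = set(trusted_ports)
        self.bindings = {}    # MAC -> (IP, access port), learned from DHCP ACKs
        self.violations = []  # (port, mac, ip, reason) for every dropped frame

    def process(self, ev: Event) -> str:
        if ev.kind == "dhcp_ack":
            # A server-to-client DHCP message arriving on an access port means a
            # rogue DHCP server (man-in-the-middle via a bogus gateway or DNS).
            if ev.port not in self.trusted:
                return self._drop(ev, "rogue-dhcp-server")
            self.bindings[ev.mac] = (ev.ip, ev.client_port)
            return "forward"
        if ev.port in self.trusted:
            return "forward"          # uplink traffic is not inspected here
        if self.bindings.get(ev.mac) != (ev.ip, ev.port):
            # Sender claims an address it was never leased, or sits on the wrong
            # port: ARP poisoning or IP spoofing from a rogue host.
            return self._drop(ev, "arp-spoof" if ev.kind == "arp" else "ip-spoof")
        return "forward"

    def _drop(self, ev, reason):
        self.violations.append((ev.port, ev.mac, ev.ip, reason))
        return "drop"


UPLINK = "Gi1/0/48"   # assumed: port toward the aggregation switch and the real DHCP server

# Constructed event stream: two legitimate leases, then a rogue laptop on port 7.
SAMPLE_EVENTS = [
    Event("dhcp_ack", UPLINK, "00:aa:aa:aa:aa:01", "10.1.1.20", client_port="Gi1/0/1"),   # PC
    Event("dhcp_ack", UPLINK, "00:04:0d:bb:bb:02", "10.1.1.21", client_port="Gi1/0/2"),   # IP phone
    Event("dhcp_ack", "Gi1/0/7", "00:aa:aa:aa:aa:01", "10.1.1.99", client_port="Gi1/0/1"),  # rogue server answers the PC
    Event("arp", "Gi1/0/1", "00:aa:aa:aa:aa:01", "10.1.1.20"),    # PC answers for its own address
    Event("arp", "Gi1/0/7", "00:cc:cc:cc:cc:66", "10.1.1.1"),     # rogue claims to be the gateway
    Event("arp", "Gi1/0/7", "00:cc:cc:cc:cc:66", "10.1.1.21"),    # rogue claims the phone's address
    Event("ip", "Gi1/0/7", "00:cc:cc:cc:cc:66", "10.1.1.20"),     # rogue sends with the PC's address
    Event("ip", "Gi1/0/2", "00:04:0d:bb:bb:02", "10.1.1.21"),     # phone traffic, matches binding
    Event("arp", UPLINK, "00:00:5e:00:01:fe", "10.1.1.1"),        # real gateway, via trusted uplink
]


def run(events, trusted=(UPLINK,)):
    """Process events in order; return (decisions, violations, learned bindings)."""
    guard = EdgeSwitchGuard(trusted)
    decisions = [guard.process(ev) for ev in events]
    return decisions, guard.violations, dict(guard.bindings)


if __name__ == "__main__":
    decisions, violations, bindings = run(SAMPLE_EVENTS)
    for ev, d in zip(SAMPLE_EVENTS, decisions):
        print(f"{d:7} {ev.kind:8} {ev.port:9} {ev.mac} {ev.ip}")
    print("violations:", violations)
```

Everything the rogue laptop on Gi1/0/7 tries is dropped and logged, while the PC, the phone and the real gateway on the uplink are forwarded; the rogue lease never reaches the binding table because it is rejected before the table is updated. Real switches implement this in hardware per port, and the same binding table is what lets a network management system answer "which port is 10.1.1.21 on?" during an incident.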
All devices in a converged network communicate using the
TCP/IP network protocol, and to a great extent they all partici-
pate in the great realm of threats and vulnerabilities.
Understanding threats in today’s
business environment
IP communications has facilitated capabilities unimagined
in the past, such as employees’ ability to work from remote
locations such as homes, WiFi hotspots, hotels, conference
venues, and even airplanes, buses and trains.
This is where the big-I Internet comes into play, as an
untrusted network, over which business communications
and information will be exchanged with a remote worker or
branch office. It’s never enough to just send data across the
network — you need to protect it somehow, using means that
reflect an intelligent architecture and good use of resources.
Remote access
Remote access is the mechanism that provides the “just like in the office” connectivity to all of the resources that are normally available to you when you are actually in the office. With remote access you can get to these resources from anywhere in the world, so it’s understandably in demand. Understandably, also, remote access is vulnerable to threats and can place the entire converged network at risk. Any entry point into a network by legitimate users can be targeted by others too, or simply accidentally put sensitive data at risk. (Read any stories in the news lately about a misplaced or stolen laptop? Besides putting whatever files that are on the laptop at risk, such mobile devices may provide easy entry to top-secret confidential files elsewhere in the network.)
People accessing VoIP resources by using either a VoIP phone or softphone need to know their communications are secured. Remote VoIP phones can use IPSec VPNs to encrypt traffic from the phone all the way to the PBX (phone switch): the VoIP phone establishes a VPN tunnel to one of the head-end firewalls and is connected to the corporate network without fear of interference or eavesdroppers. Bear in mind that the tunnel protects the path across the Internet; it does not by itself stop a compromised phone or PC at the far end from misusing that access, which is why the endpoint checks described next matter.
Softphone users accessing corporate resources need to be authenticated, and checked to ensure that the PC from which they are logging in is not compromised or introducing worms, viruses, or Trojans into the network. This is where technology such as Juniper Networks SSL VPN becomes really important, delivering the performance required for VoIP applications and also ensuring end-point integrity before access is granted. One caveat: clientless, browser-based SSL VPN access suits Web applications, but a softphone’s call signaling and RTP media need the SSL VPN’s network-layer tunnel mode rather than a browser session.
Avaya’s VPNRemote for 4600 Series software VPN client is
built directly into the Avaya IP telephone itself. This enhance-
ment enables you to plug in the Avaya IP phone and use it
seamlessly with any broadband Internet connection, such as
your home DSL or cable modem connection. You can then
experience the same IP telephone features — as if you were
using the phone in the office — simply by plugging the phone
into your home network.
External access

Remote access is more than just access to the enterprise network for employees; it also covers access to enterprise applications by others, including suppliers, partners, and customers. Such access provides competitive advantage by streamlining the order and fulfillment of goods and services. But when access to key enterprise applications is provided to users outside of the organization, the risk of security incidents rises with the number of people and systems you no longer control. That, together with the arrival of IP-based voice communications, makes network security a matter of vital importance.
Internal access

More than half of corporate virus problems originate from within the enterprise’s own network, through employees who inadvertently pass around infected files or USB drives, or who connect their laptops to unsecured home networks to work on that important proposal over the weekend. With more mobile employees in a company, the threat of picking up a virus from a laptop that moves back and forth between the office, home, hotels and open WiFi hotspots grows, and UAC/NAC becomes very important.
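What UAC/NAC actually decides when such a laptop reconnects is the four checks listed earlier in this chapter: identity, authorization, health, and a fast reaction when an admitted host turns hostile. The added example below (not code from this book, from Juniper Networks UAC or from Extreme Networks Sentriant) models those checks as a small admission policy engine with a post-admission quarantine. The user directory, phone inventory, VLAN names and posture thresholds are constructed for the example; a real deployment draws them from RADIUS/LDAP, LLDP-MED and an endpoint agent, and the password comparison stands in for the 802.1X/EAP exchange.

```python
"""Added example: the four NAC checks from this chapter as a small admission
policy engine with a post-admission quarantine.  Illustrative only: not code
from the book, from Juniper Networks UAC or from Extreme Networks Sentriant.
The user directory, phone inventory, VLAN names and posture thresholds are
constructed for the example."""
from dataclasses import dataclass, field
from typing import List, Optional

# Assumed policy: which VLAN each role lands on after a clean admission.
ROLE_VLAN = {"employee": "corp-data", "contractor": "guest", "ip-phone": "voice"}
QUARANTINE_VLAN = "remediation"   # reachable only by patch and AV servers (assumption)
MAX_SIGNATURE_AGE_DAYS = 3        # assumed posture threshold
REQUIRED_PATCH_LEVEL = 12         # assumed posture threshold

# Constructed identity stores (stand-ins for RADIUS/LDAP and a phone inventory).
USERS = {"alice": ("correct horse", "employee"), "bob": ("battery staple", "contractor")}
PHONES = {"00:04:0d:aa:bb:cc": "ip-phone"}


@dataclass
class Endpoint:
    mac: str
    user: Optional[str] = None          # None for a device that authenticates by identity alone
    password: Optional[str] = None      # stand-in for the 802.1X/EAP credential exchange
    av_signature_age_days: Optional[int] = None
    patch_level: Optional[int] = None
    firewall_on: bool = False


@dataclass
class Decision:
    vlan: Optional[str]                 # None means access denied outright
    reasons: List[str] = field(default_factory=list)


def authenticate(ep: Endpoint) -> Optional[str]:
    """Check 1: is the user or device who it claims to be?  Returns its role."""
    if ep.user is not None:
        entry = USERS.get(ep.user)
        if entry is not None and entry[0] == ep.password:
            return entry[1]
        return None
    return PHONES.get(ep.mac)          # known phone MAC (what LLDP-MED would confirm)


def posture_problems(ep: Endpoint) -> List[str]:
    """Check 3: is the host healthy?  Returns the list of failed checks."""
    problems = []
    if ep.av_signature_age_days is None or ep.av_signature_age_days > MAX_SIGNATURE_AGE_DAYS:
        problems.append("stale-av-signatures")
    if ep.patch_level is None or ep.patch_level < REQUIRED_PATCH_LEVEL:
        problems.append("missing-patches")
    if not ep.firewall_on:
        problems.append("host-firewall-off")
    return problems


def admit(ep: Endpoint) -> Decision:
    role = authenticate(ep)
    if role is None:
        return Decision(None, ["authentication-failed"])
    vlan = ROLE_VLAN.get(role)          # check 2: is this role allowed on the network?
    if vlan is None:
        return Decision(None, ["role-not-authorized"])
    if role == "ip-phone":
        # Phones run no posture agent; they are identified and confined to the
        # voice VLAN rather than health-checked (assumption for this example).
        return Decision(vlan, ["device-identity"])
    problems = posture_problems(ep)
    if problems:
        return Decision(QUARANTINE_VLAN, problems)   # admitted, but only to remediate
    return Decision(vlan, ["clean"])


class AccessController:
    """Tracks admitted sessions and performs check 4: react to a threat by
    moving the offending host out of the production VLAN at once."""

    def __init__(self):
        self.sessions = {}              # MAC -> VLAN currently assigned

    def connect(self, ep: Endpoint) -> Decision:
        decision = admit(ep)
        if decision.vlan is not None:
            self.sessions[ep.mac] = decision.vlan
        return decision

    def on_threat(self, mac: str) -> bool:
        """Called by IDS/IPS when a host starts scanning or spreading a worm."""
        if mac not in self.sessions:
            return False
        self.sessions[mac] = QUARANTINE_VLAN
        return True
```

A laptop with three-day-old antivirus signatures is not refused outright; it lands in the remediation VLAN where it can fetch updates and nothing else, which is the behavior users tolerate and worms do not. The contractor lands on the guest VLAN (Internet out, no business systems), and the phone is placed on the voice VLAN on the strength of its identity alone, since it cannot run a posture agent.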
Protecting the inside of the corporate network is where Extreme Networks’ Sentriant Appliance and Juniper Networks UAC and IPS/IDS (what Juniper Networks calls “IDP”) solutions can watch network traffic patterns and mitigate the effects of viruses and malicious traffic. Extreme Networks’ Sentriant AG also helps to ensure that devices on the network adhere to pre-defined security access policies.
Partnering for Better Protection

Companies on the cutting edge of converged networking need comprehensive security solutions, not piecemeal approaches. Technologies based on open standards, and market-leading products that can meet the changing network demands of today’s enterprise environments, give the best value. Avaya’s strategic relationships with Juniper Networks and Extreme Networks advance telecommunications and converged network capabilities, making Avaya the front-runner in today’s new offerings.

Juniper Networks and Extreme Networks provide state of the art protection against the increasing array of threats, protecting converged networks from internal and external risks. Avaya’s Global Security Consulting Services is your consulting partner whether you need risk assessment, policy development, or network and security architecture — all delivered by seasoned experts, who know Avaya and other brands of network hardware and software.

Chapters 2 and 3 describe Juniper Networks’ and Extreme Networks’ security approaches and solutions that may just knock your socks off! Chapter 4 aims to wow! you with Avaya’s security consulting services.