MiVoice Business on SMB Controller
SECURITY GUIDELINES
VERSION 1.0
MARCH 2023
NOTICE
The information contained in this document is believed to be accurate in all respects but is not warranted
by Mitel Networks™ Corporation (MITEL®). Mitel makes no warranty of any kind with regards to this
material, including, but not limited to, the implied warranties of merchantability and fitness for a particular
purpose. The information is subject to change without notice and should not be construed in any way as a
commitment by Mitel or any of its affiliates or subsidiaries. Mitel and its affiliates and subsidiaries assume
no responsibility for any errors or omissions in this document. Revisions of this document or new editions
of it may be issued to incorporate such changes.
No part of this document can be reproduced or transmitted in any form or by any means - electronic or
mechanical - for any purpose without written permission from Mitel Networks Corporation.
TRADEMARKS
The trademarks, service marks, logos and graphics (collectively "Trademarks") appearing on Mitel's
Internet sites or in its publications are registered and unregistered trademarks of Mitel Networks
Corporation (MNC) or its subsidiaries (collectively "Mitel") or others. Use of the Trademarks is prohibited
without the express consent from Mitel. Please contact our legal department at legal@mitel.com for
additional information. For a list of the worldwide Mitel Networks Corporation registered trademarks,
please refer to the website: http://www.mitel.com/trademarks.
© Copyright 2023, Mitel Networks Corporation
All rights reserved
TABLE OF CONTENTS
Overview
    New for this Release
About MiVoice Business on SMBC
    MiVB on SMBC - Security Controls
About the MiVB on SMBC Documentation Set
    MiVoice Business System Manual for Mitel SMB Controller
        Related Product Documentation Sets
    Product Security Documentation
        Product Security Guidelines
        Product Personal Data Protection and Privacy Controls documents
    MiVB on SMBC - Security Documentation
        MiVoice Business
        IP Phones and MiVoice Business Console
        MiVoice Border Gateway
        Mitel Performance Analytics
        CloudLink Gateway
        Mitel Standard Linux
Product Architecture
Networking Guidelines
    SMBC Ethernet Ports
        Ethernet Port 0 (Eth0)
        Ethernet Port 1 (Eth1)
        Ethernet Port 2 (Eth2)
    Network Deployment Rules
Management Tools - Security
    Mitel Standard Linux and Server Manager
        Server Manager – Administrative Access
        Server Manager – Network Security
        MSL – Additional Information
    Mitel Performance Analytics
    Mitel Border Gateway
        Mitel Border Gateway – Additional Information
    CloudLink Gateway
        CloudLink Gateway – Additional Information
    MiVoice Business
        Embedded System Management (ESM) - Security
        MiVoice Business – Additional Information
    SMB Controller Manager
        Controller Manager - Communications Security
        Controller Manager - User Accounts
MiVoice Business Console
Local Area Network (LAN) Security
    Network Access Security
    Using VLANs to Assist with Security
    Securing Traffic
    Securing IP Endpoints
    Prevention of Toll Abuse
Data Protection – General Recommendations
    Protection of Customer Data
    Protection of Communications Data
Software Patch Management Policy
Product Security Information
    Mitel Product Security Vulnerabilities
    Mitel Product Security Advisories
    Mitel Security Documentation
Disclaimer
MIVB ON SMBC - SECURITY GUIDELINES
Overview
This document will be of interest to personnel who are responsible for ensuring the secure deployment and
the secure operation of MiVoice Business (MiVB) when deployed on Mitel’s Small and Medium Business
Controller (SMBC) hardware platform.
This document provides an overview of the security controls that are available to protect the MiVB on
SMBC from network threats and maintain user data privacy.
Every organization should have a clearly defined IT security policy in place, defining goals, assets, trust
levels, processes and an incident handling procedure. The security mechanisms available in the MiVoice
Business on the SMBC solution should be covered by and configured according to this policy.
The MiVB on SMBC solution’s security controls are provided by the operating systems and the various
applications that are deployed on the SMBC.
Security is an integral part of the operating system and each application’s design. Detailed information
about the security controls is covered in the security documentation for the various applications and the
operating system.
When necessary, this document will refer the reader to the security documentation for the various
applications for more detailed information.
Mitel product documentation can be found on Mitel’s Document Center Web Site.
https://www.mitel.com/document-center
New for this Release
Version 1.0 of this document aligns with the introduction of the MiVB on SMBC solution.
About MiVoice Business on SMBC
Mitel® MiVoice Business is the brand name of the call-processing software that runs on several hardware
platforms: industry standard servers, virtual machines, and Mitel’s Small and Medium Business Controller
(SMBC).
This document is specific to the MiVB on SMBC solution. The MiVB on SMBC solution includes the
following Mitel applications and operating systems:
Applications
• MiVoice Business (MiVB) is a Mitel IP PBX / Call Control application.
• Mitel Border Gateway (MBG) is a Session Border Controller (SBC) for SIP trunks and phones, as
  well as for Mitel proprietary IP phones and applications.
• CloudLink Gateway is a technology that enables secure communications between the MiVB and
  Cloud based Unified Communication applications.
• Mitel Performance Analytics (MPA) is a cloud-based management tool that is hosted on Amazon
  Web Services (AWS). MPA is the administration tool that is accessible to the Mitel partner and the
  customer and supports secured encrypted access.
Operating Systems
• Mitel Standard Linux (MSL) is a customized version of the Linux operating system that provides
  a base for managed services and Mitel applications.
  o Server-Manager is a web-based administrator portal that the Administrator uses to
    manage MSL and the installed applications.
• Mitel Embedded Linux Software is a customized version of the Linux operating system that is
  specifically designed and optimized for use on the SMB Controller.
  o Controller Manager: Controller Manager is a web-based UI for configuring the SMB
    Controller.
The MiVB on SMBC applications have been designed with a security-by-design mindset; all of the various
applications have security features that address identity, authentication, encryption, access and
authorization.
The MiVB on SMBC applications have been designed in accordance with Mitel's Secure Development Life
Cycle (MiSDLC), for further details see the section called Secure Development Life Cycle in this document.
The security features of the various applications are either enabled in the system by default, enabled during
the installation/configuration phase of the system, or need to be enabled manually by the system
Administrator when the MiVB on SMBC system is initialized.
MiVB on SMBC - Security Controls
The security controls provided by the applications deployed on the SMBC are primarily based on the
following open standard technologies and management access controls:
• TLS – Transport Layer Security (TLS) provides:
  o Secure signaling between IP phones and MiVoice Business.
  o Secure signaling between remote IP phones and the MiVoice Border Gateway.
  o Secure access to the administration tools for managing the various applications.
  o Secure communications between the CloudLink platform and the Virtual Private Cloud.
• SSH - Secure Shell (SSH) provides secure console-based access to:
  o The MiVoice Business System Administration and configuration tools.
  o The MiVoice Border Gateway administration and configuration tools.
  o The SMB Controller Manager administration and configuration tool.
• SRTP - Secure Real-time Transport Protocol (SRTP) is used to protect:
  o The voice media streams between IP phones.
  o The voice media streams between IP phones and the MiVoice Business.
  o The voice media streams between remote IP phones and the MiVoice Border Gateway.
• Correct configuration of identity and access management policies covering all end user and
  administrator accounts, roles, permissions and password policies.
• OAuth2.0 (Open Authorization) may be used by voice mail to authenticate with other email
  applications such as Google Apps and Microsoft Office 365.
• S-LDAP – Secure LDAP may be used for connectivity from MiVoice Business to a customer’s
  Active Directory server.
Other mechanisms that can be employed to protect the MiVB on SMBC are based on the following:
• A securely designed corporate Local Area Network (LAN) infrastructure.
• Correct configuration of internal and external public facing routers and firewalls.
In addition to the security recommendations described in this document and in the applications
documentation, there are a number of general security aspects that should be addressed by the system
Administrator and/or the Information Technology (IT) security officer.
An important security measure is to establish and maintain physical security. Only authorized personnel
should have access to server locations since many data-exposure attacks can be mounted by having
physical access to a host. Further, the IT data infrastructure should be designed with security in mind,
security controls and protocols should be enabled, and all components of the whole system should be
correctly configured and maintained and updated as necessary.
About the MiVB on SMBC Documentation Set
Documents for Mitel® products are available on the Mitel Document Center web site.
https://www.mitel.com/document-center
The Mitel Document Center web site can also be accessed by anyone with a miaccess.mitel.com account
via the MiAccess Portal.
MiVoice Business System Manual for Mitel SMB Controller
This document should be used in conjunction with the document called MiVoice Business System Manual
for Mitel SMB Controller.
The MiVoice Business System Manual for Mitel SMB Controller covers the following topics:
• Product overview.
• Networking guidelines.
• Installation of hardware and software.
• Software upgrades.
• Maintenance and troubleshooting.
• Migration.
• Details about the Mitel applications associated with MiVB on SMBC.
Related Product Documentation Sets
For a complete list of Mitel product documentation related to MiVB on SMBC, refer to the Section called
Related Documents in the document MiVoice Business System Manual for Mitel SMB Controller.
Complete product installation, engineering and administration documentation related to the various
applications that are deployed on the MiVB on SMBC solution can be found on Mitel’s Document Center
web site.
https://www.mitel.com/document-center
Product Security Documentation
Security controls and features for specific applications and how to enable them are discussed in various
documents within the product documentation suite which includes product administration, management,
deployment, installation guides and security related documents.
The product Security Guidelines summarize all of the product’s security controls and features in one
document and provides the Administrator with security recommendations. The product Security Guidelines
also refers the Administrator to the appropriate sections of product documents for further details on specific
controls.
The product’s Personal Data Protection and Privacy Controls document identifies the personal data
collected, processed or transferred by the product. The Personal Data Protection and Privacy Controls
document also provides the Administrator with recommendations on how to secure the personal data and
refers the Administrator to the appropriate product documents for further details.
Additional product security information and recommendations may be found in Technical Papers, White
Papers and FAQs which are located on Mitel’s Document Center.
The following section provides an overview of the type of information that will be found in the Security
Guidelines and the Personal Data Protection and Privacy Controls document.
Product Security Guidelines
The product security guidelines are to be used in conjunction with the product’s documentation suite to
ensure the product is securely deployed and maintained. The product security guidelines provide detailed
information and recommendations on the following topics:
• The product’s architecture.
• An overview of the product’s security controls and features.
• How the administration interfaces are secured.
• Certificate management.
• Access controls and authentication controls.
• Audit trails and logs.
• LAN and WAN communications security.
• VoIP security.
Product Personal Data Protection and Privacy Controls documents
The Personal Data Protection and Privacy Controls documents are to be used in conjunction with the
product’s documentation suite to assist the customer with their data security regulations compliance
initiatives. The Personal Data Protection and Privacy Controls documents provide detailed information on
the following:
• Identification of personal data that is collected, processed, or transferred.
• How the product security features relate to data security regulations.
• Where the security feature is documented.
MiVB on SMBC - Security Documentation
To ensure that the MiVB on SMBC is securely deployed, operated and maintained, the Administrator
should be familiar with the information and the recommendations provided in the security documents that
are listed in this section.
MiVoice Business
• Mitel MiVoice Business – Security Guidelines.
• Mitel MiVoice Business – Personal Data Protection and Privacy Controls.
• MiVoice Business Secure Voice Communications.
• MiVoice Business Security FAQ.
IP Phones and MiVoice Business Console
• Mitel MiVoice 6900 Series IP Phones (MiNET) Personal Data Protection and Privacy Controls
  Version.
• Mitel 6800/6900 Series SIP Phones - Personal Data Protection and Privacy Controls.
• Mitel IP Sets Engineering Guidelines, refer to the section on Security.
• MiVoice Business Console Personal Data Protection and Privacy Controls.
• Mitel 6800/6900/6900w Series SIP Phones Administrator Guide.
• SIP-DECT Security Guidelines.
MiVoice Border Gateway
• MiVoice Border Gateway Personal Data Protection and Privacy Controls.
• MiVoice Border Gateway Engineering Guidelines.
• Security and the Mitel Teleworker Application Whitepaper.
Mitel Performance Analytics
• Mitel Performance Analytics Security Summary.
• Mitel Performance Analytics Best Practices.
CloudLink Gateway
• CloudLink Security.
• CloudLink Chat Security.
• CloudLink Security FAQ.
Mitel Standard Linux
• Mitel Standard Linux Security Technical Paper.
• MSL Installation and Administration Guide.
Product Architecture
The following diagram shows the architecture of the MiVB on SMBC solution: how the applications are
integrated and how the solution connects to networks and external devices.
As shown in the above diagram, the MiVoice Business on SMBC solution consists of the following
applications:
MiVoice Business: MiVoice Business is a Mitel call control / IP-PBX application that runs on several
hardware platforms including the SMB Controller platform.
MiVoice Border Gateway: The MiVoice Border Gateway (MBG) is a Session Border Controller (SBC)
for SIP trunks and SIP phones, as well as for Mitel proprietary IP phones and applications. The MBG
also provides a web and application proxy service to enable services to be securely accessed from a
remote location.
CloudLink Gateway: CloudLink Gateway is a technology that enables secure communication
between the on-premise MiVoice Business PBX and cloud-based applications.
Mitel Performance Analytics: Mitel Performance Analytics (MPA) is an optional blade that enables
communication with the Mitel Performance Analytics Cloud Service that is hosted on Amazon Web
Services (AWS) to provide users with real-time alerts, detailed reporting and secure remote access.
Mitel Standard Linux: Mitel Standard Linux (MSL) is an operating system that provides a base for a
suite of managed services and applications.
Server-Manager: Server Manager is a web-based administrator portal that provides the Administrator
with the means to manage the MSL Server and the installed applications.
Mitel Embedded Linux: Mitel Embedded Linux is a customized version of the Linux operating system
that is specifically designed and optimized for the SMB Controller. It is lightweight, easy to use and
maintain.
Controller Manager: Controller Manager is a web-based UI for configuring the SMB Controller.
Networking Guidelines
This section discusses networking guidelines that are specific to the MiVB on SMBC; additional networking
information and guidelines can be found in the product documentation for the SMBC applications.
SMBC Ethernet Ports
The MiVB on SMBC has three Gigabit Ethernet interfaces (Ethernet Ports 0, 1 and 2) which are accessible
via three RJ45 connectors located on the front panel of the SMBC. The three Gigabit Ethernet Ports are
labeled on the front panel as Eth0, Eth1 and Eth2.
The SMBC currently uses Ethernet Port 0 and Ethernet Port 1 only. Ethernet Port 2 is not used at this time,
but may be used in a future release of MiVB on SMBC.
Warning: The SMBC must never be directly connected to the Internet. To access the Internet, SMBC
Ethernet Port 1 must always connect to a firewall, which in turn connects to the Internet.
Warning: Ethernet Port 2 is not currently activated and it should never be connected to any network or
any device.
A description of the SMBC Ethernet ports follows, for detailed information refer to the MiVoice Business
System Manual for Mitel SMB Controller.
Ethernet Port 0 (Eth0)
Ethernet Port 0 is always used to connect the SMBC to the customer’s LAN.
Ethernet Port 0 provides connectivity to the following virtual interfaces using three statically programmed
internal IP addresses on the same subnet.
• MSL Server Manager and MiVoice Business including Embedded System Management (ESM).
• Mitel Border Gateway’s LAN Port.
• SMB Controller Manager.
Quality of Service (QoS)
The SMB Controller does not transmit VLAN tagged traffic, so Layer 2 (L2) Ethernet priority on outgoing
packets cannot be set. However, the SMB Controller does use DSCP to provide L3 priority information on
transmitted packets.
To ensure that L2 priority is utilized throughout the network, Ethernet Port 0 must be connected to a L2
Ethernet switch that is VLAN capable, and Ethernet L2 priority information and VLAN assignment must be
applied at the L2 Ethernet switch port that SMBC Ethernet Port 0 is connected to.
To ensure voice and video quality across a network, Mitel recommends that specific DSCP (L3) and
IEEE 802.1p (L2) Quality of Service (QoS) settings be used so that the networking equipment treats voice,
video and signaling packets with higher priorities than less critical traffic.
Following the QoS recommendations will help make voice, video and signaling traffic more resistant to a
Denial of Service (DoS) attack.
Mitel’s recommended QoS values for L2 and L3 are shown in the following table. For additional information
related to QoS refer to the MiVoice Business Engineering Guidelines, the Mitel IP Sets Engineering
Guidelines and Network Engineering for IP Telephony.
Mitel Service Class        Recommended L2 Values   Recommended L3 Values
Telephony (Voice Media)    6                       46 (EF)
Signaling (MiNET)          3                       24 (CS3)
Multimedia Conferencing    4                       34 (AF41)
Standard                   0                       0 (DF) (BE)
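To make the table concrete, here is an added Python example (not from the Mitel document) that encodes the recommended DSCP values into the IP TOS / Traffic Class byte, encodes the 802.1p value into an 802.1Q tag, and checks a packet’s markings against the recommendation for its service class. Because the SMBC itself sends untagged frames, the check also flags an untagged frame for a class that needs an L2 priority, which is exactly the marking the access switch on Ethernet Port 0 has to apply. The packet samples at the bottom are constructed for illustration.

```python
# Added example, not part of the Mitel document. Service-class names and the
# recommended L2/L3 values come from the table above; packet samples are constructed.

# Mitel service class -> (recommended 802.1p PCP, recommended DSCP)
RECOMMENDED = {
    "Telephony (Voice Media)": (6, 46),  # EF
    "Signaling (MiNET)":       (3, 24),  # CS3
    "Multimedia Conferencing": (4, 34),  # AF41
    "Standard":                (0, 0),   # DF / best effort
}


def dscp_to_tos(dscp: int, ecn: int = 0) -> int:
    """DSCP occupies the upper 6 bits of the IPv4 TOS (IPv6 Traffic Class) byte; ECN the lower 2."""
    if not 0 <= dscp <= 63 or not 0 <= ecn <= 3:
        raise ValueError("DSCP must be 0..63 and ECN 0..3")
    return (dscp << 2) | ecn


def tos_to_dscp(tos: int) -> int:
    """Recover the DSCP from a TOS / Traffic Class byte as seen on the wire."""
    return (tos >> 2) & 0x3F


def build_tci(pcp: int, vid: int, dei: int = 0) -> int:
    """802.1Q Tag Control Information: 3-bit PCP (the 802.1p priority), 1-bit DEI, 12-bit VLAN ID."""
    if not 0 <= pcp <= 7 or not 0 <= vid <= 4095 or dei not in (0, 1):
        raise ValueError("PCP 0..7, VID 0..4095, DEI 0 or 1")
    return (pcp << 13) | (dei << 12) | vid


def parse_tci(tci: int) -> tuple:
    """Split a TCI into (pcp, dei, vid)."""
    return (tci >> 13) & 0x7, (tci >> 12) & 0x1, tci & 0xFFF


def classify_by_dscp(dscp: int):
    """Map a DSCP value back to the Mitel service class it is recommended for (None if no match)."""
    for name, (_, rec_dscp) in RECOMMENDED.items():
        if rec_dscp == dscp:
            return name
    return None


def check_marking(service_class: str, tos: int, tci) -> list:
    """Return the discrepancies between a packet's markings and the recommendation.

    tci is None for an untagged frame, which is what leaves SMBC Eth0: the SMBC
    sends no VLAN tag, so the L2 priority has to be applied by the access switch.
    """
    rec_pcp, rec_dscp = RECOMMENDED[service_class]
    findings = []
    dscp = tos_to_dscp(tos)
    if dscp != rec_dscp:
        findings.append(f"DSCP {dscp} != recommended {rec_dscp}")
    if tci is None:
        if rec_pcp != 0:
            findings.append("frame untagged: L2 priority not set (switch port must tag and prioritise)")
    else:
        pcp, _, _ = parse_tci(tci)
        if pcp != rec_pcp:
            findings.append(f"802.1p PCP {pcp} != recommended {rec_pcp}")
    return findings


if __name__ == "__main__":
    # Constructed samples: a voice packet the switch tagged correctly, a signaling
    # packet whose DSCP is right but whose PCP was left at 0, and an untagged
    # voice frame as it leaves the SMBC. VLAN 100 is an arbitrary example value.
    samples = [
        ("Telephony (Voice Media)", dscp_to_tos(46), build_tci(6, 100)),
        ("Signaling (MiNET)", dscp_to_tos(24), build_tci(0, 100)),
        ("Telephony (Voice Media)", dscp_to_tos(46), None),
    ]
    for cls, tos, tci in samples:
        print(f"{cls}: {check_marking(cls, tos, tci) or 'OK'}")
```

The untagged case is the one to watch on a real deployment: a capture on the SMBC side of the link will always show DSCP only, so the 802.1p value must be verified on the switch port (or on a mirror of its uplink), not on the SMBC.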
Ethernet Port 1 (Eth1)
The Mitel Border Gateway WAN port is routed from within the SMBC to Ethernet Port 1.
To provide the MBG WAN port with access to the Internet, Ethernet Port 1 must be connected to a firewall,
which in turn connects to the Internet.
Warning: Ethernet Port 1 must never be directly connected to the Internet.
Ethernet Port 1 provides connectivity to the Mitel Border Gateway’s WAN port which requires one static IP
address from the ISP.
Ethernet Port 2 (Eth2)
Ethernet Port 2 is not used and must not be connected.
Network Deployment Rules
Network deployment rules and networking scenarios specific to the MiVB on SMBC are discussed in the
MiVoice Business System Manual for Mitel SMB Controller.
Management Tools - Security
Mitel Standard Linux and Server Manager
Mitel Standard Linux (MSL) is an operating system and server solution that provides a base for a suite of
managed services and applications delivered from the Mitel Applications Management Center (AMC).
Server Manager is a web-based control panel for performing MSL administrative tasks such as installing
applications, configuring the server and its optional features, and managing available services.
Server Manager is used to install and upgrade the blade applications, including:
• MiVoice Business (MiVB).
• MiVoice Border Gateway (MBG).
• CloudLink Gateway (CLGW).
• Mitel Performance Analytics (MPA) Probe.
Server Manager – Administrative Access
The Administrator password (or System password) is used to access the Server Manager and the server
console as the "admin" user and the Linux shell as the "root" user.
• Choose a secure, non-trivial password that is at least eight characters in length and contains a mix of
  numbers, upper and lower case letters, and punctuation characters.
• After you have entered and confirmed the password, the MSL software examines the password for
  strength. If it is found to be weak, you are offered the chance to change it.
• It is recommended that passwords be changed on a regular basis.
• Server Manager login is protected from brute force password attacks. By default, six consecutive
  failed login attempts within a 10-minute period lock out the source IP address of the client for 30
  minutes.
Warning
The MSL admin account is separate from the SMB Controller Manager admin account. Changes to the
"admin" password in MSL are not reflected in SMB Controller Manager (and vice versa).
It is the responsibility of the customer to manually maintain the passwords, and to ensure that the
passwords are updated as per their organizational policies.
Server Manager – Network Security
• By default, Server Manager is accessible only from the local area network (LAN). To extend access
  privileges to other networks, you must program them; for instructions refer to the Mitel Standard
  Linux Installation and Administration Guide.
• Access to Server Manager is only possible via an encrypted connection, using SSL (https).
• Access to Server Manager must be permitted, and it is recommended that access be restricted to
  designated management IP address(es) and not be possible from the public network (Internet). For
  details regarding access from remote networks, refer to the MiVoice Business System Manual for
  Mitel SMB Controller and the Mitel Standard Linux Installation and Administration Guide.
• If remote access to Server Manager was used to install MSL, it is recommended that SSH access be
  disabled once MSL has been successfully installed on the SMBC and Server Manager is accessible
  via the MSL IP address.
MSL – Additional Information
Refer to the Mitel Standard Linux Security Technical Paper for details on the following:
• Administrative access.
• Remote access.
• Secure shell settings.
• Password rules.
• Audit trails.
• MSL Hardening.
• Encryption of data in transit and data at rest.
• Certificates.
Mitel Performance Analytics
The Mitel Performance Analytics (MPA) probe is installed and initially managed on the SMBC with Server
Manager. Communications are secured via Server Manager’s security controls.
For details, refer to:
• The Mitel Performance Analytics Probe Installation and Configuration Guide.
• The MiVoice Business – System manual for SMB Controller.
Once installed, MPA is managed via its own management interface. Refer to the Mitel Performance
Analytics Security Summary for information related to:
• Data storage.
• Audit logs.
• Two-factor authentication.
• Security for Remote access connections.
• Amazon Web Services security practices.
• Mend scans of MPA.
Mitel Border Gateway
Mitel Border Gateway (MBG) is installed and managed on the SMBC with Server Manager, and MBG
management access and communications are secured via Server Manager’s security controls. The MBG is
always installed in the dual network interface configuration on SMBC (AKA Server-Gateway mode).
For details refer to the Mitel Border Gateway Installation and Maintenance Guide and the MiVoice Business
– System manual for SMB Controller.
Mitel Border Gateway – Additional Information
Refer to the Mitel Border Gateway Installation and Maintenance Guide and Engineering Guidelines for
details on the following security features:
• Firewall requirements.
• Remote proxy services.
• Certificates.
• Audit logs.
CloudLink Gateway
The CloudLink Gateway is installed and managed on the SMBC with Server Manager, and communications
are secured via Server Manager’s security controls.
For details refer to the MiVoice Business – CloudLink Integration with MiVoice Business Deployment Guide
and the MiVoice Business – System manual for SMB Controller.
CloudLink Gateway – Additional Information
The following CloudLink Gateway documents cover security information:
• CloudLink Accounts:
  o Managing accounts.
  o Managing users.
  o User roles and privileges.
  o Logs and call traces.
• CloudLink Gateway:
  o Administrative and Customer accounts.
  o Best practices for site deployments.
  o Networking information.
  o IP Port tables.
• CloudLink Security:
  o Access Control.
  o Incident management.
  o Encryption.
MiVoice Business
MiVoice Business is installed on the SMBC with Server Manager, and initial management access and
communications are secured via Server Manager’s security controls. The MiVoice Business is isolated from
the Internet by the customer’s firewall and the MBG. For details refer to the MiVoice Business – System
manual for SMB Controller.
Once MiVoice Business has been installed on the SMBC, management and administration of MiVoice
Business is performed via the MiVoice Business Embedded System Management (ESM) tool.
Embedded System Management (ESM) - Security
To ensure privacy and maintain system integrity, access to the MiVoice Business is restricted by a login
password to those users that can be identified and authenticated.
Users logging in to the System Administration Tool for the first time after installation are required to change
the default password. The password strength and the user session inactivity timer are both configurable.
If a user fails to log in after three consecutive attempts, the event is recorded in the maintenance log and
the user is locked out of the system for 15 minutes.
Transport Layer Security protocol (TLS) is used to encrypt the data on the connection between the
Administrator’s computer and the ESM tool. Access to ESM should be limited to LAN networks.
MiVoice Business – Additional Information
For additional details regarding the MiVB’s extensive security controls, refer to the:
• MiVoice Business Security Guidelines.
• MiVoice Business Personal Data Protection and Privacy Controls.
• MiVoice Business System Administration Tool Help files.
SMB Controller Manager
The SMB Controller Manager (CM) is a pre-installed web-based configuration tool available on the
SMB Controller, independent of any installed call control application or other software applications. CM
offers a simple, user-friendly interface and online help for configuration and maintenance tasks. For
details on using CM to configure the SMBC, refer to the MiVoice Business – System manual for SMB
Controller.
Controller Manager - Communications Security
All Controller Manager communications between the PC and the SMBC are encrypted with:
• TLS 1.2 (HTTPS)
• OpenSSH_8.2p1 (SSH)
Controller Manager communicates via the following IP ports.

Service                     | Link Type & Directionality | Port and Protocol | Initial data sent from peer to peer | Port Status | Usage (Default Condition)
HTTPS (Secure Transmission) | PC -> SMBC                 | 8443 (TCP)        | PC -> SMBC                          | Open        | Used for Embedded Linux administration
Find My SMBC (HTTP)         | PC -> SMBC                 | 8888 (TCP)        | PC -> SMBC                          | Open        | Used for discovering the SMBC on the same segment

Note that Find My SMBC on port 8888 is unencrypted HTTP intended only for discovering the SMBC on the
local segment, so it should not be reachable from outside the management network.
Controller Manager - User Accounts
The SMB Controller Manager has two user accounts. One is the Normal Mode account, which is used for
initial access when the SMB Controller is first started up and runs in normal mode; this account is also
used to install MSL.
The other account is the Emergency Mode account and is used when, for any reason, the SMB Controller
software is not running correctly, and the SMB Controller has to start up in Emergency Mode.
Normal Mode User Account
To access SMB Controller Manager the first time in Normal Mode:
• The default username is ‘admin’
• The default password is ‘admin’
Warning: To prevent unauthorized access to Controller Manager, it is necessary to change the default
username and password during the first login.
Warning: The MSL admin account is separate from the SMB Controller Manager admin account. Changes to
the "admin" password in MSL are not reflected in SMB Controller Manager (and vice versa).
CAUTION: It is the responsibility of the customer to maintain the passwords manually.
It is not possible to recover a forgotten SMB Controller Manager Admin password. The only way to recover
the SMB Controller is to put the system into Emergency Mode via the CRTL button, log in to the
Controller Web UI using the root/root (username/password) credentials, and then initiate a Factory Reset. A
factory reset removes all data, including all installed blades and applications.
For further details, refer to the MiVoice Business System manual for SMB Controller.
Controller Manager - Access and Identity Controls
To ensure privacy and maintain system integrity, access to Controller Manager is restricted by a login
password to users that can be identified and authenticated.
The usernames and passwords are stored as salted MD5 hashes on the SMBC platform. Salted MD5 is a
fast hash with limited resistance to offline guessing, so the password rules below and keeping Controller
Manager off untrusted networks carry more of the protection than the hash itself.
If an administrative user login fails, the event is recorded in the SMB Controller Manager event log.
There is no event log entry for a valid administrative user login, except when a parallel valid
administrative user login takes place from another IP address.
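The two login events worth alerting on, the ESM lockout (three consecutive failures, 15-minute lockout) described earlier and the parallel valid login from another IP address that the Controller Manager event log records, can be replayed from exported log lines. The following is an added example, not Mitel code; the log line format it parses is constructed for illustration and is not the product's maintenance-log or event-log format, so parse_line() would need adapting to the real export.

```python
"""Detection logic for the two login events described above: repeated failed
logins (ESM locks the account for 15 minutes after three consecutive failures)
and a valid Controller Manager login arriving from a second IP address while a
session for the same user is already active. Added example, not Mitel code.
The log line format is constructed for illustration and is not the product's
maintenance-log or event-log format; adapt parse_line() to the real one."""
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional, Set, Tuple

LOCKOUT_THRESHOLD = 3                      # consecutive failures, per the guide
LOCKOUT_DURATION = timedelta(minutes=15)   # lockout period, per the guide

# Constructed format: "<ISO-8601 UTC> login user=<name> src=<ip> result=OK|FAIL"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) login user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>OK|FAIL)$"
)

@dataclass
class UserState:
    failures: int = 0                                        # consecutive failures so far
    locked_until: Optional[datetime] = None                  # lockout expiry, if locked
    active_sessions: Set[str] = field(default_factory=set)   # source IPs with a live session

def parse_line(line: str) -> Tuple[datetime, str, str, str]:
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
    return ts, m["user"], m["src"], m["result"]

def analyse(lines) -> List[Tuple[datetime, str, str, str]]:
    """Replay login events in order; return (timestamp, alert, user, src) tuples."""
    states = {}
    alerts = []
    for line in lines:
        ts, user, src, result = parse_line(line)
        st = states.setdefault(user, UserState())
        if st.locked_until is not None:
            if ts < st.locked_until:
                # Attempts while locked out are a guessing signature, not an admin's:
                # the account cannot be used yet, so the sender is still trying.
                alerts.append((ts, "ATTEMPT_DURING_LOCKOUT", user, src))
                continue
            st.locked_until = None     # lockout expired: start counting afresh
            st.failures = 0
        if result == "FAIL":
            st.failures += 1
            if st.failures >= LOCKOUT_THRESHOLD:
                st.locked_until = ts + LOCKOUT_DURATION
                alerts.append((ts, "LOCKOUT", user, src))
        else:
            st.failures = 0
            # The event log records a valid login only when a parallel valid login
            # exists from another IP address; surface exactly that case.
            if st.active_sessions and src not in st.active_sessions:
                alerts.append((ts, "PARALLEL_LOGIN_OTHER_IP", user, src))
            st.active_sessions.add(src)
    return alerts

# Constructed sample: one good admin login, a burst of failures from an outside
# address, one more try during the lockout, then a login from a second LAN host.
SAMPLE_LOG = [
    "2023-03-14T09:00:00Z login user=admin src=10.10.5.20 result=OK",
    "2023-03-14T09:05:00Z login user=admin src=203.0.113.9 result=FAIL",
    "2023-03-14T09:05:10Z login user=admin src=203.0.113.9 result=FAIL",
    "2023-03-14T09:05:20Z login user=admin src=203.0.113.9 result=FAIL",
    "2023-03-14T09:06:00Z login user=admin src=203.0.113.9 result=FAIL",
    "2023-03-14T09:30:00Z login user=admin src=10.10.5.21 result=OK",
]

if __name__ == "__main__":
    for ts, alert, user, src in analyse(SAMPLE_LOG):
        print(f"{ts.isoformat()} {alert:<24} user={user} src={src}")
```

Sessions in this model never close; in practice a session should be dropped from active_sessions when the configurable inactivity timer expires or a logout is logged, otherwise every later login from a new address is reported.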
Password rules for the accounts are as follows:
• A password must consist of a minimum of 8 and a maximum of 255 characters.
• Unlike usernames, the passwords are case sensitive.
• The password must contain at least one uppercase letter A – Z.
• The password must contain at least one lowercase letter a – z.
• The password must contain at least one digit 0 – 9.
• The password must contain at least one of the following special characters:
  ?, /, <, >, -, +, *, #, =, full stop, comma, or space.
• German umlauts (for example, ä, ö, ü) and other diacritical characters (for example, é, à, â) are not
  permitted.
• The default password “password” is not permitted.
• The password must not be the same as the username.
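The rules above can be checked before a password is set on the SMBC, or used to audit a password policy. The following validator is an added example, not Mitel code, and does not call any Controller Manager interface; where a rule leaves room for interpretation (which non-ASCII characters are rejected, whether the username comparison ignores case) it takes the stricter reading and says so in a comment.

```python
"""Validator for the Controller Manager password rules listed above. Added
example, not Mitel code: it re-implements the published rules so a candidate
password can be checked (or a policy audited) before it is set on the SMBC; it
does not call any Controller Manager interface."""
from typing import List

MIN_LEN, MAX_LEN = 8, 255
# ?, /, <, >, -, +, *, #, =, full stop, comma, space
REQUIRED_SPECIALS = set("?/<>-+*#=., ")

def password_problems(password: str, username: str) -> List[str]:
    """Return every rule the candidate password breaks; an empty list means acceptable."""
    problems = []
    if not MIN_LEN <= len(password) <= MAX_LEN:
        problems.append(f"length must be between {MIN_LEN} and {MAX_LEN} characters")
    if not any("A" <= c <= "Z" for c in password):
        problems.append("must contain an uppercase letter A-Z")
    if not any("a" <= c <= "z" for c in password):
        problems.append("must contain a lowercase letter a-z")
    if not any("0" <= c <= "9" for c in password):
        problems.append("must contain a digit 0-9")
    if not any(c in REQUIRED_SPECIALS for c in password):
        problems.append("must contain one of ? / < > - + * # = . , or space")
    # Umlauts and other diacritics are not permitted. The guide gives examples
    # rather than a full set, so (assumption) every non-ASCII character is rejected.
    if any(ord(c) > 0x7F for c in password):
        problems.append("umlauts, accented letters and other non-ASCII characters are not permitted")
    if password.lower() == "password":
        problems.append('the default password "password" is not permitted')
    # Passwords are case sensitive but usernames are not, so (assumption) the
    # comparison with the username ignores case: "Admin" still equals user admin.
    if password.lower() == username.lower():
        problems.append("must not be the same as the username")
    return problems

def is_acceptable(password: str, username: str) -> bool:
    return not password_problems(password, username)

if __name__ == "__main__":
    for candidate in ("admin", "Mitel2023!", "Zürich-2023", "Mitel-2023"):
        print(f"{candidate!r}: {password_problems(candidate, 'admin') or 'OK'}")
```

Note that "!" and other ASCII punctuation outside the listed set do not satisfy the special-character rule, which is why "Mitel2023!" is rejected while "Mitel-2023" passes.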
Emergency Mode User Account
For further information about Emergency Mode and why the Administrator would need to enable it, refer
to the MiVoice Business System manual for SMB Controller.
To access SMB Controller Manager in emergency mode:
• The username is ‘admin’
• The password is ‘admin’
Important Warnings
The default password for the Emergency Mode user account cannot be changed, and Controller Manager
should never be shut down or disabled.
Controller Manager must remain active at all times in case a situation arises:
• Where the SMB Controller software is not running correctly. In such a situation the SMBC has to be
  started up with Controller Manager via the Emergency Mode account.
• Where the SMBC applications and operating system need to be reinstalled. In such a situation the
  Administrator will need to use Controller Manager via the Normal Mode account.
For further details regarding Controller Manager accounts, refer to the MiVoice Business – System manual
for SMB Controller.
Important Security Recommendations
To minimize any security risks associated with Controller Manager, the Administrator should comply with the
following recommendations:
• For management purposes, the Administrator should create a secure management network,
  meaning a network that is accessible only to authorized administrative users.
• The Administrator must ensure that Controller Manager is only accessible from the secure
  management network within the customer’s LAN.
• Controller Manager should never be made accessible via a remote network.
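Whether the recommendations above actually hold can be checked against the firewall policy in front of the SMBC, using the two Controller Manager ports from the table earlier (8443/TCP for the HTTPS interface, 8888/TCP for Find My SMBC). The following is an added example, not Mitel tooling: the rule tuples are a constructed first-match abstraction of a typical ACL, and 10.10.5.0/24 (management network), 10.10.20.33 (a user LAN host) and 203.0.113.9 (an Internet host) are example addresses chosen for illustration.

```python
"""Check that the Controller Manager ports (8443/TCP HTTPS, 8888/TCP Find My
SMBC) are reachable only from the secure management network. Added example,
not Mitel tooling: rules are a constructed first-match abstraction of a
firewall ACL and all addresses are examples."""
import ipaddress
from typing import List, Optional, Tuple

CONTROLLER_MANAGER_PORTS = {8443: "Controller Manager HTTPS", 8888: "Find My SMBC (HTTP)"}

# A rule is (source network, destination TCP port or None for any, "allow" | "deny");
# rules are evaluated top to bottom and the first match wins.
Rule = Tuple[str, Optional[int], str]

def first_match(rules: List[Rule], src_ip: str, dst_port: int) -> str:
    """Action of the first rule matching (src_ip, dst_port); implicit deny otherwise."""
    src = ipaddress.ip_address(src_ip)
    for net, port, action in rules:
        if src in ipaddress.ip_network(net) and (port is None or port == dst_port):
            return action
    return "deny"

def exposure_report(rules, mgmt_net, probe_sources):
    """Dynamic check: which non-management probe sources can reach a CM port?"""
    mgmt = ipaddress.ip_network(mgmt_net)
    findings = []
    for src_ip in probe_sources:
        if ipaddress.ip_address(src_ip) in mgmt:
            continue                      # management hosts are allowed by design
        for port, name in CONTROLLER_MANAGER_PORTS.items():
            if first_match(rules, src_ip, port) == "allow":
                findings.append((src_ip, port, name))
    return findings

def overbroad_allows(rules, mgmt_net):
    """Static check: allow rules whose source is not inside the management network
    and that cover a CM port (explicitly or via 'any port'). A rule shadowed by an
    earlier deny is still reported; a rule that can never match is worth removing."""
    mgmt = ipaddress.ip_network(mgmt_net)
    return [
        (net, port, action)
        for net, port, action in rules
        if action == "allow"
        and not ipaddress.ip_network(net).subnet_of(mgmt)
        and (port is None or port in CONTROLLER_MANAGER_PORTS)
    ]

MGMT_NET = "10.10.5.0/24"
PROBES = ["10.10.5.20", "10.10.20.33", "203.0.113.9"]  # mgmt host, user LAN host, Internet

# Weak: the HTTPS interface was opened to "any" for remote support.
WEAK_RULES: List[Rule] = [
    ("10.10.5.0/24", None, "allow"),
    ("0.0.0.0/0", 8443, "allow"),
    ("0.0.0.0/0", None, "deny"),
]
# Hardened: only the management network reaches the two CM ports; everything else is dropped.
HARDENED_RULES: List[Rule] = [
    ("10.10.5.0/24", 8443, "allow"),
    ("10.10.5.0/24", 8888, "allow"),
    ("0.0.0.0/0", None, "deny"),
]

if __name__ == "__main__":
    for label, rules in (("weak", WEAK_RULES), ("hardened", HARDENED_RULES)):
        print(label, exposure_report(rules, MGMT_NET, PROBES), overbroad_allows(rules, MGMT_NET))
```

The probe-based check only tests the addresses it is given, so the static check is the one that catches an "any" source hidden in a long ruleset; running both against the exported policy after every firewall change keeps the "never accessible via a remote network" recommendation verifiable rather than assumed.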
MiVoice Business Console
The MiVoice Business Console provides security-related features that allow customers to secure user data
and telecommunications data and to prevent unauthorized access to the user's data.
Refer to the MiVoice Business Console Personal Data Protection and Privacy Controls document for details
on the following security features:
• System access and authorization controls.
• Password controls and password encryption.
• Communications protection for voice streaming and user messaging.
• Data protection.
For communications security, the voice (media) and signaling paths between the MiVoice Business
Console (MiVoice Business-C) and the MiVoice Business should be encrypted.
To ensure that the communication paths between the MiVoice Business-C and the MiVoice Business are
secured, the administrator needs to run the MiVoice Business-C Configuration Wizard when the MiVoice
Business-C is first installed or when an upgrade is taking place. For details refer to the MiVoice Business-C
Installation Guide and the MiVoice Business Security Guidelines.
For a list of the security controls available for the MiVoice Business Console, refer to the MiVoice Business
Console Personal Data Protection and Privacy Controls and the IP Sets Engineering Guidelines.
Local Area Network (LAN) Security
The MiVoice Business on SMBC solution, the IP phones, and associated networking infrastructure
communicate using the customer’s Local Area Network (LAN).
Network Access Security
It is recommended that the Ethernet LAN switches used to provide IP phones with LAN connectivity be
managed, enterprise-grade switches that include integrated access control measures. It is also
recommended that the system administrator ensure that the switch access control measures are properly
configured and maintained.
Wireless networks should also employ access control measures and user authentication mechanisms with
a minimum of WPA2 encryption and a separate SSID for voice applications. SSID to VLAN mapping is
recommended.
For additional information refer to the IP sets Engineering Guidelines.
Using VLANs to Assist with Security
To make eavesdropping attacks or Denial of Service attacks more difficult, or less effective, traffic on the
LAN should be grouped according to traffic types and trust levels. This can be achieved with the use of
Virtual LANs. VLANs can be used to segregate controller-to-controller signaling, controller-to-phone
signaling, and voice traffic.
When VLANs are used to provide isolation between traffic types, the solution becomes more robust
against virus-based attacks and network flooding attacks. In particular, if Voice over Internet Protocol
(VoIP) traffic is grouped into a single VLAN, and the nodes on this VLAN are strongly protected, a worm-based
attack causing network overload that originated on a node located on another VLAN might only
marginally affect the VoIP VLAN.
As an example, traffic types could be segregated as follows:
1. One VLAN grouping all of the call control engines together, MiVoice Business and 3300 ICPs
2. One or several VLANs grouping all of the IP phones together
3. One or several VLANs for supporting the data traffic
When the traffic types have been segregated by VLAN, hosts or devices belonging to different VLANs can
communicate only through a Layer 3 switch or router that connects the two VLANs. This means that
broadcast traffic is blocked across VLANs, preventing broadcast storms from propagating network wide.
Additionally, many modern routers offer Intrusion Detection/Prevention Systems (IDS/IPS), which are able to
detect and/or block more advanced types of attacks.
Securing Traffic
For recommendations on how to secure LAN traffic, refer to the MiVB Security Guidelines, which discuss
the following topics in detail:
• Securing controller to controller traffic.
• Controller to controller authentication.
• Streaming voice to a PSTN gateway.
• Streaming voice to a TDM connection.
• Streaming voice to voice mail, Record-A-Call and conferences.
Securing IP Endpoints
For recommendations on how to secure IP endpoints, refer to the MiVB Security Guidelines and the IP Sets
Engineering Guidelines, which discuss the following topics in detail:
• Network access authentication (802.1X).
• Phone authentication via call control.
• Encryption of voice and call signaling streams.
• Certificates.
• Wi-Fi security.
• Embedded voice mail.
Prevention of Toll Abuse
Any communication system that has a combination of Direct Inward System Access (DISA), integrated auto
attendant, Recorded Announcement Devices groups, an auto attendant or voice mail can be susceptible to
toll abuse. Therefore, it is important to assign appropriate telephone privileges and restrictions to devices.
In addition, publicly accessible telephones should be denied toll access unless authorized through an
attendant.
MiVoice Business provides comprehensive toll control as an integral part of the call control engine.
Refer to the MiVoice Business Security Guidelines for further information on the prevention of toll abuse.
Data Protection – General Recommendations
The following section provides the Administrator with general recommendations for protecting customer
data and privacy.
Protection of Customer Data
During operation the MiVB on SMBC solution records and stores customer data such as call data, personal
contacts and voice messages.
The Administrator should protect this data from unauthorized access by using restrictive access controls:
• For remote management use SRM (Secure IP Remote Management), or set up the IP network in
  such a way that from outside the LAN only authorised persons have access to the IP addresses of
  the MiVoice Business on SMBC applications.
• Restrict the number of user accounts to the minimum necessary and assign to the user accounts
  only those authorisation profiles that are actually required.
• Instruct system Administrators to open the remote maintenance access to the communication
  server only for the amount of time needed for access.
• Instruct users with access rights to change their passwords on a regular basis and manage the
  passwords in a secure manner.
Protection of Communications Data
The MiVoice Business on SMBC solution comprises features which allow calls to be monitored or recorded
without the call parties noticing. Inform your customers that these features can only be used in compliance
with national data protection provisions. Customers must be aware of local call recording legal
requirements.
Unencrypted phone calls made on the IP network can be recorded and played back by anyone with the
right resources. To protect data communications:
• Use encrypted voice transmission whenever possible, and make encryption the default setting.
• Use dedicated encrypted VPN, or private network connections, between different business
  locations on the same private network. This ensures secure connections in addition to the encryption
  on the end devices, such as IP or SIP phones.
• Use the MiVoice Border Gateway to connect Teleworker phones that are connected to the
  business via the Internet. Teleworker phones include a secure connection to and from the MiVoice
  Border Gateway and do not require a separate VPN (allowing simple installation and mobility).
Software Patch Management Policy
It is necessary for the administrator to ensure that the applications deployed on the MiVoice Business on
SMBC solution are always updated and equipped with all critical patches to guarantee the highest level of
security. Mitel has developed best practices for the management and installation of security patches
released by the operating system vendors aiming to guarantee the highest level of security and the correct
functioning of the system.
Product Security Information
Mitel Product Security Vulnerabilities
The Product Security Policy discusses how Mitel assesses security risks, resolves confirmed security
vulnerabilities, and how the reporting of security vulnerabilities is performed.
Mitel's Product Security Policy is available at: https://www.mitel.com/support/security-advisories/mitel-product-security-policy
Mitel Product Security Advisories
Mitel Product Security Advisories are available at: https://www.mitel.com/support/security-advisories
Mitel Security Documentation
Mitel security documentation includes product-specific Security Guidelines and Important Information for
Customer GDPR Compliance Initiatives and Data Protection and Privacy Controls. Mitel also has Technical
Papers and White papers that discuss network security and data centre security.
Mitel Product Security Documentation is available at: https://www.mitel.com/en-ca/document-center
Disclaimer
THIS SOLUTIONS ENGINEERING DOCUMENT IS PROVIDED “AS IS” AND WITHOUT WARRANTY. IN NO EVENT WILL
MITEL NETWORKS CORPORATION OR ITS AFFILIATES HAVE ANY LIABILITY WHATSOEVER ARISING FROM IN
CONNECTION WITH THIS DOCUMENT. You acknowledge and agree that you are solely responsible to comply with
any and all laws and regulations in association with your use of MiVoice Business and/or other Mitel products and
solutions including without limitation, laws and regulations related to call recording and data privacy. The
information contained in this document is not, and should not be construed as, legal advice. Should further
analysis or explanation of the subject matter be required, please contact an attorney.