Avaya 555-245-600 User Manual

Security
230 Avaya Application Solutions IP Telephony Deployment Guide
 
Avaya capitalizes on Linux’ security advantage
The Avaya servers run the Linux operating system, which has two important security
features:
- Built-in protection against certain types of Denial of Service (DOS) attack, such as SYN
  floods, ping floods, malformed packets, oversized packets, sequence number spoofing,
  ping/finger of death, etc. Attacks are recognized at the lower levels of the software and
  their effect is blunted. (It is not possible for a target system to always provide service
  during a DOS attack. Rather, the protection is to automatically resume service as soon as
  the attack is removed.)
- The Linux kernel is compiled with a set of options to precisely tailor its operation to
  maximize security consistent with required operation of the system. These include a
  number of built-in firewall and filtering options. All file and directory permissions are set to
  minimize access as much as possible consistent with proper system operation. The disk
  drives of the S8700-series, S8500, and the S8300 Servers contain multiple partitions,
  each of which is restricted according to the type of data that it contains. All unneeded
  services are disabled either permanently or through administration for those services.
  Disabled services and capabilities include NFS, SMB, X-windows, rcp, rlogin, and rexec.
  The system administrator has additional control of which services are visible from the
  multiple Ethernet interfaces that are connected to the enterprise LAN. Other Ethernet
  interfaces are permanently configured to restrict services.
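
One way to check the disabled-services list on a running Linux host, as an added example that is not taken from the Avaya guide: the script flags listeners on the well-known ports of NFS, SMB, X-windows, rcp, rlogin, and rexec, and reports the address and interface each one is bound to. The port map, the function names, and the sample `ss -ltn` output are assumptions constructed for illustration.

```python
# Added example: flag listeners on ports of the services the guide lists as disabled.
# Port numbers are the IANA well-known assignments; names and sample data are assumptions.
DISABLED = {2049: "NFS", 139: "SMB", 445: "SMB",
            512: "rexec", 513: "rlogin", 514: "rcp"}  # rcp runs over rsh, 514/tcp
X11_PORTS = range(6000, 6064)  # X displays :0 through :63

# Constructed sample of `ss -ltn` output (not captured from an Avaya server).
SAMPLE = """\
State  Recv-Q Send-Q  Local Address:Port  Peer Address:Port
LISTEN 0      128           0.0.0.0:22         0.0.0.0:*
LISTEN 0      64               [::]:2049          [::]:*
LISTEN 0      5     192.0.2.10%eth1:513        0.0.0.0:*
LISTEN 0      128         127.0.0.1:6010       0.0.0.0:*
LISTEN 0      50                  *:5060             *:*
"""

def service_for(port):
    """Map a TCP port to the disabled service it belongs to, or None."""
    if port in X11_PORTS:
        return "X-windows"
    return DISABLED.get(port)

def find_listeners(ss_output):
    """Return sorted (service, address, interface, port) for flagged listeners."""
    findings = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue  # header line or a socket that is not listening
        # rpartition splits on the last colon, so IPv6 addresses stay intact.
        addr, _, port = fields[3].rpartition(":")
        if not port.isdigit():
            continue
        # ss appends %ifname when a socket is bound to one interface.
        addr, _, iface = addr.partition("%")
        service = service_for(int(port))
        if service:
            findings.append((service, addr.strip("[]"), iface, int(port)))
    return sorted(findings)

if __name__ == "__main__":
    for service, addr, iface, port in find_listeners(SAMPLE):
        where = f"{addr} on {iface}" if iface else addr
        print(f"{service:10} port {port:<5} bound to {where}")
```

A wildcard address (`0.0.0.0`, `[::]` or `*`) means the service is reachable on every interface, while a loopback-only X-windows port is commonly an SSH X11-forwarding listener rather than an X server.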
One-time passwords
Standard login accounts use static passwords that can be used multiple times to log in to a
system. Anyone who can monitor the login messages can also capture passwords, and use the
passwords to gain access. You can administer the Avaya servers for one-time password logins,
which have a fixed user name but not a fixed password. In this case, users must supply a unique,
one-time password for each session, and even if the password is compromised, it cannot be
reused. When a system is covered by an Avaya service contract, all logins that are accessed by
Avaya Services technicians are protected by one-time passwords.
Shell access
Access to a “shell” from which arbitrary commands can be executed is not granted by default to 
a login on an Avaya server. When a login is created, the system administrator can specify 
whether or not the account is permitted to have shell access. Accounts that are denied shell 
access can either log in to an Avaya Communication Manager administration screen or a Web 
page upon successful login. In both cases, the operations that these logins can perform are 
restricted. Generally, only people who perform hardware maintenance or software maintenance 
on the server need shell access permissions administered in their login accounts.