Security
In VoIP, physical wire is replaced with an IP connection. The connection is more mobile. Unauthorized relocation of the IP telephone allows unauthorized users to send and receive calls as the valid owner. For further details on toll fraud, see the DEFINITY® or Avaya Communication Manager documents mentioned in Related Documents.
Any equipment on a data network, including a 4600 Series IP Telephone, can be the target of a Denial of Service attack. Usually, such an attack consists of flooding the network with so many messages that the equipment either:
- spends so much time processing the messages that legitimate tasks are not processed, or
- overloads and fails.
The 4600 Series IP Telephones cannot guarantee resistance to all Denial of Service attacks. However, each Release has increasing checks and protections to resist such attacks while maintaining appropriate service to legitimate users.
All 4600 Series IP Telephones that have WML Web applications and run R2.2 or greater software support Transport Layer Security (TLS). This standard allows the telephone to establish a secure connection to an HTTPS server, in which the telephone’s upgrade and settings file can reside. This setup adds security over the TFTP alternative.
You also have a variety of optional capabilities to restrict or remove how crucial network information is displayed or used. These capabilities are covered in more detail in Chapter 4: Server Administration, and include:
- As of Release 2.7, the 4602SW+ and 4625SW IP Telephones support IEEE 802.1X as a Supplicant with the EAP-MD5 authentication method. The functionality is identical to other 4600 Series SW IP Telephones supporting this feature.
- As of Release 2.6, SNMP is disabled by default. You must enable SNMP through DHCP or the 46xxsettings file.
- As of Release 2.6, the 4610SW, 4620SW, 4621SW, and 4622SW IP Telephones support IEEE 802.1X as a Supplicant with the EAP-MD5 authentication method. The modes supported are as follows:
  - Unicast Supplicant operation only with PAE multicast pass-through, with and without proxy Logoff, and
  - Unicast or multicast Supplicant operation without PAE multicast pass-through or proxy Logoff.
NOTE: The 4601 and 4601+ IP Telephones do not support 802.1X as a Supplicant.
- As of Release 2.3, 4600 Series H.323 IP Telephones support signaling channel encryption while registering, and when registered, with appropriately administered Avaya Media Servers.
- As of Release 2.0, a 4600 Series IP Telephone’s response to SNMP queries is restricted to only IP Addresses on a list you specify.
- As of Release 2.0, an SNMP community string is specified for all SNMP messages sent by the telephone.
- As of Release 1.8, dialpad access to Local Administration Procedures, such as specifying IP Addresses, is restricted by a password.
- Dialpad access to most Local Administration Procedures was removed.
- The end user’s ability to use a telephone Options application to view network data is restricted.