Network security requirements
Avaya makes the following security recommendations for all networks incorporating G700 Media Gateways:
- All portions of the system should reside behind a firewall. Different elements of the system may reside in separate network segments, but each segment should be protected by a firewall. All network elements must have routable addresses from segment to segment without address translation.
When address translation must be used (for example, to support a single Road Warrior PC logging in over a hotel's LAN, using the IP address owned by the hotel for the IPSEC packets) the VPN solution that performs address translation must support H.323 and translate the embedded IP addresses in the H.225 messages. Since encryption prevents translation at the firewall, the Road Warrior H.225 streams must not be encrypted by the endpoint or switch.
- Networks should employ switched ports throughout. Not only does this help QoS, but it greatly reduces opportunities for eavesdropping.
- If a G700 or an IP phone is placed outside of the protected corporate network, the firewall must be opened to allow UDP traffic to pass through as well as to allow dynamic port allocation (this weakens the firewall and is not desirable).
- Care must be taken in the installation of the TFTP server used to serve firmware to the various portions of the G700 system. TFTP is not a secure protocol. The TFTP server should be isolated so that only the minimum necessary data (for example, IP phone firmware) is present on it and the server provides only read access to the files it serves.
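One way to verify the TFTP recommendation above, as an added example that is not part of the Avaya documentation: a POSIX shell audit of a tftpd-hpa root directory. It assumes tftpd-hpa (whose --secure and --create options are real) and uses constructed placeholder files, not actual firmware.

```shell
#!/bin/sh
# Added example: checks a tftpd-hpa root against the recommendations above.
# tftpd-hpa's --secure (chroot into the served directory) and --create (let
# clients create new files) are real options; all sample data is constructed.

# audit_tftp_root DIR OPTIONS
#   DIR     - the directory tftpd serves (TFTP_DIRECTORY)
#   OPTIONS - the daemon's option string (TFTP_OPTIONS)
# Prints one line per finding; returns 0 only when there are none.
audit_tftp_root() {
    dir=$1; opts=$2; rc=0
    case " $opts " in                      # chroot confines path lookups to DIR
        *" --secure "* | *" -s "*) ;;
        *) echo "FINDING: --secure missing, tftpd is not confined to $dir"; rc=1 ;;
    esac
    case " $opts " in                      # firmware serving needs reads only
        *" --create "* | *" -c "*) echo "FINDING: --create set, clients may upload new files"; rc=1 ;;
    esac
    # without --create, uploads can still overwrite any file that is writable
    n=$(find "$dir" -type f -perm /022 | wc -l | tr -d ' ')
    [ "$n" -eq 0 ] || { echo "FINDING: $n group/world-writable file(s) under $dir"; rc=1; }
    # only firmware images belong on this server; anything else is excess data
    n=$(find "$dir" -type f ! -name '*.bin' | wc -l | tr -d ' ')
    [ "$n" -eq 0 ] || { echo "FINDING: $n non-firmware file(s) under $dir"; rc=1; }
    return $rc
}

# make_sample_root hardened|weak: builds a throwaway tree of constructed
# placeholder files (not real Avaya firmware) and prints its path.
make_sample_root() {
    root=$(mktemp -d)
    for img in phone-fw.bin gateway-fw.bin; do
        printf 'constructed placeholder\n' > "$root/$img"
    done
    chmod 644 "$root"/*.bin
    if [ "$1" = weak ]; then
        chmod 666 "$root/gateway-fw.bin"              # overwritable over TFTP
        printf 'stray data\n' > "$root/notes.txt"    # not firmware
        chmod 644 "$root/notes.txt"
    fi
    echo "$root"
}

# Demonstration on the constructed trees, not on a live server
good=$(make_sample_root hardened); weak=$(make_sample_root weak)
echo "hardened root:"; audit_tftp_root "$good" "--secure" && echo "  no findings"
echo "weak root:";     audit_tftp_root "$weak" "--secure --create" || echo "  exit status $?"
rm -rf "$good" "$weak"
```

On a real host, run `audit_tftp_root "$TFTP_DIRECTORY" "$TFTP_OPTIONS"` after sourcing /etc/default/tftpd-hpa, and adjust the `*.bin` pattern to the image names you actually serve.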