
Avaya SBCE behind corporate Firewall?


rgunther

Vendor
Aug 29, 2011
372
US
Hey guys... So we have an Avaya SBCE installed and up and working using a separate public internet connection from our corporate network. In looking at most of the deployment methods for the ASBCE they show the ASBCE being deployed behind the corporate firewall? Is this a requirement? What benefit does it give? The Avaya IPO systems are on our same local LAN, but again the SBCE is on a separate public internet connection. It would involve some pretty significant re-IPing and re-design to move behind our firewall, and just not sure what the benefit would be. Isn't the SBC a firewall in itself? Just wanted to get everyone's input and suggestions.

Thanks,
 
Yes, it's a firewall itself.

Read the security guide. Nothing is locked down by default. Someone can always try registering a thousand times a minute unless you set limits relative to number of people you have.

The SBC does have a config parameter where you put in how many remote workers you have and it dynamically generates best guesses around how many messages of each type should be allowed.

You're more than welcome to plug in a wire with a public IP on it. That's fine.

Enterprise deployments typically have all the public IPs hitting a firewall and some of those IPs are NATted to the SBC where the untrusted SBC interfaces have DMZ IPs. That's where in the Network Configuration part of the SBC for A1, B1, etc that you have a public IP you can map to each A1 or B1 IP to pleasantly work behind a NAT.

But that isn't required. You can still get a DSL modem with 1 WAN port out of it, plug it to your SBC and assign the public IP on the SBC's B1 interface and go on your merry way. There's no security risk there. The only security risk is if you don't lock down the SIP protocol stuff and that's true whether it's behind a firewall or not.
 
Putting the Avaya SBCE behind the customer firewall is always my recommendation. Besides all the technical points, I advise it just to have a clear demarcation point.

Freelance Certified Avaya Aura Engineer

 
Thanks guys... We currently do not have it behind our firewall, but have implemented routing based on URI Groups & User Agents. Also blacklisting unpermitted IP blocks as we see them. Also turned on "Use preferred ports" & "Avaya HTTP Agents Only" on our IP Office systems. Then I have also whitelisted only the URLs & files needed on my Reverse Proxy entries for the 46xxsettings file & certificates. Hopefully this is enough good measures to prevent unauthorized access.
 
Read the security guide.

DDoS Protection lets you define how many remote workers you have and it guesstimates how many SIP messages of each type should be allowed within a given interval.
Domain DDoS settings

Scrubber packages. Use 2 - it's for trunks/remote workers and 4 - it's for Avaya Remote Workers. Stops stuff if funny business is happening.
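To make the registration-flood point from the earlier reply and the per-method, per-interval limits described in this one concrete, here is an added example that is not from the thread and not Avaya's code. It implements a sliding-window counter over constructed SIP log lines: per source and per SIP method, it counts messages seen in the last N seconds and flags a source once it exceeds its allowance. The allowance is derived from a remote-worker count floored at 100 (the minimum mentioned later in the thread); the per-method multipliers are assumptions for illustration, not the SBCE's actual DDoS Protection formula.

```python
"""Sliding-window SIP message-rate check (illustrative, not Avaya SBCE code).

Demonstrates why a per-method limit matters: one phone re-registering on a
normal schedule never trips the counter, while a single source hammering
REGISTER does. Log format and thresholds below are constructed assumptions.
"""
from collections import defaultdict, deque
import re

# Constructed log format (assumption): "<epoch seconds> <source ip> <SIP method>"
LINE_RE = re.compile(r"^(\d+)\s+(\S+)\s+([A-Z]+)$")


def thresholds_for(remote_workers, minimum=100):
    """Derive a per-window allowance for each SIP method from the remote-worker
    count, floored at `minimum`. Multipliers are hypothetical, chosen only so
    the example has something to enforce."""
    n = max(remote_workers, minimum)
    return {"REGISTER": n * 2, "INVITE": n, "OPTIONS": max(n // 2, 1)}


def check_rates(log_text, limits, window_seconds=60):
    """Return a list of (source, method, timestamp) for every message that
    pushed a source past its per-method allowance within the window.
    Timestamps for a given (source, method) are assumed non-decreasing."""
    windows = defaultdict(deque)
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore anything that is not a log line we understand
        ts, src, method = int(m.group(1)), m.group(2), m.group(3)
        limit = limits.get(method)
        if limit is None:
            continue  # method has no configured limit
        q = windows[(src, method)]
        q.append(ts)
        # drop everything older than the window
        while q and q[0] <= ts - window_seconds:
            q.popleft()
        if len(q) > limit:
            alerts.append((src, method, ts))
    return alerts


def offenders(alerts):
    """Collapse alerts into {source: number of over-limit messages}."""
    counts = defaultdict(int)
    for src, _method, _ts in alerts:
        counts[src] += 1
    return dict(counts)


def build_sample_log():
    """Constructed sample: one phone (198.51.100.7) registering every 10 s for
    5 minutes plus one INVITE, and a second source (203.0.113.99) sending 250
    REGISTERs inside 25 seconds. Both addresses are documentation ranges."""
    lines = [f"{t * 10} 198.51.100.7 REGISTER" for t in range(30)]
    lines.append("120 198.51.100.7 INVITE")
    lines += [f"{100 + k // 10} 203.0.113.99 REGISTER" for k in range(250)]
    return "\n".join(lines)


if __name__ == "__main__":
    limits = thresholds_for(remote_workers=40)  # floored to 100 -> REGISTER 200
    hits = check_rates(build_sample_log(), limits)
    print(limits)
    print(offenders(hits))
```

With 40 remote workers the floor of 100 applies, so REGISTER is allowed 200 per 60-second window; the legitimate phone never has more than a handful in any window, while the flooding source trips the limit on its 201st message and each one after it. On a real SBC the response to crossing the threshold is whatever the DDoS Protection profile specifies; here the function only reports it.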
 
Thanks Kyle.

We have very few remote workers (<40). The minimum you can define on the DDoS Protection is 100, so I will go with that. I have not enabled scrubber packages, but will definitely look into it!
 

Some Avaya documents show a firewall before and after the SBCE and others connected direct to the internet.
 
Here is how mine is configured. Wondering if I should do something different.

[attached image: PF_Network_Topology_aupo1u.png]


ACSS
 
This is from the manual so I assume that the firewalls are only a demarcation point as the SBCE is behind a DMZ.

[attached image: Deploy_SBCE_6_kk3vku.jpg]
 