In this section:
The Sonus ASM operates in either of two modes:
By default, all ASMs are shipped in Appliance mode. Any customization will turn the ASM into Server mode. The only way to return into appliance mode is to re-initialize the ASM using the on-board capability via the WebUI.
The main risk for a server as a client computer is from a virus attack. A virus is a malware program that, when executed, replicates by inserting copies of itself (possibly modified) into other computer programs or data files. Viruses often perform some type of harmful activity on infected hosts, such as stealing hard disk space or CPU time, accessing private information, corrupting data, displaying political or humorous messages on the user's screen, spamming their contacts, or logging their keystrokes. However, not all viruses carry a destructive payload or attempt to hide themselves—the defining characteristic of viruses is that they are self-replicating computer programs which install themselves without the user's consent.
Malware uses human interaction to get into a computer and execute itself. The vector can be an email, a file downloaded on web site, a file hosted into a flash drive, or newly installed software. Limiting the human interaction on an embedded system significantly reduces this risk.
Network-related software can contain a bug introduced during the software design that will allow the network capability of this software to execute some unwanted action (breach). Keeping the software updated reduces this risk.
The SBA is a mission-critical box because it provides voice survivability to branch office users. Sonus has designed security for the SBA in partnership with Microsoft.
To reduce the attack surfaces of the Windows Server, Microsoft create some requirements for the SBA components, as well as recommending the use of a Security Configuration Wizard template provided by Microsoft to lock down the server and reduce the elements at risk of attack. These templates have been leveraged and customized by Sonus before being applied to the ASM module in order to enhance the security offered.
Sonus also implements architectural improvements within the SBA integration to improve the security of the SBA server still further and provide a true secured appliance.
In additon, Sonus recommends Sophos antivirus and ransomware protection for the ASM. See Installing Sophos Antivirus and Ransomware Protection on the ASM for details.
The following areas are the Microsoft security elements within the SBA that have been implemented on the Sonus platform in order to lock down and secure the server module, removing potential attack surfaces.
The Security Configuration Wizard template provided by Microsoft is a security policy created with SCW that configures services, network security, specific registry values, and audit policy. The Security Configuration Wizard template must be applied after the device has been deployed and all the applications have started.
The Security Configuration Wizard template performs the following tasks:
In addition to the above Security Template provided by Microsoft, Sonus has made the following enhancements to secure the SBA server even further:
The architectural implementation of the SBA server within the Sonus SBC platform also enhances the security of the deployed appliance by the following design factors:
As part of the ongoing commitment to provide partners and customers with software and security updates, Microsoft may release bug fixes or service packs as necessary to Sonus and customers to ensure a consistent and highly robust user experience. All updates will be free of charge and are covered by the Windows license agreement. Since the SBA has two major software components — Windows Server and Lync/Skype software components — the updates for each component will be released independently of one another, resulting in a faster time to release.
Microsoft frequently publishes updates to the Windows Server operating system. These updates are publicly available and can be downloaded and applied to the SBA should the customer wish to do so (and if found relevant).
Sonus provide additional checks for these update components by running checks, sanity tests, and performance controls and also by ensuring the SBA is compatible with the updates in question.
Every second Tuesday of each month, Sonus evaluates all patches published by Microsoft. If a patch is a Critical Windows Update that has potential for severe impact, Sonus releases a critical Bulletin and package within a week. Sonus delivers all the other updates on a 3-month cycle for the SBA. (Jan, Apr, July, Oct). Sonus starts building and testing on the second Tuesday of the month. Building and testing takes no more than 3 weeks. Once fully tested and verified by Sonus, a qualified update file will be posted on the Partner support portal for download. When loaded to the SBA, the system will continue to be supported in Appliance mode.
If you download and install a Microsoft update before Sonus has verified and tested it for use in Sonus products, the SBA will revert to Server mode.
Sonus provides updates and improvements of the Microsoft Security template in the same update pack.
SBA updates are posted on the Microsoft Update website and can be downloaded by anyone. Sonus provide additional checks for these Lync update components by running checks, sanity tesst, and performance control and also by ensuring the SBA is compatible with the updates in question.
Once fully tested and verified by Sonus, a qualified Lync update file will be posted on the Partner support portal for download. When loaded to the SBA, the system will continue to be supported in Appliance mode.
If you download and install a Microsoft update before Sonus has verified and tested it for use in Sonus products, the SBA will revert to Server mode.
It is the customer’s responsibility to use the tools available from Sonus and Microsoft to harden the SBA. Using all the security tools as well as keeping the ASM up to date with Sonus qualified update files will ensure ongoing security support. With the exception of applications listed under Approved Partner Solutions for ASM and Installing Sophos Antivirus and Ransomware Protection on the ASM, use of anti-virus or other customer security solutions on the SBA is not recommended by Sonus due to the low attack surface of the SBA that will render ineffective most of the services provided by such a security solution, and only adding overhead to the SBA performance.