The [company] ASM operates in either of two modes:

  • In Appliance mode, the SBA utilizes [company]'s solution to guarantee security and reliability. [company] fully supports the ASM (hardware and software).
  • In Server mode, the SBA is customized by the customer with a solution not tested or approved by [company]. Customization can be for functionality or security purposes. [company] does not know the impact of this customization and can therefore support only the hardware components.

By default, all ASMs are shipped in Appliance mode. Any customization will turn the ASM into Server mode. The only way to return to Appliance mode is to re-initialize the ASM using the on-board capability via the WebUI.

Security Risk for a Server

The main risk for a server as a client computer is from a virus attack. A virus is a malware program that, when executed, replicates by inserting copies of itself (possibly modified) into other computer programs or data files. Viruses often perform some type of harmful activity on infected hosts, such as stealing hard disk space or CPU time, accessing private information, corrupting data, displaying political or humorous messages on the user's screen, spamming their contacts, or logging their keystrokes. However, not all viruses carry a destructive payload or attempt to hide themselves—the defining characteristic of viruses is that they are self-replicating computer programs which install themselves without the user's consent.


Infection vectors

Human interaction

Malware uses human interaction to get into a computer and execute itself. The vector can be an email, a file downloaded from a web site, a file stored on a flash drive, or newly installed software. Limiting the human interaction on an embedded system significantly reduces this risk.

Software bugs

Network-related software can contain a bug introduced during the software design that will allow the network capability of this software to execute some unwanted action (breach). Keeping the software updated reduces this risk.

Security on the ASM Module for SBA

The SBA is a mission-critical box because it provides voice survivability to branch office users.

[company] has designed security for the SBA in partnership with Microsoft.

To reduce the attack surface of the Windows Server, Microsoft created some requirements for the SBA components and recommends the use of a Security Configuration Wizard template provided by Microsoft to lock down the server and reduce the elements at risk of attack. These templates have been leveraged and customized by [company] before being applied to the ASM module in order to enhance the security offered.

[company] also implements architectural improvements within the SBA integration to improve the security of the SBA server still further and provide a true secured appliance.

Microsoft Security

The following areas are the Microsoft security elements within the SBA that have been implemented on the [company] platform in order to lock down and secure the server module, removing potential attack surfaces.

Microsoft Requirement

  • Driver or software installation should not replace any Microsoft-authored system components and the driver must not bypass any Windows components.
  • For each driver, no errors can occur under the Driver Verifier facility provided with Windows. Poorly written kernel-mode drivers have the potential to cause the system to become unstable or stop working.
  • All drivers installed on the system must be signed.

Security Configuration Wizard Template

The Security Configuration Wizard template provided by Microsoft is a security policy created with SCW that configures services, network security, specific registry values, and audit policy. The Security Configuration Wizard template must be applied after the device has been deployed and all the applications have started.


The Security Configuration Wizard template performs the following tasks:

  • Disables unnecessary services.
  • Provides Windows Firewall with Advanced Security support.
  • Updates the registry to secure Windows components.

[company] Enhancements to the Microsoft Template

In addition to the above Security Template provided by Microsoft, [company] has made the following enhancements to secure the SBA server even further:

  • Disable RDP Printer Redirection
  • Disable the Schannel warning generated by a failed TLS connection
  • Disable administrative file sharing
  • Disable SSL v3 client
  • Disable SSL v3 server
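
A read-only way to audit these five settings on a Windows Server build is sketched below. It is an added example, not code from the vendor or from the Microsoft template: the registry paths and value names are the standard Windows locations and are assumptions here, since the page does not say how the template applies each setting (in particular, mapping the Schannel warning item to `EventLogging = 0` is assumed).

```powershell
# Added example: read-only audit of the five template enhancements listed above.
# The registry locations are the standard Windows ones and are an assumption;
# the page does not say how the template applies each setting.
$schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'
$checks = @(
    @{ Setting = 'RDP printer redirection disabled'
       Path    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
       Name    = 'fDisableCpm'; Expected = 1 }
    @{ Setting = 'Schannel event logging disabled'
       Path    = $schannel
       Name    = 'EventLogging'; Expected = 0 }
    @{ Setting = 'Administrative shares disabled'
       Path    = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
       Name    = 'AutoShareServer'; Expected = 0 }
    @{ Setting = 'SSL 3.0 client disabled'
       Path    = "$schannel\Protocols\SSL 3.0\Client"
       Name    = 'Enabled'; Expected = 0 }
    @{ Setting = 'SSL 3.0 server disabled'
       Path    = "$schannel\Protocols\SSL 3.0\Server"
       Name    = 'Enabled'; Expected = 0 }
)

function Test-HardeningSetting {
    param([hashtable]$Check)
    # A missing key or value means the OS default applies, so report it as not set
    # instead of guessing what that default is on this Windows version.
    $actual = $null
    try {
        $item   = Get-ItemProperty -Path $Check.Path -Name $Check.Name -ErrorAction Stop
        $actual = $item.($Check.Name)
    } catch { }
    [pscustomobject]@{
        Setting   = $Check.Setting
        Expected  = $Check.Expected
        Actual    = if ($null -eq $actual) { '<not set>' } else { $actual }
        Compliant = ($null -ne $actual) -and ($actual -eq $Check.Expected)
    }
}

$report = $checks | ForEach-Object { Test-HardeningSetting $_ }
$report | Format-Table -AutoSize
# Non-zero exit code lets a scheduled job or monitoring agent flag drift.
if ($report.Compliant -contains $false) { exit 1 }
```

The script only reads registry values and changes nothing; a value reported as `<not set>` means the setting is not explicitly configured and the Windows default for that version is in effect.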


[company] Architectural Security

The architectural implementation of the SBA server within the SBC platform also enhances the security of the deployed appliance by the following design factors:

Functional

  • All operations for deployment and maintenance of the SBA are completed through the SBC secured WebUI and do not require physical or remote access to the ASM module. This removes the human interaction vectors.
  • All communication between the SBC and SBA is internal to the SBC. This limits the risk of a software bug.
  • [company] does not install "Internet Information Services" and Internet Explorer. This limits the risk of a software bug.
  • Configuration of a Level 2 ACL within the SBC platform through the SBC secured WebUI. This limits the risk of a software bug.
  • Configuration of Windows Firewall through the secured SBC WebUI. This limits the risk of a software bug and removes the human interaction vectors.
  • All updates provided by [company] contain an MD5sum that is signed to ensure authenticity. This removes the human interaction vectors.

Support

As part of the ongoing commitment to provide partners and customers with software and security updates, Microsoft may release bug fixes or service packs as necessary to [company] and customers to ensure a consistent and highly robust user experience. All updates will be free of charge and are covered by the Windows license agreement. Since the SBA has two major software components (Windows Server and Lync/Skype software components), the updates for each component will be released independently of one another, resulting in a faster time to release.

Windows Server Updates

Microsoft frequently publishes updates to the Windows Server operating system. These updates are publicly available and can be downloaded and applied to the SBA should the customer wish to do so (and if found relevant).

[company] provides additional checks for these update components by running checks, sanity tests, and performance controls and also by ensuring the SBA is compatible with the updates in question.

On the second Tuesday of each month, [company] evaluates all patches published by Microsoft. If a patch is a Critical Windows Update that has potential for severe impact, [company] releases a critical Bulletin and package within a week. [company] delivers all the other updates on a monthly cycle for the SBA. [company] starts building and testing on the second Tuesday of the month. Building and testing takes no more than 2 weeks. Once fully tested and verified by [company], a qualified update file will be posted on the Partner support portal for download. When loaded to the SBA, the system will continue to be supported in Appliance mode.

Note

If you download and install a Microsoft update before [company] has verified and tested it for use in [company] products, the SBA will revert to Server mode.

[company] provides updates and improvements of the Microsoft Security template in the same update pack.

The SBC downloads and installs Microsoft updates automatically. In most cases, you must reboot the ASM after the SBC installs the update. The following provides information on how to reboot the ASM.

Reboot the ASM

Start

  1. Log in to your SBC Edge.
  2. In the SBC Edge WebUI, click the Tasks tab.
  3. In the left navigation pane, go to Application Solution Module > Operational Status. The Operational Status pane opens on the right.
  4. In the Windows Update section, click Yes - Restart ASM Now for Restart Required. The Restart the ASM message box opens.

    [Figure: Windows Update - Restart ASM Now]

    [Figure: Restart the ASM Message]

  5. Click OK. The Current Activity Status section displays reboot messages to indicate the progression of the ASM reboot.

    [Figure: ASM Reboot in Progress]

    [Figure: ASM Reboot Completed]

    Note

    Depending on the package you install, the time it takes for the ASM to reboot differs.


Lync/Skype Server Component Updates

SBA updates are posted on the Microsoft Update website and can be downloaded by anyone.

[company] provides additional checks for these Lync/Skype update components by running checks, sanity tests, and performance controls and also by ensuring the SBA is compatible with the updates in question.


Once fully tested and verified by [company], a qualified Lync/Skype update file will be posted on the Partner support portal for download. When loaded to the SBA, the system will continue to be supported in Appliance mode.

Note

If you download and install a Microsoft update before [company] has verified and tested it for use in [company] products, the SBA will revert to Server mode.

Customer Security

It is the customer's responsibility to use the tools available from [company] and Microsoft to harden the SBA. Using all the security tools as well as keeping the ASM up to date with [company]-qualified update files will ensure ongoing security support. Use of anti-virus or other customer security solutions on the SBA is not recommended by [company]: the low attack surface of the SBA renders most of the services provided by such a security solution ineffective, so the solution only adds overhead to the SBA performance.