
Evaluation Report

Polycom® RealPresence® Access Director

29 May 2013

Prepared by ICSA Labs
1000 Bent Creek Blvd., Suite 200
Mechanicsburg, PA 17050
www.icsalabs.com

CTXX-POLYCOM-2013-0529-01

Polycom RealPresence Access Director Evaluation Report

CTXX-POLYCOM-2013-0529-01

Page i of i Copyright 2013 ICSA Labs. All Rights Reserved. 1000 Bent Creek Blvd., Suite 200 Mechanicsburg, PA 17050 https://www.icsalabs.com

Table of Contents

Executive Summary .................................................................................................................................. 1

System Components ................................................................................................................................. 3

Test Topology ............................................................................................................................................ 4

Product Deployment .................................................................................................................................. 5

Basic SIP and H.323 Functionality ............................................................................................................ 7

Platform Security ....................................................................................................................................... 8

Functional Security .................................................................................................................................... 9

Administration Testing ............................................................................................................................... 9

Persistence .............................................................................................................................................. 10

Documentation ........................................................................................................................................ 10

Logging .................................................................................................................................................... 10

Summary ................................................................................................................................................. 11

Partners and Resources ......................................................................................................................... 12

Testing Information.................................................................................................................................. 13


Executive Summary

About this Evaluation

Polycom, Inc. contracted ICSA Labs, an independent division of Verizon, to test and evaluate the Polycom® RealPresence® Access Director™ (RPAD), which is a Session Border Controller (SBC) component of the Polycom® RealPresence® Platform. The goal of this engagement was to evaluate the RPAD’s functionality as an SBC and to verify that it does not negatively affect security controls or introduce security vulnerabilities itself while allowing H.323 and Session Initiation Protocol (SIP) videoconferencing functionality.

About ICSA Labs

The goal of ICSA Labs is to significantly increase user and enterprise trust in information security products and solutions. For more than 20 years, ICSA Labs, an independent division of Verizon, has been providing credible, independent, 3rd party security product testing and certification for many of the world’s top security product developers and service providers. Enterprises worldwide rely on ICSA Labs to set and apply objective testing and certification criteria for measuring product compliance and performance. For more information, visit https://www.icsalabs.com.

About Polycom, Inc.

Companies choose Polycom for solutions that enable their geographically dispersed workforces to communicate and collaborate more effectively and productively over distances. Using Polycom telepresence, video, and voice solutions and services, people connect and collaborate from their desktops, meeting rooms, class rooms, and mobile settings. Organizations from a wide variety of industries and the private sector work with Polycom standards-based solutions.

About Session Border Controllers

Session Border Controllers (SBCs) are used to control the signaling and media streams involved in the VoIP/video calls conducted by businesses every day. The SBC usually sits at the edge of the network and is used to control SIP and H.323 traffic flow in both directions, help protect against DoS attacks, and hide the topology of the organization’s private network.

Product Overview

Polycom® RealPresence® Firewall Traversal and Security solutions remove communication barriers to allow your teams to collaborate more effectively over video. These solutions provide a secure route for users to connect from virtually any location and device, providing support for business-to-business and intra-company collaboration. The Polycom® RealPresence® Access Director™ enables users within and beyond the firewall to securely access video services, whether you are at home, in the office or on the go. A software-based edge server, RealPresence Access Director securely routes communications, management and content through firewalls without requiring additional client hardware or software.

Areas of Evaluation

Polycom contracted ICSA Labs to evaluate the RPAD in the following areas:

- Provide basic SIP and H.323 functionality
  o Verify protocol support for SIP and H.323
  o Client registration through the RPAD
  o URI dialing
  o Voice/Video calling capabilities

- Provide platform security
  o Secure administrative access
  o Vulnerability testing
  o Cryptography

- Functional Security
  o Policy Enforcement
  o Denial of Service (DoS) testing
  o No vulnerabilities introduced

- Administration
  o Secure administrative interface
  o Administrative authentication
  o Remote administration

- Persistence
  o Configuration
  o Log storage
  o Date/Time

- Documentation
  o Complete and accurate

- Logging
  o Authentication attempts
  o Voice/Video call attempts

Summary of Findings

During the course of this evaluation, several issues were discovered by the Network Security Lab team and reported to Polycom, Inc. These included small documentation and logging issues as well as the discovery that the RPAD was vulnerable to a well-known Denial-of-Service attack.

In each case, Polycom, Inc. addressed the issues and they have all been resolved in the final evaluation code. Polycom, Inc. has met and passed all evaluation criteria used during this evaluation.


System Components

Introduction

ICSA Labs requires that vendors submit for evaluation at ICSA Labs all hardware, software, and documentation that comprise the product under test. For the purposes of this document, the term product refers to the complete system submitted by the vendor to ICSA Labs to be evaluated during testing. This includes any and all documentation, hardware, firmware, software, host operating systems, management stations, etc. used during testing. Servers providing common management services such as syslog and NTP are provided by ICSA Labs and are not considered part of the product under test. This section details the components of the product (or product family) submitted by Polycom for evaluation. All items not listed in this section, as well as any relevant components, were provided by ICSA Labs.

Hardware

Polycom, Inc. submitted the following hardware to ICSA Labs for this evaluation:

RPAD – The RPAD was installed on a server with (2) six-core 2.0 GHz Xeon processors. The server was equipped with (4) gigabit Ethernet ports, (2) USB ports, and a serial port, and contained (2) 146 GB hard drives.

Polycom, Inc. also submitted the following hardware in support of the RPAD Evaluation:

- Site A
  o (1) RealPresence® Collaboration Server (RMX® 2000)
  o (1) HDX® 4000
  o (1) Apple iPad (with Polycom RealPresence Mobile version 1.3.2-21855_4520), iOS version 5.1.1
  o (1) Distributed Media Application (DMA)
  o (1) RealPresence® Resource Manager (RPRM, one dedicated, one virtualized)

- Site B
  o (1) RPAD
  o (1) RPRM (virtualized)
  o (1) DMA (virtualized)

- Mobile
  o (1) Apple iPad (with Polycom RealPresence Mobile version 1.3.2-2185_4520), iOS version 5.1.1

Software

Polycom, Inc. submitted the following software to ICSA Labs for this evaluation:

RPAD – Testing began with RPAD version 2.0.0_build_5471 and concluded with version 2.1.0_build_8181.


Documentation

To satisfy documentation requirements, Polycom, Inc. provided the Network Security Lab team with the following electronic documents in order to assist in the installation, configuration, and administration of the RPAD for this evaluation:

- Polycom® RealPresence® Access Director™ 2.1.0 System Administrator’s Guide – March 2013
- Polycom® RealPresence® Access Director™ 2.1.0 System Getting Started Guide – March 2013
- Deploying Polycom Unified Communications in RPAD System Environments – March 2013

Test Topology

Introduction

ICSA Labs designs individual test plans for each custom test in order to simulate a realistic deployment of products in a typical end user environment. Since products submitted for testing can often be configured many different ways, ICSA Labs frequently confronts many configuration-related decisions both before and after installing products under test. For the purposes of this engagement, ICSA Labs installed and configured the products as a typical end user would and according to their intended use. The provided documentation was used to assist with all configuration decisions. The final configuration used for testing is detailed within the Product Deployment section of this evaluation report.

Test Description

ICSA Labs deployed the RPAD in a test infrastructure designed to simulate an enterprise network deployment. Two sites were created, each containing Polycom, Inc. communications equipment located in its respective private network and an RPAD located in its DMZ. Each site was protected by a network firewall, and the sites were located on different public networks. Security of the system was tested in site-to-site communication scenarios as well as in public mobile client scenarios.

Test Bed Diagram


Product Deployment

Introduction

Products can often be configured many different ways. Therefore, ICSA Labs frequently confronts many configuration-related decisions before ever adding a single security policy rule on a product in the lab. ICSA Labs decided to deploy the RPAD using the following:

- NAT with a one-to-one mapping for inbound/outbound services.
- DNS servers hosted both internally and externally, as the product itself did not support being a DNS server.
- The RPAD deployed in a DMZ behind a firewall with a rule set containing only the services defined in the supplied documentation.

Detailed Findings

The RPAD was configured to reside in the site’s DMZ within the ICSA Labs test infrastructure. The general network settings were found under “Admin” -> “Network Settings”. The Network Security Lab team configured the hostname and DNS settings on this page.

The IP address, subnet mask, and IP default gateway were configured on the “Advanced network setting” tab within the same section. The “Configuration Wizard” button was clicked on and the steps to finish the networking configuration were followed.


A new administration account was then created. From “User”, “Add” was selected and all of the required information was completed. “Associated Roles” was clicked, “Administrator” was moved into the “Selected roles” section, and “OK” was clicked.

The next step was to integrate with the Polycom, Inc. communications equipment located in each site. Before integration can occur, a provisioning admin account must be created on the RealPresence Resource Manager (RPRM) within the site. The RPAD is then connected to the RPRM under “Admin” -> “Polycom Management System” by entering the “Login Name”, the “Password”, and the IP address of the RPRM, and clicking “Connect”.

The last steps include configuring SIP and H.323 settings. Under “Configuration” -> “SIP and H.323 Settings” configure the External Unencrypted port 5060 with TCP/UDP selected as the transport. Configure the External Encrypted port 5061 with TLS selected as the transport. Configure the Internal Port Settings with 5070 as the unencrypted port and 5071 as the encrypted port. Configure the H.225 Registration Admission Status (RAS) port as 1719 and the H.225 call signaling port as 1720. Add the CIDR networks the RPAD utilizes.
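The deployment above places the RPAD in a DMZ behind a firewall whose rule set permits only the documented services. The script below, an added example that is not part of the ICSA Labs report or Polycom’s own material, prints an nftables ruleset built from the ports listed in this section (plus TCP 443 and 8443 from the Platform Security findings) and restricts the administrative GUI to a management network; the addresses, interface roles, internal transport choices and the absence of media (RTP) ranges are assumptions to be replaced from the vendor guide.

```shell
#!/bin/sh
# Added example (not from the ICSA Labs report or Polycom): emit an nftables
# ruleset for the firewall in front of an RPAD in the DMZ, permitting only the
# signaling and management services named in the report. The ruleset is
# printed rather than loaded so it can be reviewed offline.

RPAD_DMZ_IP="${RPAD_DMZ_IP:-192.0.2.10}"    # assumed DMZ address of the RPAD
MGMT_NET="${MGMT_NET:-10.0.0.0/24}"          # assumed admin network for TCP 8443
INTERNAL_NET="${INTERNAL_NET:-10.0.0.0/8}"   # assumed private site network

# Ports taken from the deployment section of the report:
#   5060 tcp/udp  external unencrypted SIP
#   5061 tcp      external SIP over TLS
#   5070/5071     internal unencrypted/encrypted SIP (transport assumed tcp+udp)
#   1719 udp      H.225 RAS, 1720 tcp H.225 call signaling
#   443 tcp       mobile client authentication, 8443 tcp administrative GUI
# Media (RTP) port ranges are not given in the report; add them from the
# vendor guide before deploying.

rpad_dmz_ruleset() {
cat <<EOF
table inet rpad_dmz {
  chain forward {
    type filter hook forward priority 0; policy drop;

    ct state established,related accept

    # Public side -> RPAD: documented external signaling ports only
    ip daddr $RPAD_DMZ_IP tcp dport { 5060, 5061, 1720, 443 } ct state new accept
    ip daddr $RPAD_DMZ_IP udp dport { 5060, 1719 } ct state new accept

    # Internal site <-> RPAD: internal SIP ports and H.323 signaling (assumed)
    ip saddr $INTERNAL_NET ip daddr $RPAD_DMZ_IP tcp dport { 5070, 5071, 1720 } ct state new accept
    ip saddr $INTERNAL_NET ip daddr $RPAD_DMZ_IP udp dport { 5070, 5071, 1719 } ct state new accept
    ip saddr $RPAD_DMZ_IP ip daddr $INTERNAL_NET tcp dport { 5070, 5071, 1720 } ct state new accept
    ip saddr $RPAD_DMZ_IP ip daddr $INTERNAL_NET udp dport { 5070, 5071, 1719 } ct state new accept

    # Admin GUI (8443) reachable only from the management network; the
    # report's DoS finding was reproduced from a public host against this port.
    ip saddr $MGMT_NET ip daddr $RPAD_DMZ_IP tcp dport 8443 ct state new accept

    # Everything else destined for the RPAD, including SSH, is dropped by policy.
  }
}
EOF
}

# Self-check: does any rule not scoped to the management network expose 8443?
public_exposes_admin() {
  if rpad_dmz_ruleset | grep -v "$MGMT_NET" | grep -q 'dport.*8443'; then
    echo yes
  else
    echo no
  fi
}

rpad_dmz_ruleset
```

Load the printed ruleset with `nft -f` only after adding the media ranges and confirming `public_exposes_admin` prints `no`.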


Basic SIP and H.323 Functionality

Introduction

Basic functionality for this custom testing engagement was defined as basic protocol support for SIP and H.323, client registration, Uniform Resource Identifier (URI) dialing, and video/voice capabilities. ICSA Labs used the multiple-site architecture described earlier to verify site-to-site functionality as well as mobile client functionality.


Detailed Findings

The RPAD was evaluated on its ability to allow clients to make and receive video/voice calls, including multiple-line call support. Multi-protocol support was also evaluated. Various aliases were used throughout testing, including E.164 aliases, SIP aliases, and H.323 aliases. Client registration as well as endpoint authentication methods were tested. The RPAD met all of the Basic Functionality Evaluation criteria and no issues were found throughout testing.

Platform Security

Introduction

Once configured, the product must be able to prevent unauthorized control of any administrative interface. The product must also demonstrate through testing that it is not vulnerable to any publicly known exploits or vulnerabilities and that it does not introduce any vulnerabilities while enforcing its policy configuration. Finally, the product must be able to mitigate, and must not be rendered inoperable by, any trivial Denial of Service (DoS) attack. The Network Security Lab team uses commercial, in-house-created, and freely available testing tools to attack and probe the product.

Detailed Findings

ICSA Labs evaluated the RPAD to verify that it is not susceptible to commonly known vulnerabilities or exploits, including network-based attacks. The Network Security Lab team used a combination of commercial and open source tools to scan for possible vulnerabilities, and then attempted to exploit the possible vulnerabilities found. Administrative access was also tested to ensure that no unauthorized administrative access to the machine could be gained through the Web UI. The Network Security Lab team found that an SSL/TLS renegotiation denial-of-service (DoS) attack could render aspects of the RPAD inoperable. If the attack was executed from a public host against the RPAD on TCP port 8443, the administrative GUI could not be accessed until the attack had stopped. Furthermore, if the attack was run against TCP port 443, no mobile clients were able to authenticate, rendering them unable to make calls through the RPAD. These issues were discovered on the original version tested and have been resolved in version 2.1.0_build_8181.


Functional Security

Introduction

Once configured, the product must be able to maintain basic functionality, and be secure against attacks directed at the functionality of the product. The Network Security Lab team utilized network scans to determine open ports and services. The results of the scans were used to generate a thorough functional security testing plan that would attempt to alter the functionality of the product.

Detailed Findings

ICSA Labs evaluated the RPAD to verify that its services and features function as intended and as a user would reasonably expect. ICSA Labs verified the RPAD’s ability to function in a Network Address Translation (NAT) scenario through a network firewall. The Network Security Lab team also verified that only traffic designed to flow through the RPAD was allowed. During routine calls, the Network Security Lab team deployed a number of commercial and open source tools in an attempt to disrupt or degrade the service provided through the RPAD. Several fuzzers for SIP and H.323 were used during these attacks; however, service was not found to be degraded or disrupted. The Polycom, Inc. RPAD met all Functional Security Evaluation criteria. The Network Security Lab team found that the functionality of the RPAD operated securely and as a reasonable user would expect.

Administration Testing

Introduction

Products under test can often have more than a single method by which administration is possible. Whether the product can be administered remotely using vendor-provided administration software, from a web browser-based interface, via some non-networked connection such as a serial port, or via some other means, authentication must be necessary before access to administrative functions is granted. The Network Security Lab team tests not only that authentication mechanisms exist but that they also cannot be bypassed for all administrative interfaces.

Detailed Findings

ICSA Labs evaluated the RPAD to verify that administrative functions exist to properly install and configure the product for its intended operation, and that appropriate controls exist to ensure that no unauthorized control of its administrative functions can be obtained. All configuration was performed through the web interface. Cryptography of the session was analyzed to ensure proper use of a strong TLS cipher suite. SSH access can be turned on; however, standard admin users cannot access this functionality, which exists for the sole purpose of Polycom, Inc. technical support personnel. The RPAD met all of the Administration Evaluation criteria and no issues were found throughout testing.


Persistence

Introduction

Power outages, electrical storms, and inadvertent power losses should not cause the product to lose valuable information such as the configuration, log data, authentication data, and system clock information. This section documents the findings of the Network Security Lab team while testing the RPAD against the persistence requirements.

Detailed Findings

ICSA Labs evaluated the RPAD to verify that configuration information, administrative settings, stored log data, and date and time settings are persistent across all system restarts. Polycom, Inc. RPAD met all of the Persistence Evaluation criteria. The Network Security Lab team found that all configuration information, administrative settings, log data, and date and time information were persistent across all planned and unplanned system restarts.

Documentation

Introduction

The Network Security Lab team evaluated the documentation provided with the product to verify that the vendor supplies adequate documentation to assist an end user with the installation, configuration, maintenance, and administration of the product. Throughout testing, the Network Security Lab team used the documentation provided and evaluated it for accuracy, completeness, and usefulness.

Detailed Findings

During initial testing, the Network Security Lab team discovered the documentation did not contain event disposition information. Polycom, Inc. resolved this issue by adding log disposition information to the provided documentation.

Logging

Introduction

This evaluation requires the product to provide extensive logging capabilities. ICSA Labs evaluated the RPAD to verify that it has the ability to capture, store, and present adequate system and network event information to enable an administrator to audit security related events. For the purposes of these tests, it is not required that logging is enabled at all times or that it is enabled by default. However, the capability must exist to capture the required log events and information.

Detailed Findings

The Polycom, Inc. RPAD stores log data internally and can be configured to transmit logs to a remote syslog server. Internal logs are divided into several files by event type or function, including webAdmin.log, utility.log, snmp.log, sipService.log, h323Service.log, activeCallAuditor.log, etc. The RPAD provides the ability to archive logs, and both active and archived logs can be downloaded and viewed. The RPAD allows the log retention period and the log rolling (archiving) frequency to be set. The RPAD also offers five application log level settings, ranging from DEBUG to FATAL.


The Network Security Lab team configured the RPAD to store the logs locally and selected INFO as the log level setting. Analysts performed a number of actions, including accessing the administrative interface, initiating calls, and changing the configuration, to ensure that the RPAD properly logged all activity. The Network Security Lab team also configured the RPAD to log to a remote syslog server and found no issues in the performance of the RPAD using this method. The Network Security Lab team discovered that the application log level needed to be set to DEBUG in order to see the reason for a rejected call. The Polycom, Inc. RPAD met all of the Logging Evaluation criteria. The Network Security Lab team found that the logging capabilities available on the RPAD permitted administrators to adequately audit security-related system and network events.

Summary

During the course of this evaluation, several issues were discovered by the Network Security Lab team and reported to Polycom, Inc. These included small documentation and logging issues as well as the discovery that the RPAD was vulnerable to a well-known Denial-of-Service attack.

In each case, Polycom, Inc. addressed the issues and they have all been resolved in the final evaluation code. Polycom, Inc. has met and passed all evaluation criteria used during this evaluation.


Partners and Resources

Introduction

This evaluation was made possible through the use of ICSA Labs’ partnerships, commercial tools, open source tools and resources available on the Internet. The following is a list of partnerships, tools and resources used during this evaluation.

Commercial Partnerships

Open Source Projects / Other Commercial Tools

Other Research Sources


Testing Information

This report is issued by the authority of the Managing Director, ICSA Labs. Tests are done under normal operating conditions. Please visit www.icsalabs.com for the most current information about this and other products.

Lab Report Date

29 May 2013

Test Location

ICSA Labs
1000 Bent Creek Blvd., Suite 200
Mechanicsburg, PA 17050

Product Developer’s Headquarters

Polycom, Inc.
6001 America Center Dr.
San Jose, CA 95164

Copyright 2013 ICSA Labs. All Rights Reserved. Testing reports shall not be reproduced except in full, without prior written approval of ICSA Labs. All other product, brand and company names in this document are trademarks or registered trademarks of their respective companies.