
TECHNICAL WHITE PAPER Avaya G250 and G350 Media Gateway Security Features Overview

Version: 1
CID: 115343
Date: November 17, 2005
Author: Avaya Technology and Consulting, IP Telephony Practice

Abstract: The Avaya G250 and G350 Media Gateway Security Features Overview (CID 115343) supersedes the earlier Avaya G350 Media Gateway Security Features Overview (CID 102411). This document follows the same template of questions as that earlier document and as the sister document, Avaya G700 Media Gateway Security Features Overview (CID 102412). The Avaya G250 and G350 Media Gateways, shown below, provide a variety of features which can be used to enhance security. The goal of this white paper is to summarize the general product documentation and focus on those features.

G350 Firmware Revision - FW: 24.17.0

GPW/AMK

© 2005 Avaya Inc. All Rights Reserved. Avaya and the Avaya logo are trademarks of Avaya Inc. and may be registered in certain jurisdictions. All trademarks identified by ® and ™ are registered trademarks or trademarks, respectively, of Avaya Inc. All other registered trademarks or trademarks are property of their respective owners.

G250 Firmware Revision - FW: 24.17.0

Table of Contents

Access Control Lists / Denial of Service (DOS) Protection / SYN Protection
  1. Access Control Lists
  2. Denial of Service
  3. SYN Protection Feature

Auditing Transactions / Administration
  4. CLI Command Auditing (via Syslog)
  5. Show Currently Logged on Administrators

Authentication Credentials / RADIUS / PBNAC 802.1x
  6. Default User Accounts
  7. Username/Password Characteristics
  8. RADIUS Switch Administrator Authentication
  9. Enable/Disable PBNAC 802.1x

CLI Inactivity Timeout and Pre/Post Login Banners
  10. Idle Timeout
  11. Banners

Network Client/Server applications
  12. Show Protocol
  13. Enable/Disable Network Services
  14. Client / Server Network Tools
  15. Default Listening Ports (UDP/TCP)
  16. SSH/SCP/HTTPS/SNMPv3 Support

SNMP / Syslog Configuration
  17. SNMP Defaults
  18. Syslog / SNMP Output
  19. Allowed Managers

PBR and VPN Overview
  20. Policy Based Routing
  21. VPN Application Support

Appendixes
  (A) Feature Matrix
  (B) FIPS Overview
  (C) Open Ports List

Avaya G250/G350 Media Gateway Security Features Overview

Access Control Lists / Denial of Service (DOS) Protection


1. Access Control Lists

The G250/G350 supports Access Control Lists (ACLs), which provide fine-grained control over ingress and egress traffic. In addition, the following restrictions can be applied:

    ip-fragments-in    applies to incoming packets that contain IP fragments
    ip-fragments-out   applies to outgoing packets that contain IP fragments
    ip-options-in      applies to incoming packets that contain IP options
    ip-options-out     applies to outgoing packets that contain IP options

Policy rules can match packets, on ingress and egress, on one or more of the following:

    - Source IP address, or a range of addresses
    - Destination IP address, or a range of addresses
    - IP protocol, such as TCP, UDP, ICMP or IGMP
    - Source TCP or UDP port, or a range of ports
    - Destination TCP or UDP port, or a range of ports
    - ICMP type and code

Use IP wildcards to specify a range of source or destination IP addresses. Zero bits in the wildcard correspond to bits in the IP address that must match; one bits correspond to bits that can vary. Note that this is the opposite of how bits are used in a subnet mask: the wildcard 0.0.0.255 covers a whole /24, and 0.0.0.0 matches a single host. For access control lists you can also require that a packet be part of an established TCP session; a packet that requests a new TCP session does not match such a rule. You can also specify whether an access control list accepts packets that carry an IP option field.


The following table lists the pre-configured entries in the composite operation table for rules in an access control list:

NOTE: You cannot configure additional composite operations for access control lists, since all possible composite operations are pre-configured.

Each column represents the following:

    No                a number identifying the operation
    Name              a name identifying the operation; use this to attach the operation to a rule
    Access            whether the operation forwards (forward) or drops (deny) the packet
    Notify            whether the operation raises a trap when it drops a packet
    Reset Connection  whether the operation causes a connection reset

To verify access control lists and QoS lists, you can view the configuration of the lists. You can also test the effect of the lists on simulated IP packets. Use the ip simulate command in the context of an interface to test a policy list. The command tests the effect of the policy list on a simulated IP packet entering or leaving that interface. You must specify the number of a policy list, the direction of the packet (in or out), and a source and destination IP address; other parameters are optional. The following command simulates the effect of applying QoS list number 401 to a packet entering the G350 through interface VLAN 2:

    G350-001(if:Vlan 2)# ip simulate 401 in CoS1 dscp46 10.1.1.1 10.2.2.2 tcp 1182 20

It is also possible to define an access control list on the loopback interface of the G350 so that only certain IP addresses are allowed to communicate with the G350 itself. This ACL is applied on all of the G350's interfaces. For example, it can be used to limit Telnet access to a specific list of IP addresses.
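The following Python model is added here as an illustration; it is not taken from Avaya's documentation or firmware. It implements the wildcard semantics, the match fields and the established check described in section 1, and evaluates a constructed management-plane list against sample packets in the spirit of ip simulate. The rule representation, first-match ordering, the default action when no rule matches, the policy-list number 301 and the gateway address 10.1.1.254 are assumptions of the example, not statements about the G250/G350.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANY = ("0.0.0.0", "255.255.255.255")   # base address + wildcard: every bit may vary


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Match addr against base using an inverse-mask wildcard.

    Zero bits in the wildcard are fixed (must equal base); one bits may vary.
    This is the opposite of a subnet mask: 10.1.1.0 0.0.0.255 covers 10.1.1.0-255.
    """
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    fixed = ~w & 0xFFFFFFFF
    return (a & fixed) == (b & fixed)


@dataclass
class Packet:
    src: str
    dst: str
    proto: str                      # "tcp", "udp" or "icmp"
    sport: int = 0
    dport: int = 0
    new_session: bool = False       # TCP SYN without ACK: a request for a new session
    icmp_type: Optional[int] = None
    icmp_code: Optional[int] = None
    ip_options: bool = False
    fragment: bool = False


@dataclass
class Rule:
    action: str                                   # "forward" or "deny"
    src: Tuple[str, str] = ANY                    # (address, wildcard)
    dst: Tuple[str, str] = ANY
    proto: Optional[str] = None                   # None matches any protocol
    sport: Optional[Tuple[int, int]] = None       # inclusive port range
    dport: Optional[Tuple[int, int]] = None
    established: bool = False                     # TCP only: new-session requests do not match
    icmp: Optional[Tuple[int, int]] = None        # (type, code)


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if not wildcard_match(pkt.src, *rule.src) or not wildcard_match(pkt.dst, *rule.dst):
        return False
    if rule.proto is not None and rule.proto != pkt.proto:
        return False
    if rule.sport and not (rule.sport[0] <= pkt.sport <= rule.sport[1]):
        return False
    if rule.dport and not (rule.dport[0] <= pkt.dport <= rule.dport[1]):
        return False
    if rule.established and (pkt.proto != "tcp" or pkt.new_session):
        return False
    if rule.icmp and (pkt.icmp_type, pkt.icmp_code) != rule.icmp:
        return False
    return True


@dataclass
class PolicyList:
    number: int
    rules: List[Rule]
    deny_ip_options: bool = False     # models ip-options-in / ip-options-out
    deny_fragments: bool = False      # models ip-fragments-in / ip-fragments-out
    default_action: str = "forward"   # assumption: behaviour when no rule matches


def simulate(plist: PolicyList, pkt: Packet) -> Tuple[str, Optional[int]]:
    """Evaluate pkt against plist, first match wins; returns (action, rule number)."""
    if plist.deny_ip_options and pkt.ip_options:
        return "deny", None
    if plist.deny_fragments and pkt.fragment:
        return "deny", None
    for number, rule in enumerate(plist.rules, start=1):
        if rule_matches(rule, pkt):
            return rule.action, number
    return plist.default_action, None


GATEWAY = "10.1.1.254"     # constructed: the gateway's own address

# Constructed management-plane list: Telnet only from 10.1.1.0/24, replies to
# sessions the gateway itself opened, no echo requests to the gateway, and
# everything else to port 23 denied.
MGMT_ACL = PolicyList(
    number=301,
    rules=[
        Rule("forward", src=("10.1.1.0", "0.0.0.255"), dst=(GATEWAY, "0.0.0.0"),
             proto="tcp", dport=(23, 23)),
        Rule("forward", proto="tcp", established=True),
        Rule("deny", proto="tcp", dport=(23, 23)),
        Rule("deny", dst=(GATEWAY, "0.0.0.0"), proto="icmp", icmp=(8, 0)),
    ],
    deny_ip_options=True,
)


if __name__ == "__main__":
    for pkt in (
        Packet("10.1.1.77", GATEWAY, "tcp", 1182, 23, new_session=True),
        Packet("192.168.5.5", GATEWAY, "tcp", 40000, 23, new_session=True),
        Packet("192.168.5.5", GATEWAY, "tcp", 40000, 23),       # bare ACK passes the flag check
        Packet("192.168.5.5", GATEWAY, "icmp", icmp_type=8, icmp_code=0),
        Packet("10.1.1.77", GATEWAY, "tcp", 1182, 23, new_session=True, ip_options=True),
    ):
        print(pkt.src, pkt.proto, pkt.dport, "->", simulate(MGMT_ACL, pkt))
```

The third sample packet shows why the established keyword should not carry the policy on its own: it is satisfied by any TCP segment that is not a new-session request, so a bare ACK from an unlisted source is forwarded by rule 2. Keep the explicit per-source rules in front of it, as the list above does for port 23.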


2. DOS

Use the icmp in-echo-limit command to set the maximum number of ICMP echo requests that the gateway accepts in one second. Use the no form of the command to restore the default. Possible values are [1..10000].

    G350-002(super)# icmp in-echo-limit ?
    Icmp in-echo-limit commands:
    --------------------------------------------------------------------------
    Syntax : icmp in-echo-limit <size>.
    Example: icmp in-echo-limit 100.
    G350-002(super)#

3. SYN Protection

The G250/G350 provides various TCP/IP services and is therefore exposed to a range of TCP/IP-based DoS attacks. DoS (Denial of Service) attacks are a wide class of malicious attacks that deny one or more services provided by a targeted host. A SYN attack is a well-known TCP/IP attack in which the attacker sends a stream of TCP SYN requests and never completes the handshake, filling the target's table of half-open connections so that it can no longer establish new TCP connections. SYN cookies are a well-known defense: instead of keeping state for every half-open connection, the server encodes the connection parameters into its initial sequence number and allocates state only when the client's final ACK returns a valid cookie.

Use the tcp syn-cookies command to enable the SYN cookies defense mechanism. Use the show form of the command to display SYN cookies statistics, the no form to disable the mechanism, and the clear form to clear the SYN cookie counters. Enabling or disabling SYN cookies takes effect only after the running configuration is copied to the startup configuration and the device is reset.

    G350-002(super)# tcp syn-cookies
    To enable the tcp syn-cookies, copy the running configuration to the start-up configuration file and reset the device.
    G350-002(super)#

When the SYN cookies feature is enabled, the G250/G350 alerts the administrator to a suspected SYN attack as it occurs by sending the following syslog message:

    SYN attack suspected! Number of unanswered SYN requests is greater than 20 in last 10 seconds.

    G350-002(super)# no tcp syn-cookies
    To disable the tcp syn-cookies, copy the running configuration to the startup configuration file and reset the device.
    G350-002(super)#

    G350-002(super)# clear tcp syn-cookies counters
    done!
    G350-002(super)#

    G350-002(super)# show tcp syn-cookies
    Status: Enabled
    Statistics:
      SYN recd:
      Connections established
      Local Address       Remote Address      State         Last
      -----------------   -----------------   -----------   -----
      192.168.1.254       192.168.1.32        Established   4
    G350-002(super)#
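The Python below is an added illustration of the two mechanisms in section 3; it is not Avaya code and does not describe how the G250/G350 firmware implements them. It builds and validates a classic SYN cookie (time counter, encoded MSS and a keyed hash packed into the server's initial sequence number, so no state is kept for a half-open connection) and reproduces the gateway's alert condition, more than 20 unanswered SYN requests in 10 seconds, with a sliding-window counter. The cookie layout, the 64-second counter period, the MSS table, the secret and the flood traffic are all constructed for the example.

```python
import hashlib
import hmac
import struct
from typing import Dict, Optional, Tuple

# Constructed secret; a real TCP stack derives it at boot and rotates it.
COOKIE_SECRET = b"constructed-syn-cookie-secret"
# MSS values the 3-bit index can encode (classic Bernstein layout).
MSS_TABLE = (536, 1220, 1440, 1460)
COUNTER_PERIOD = 64          # seconds per tick of the 5-bit time counter

FourTuple = Tuple[str, str, int, int]   # (src ip, dst ip, src port, dst port)


def _cookie_hash(flow: FourTuple, counter: int) -> int:
    """24-bit keyed hash over the 4-tuple and the time counter."""
    src, dst, sport, dport = flow
    msg = src.encode() + b"|" + dst.encode() + struct.pack("!HHB", sport, dport, counter)
    return int.from_bytes(hmac.new(COOKIE_SECRET, msg, hashlib.sha256).digest()[:3], "big")


def make_syn_cookie(flow: FourTuple, client_mss: int, now: float) -> int:
    """Server ISN for the SYN-ACK: 5 bits time counter, 3 bits MSS index, 24 bits hash.
    Nothing is stored for the half-open connection."""
    counter = int(now // COUNTER_PERIOD) & 0x1F
    mss_idx = 0
    for i, mss in enumerate(MSS_TABLE):
        if mss <= client_mss:
            mss_idx = i
    return (counter << 27) | (mss_idx << 24) | _cookie_hash(flow, counter)


def check_syn_cookie(flow: FourTuple, ack_number: int, now: float) -> Optional[int]:
    """Validate the handshake's final ACK; return the negotiated MSS, or None if
    the cookie is forged or older than two counter periods."""
    cookie = (ack_number - 1) & 0xFFFFFFFF          # the client acknowledges ISN + 1
    counter = cookie >> 27
    mss_idx = (cookie >> 24) & 0x7
    if mss_idx >= len(MSS_TABLE):
        return None
    age = (int(now // COUNTER_PERIOD) - counter) & 0x1F
    if age > 1:
        return None
    if (cookie & 0xFFFFFF) != _cookie_hash(flow, counter):
        return None
    return MSS_TABLE[mss_idx]


class SynFloodDetector:
    """Counts SYNs not yet completed by a valid ACK inside a sliding window and
    reproduces the gateway's alert condition: more than `threshold` unanswered
    SYNs in the last `window` seconds (20 in 10 s on the G250/G350)."""

    def __init__(self, threshold: int = 20, window: float = 10.0) -> None:
        self.threshold = threshold
        self.window = window
        self.pending: Dict[FourTuple, float] = {}

    def syn(self, flow: FourTuple, now: float) -> None:
        self.pending[flow] = now

    def ack(self, flow: FourTuple, ack_number: int, now: float) -> bool:
        ok = check_syn_cookie(flow, ack_number, now) is not None
        if ok:
            self.pending.pop(flow, None)
        return ok

    def unanswered(self, now: float) -> int:
        cutoff = now - self.window
        self.pending = {f: t for f, t in self.pending.items() if t >= cutoff}
        return len(self.pending)

    def alert(self, now: float) -> Optional[str]:
        if self.unanswered(now) > self.threshold:
            return ("SYN attack suspected! Number of unanswered SYN requests is greater "
                    "than %d in last %d seconds." % (self.threshold, int(self.window)))
        return None


if __name__ == "__main__":
    gw = "192.168.1.254"
    det = SynFloodDetector()
    # Constructed flood: 25 half-open handshakes from spoofed sources, 3 of them completed.
    t0 = 1000.0
    for i in range(25):
        flow = ("10.9.%d.%d" % (i // 256, i % 256), gw, 40000 + i, 23)
        det.syn(flow, t0 + i * 0.1)
        if i < 3:
            det.ack(flow, make_syn_cookie(flow, 1460, t0) + 1, t0 + 0.5)
    print(det.alert(t0 + 5))      # alert text: 22 unanswered SYNs
    print(det.alert(t0 + 20))     # None: the 10-second window has moved on
```

The age check is what makes the cookie safe to validate without state: an attacker who captures a SYN-ACK can replay its ISN only for about two counter periods, and only for the exact 4-tuple it was issued for.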


Auditing Transactions / Administration


4. CLI Command Auditing (via Syslog)

Configuration-change SNMP traps are sent if the "config" trap is enabled; it is enabled by default when you type "set snmp trap enable all". Additionally, log messages can be sent to a log file, the console session and a Telnet session, and stored on the gateway. Relevant logs can also be sent to a syslog server by enabling a log server through the CLI:

    set logging server x.x.x.x
    set logging server x.x.x.x enable
    set logging server condition CLI Notification x.x.x.x

The above example logs to the syslog server x.x.x.x every event from the CLI application with severity "Notification" and above. Other applications can be selected in the same way. Examples of the resulting syslog records, as stored by the collector (collector timestamp, facility.severity, source address, then the gateway's own timestamp, address and message):

    01-13-2004 13:27:23 Local7.Notice 192.168.1.70 JAN 13 13:27:26 192.168.1.70 Cli Command[CLI-Notification: root: session mgc<000>
    01-13-2004 13:26:50 Local7.Notice 192.168.1.70 JAN 13 13:26:53 192.168.1.70 CliCommand[CLI-Notification: root: set mediaserver 192.168.1.20 192.168.1.70 5023 sat<000>
    01-13-2004 13:26:22 Local7.Notice 192.168.1.70 JAN 13 13:26:25 192.168.1.70 CliCommand[CLI-Notification: root: set mediaserver 192.168.1.70 192.168.1.30 5023 sat<000>
    01-13-2004 13:22:26 Local7.Notice 192.168.1.70 JAN 13 13:22:29 192.168.1.70 CliCommand[CLI-Notification: root: copy running-config startup-config <000>
    01-13-2004 13:18:55 Local7.Notice 192.168.1.70 JAN 13 13:18:58 192.168.1.70 CliCommand[CLI-Notification: root: dir<000>
    01-13-2004 13:18:36 Local7.Notice 192.168.1.70 JAN 13 13:18:38 192.168.1.70 CliCommand[CLI-Notification: root: telnet 192.168.1.1<000>
    01-13-2004 13:17:48 Local7.Notice 192.168.1.70 JAN 13 13:17:50 192.168.1.70 CliCommand[CLI-Notification: root: traceroute 131.94.57.51<000>
    01-13-2004 13:17:18 Local7.Notice 192.168.1.70 JAN 13 13:17:20 192.168.1.70 CliCommand[CLI-Notification: root: hostname G350<000>
    01-13-2004 13:15:44 Local7.Notice 192.168.1.70 JAN 13 13:15:46 192.168.1.70 CliCommand[CLI-Notification: root: ping 192.168.1.1<000>
    01-13-2004 13:15:19 Local7.Notice 192.168.1.70 JAN 13 13:15:21 192.168.1.70 CliCommand[CLI-Notification: root: set logging server condition CLI Notification 192.168.1.100<000>
    01-13-2004 13:28:55 Local7.Notice 192.168.1.70 JAN 13 13:28:58 192.168.1.70 CliCommand[CLI-Notification: root: exit<000>
    01-13-2004 13:30:29 Local7.Notice 192.168.1.70 JAN 13 13:30:32 192.168.1.70 CliCommand[CLI-Notification: georgia: exit<000>
    01-13-2004 13:30:24 Local7.Notice 192.168.1.70 JAN 13 13:30:27 192.168.1.70 CliCommand[CLI-Notification: georgia: session mgc<000>

Note that the gateway's own timestamp runs a few seconds ahead of the collector's in every record above. Keep the gateway synchronised to the same time source as the collector so that its records can be correlated with those of other devices.

Use the set logging server facility command, followed by the name of the output facility and the IP address of the Syslog server, to choose the syslog facility under which messages to that server are sent. A total of 3 syslog servers can be configured.

The following example sets ftpd (FTP daemon) as the output facility for Syslog reports sent to the Syslog server with IP address 168.12.1.15. The G350 and G250 have user logging enabled by default from the factory.

    set logging server facility ftpd 168.12.1.15

The available facilities are:

    auth            Authorization
    deamon          Background System Process
    clkd            Clock Daemon
    clkd2           Clock Daemon
    mail            Electronic Mail
    local0-local7   For Local Use
    ftpd            FTP Daemon
    kern            Kernel
    alert           Log Alert
    audi            Log Audit
    ntp             NTP subsystem
    lpr             Printing
    sec             Security
    syslog          System Logging
    uucp            Unix-to-Unix Copy Program
    news            Usenet news
    user            User Process

Use the show logging server condition command followed by the IP address of a Syslog server to display that server's status. If you do not specify an IP address, the command displays the status of all Syslog servers defined for the G250/G350: whether each server is enabled or disabled, and all filters defined on it.
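The Python below is an added example, not part of the Avaya document, showing what a collector can do with the CLI-Notification records from section 4: parse each record into its fields, pick out the commands an auditor wants to review first, and measure the offset between the gateway's clock and the collector's. The sample records are copied from the examples above; the record layout is inferred from them, and the watch list and its category names are the example's own, not anything defined by the gateway.

```python
import re
from datetime import datetime
from typing import Dict, List, Optional

# Record layout as received by the syslog collector in the examples above:
#   <collector date/time> <facility.severity> <source ip> <gateway date/time> <gateway ip>
#   CliCommand[CLI-<level>: <user>: <command><000>
LINE_RE = re.compile(
    r"^(?P<recv>\d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2}) "
    r"(?P<facility>\w+)\.(?P<severity>\w+) (?P<source>\S+) "
    r"(?P<devtime>[A-Z]{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<gateway>\S+) "
    r"Cli ?Command\[CLI-(?P<level>\w+): (?P<user>[^:]+): (?P<command>.*?)<000>$"
)

# Commands an auditor wants to see first, matched by prefix in order.
# The categories are constructed for this example, not defined by the gateway.
WATCHLIST = (
    ("username", "credential-change"),
    ("login authentication", "credential-change"),
    ("set logging server", "audit-config"),
    ("set snmp", "management-config"),
    ("no ip ", "management-config"),
    ("ip telnet", "management-config"),
    ("set mediaserver", "call-control"),
    ("copy running-config", "config-persisted"),
    ("session mgc", "pivot"),
    ("telnet ", "pivot"),
)


def parse_line(line: str) -> Optional[Dict[str, str]]:
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(command: str) -> Optional[str]:
    for prefix, tag in WATCHLIST:
        if command.startswith(prefix):
            return tag
    return None


def clock_skew_seconds(rec: Dict[str, str]) -> int:
    """Gateway timestamp minus collector timestamp. The gateway's timestamp
    carries no year, so the collector's year is assumed."""
    recv = datetime.strptime(rec["recv"], "%m-%d-%Y %H:%M:%S")
    dev = datetime.strptime("%d %s" % (recv.year, rec["devtime"]), "%Y %b %d %H:%M:%S")
    return int((dev - recv).total_seconds())


def audit(lines: List[str]) -> List[Dict[str, object]]:
    """One finding per watch-listed command, with who ran it and the clock offset."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        tag = classify(rec["command"])
        if tag is None:
            continue
        findings.append({
            "user": rec["user"].strip(),
            "command": rec["command"].strip(),
            "tag": tag,
            "gateway": rec["gateway"],
            "skew": clock_skew_seconds(rec),
        })
    return findings


# Sample records copied from the syslog examples above (gateway 192.168.1.70).
SAMPLE = """\
01-13-2004 13:27:23 Local7.Notice 192.168.1.70 JAN 13 13:27:26 192.168.1.70 Cli Command[CLI-Notification: root: session mgc<000>
01-13-2004 13:26:50 Local7.Notice 192.168.1.70 JAN 13 13:26:53 192.168.1.70 CliCommand[CLI-Notification: root: set mediaserver 192.168.1.20 192.168.1.70 5023 sat<000>
01-13-2004 13:22:26 Local7.Notice 192.168.1.70 JAN 13 13:22:29 192.168.1.70 CliCommand[CLI-Notification: root: copy running-config startup-config <000>
01-13-2004 13:18:55 Local7.Notice 192.168.1.70 JAN 13 13:18:58 192.168.1.70 CliCommand[CLI-Notification: root: dir<000>
01-13-2004 13:18:36 Local7.Notice 192.168.1.70 JAN 13 13:18:38 192.168.1.70 CliCommand[CLI-Notification: root: telnet 192.168.1.1<000>
01-13-2004 13:15:19 Local7.Notice 192.168.1.70 JAN 13 13:15:21 192.168.1.70 CliCommand[CLI-Notification: root: set logging server condition CLI Notification 192.168.1.100<000>
01-13-2004 13:30:24 Local7.Notice 192.168.1.70 JAN 13 13:30:27 192.168.1.70 CliCommand[CLI-Notification: georgia: session mgc<000>
""".splitlines()


if __name__ == "__main__":
    for f in audit(SAMPLE):
        print("%-8s %-18s skew=%+ds  %s" % (f["user"], f["tag"], f["skew"], f["command"]))
```

Two of the sample commands deserve the "pivot" tag: session mgc and telnet open a session from the gateway to another host, so a compromised gateway account can reach systems that the attacker cannot reach directly. Those lines, and any change to set logging server (which can silence this very audit trail), are the ones to alert on rather than merely store.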


5. Displaying Currently Logged on Administrators

With the G250/G350 gateways there are three primary ways to administer the gateway: a direct connection to the console port, Telnet, and secure shell (SSH). To display the users currently logged on to the G250/G350 via SSH or Telnet, issue the following commands:

    G350-002(super)# show ip ssh
    Ssh Engine: Enable
    Max Sessions: 2
    Key Type: DSA, 768 bit
    Listen Port: 22
    Ciphers List: 3des-cbc

    Session-Id   Version   Encryption   User   IP:Port
    0            2         3des-cbc     root   192.168.1.31:3528

    G350-002(super)# show ip telnet
    Telnet Engine: Enable
    Max Sessions: 5
    Listen Port: 23

    Session-Id   User   IP:Port
    0            root   192.168.1.32:1055

Note that the SSH server in this firmware offers only a 768-bit DSA host key and the 3des-cbc cipher, both well below current key-length and cipher recommendations. Where the firmware cannot be upgraded, limit which addresses can reach port 22 with an ACL on the loopback interface (section 1) and disable the Telnet server (section 13), which carries the same credentials in clear text.


Authentication Credentials / RADIUS


6. Usernames

By default there is only a single user account, named root, with the password root, which has the admin access level. You cannot delete this basic user account or modify its access level, but you can modify its password.

    G350-002(super)# show username
    User account    password    access-type
    --------------  ----------  -----------
    root            *****       admin
    G350-002(super)#



7. Username/Password Characteristics

    - Username: minimum 4 characters, maximum 31 characters
    - Password: minimum 8 characters, maximum 31 characters (all US printable, non-whitespace keyboard characters are valid)
    - Up to 3 password entry attempts are allowed at login before the session is terminated
    - Up to 10 unique local usernames can be configured on the G350

When you start to use Avaya G250/G350 Manager or the CLI, you must enter a username. The username you enter sets your privilege level, and the commands available to you during the session depend on that privilege level. If you use RADIUS authentication, the RADIUS server sets your privilege level. Note that if the same username is defined both locally on the gateway and on the RADIUS server, the local account takes precedence over the one defined on the RADIUS server.

You can use the Read-only privilege level to view configuration parameters. You can use the Read-write privilege level to view and change all configuration parameters except those related to security; for example, you cannot change a password with Read-write privilege. You can use the Admin privilege level to view and change all configuration parameters, including those related to security. Use the Admin privilege level only when you need to change security-related configuration, such as adding new user accounts or restricting the sources from which the device can be managed (for example, issuing the no ip telnet command).

    Username commands:
    --------------------------------------------------------------------------
    Usage: username <name> password <passwd> access-type {read-only|read-write|admin}

Does the ability exist to force a minimum username and/or password length (other than the default minimum of 4 characters for the username and 8 characters for the password)?
No. However, this can be accomplished by using an external authentication database such as RADIUS.

Does the configuration file include user account passwords or SNMP community strings?
No. The configuration file does not include SNMP community strings or user/password data.

Are there any undocumented usernames or SNMP community strings?
No. All "diag" accounts are inaccessible without first logging into the G350 via a super-user account. Backdoor password recovery exists but can only be used via a direct connection to the console port; it can also be disabled.

Is there any way to enforce password aging on local accounts used to administer the G350?
No. However, this can be accomplished by using an external authentication database such as RADIUS.

Is there any way to enforce account lock-out after user inactivity, i.e. when a user has not logged in for 60 days?
No. However, this can be accomplished by using an external authentication database such as RADIUS.

Is there any way to enforce lock-out of accounts after excessive retries?
Yes. In addition to RADIUS external authentication, which provides its own lock-out options, the following global command sets login authentication lock-out parameters for local administrators:

    G350-002(super)# login authentication lockout ?
    Login authentication lockout commands:
    -------------------------------------------------------------------
    Syntax : login authentication lockout <time> attempt <count>
      <time>  - integer <30..3600> seconds. Interval of time the account lockout is enforced. 0 - no timeout
      <count> - integer <1..10>. Successive number of failures before lockout
    Example: login authentication lockout 360 attempt 5

The login authentication command also supports enabling the local craft user for services access and setting its password.

Is there any way for the G350 to prevent simple/dictionary words from being chosen as passwords?
No. However, this can be accomplished by using an external authentication database such as RADIUS.

Is there any way to age passwords? And if so, any way for the G350 to prevent password reuse, and if so how many past passwords are stored?
No. However, this can be accomplished by using an external authentication database such as RADIUS.
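The Python below is an added example and is not Avaya code. It separates the two layers that sections 6 and 7 describe: the checks the gateway itself applies (the length and character rules, and the lock-out after a run of failed logins configured with login authentication lockout 360 attempt 5) from the reuse and dictionary checks the page says must come from an external RADIUS policy. The lock-out semantics modelled here (a fixed count of successive failures, then rejection for the configured number of seconds, with the counter reset on success) are the example's reading of the command help; the 0 "no timeout" setting is deliberately not modelled and is rejected as out of range.

```python
import string
from typing import Dict, Iterable, List

USERNAME_LENGTH = (4, 31)    # gateway rule
PASSWORD_LENGTH = (8, 31)    # gateway rule
ALLOWED_CHARS = set(string.printable) - set(string.whitespace)   # US printable, no whitespace


def check_username(name: str) -> List[str]:
    problems = []
    if not USERNAME_LENGTH[0] <= len(name) <= USERNAME_LENGTH[1]:
        problems.append("username length must be %d..%d" % USERNAME_LENGTH)
    return problems


def check_password(password: str, history: Iterable[str] = (),
                   wordlist: Iterable[str] = ()) -> List[str]:
    """Local rules the gateway enforces, followed by the reuse and dictionary
    checks that the gateway cannot enforce and leaves to an external policy."""
    problems = []
    if not PASSWORD_LENGTH[0] <= len(password) <= PASSWORD_LENGTH[1]:
        problems.append("password length must be %d..%d" % PASSWORD_LENGTH)
    if any(c not in ALLOWED_CHARS for c in password):
        problems.append("only US printable, non-whitespace characters are allowed")
    # External (RADIUS-side) policy from here on:
    if password in history:
        problems.append("password was used before")
    if password.lower() in {w.lower() for w in wordlist}:
        problems.append("password is a dictionary word")
    return problems


class LoginLockout:
    """Models 'login authentication lockout <time> attempt <count>': after <count>
    successive failures the account is locked for <time> seconds (assumed semantics)."""

    def __init__(self, lock_seconds: int = 360, attempts: int = 5) -> None:
        if not 30 <= lock_seconds <= 3600 or not 1 <= attempts <= 10:
            raise ValueError("time must be 30..3600 seconds and attempt 1..10")
        self.lock_seconds = lock_seconds
        self.attempts = attempts
        self.failures: Dict[str, int] = {}
        self.locked_until: Dict[str, float] = {}

    def attempt(self, user: str, credentials_ok: bool, now: float) -> str:
        """Return 'accepted', 'rejected' or 'locked' for a login attempt at time now."""
        if now < self.locked_until.get(user, 0.0):
            return "locked"                      # even a correct password is refused
        if credentials_ok:
            self.failures[user] = 0
            return "accepted"
        self.failures[user] = self.failures.get(user, 0) + 1
        if self.failures[user] >= self.attempts:
            self.failures[user] = 0
            self.locked_until[user] = now + self.lock_seconds
            return "locked"
        return "rejected"


if __name__ == "__main__":
    print(check_password("root"))                                   # too short: the factory default
    print(check_password("Summer2005", history=["Summer2005"]))     # reuse caught only externally
    lockout = LoginLockout(360, 5)                                  # login authentication lockout 360 attempt 5
    for t in range(5):
        print(t, lockout.attempt("root", False, 100.0 + t))
    print("later", lockout.attempt("root", True, 110.0), lockout.attempt("root", True, 470.0))
```

Because the lock-out is keyed by username, a remote attacker who knows the only guaranteed account name, root, can keep it locked out at will; that is one more reason to change the default password, reach the CLI only from addresses admitted by the loopback ACL, and keep console access under physical control.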


8. RADIUS Switch Administrator Authentication

If your network has a RADIUS server, you can configure the Avaya G250/G350 Media Gateway to use RADIUS authentication. A RADIUS server provides a centralized authentication service for many devices on a network. When you use RADIUS authentication, you do not need to configure usernames and passwords on the G250/G350. When you log in, the G250/G350 searches for your username and password in its own database first; only if it does not find them does it fall back to RADIUS authentication.

    G350-002(super)# show radius authentication
    Mode:             Enable
    Primary-server:   192.168.1.205
    Secondary-server: 172.16.1.205
    Retry-number:     4
    Retry-time:       5
    UDP-port:         1645
    shared-secret:    *****
    G350-002(super)#

The UDP port shown, 1645, is the original RADIUS authentication port; RFC 2865 assigns port 1812, and many servers listen only there unless told otherwise. Make sure the port configured here matches the one the RADIUS server actually listens on, and treat the shared secret with the same care as an administrator password: anyone holding it can forge an Access-Accept.

The Avaya G250/G350 Media Gateway includes a security mechanism through which the system administrator defines users and assigns each user a username and a password. Each user is assigned a privilege level, which determines the commands the user can perform. In addition to this basic security mechanism, the G250/G350 supports secure data transfer via SSH and SCP. The G250/G350 can be configured to work with an external RADIUS server to provide user authentication. When RADIUS authentication is enabled on the G250/G350, the RADIUS server operates in conjunction with the G250/G350 security mechanism: when a user logs in and the G250/G350 does not find the username in its own database, it establishes a connection with the RADIUS server, and the RADIUS server provides the necessary authentication services.
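The Python below is an added example of the exchange section 8 describes, written from RFC 2865; it is not Avaya code and does not show how the G250/G350 maps RADIUS attributes to its read-only, read-write and admin levels, which the page does not specify. It builds the Access-Request a NAS such as the gateway would send for a CLI login (User-Password obfuscated with MD5 of the shared secret and Request Authenticator), lets a toy server decide and sign an Access-Accept or Access-Reject with the Response Authenticator, and verifies that signature on the NAS side. The shared secret, user, password, NAS address and the use of Service-Type Administrative-User to convey privilege are constructed assumptions.

```python
import hashlib
import hmac
import os
import socket
import struct
from typing import Dict, Optional, Tuple

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, SERVICE_TYPE = 1, 2, 4, 6
ADMINISTRATIVE_USER = 6          # Service-Type value from RFC 2865 (assumed to mean full CLI access)
HEADER = struct.Struct("!BBH")   # code, identifier, length; a 16-byte authenticator follows


def encode_user_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to 16-byte blocks and XOR each block with
    MD5(secret + previous block); the first 'previous block' is the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded),16):
        block = bytes(p ^ b for p, b in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += block
        prev = block
    return out


def decode_user_password(blob: bytes, secret: bytes, request_auth: bytes) -> bytes:
    out, prev = b"", request_auth
    for i in range(0, len(blob), 16):
        out += bytes(c ^ b for c, b in zip(blob[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = blob[i:i + 16]
    return out.rstrip(b"\x00")


def attribute(kind: int, value: bytes) -> bytes:
    return struct.pack("!BB", kind, len(value) + 2) + value


def parse_attributes(data: bytes) -> Dict[int, bytes]:
    attrs, i = {}, 0
    while i + 2 <= len(data):
        kind, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute")
        attrs[kind] = data[i + 2:i + length]
        i += length
    return attrs


def packet(code: int, ident: int, authenticator: bytes, attrs: bytes) -> bytes:
    return HEADER.pack(code, ident, HEADER.size + 16 + len(attrs)) + authenticator + attrs


def response_authenticator(code: int, ident: int, attrs: bytes, request_auth: bytes, secret: bytes) -> bytes:
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2865 section 3."""
    length = HEADER.size + 16 + len(attrs)
    return hashlib.md5(HEADER.pack(code, ident, length) + request_auth + attrs + secret).digest()


def access_request(ident: int, user: str, password: str, secret: bytes, nas_ip: str,
                   request_auth: Optional[bytes] = None) -> bytes:
    """What the gateway (NAS) sends to the RADIUS server for a CLI login."""
    request_auth = request_auth or os.urandom(16)
    attrs = (attribute(USER_NAME, user.encode())
             + attribute(USER_PASSWORD, encode_user_password(password.encode(), secret, request_auth))
             + attribute(NAS_IP_ADDRESS, socket.inet_aton(nas_ip)))
    return packet(ACCESS_REQUEST, ident, request_auth, attrs)


def serve(request: bytes, secret: bytes, users: Dict[str, str]) -> bytes:
    """Toy RADIUS server: check the credentials and answer Accept (carrying an
    Administrative-User Service-Type) or Reject, both signed with the secret."""
    _, ident, length = HEADER.unpack_from(request)
    request_auth = request[HEADER.size:HEADER.size + 16]
    attrs = parse_attributes(request[HEADER.size + 16:length])
    user = attrs.get(USER_NAME, b"").decode()
    password = decode_user_password(attrs.get(USER_PASSWORD, b""), secret, request_auth).decode(errors="replace")
    if user in users and users[user] == password:
        code, reply = ACCESS_ACCEPT, attribute(SERVICE_TYPE, struct.pack("!I", ADMINISTRATIVE_USER))
    else:
        code, reply = ACCESS_REJECT, b""
    return packet(code, ident, response_authenticator(code, ident, reply, request_auth, secret), reply)


def verify_response(response: bytes, request: bytes, secret: bytes) -> Tuple[bool, int, Dict[int, bytes]]:
    """NAS side: trust the reply only if its identifier matches the request and
    the Response Authenticator proves it was produced with the shared secret."""
    code, ident, length = HEADER.unpack_from(response)
    _, req_ident, _ = HEADER.unpack_from(request)
    request_auth = request[HEADER.size:HEADER.size + 16]
    attrs = response[HEADER.size + 16:length]
    expected = response_authenticator(code, ident, attrs, request_auth, secret)
    ok = ident == req_ident and hmac.compare_digest(response[HEADER.size:HEADER.size + 16], expected)
    return ok, code, (parse_attributes(attrs) if ok else {})


if __name__ == "__main__":
    secret = b"constructed-shared-secret"
    req = access_request(7, "georgia", "Summer2005!", secret, "192.168.1.70")
    print(verify_response(serve(req, secret, {"georgia": "Summer2005!"}), req, secret))
    print(verify_response(serve(req, secret, {"georgia": "other"}), req, secret))
```

The last step is the one that matters for a NAS: without checking the Response Authenticator, anything on the path between the gateway and the RADIUS server could answer a login with an unsigned Access-Accept. Note also that the User-Password hiding is only an MD5 stream keyed by the shared secret; it is not encryption in the modern sense, which is why RADIUS traffic belongs on a management network or inside a VPN tunnel.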

9. Enable/Disable PBNAC 802.1x

The G350 also supports the 802.1x protocol, using EAP carried in EAPOL on the LAN port and relayed over RADIUS to the authentication server, to authenticate and authorize users attached to a LAN port and to block access to that port when authentication fails.


Note: The 802.1x protocol is not supported on the G250 as of CM 3.0.

    G350-002(super)# set port dot1x ?
    Set port dot1x commands:
    --------------------------------------------------------------------------
    set port dot1x initialize         Initialize port dot1x
    set port dot1x max-req            Sets per port the max-req, the maximal number of times the port tries to retransmit requests to the Authenticated Station before the session is terminated
    set port dot1x port-control       Set dot1x control parameter per port
    set port dot1x quiet-period       Sets per port the 802.1x quiet period, the minimal idle time between authentication attempts
    set port dot1x re-authenticate    Set the port to re-authenticate
    set port dot1x re-authentication  Set dot1x re-authentication mode per port
    set port dot1x re-authperiod      Sets per port the re-authentication period, an idle time between re-authentication attempts
    set port dot1x server-timeout     Sets per port the server-timeout, the time for the port to wait for a reply from the Authentication Server
    set port dot1x supp-timeout       Sets per port the supp-timeout, the time for the port to wait for a reply from the Authenticated Station
    set port dot1x tx-period          Sets per port the transmit period, the time interval between attempts to access the Authenticated Station

    G350-002(super)# show port dot1x ?
    Show port dot1x commands:
    --------------------------------------------------------------------------
    Syntax : show port dot1x [<mod/port>]
    Example: show port dot1x 3/2
    show port dot1x statistics        Shows the port dot1x statistics.

    G350-002(super)# clear dot1x ?
    Clear dot1x commands:
    --------------------------------------------------------------------------
    clear dot1x config                Resets the 802.1x configuration parameters


CLI Inactivity Timeout and Pre/Post Login Banners


10. Idle Timeout

Use the set logout command to set the number of minutes until the system automatically disconnects an idle session. The default is 15 minutes. Possible values are [0..99]. Setting the value to 0 disables the automatic disconnection of idle sessions, which leaves an unattended authenticated session open indefinitely.

    G350-002(super)# show logout
    CLI timeout is 15 minutes



11. Banners

The login banner displays before the user is prompted for the login name. Both the pre-login and post-login banners are entered with the line command, which supports from 1 to 24 lines of text. The banners can be modified using the following commands:

    G350-002(super)# show banner login
    Welcome to G350 Media Gateway
    FW version 24.17.0
    G350-002(super)# banner login
    G350-002<super-login># line 5 G250_001
    Done!
    G350-002<super-login># line 5 Unauthorized access is prohibited
    Done!
    G350-002<super-login># exit
    G350-002(super)# show banner login
    G250_001
    Unauthorized access is prohibited
    G350-002(super)#

The post-login banner displays after the user has logged in successfully:

    G350-002(super)# show banner post-login
    G350-002(super)# banner post-login
    G350-002<super-login># line 5 G250_001
    Done!
    G350-002<super-login># line 5 Unauthorized access is prohibited
    Done!
    G350-002<super-login># exit

Network Client/Server applications


12. Show Protocol

Use the show protocol command to display the status of a specific management protocol, or of all protocols, on the G250/G350. The G250 does not support a web interface, and the HTTP protocol is disabled by default on the G250. SSHv2 is the supported SSH protocol version.

    G350-002(super)# show protocol
    Protocols            Status
    -------------------  ------
    SSH-SERVER           ON
    TELNET-CLIENT        OFF
    TELENT-SERVER        ON
    SNMPv1-SERVER        ON
    SNMPv3-SERVER        ON
    HTTP-SERVER          ON
    RECOVERY-PASSWORD    ON
    DHCP-SERVER          OFF
    TFTP-SERVER          OFF
    DNS-CLIENT           ON

    Non-administrative protocols
    ----------------------------
    FTP-CLIENT
    TFTP-CLIENT
    SCP-CLIENT
    G350-002(super)#

    G250-001(super)# show protocol
    Protocols            Status
    -------------------  ------
    SSH-SERVER           ON
    TELNET-CLIENT        OFF
    TELENT-SERVER        OFF
    SNMPv1-SERVER        ON
    SNMPv3-SERVER        ON
    HTTP-SERVER          ON
    RECOVERY-PASSWORD    ON
    DHCP-SERVER          ON
    TFTP-SERVER          ON
    DNS-CLIENT           ON

    Non-administrative protocols
    ----------------------------
    FTP-CLIENT
    TFTP-CLIENT
    SCP-CLIENT
    G250-001(super)#

13. Enable/Disable Services

Use the no form of a command to disable the corresponding service (for example, no ip http):

    G350-002(super)# ip http
    Done!
    G350-002(super)# ip telnet
    Done!
    G350-002(super)# ip telnet-client
    This command can be called only from console port

Note: The Telnet client on the G250/G350 is disabled by default and can only be enabled when connected via the local console port. The G250/G350 internal Telnet server supports up to 5 incoming concurrent sessions. The internal Telnet client supports up to 6 outgoing concurrent sessions: one outgoing Telnet session for each incoming Telnet session, plus one for the console port.

Other services:

    ICMP redirects:     [no] ip redirect (under the interface context)
    SNMP:               [no] ip snmp (global command; disables SNMPv1 and SNMPv3 together)
    SNMPv1 only:        no snmp-server community (removes the community strings and leaves SNMPv3 enabled)
    FTP client:         cannot be disabled; block outgoing TCP port 21 with an egress ACL on interface loopback instead
    Recovery password:  set terminal recovery password enable | disable


14. Client / Server Network Tools

    Telnet Client              Disabled by default (requires console access to enable)
    Telnet Server              Enabled by default
    HTTP Server                Enabled by default on the G350 (not supported on the G250)
    SNMPv1 and SNMPv3 Agent    Enabled by default (Read, Read-Write, Trap)


15. Default Listen Ports

The output below is the result of an NMAP TCP and UDP port scan of the G350. Please see Appendix C for additional information on open ports in the G250/G350 gateways.

[root@scsradius ~]# nmap -sT 135.148.208.78

Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2005-09-14 16:40 EDT
Interesting ports on 135.148.208.78:
(The 1660 ports scanned but not shown below are in state: closed)
PORT   STATE SERVICE
22/tcp open  ssh
23/tcp open  telnet
80/tcp open  http
MAC Address: 00:04:0D:29:CA:6D (Avaya)

Nmap finished: 1 IP address (1 host up) scanned in 33.360 seconds

[admin@scsradius ~]$ nmap -sU 135.148.208.78

Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2005-09-14 16:40 EDT
Interesting ports on 135.148.208.78:
(The 1477 ports scanned but not shown below are in state: closed)
PORT    STATE         SERVICE
161/udp open|filtered snmp
MAC Address: 00:04:0D:29:CA:6D (Avaya)

Nmap finished: 1 IP address (1 host up) scanned in 137.319 seconds
[admin@scsradius ~]$

Note that nmap reports a UDP port as open|filtered when its probe drew neither a reply nor an ICMP port unreachable message. That state only shows the port is not demonstrably closed; a protocol-specific probe (an SNMP GET, for instance) is needed to confirm that the agent is actually answering.


16. SSH/SCP/SNMPv3

SSH, SCP and SNMPv3 are supported on the G250/G350. SSHv2, SNMPv1 and SNMPv3 can be globally enabled and disabled. The community strings for SNMPv1 can be disabled.

G350-002(super)# show snmp
Authentication trap disabled

Community-Access    Community-String
----------------    ----------------
read-only           ******
read-write          ******

SNMPv3 Notification Status
--------------------------
Traps:   enabled
Informs: enabled
Retries: 3
Timeout: 3 seconds

SNMP-Rec-Address  Model  Level   Notification  Trap/Inform  User name
----------------  -----  ------  ------------  -----------  ---------
192.168.1.30      v1     noauth  all           trap         ReadCommN
UDP port: 162  DM

The SCP client is enabled by default and cannot be disabled. HTTP is not supported on the G250 and is disabled there. The HTTP server is enabled by default on the G350 and can be disabled.

The SSH server can be enabled/disabled with the ip ssh command and the no ip ssh command.

G350-002(super)# clear ssh-client ?
Clear ssh-client commands:
---------------------------------------------------------------------------
clear ssh-client known-hosts    clears the ssh known-host file content. Used to unlock
                                man-in-the-middle attack prevention mechanism and allow
                                scp server authentication after scp server public key change

Because the SCP client will accept whatever host key the server presents on the first connection after the file is cleared, verify the new server key out of band before clearing the file, rather than clearing it reflexively whenever a copy fails with a host key mismatch.


SNMP / Syslog Configuration


17. SNMP Defaults

G350-002(super)# show snmp
Authentication trap disabled

Community-Access    Community-String
----------------    ----------------
read-only           *****
read-write          *****

SNMPv3 Notifications Status
---------------------------
Traps:   Enabled
Informs: Enabled
Retries: 3
Timeout: 3 seconds

SNMP-Rec-Address  Model  Level   Notification  Trap/Inform  User name
----------------  -----  ------  ------------  -----------  ---------
0.0.0.0           v1     noauth  all           trap         ReadCommN
UDP port: 162  DM
G350-002(super)#

G350-002(super)# set snmp ?
Set snmp commands:
---------------------------------------------------------------------------
set snmp community    Set SNMP community string
set snmp retries      Set The SNMP Retries Number
set snmp timeout      Set The SNMP Timeout
set snmp trap         Set snmp trap, use 'set snmp trap help' for more info
G350-002(super)#

G350-002(super)# set snmp community ?
Set snmp community commands:
---------------------------------------------------------------------------
Usage: set snmp community <access_type> [community string]
       (access_type = read-only | read-write )


G350-???(super)# no snmp ?
No snmp commands:
---------------------------------------------------------------------------
no snmp community              Disable SNMPv1 service (community based)
no snmp dynamic-trap-manager   Toggles off notification type filters from dynamic trap manager instance
no snmp engineID               Set the SNMPv3 engineID to default
no snmp group                  Delete SNMPv3 group (vacm mib)
no snmp host                   Remove SNMP notification (trap or inform) receiver or filters
no snmp notifications          Disable sending SNMPv3 notification (trap and inform)
no snmp remote-user            Delete SNMPv3 remote user (usm and vacm mib)
no snmp user                   Delete SNMPv3 user (usm and vacm mib)
no snmp view                   Delete SNMPv3 view (vacm mib)

G350-???(super)# show snmp ?
Show snmp commands:
---------------------------------------------------------------------------
Usage: show snmp
show snmp engineID       Show SNMPv3 engineID
show snmp group          Show SNMPv3 groups
show snmp retries        Show SNMP Retries Number
show snmp timeout        Show SNMP Timeout
show snmp user           Show SNMPv3 users
show snmp userToGroup    Show the mapping table between SNMPv3 users and groups
show snmp view           Shows SNMPv3 views
G350-002(super)#

G350-002(super)# show snmp view

View Name        Subtree Oid                               Subtree Mask  View Type  Storage Type  Status
---------------  ----------------------------------------  ------------  ---------  ------------  ------
iso              1                                                       include    nonVolatile   active
restricted       1.3.6.1.2.1.1                                           include    nonVolatile   active
restricted       1.3.6.1.2.1.11                                          include    nonVolatile   active
restricted       1.3.6.1.6.3.10.2.1                                      include    nonVolatile   active
restricted       1.3.6.1.6.3.11.2.1                                      include    nonVolatile   active
restricted       1.3.6.1.6.3.15.1.1                                      include    nonVolatile   active
snmpv1View       1                                                       include    nonVolatile   active
snmpv1View       1.3.6.1.6                                               exclude    nonVolatile   active
snmpv1View       1.3.6.1.6.3.1                                           include    nonVolatile   active
snmpv1View       1.3.6.1.6.3.12                                          include    nonVolatile   active
snmpv1View       1.3.6.1.6.3.13                                          include    nonVolatile   active
v3configView     1                                                       include    nonVolatile   active
v3configView     1.3.6.1.6                                               exclude    nonVolatile   active
v3configView     1.3.6.1.6.3.10.2.1                                      include    nonVolatile   active
v3configView     1.3.6.1.6.3.11.2.1                                      include    nonVolatile   active
v3configView     1.3.6.1.6.3.15.1.1                                      include    nonVolatile   active
v3configView     1.3.6.1.6.3.15.1.2.2.1.7                                include    nonVolatile   active
v3configView     1.3.6.1.6.3.15.1.2.2.1.10                               include    nonVolatile   active
v3configView     1.3.6.1.4.1.1751.2.53.1.2.1.3.0.2         ff:fa         exclude    nonVolatile   active
v3configView     1.3.6.1.4.1.1751.2.53.1.2.1.3.0.5         ff:fa         exclude    nonVolatile   active
snmpv1WriteView  1                                                       include    nonVolatile   active
snmpv1WriteView  1.3.6.1.6                                               exclude    nonVolatile   active
snmpv1WriteView  1.3.6.1.6.3.1                                           include    nonVolatile   active
snmpv1WriteView  1.3.6.1.6.3.12                                          include    nonVolatile   active
snmpv1WriteView  1.3.6.1.6.3.13                                          include    nonVolatile   active
snmpv1WriteView  1.3.6.1.6.3.18                                          include    nonVolatile   active

G350-002(super)# show snmp group

Group Name    Security Model  Security Level  Read View        Write View       Notify View      Status
------------  --------------  --------------  ---------------  ---------------  ---------------  ------
initial       v3              noauth          restricted       restricted       restricted       active
ReadCommG     v1              noauth          snmpv1View                        snmpv1View       active
ReadCommG     v2c             noauth          snmpv1View                        snmpv1View       active
WriteCommG    v1              noauth          snmpv1WriteView  snmpv1WriteView  snmpv1WriteView  active
WriteCommG    v2c             noauth          snmpv1WriteView  snmpv1WriteView  snmpv1WriteView  active
v3ReadOnlyG   v3              auth            v3configView                      v3configView     active
v3AdminViewG  v3              priv            iso              iso              iso              active
v3ReadWriteG  v3              auth            v3configView     v3configView     v3configView     active
G350-002(super)#
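The views and groups above decide what each community string or SNMPv3 user can actually reach, and reading them by hand is error-prone: VACM (RFC 3415) resolves overlapping include/exclude families by taking the matching family with the longest subtree, and mask bits mark sub-identifiers that are wildcards (the ff:fa masks above wildcard the 14th sub-identifier, the 0 in ...1.3.0.2, which is presumably a row index, so each exclusion covers every row of that column). The following Python is an added example, not Avaya code; the view contents are transcribed from the show snmp view output above, and the column names for usmUserEntry.7 and .10 (usmUserOwnAuthKeyChange, usmUserOwnPrivKeyChange) are taken from RFC 3414. It answers questions such as whether the SNMPv1 read-write community (WriteCommG via snmpv1WriteView) can reach SNMP-COMMUNITY-MIB (1.3.6.1.6.3.18) or the USM and VACM tables, and whether a v3ReadWriteG user can change only its own keys.

```python
"""VACM view evaluation (RFC 3415, vacmViewTreeFamilyTable) for the views printed
by 'show snmp view' above. Added example, not Avaya code."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

OID = Tuple[int, ...]


@dataclass(frozen=True)
class ViewEntry:
    subtree: OID
    include: bool
    mask: bytes = b""      # empty mask = all ones: every sub-identifier must match


def oid(text: str) -> OID:
    return tuple(int(x) for x in text.strip(".").split("."))


def entry(subtree: str, include: bool, mask: str = "") -> ViewEntry:
    return ViewEntry(oid(subtree), include, bytes.fromhex(mask.replace(":", "")))


def mask_bit(mask: bytes, i: int) -> bool:
    """Mask bit for sub-identifier i (0-based); bits beyond the mask length are 1."""
    octet, bit = divmod(i, 8)
    return True if octet >= len(mask) else bool(mask[octet] & (0x80 >> bit))


def family_matches(e: ViewEntry, target: OID) -> bool:
    """The target is in the family if it is at least as long as the subtree and every
    sub-identifier under a 1 bit in the mask is equal; 0 bits are wildcards."""
    if len(target) < len(e.subtree):
        return False
    return all(not mask_bit(e.mask, i) or target[i] == sub for i, sub in enumerate(e.subtree))


def in_view(view: List[ViewEntry], target: str) -> bool:
    """RFC 3415 4.1: among matching families the longest subtree wins, ties go to the
    lexicographically greatest subtree, and that family's include/exclude decides."""
    t = oid(target)
    hits = [e for e in view if family_matches(e, t)]
    if not hits:
        return False
    return max(hits, key=lambda e: (len(e.subtree), e.subtree)).include


# Views as printed by 'show snmp view' on the G350 above (transcribed, not invented).
VIEWS: Dict[str, List[ViewEntry]] = {
    "restricted": [entry("1.3.6.1.2.1.1", True), entry("1.3.6.1.2.1.11", True),
                   entry("1.3.6.1.6.3.10.2.1", True), entry("1.3.6.1.6.3.11.2.1", True),
                   entry("1.3.6.1.6.3.15.1.1", True)],
    "snmpv1WriteView": [entry("1", True), entry("1.3.6.1.6", False),
                        entry("1.3.6.1.6.3.1", True), entry("1.3.6.1.6.3.12", True),
                        entry("1.3.6.1.6.3.13", True), entry("1.3.6.1.6.3.18", True)],
    "v3configView": [entry("1", True), entry("1.3.6.1.6", False),
                     entry("1.3.6.1.6.3.10.2.1", True), entry("1.3.6.1.6.3.11.2.1", True),
                     entry("1.3.6.1.6.3.15.1.1", True),
                     entry("1.3.6.1.6.3.15.1.2.2.1.7", True),    # usmUserOwnAuthKeyChange
                     entry("1.3.6.1.6.3.15.1.2.2.1.10", True),   # usmUserOwnPrivKeyChange
                     entry("1.3.6.1.4.1.1751.2.53.1.2.1.3.0.2", False, "ff:fa"),
                     entry("1.3.6.1.4.1.1751.2.53.1.2.1.3.0.5", False, "ff:fa")],
}


def reachable(view_name: str, targets: List[str]) -> Dict[str, bool]:
    """Which of the given instance OIDs the named view exposes."""
    return {t: in_view(VIEWS[view_name], t) for t in targets}


if __name__ == "__main__":
    probes = ["1.3.6.1.2.1.1.1.0",            # sysDescr.0
              "1.3.6.1.6.3.18.1.1.1.2.1",     # snmpCommunityMIB row (community string table)
              "1.3.6.1.6.3.16.1.1.0",         # snmpVacmMIB
              "1.3.6.1.6.3.15.1.2.2.1.7.1",   # usmUserOwnAuthKeyChange, some user
              "1.3.6.1.6.3.15.1.2.2.1.9.1",   # usmUserPrivKeyChange, some user
              "1.3.6.1.4.1.1751.2.53.1.2.1.3.9.2"]  # masked exclusion, row 9
    for name in VIEWS:
        print(name, reachable(name, probes))
```

Any OID that resolves to True under snmpv1WriteView is writable by anyone holding the read-write community string, with no authentication beyond that string; that is the reason the no snmp community option described in section 13 matters once SNMPv3 users are in place.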


18. Syslog / SNMP Output

* When trying to log in via Telnet using invalid credentials:

JAN 5 09:12:32 192.168.1.70 lntUnAuthAccessEvent[SECURITY-Warning: Unauthorized Access from IP address = 192.168.1.100, User = root, Protocol = 23<000>

[hex dump of the 101-byte trap frame]

Frame Length: 101 bytes
Community: public
OID: .1.3.6.1.4.1.6889.1.45.103.2
Address: 192.168.1.70
sysUpTime: 0 days, 09:52:41
Generic: 6 - Enterprise Specific
Specific: 68
OID: .1.3.6.1.4.1.81.38.14.3   ASN1 Type: Octet String 0x04 (4)   Value: root
OID: .1.3.6.1.4.1.81.38.14.4   ASN1 Type: IP Address 0x40 (64)    Value: 192.168.1.100
OID: .1.3.6.1.4.1.81.38.14.5   ASN1 Type: Integer32 0x02 (2)      Value: 23

* When trying to log in via HTTP using invalid credentials:

JAN 5 15:52:22 192.168.1.70 lntUnAuthAccessEvent[SECURITY-Warning: Unauthorized Access from IP address = 127.1.1.127, User = root, Protocol = 80<000>

[hex dump of the 101-byte trap frame]

Frame Length: 101 bytes
Community: public
OID: .1.3.6.1.4.1.6889.1.45.103.2
Address: 192.168.1.70
sysUpTime: 0 days, 09:50:36
Generic: 6 - Enterprise Specific
Specific: 68
OID: .1.3.6.1.4.1.81.38.14.3   ASN1 Type: Octet String 0x04 (4)   Value: root
OID: .1.3.6.1.4.1.81.38.14.4   ASN1 Type: IP Address 0x40 (64)    Value: 127.1.1.127
OID: .1.3.6.1.4.1.81.38.14.5   ASN1 Type: Integer32 0x02 (2)      Value: 80

In order to receive syslog messages for SNMP requests that use a wrong community string, the following command has to be entered:

set logging server condition security notification x.x.x.x   (x.x.x.x = IP address of the syslog server)

G350-002(super)# show logging server condition
******************************************************
*** Message logging configuration of SYSLOG sink ***
Sink Is Disabled
Sink default severity: Warning
Server name: 192.168.1.100
Server facility: local7
Server access level: read-write
G350-002(super)#

* When trying to query the SNMP agent using an incorrect community string:

JAN 13 12:46:27
01-13-2004 12:46:26 Local7.Notice 192.168.1.70 192.168.1.70 authenticFailure[SECURITY-Notification: AuthenticationFailure<000>

0000  30 2D 02 01 00 04 06 70 75 62 6C 69 63 A4 20 06   0-.....public. .
0010  0B 2B 06 01 04 01 B5 69 01 2D 67 02 40 04 C0 A8   .+.....i.-g.@...
0020  01 46 02 01 04 02 01 00 43 03 00 AE 55 30 00      .F......C...U0.

Frame Length: 47 bytes
Community: public
OID: .1.3.6.1.4.1.6889.1.45.103.2
Address: 192.168.1.70
sysUpTime: 0 days, 00:07:26
Generic: 4 - Authentication Failure
Specific: 0

* There are two different trap notifications: the standard Authentication Failure trap, which is sent on a bad SNMPv1 community string, and the Avaya proprietary trap lntUnAuthAccessEvent. The lntUnAuthAccessEvent trap is controlled per trap receiver.

G350-002(super)# show snmp ?
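The 47-byte frame above is a complete SNMPv1 Trap-PDU (RFC 1157) in BER, and the decoded fields printed under it can be reproduced from the raw bytes. The following Python is an added example, not Avaya code: it decodes that frame (the bytes are exactly those in the capture above; the two 101-byte lntUnAuthAccessEvent frames would decode the same way, with their three varbinds populated) and classifies the two syslog message formats shown in this section, which is the shape of the parsing a syslog collector or trap receiver needs before it can alert on repeated failed logins or community-string guessing against the gateway.

```python
"""Decode the SNMPv1 authenticationFailure trap captured above (RFC 1157 Trap-PDU,
BER encoded) and classify the two syslog formats in this section. Added example,
not Avaya code; the frame bytes are the 47 bytes from the capture above."""
import re
from typing import Any, Dict, List, Tuple

AUTH_FAILURE_TRAP = bytes.fromhex(
    "302d020100"                   # SEQUENCE(45) { INTEGER version 0 = SNMPv1
    "04067075626c6963"             #   OCTET STRING community "public"
    "a420"                         #   [4] Trap-PDU (32 bytes)
    "060b2b06010401b569012d6702"   #     OID enterprise 1.3.6.1.4.1.6889.1.45.103.2
    "4004c0a80146"                 #     IpAddress agent-addr 192.168.1.70
    "020104"                       #     INTEGER generic-trap 4 = authenticationFailure
    "020100"                       #     INTEGER specific-trap 0
    "430300ae55"                   #     TimeTicks 44629 = 0 days, 00:07:26
    "3000"                         #     SEQUENCE varbinds, empty }
)

GENERIC_TRAP = {0: "coldStart", 1: "warmStart", 2: "linkDown", 3: "linkUp",
                4: "authenticationFailure", 5: "egpNeighborLoss", 6: "enterpriseSpecific"}


def read_tlv(buf: bytes, pos: int = 0) -> Tuple[int, bytes, int]:
    """Return (tag, contents, position after the element); short and long-form lengths."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated BER element")
    return tag, buf[pos:pos + length], pos + length


def decode_oid(contents: bytes) -> str:
    subids, acc = [contents[0] // 40, contents[0] % 40], 0
    for b in contents[1:]:                              # base-128, high bit = continuation
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            subids.append(acc)
            acc = 0
    return ".".join(map(str, subids))


def decode_value(tag: int, contents: bytes) -> Any:
    if tag in (0x02, 0x41, 0x42, 0x43):                 # INTEGER, Counter32, Gauge32, TimeTicks
        return int.from_bytes(contents, "big", signed=(tag == 0x02))
    if tag == 0x40:                                     # IpAddress
        return ".".join(str(b) for b in contents)
    if tag == 0x06:
        return decode_oid(contents)
    return contents.decode("ascii", "replace") if tag == 0x04 else contents


def decode_varbinds(contents: bytes) -> List[Tuple[str, Any]]:
    out, pos = [], 0
    while pos < len(contents):                          # SEQUENCE OF { OID, value }
        _, vb, pos = read_tlv(contents, pos)
        _, name, q = read_tlv(vb)
        vtag, val, _ = read_tlv(vb, q)
        out.append((decode_oid(name), decode_value(vtag, val)))
    return out


def format_ticks(ticks: int) -> str:
    days, rem = divmod(ticks // 100, 86400)             # TimeTicks are hundredths of a second
    h, rem = divmod(rem, 3600)
    m, s = divmod(rem, 60)
    return f"{days} days, {h:02}:{m:02}:{s:02}"


def decode_v1_trap(frame: bytes) -> Dict[str, Any]:
    tag, msg, _ = read_tlv(frame)
    if tag != 0x30:
        raise ValueError("SNMP message is not a SEQUENCE")
    _, version, pos = read_tlv(msg)
    if decode_value(0x02, version) != 0:
        raise ValueError("not SNMPv1")
    _, community, pos = read_tlv(msg, pos)
    tag, pdu, _ = read_tlv(msg, pos)
    if tag != 0xA4:
        raise ValueError("not a Trap-PDU")
    fields, pos = [], 0
    for _ in range(6):       # enterprise, agent-addr, generic-trap, specific-trap, time-stamp, varbinds
        ftag, contents, pos = read_tlv(pdu, pos)
        fields.append((ftag, contents))
    (_, ent), (_, addr), (_, gen), (_, spec), (_, ticks), (_, vbs) = fields
    generic, uptime = decode_value(0x02, gen), decode_value(0x43, ticks)
    return {"community": community.decode("ascii", "replace"), "enterprise": decode_oid(ent),
            "agent_addr": decode_value(0x40, addr), "generic_trap": generic,
            "generic_name": GENERIC_TRAP.get(generic, "unknown"),
            "specific_trap": decode_value(0x02, spec), "uptime_ticks": uptime,
            "uptime": format_ticks(uptime), "varbinds": decode_varbinds(vbs)}


# The two syslog formats shown above: Avaya's lntUnAuthAccessEvent (failed Telnet/HTTP
# login, with source, user and port) and the standard authenticationFailure (bad community).
UNAUTH = re.compile(r"lntUnAuthAccessEvent\[SECURITY-Warning: Unauthorized Access from "
                    r"IP address = (?P<src>[\d.]+), User = (?P<user>[^,]+), Protocol = (?P<port>\d+)")
AUTHFAIL = re.compile(r"authenticFailure\[SECURITY-Notification: AuthenticationFailure")


def classify_syslog(line: str) -> Dict[str, Any]:
    m = UNAUTH.search(line)
    if m:
        return {"event": "lntUnAuthAccessEvent", "src": m["src"],
                "user": m["user"].strip(), "port": int(m["port"])}
    if AUTHFAIL.search(line):
        return {"event": "authenticationFailure"}
    return {"event": None}


if __name__ == "__main__":
    print(decode_v1_trap(AUTH_FAILURE_TRAP))
    print(classify_syslog("JAN 5 09:12:32 192.168.1.70 lntUnAuthAccessEvent[SECURITY-Warning: "
                          "Unauthorized Access from IP address = 192.168.1.100, User = root, Protocol = 23<000>"))
```

Note that the trap itself is sent with the community string public, so the trap receiver sees the community in clear text on the wire; the syslog path enabled with set logging server condition security notification gives the same events without exposing a community string.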


19. Allowed Managers

There is no equivalent on the G250/G350 to the G700 set allowed managers command. However, it is possible to define an access control list on the loopback interface that permits only certain IP addresses to communicate with the G250/G350 itself. This ACL is applied to traffic arriving on all G250/G350 interfaces.

20. Policy Based Routing Overview

Policy-based routing allows you to configure a routing scheme based on the traffic's source IP address, destination IP address, IP protocol, and other characteristics. You can use policy-based routing (PBR) lists to determine the routing of packets that match the rules defined in the list. Each PBR list includes a set of rules, and each rule includes a next hop list. Each next hop list contains up to 20 next hop destinations to which the G250/G350 sends packets that match the rule. A destination can be either an IP address or an interface.

Policy-based routing takes place only when the packet enters an interface, not when it leaves. It takes place after the packet has been processed by the ingress access control list. Thus, the PBR list evaluates the packet after the packet's DSCP field has been modified by the ingress QoS list.

The most common application for policy-based routing is to provide separate routing of voice and data traffic. It can also be used to provide backup routes for defined traffic types. For more information please see the Administration for the G250 and G350 Gateways user documentation on the support.avaya.com web site.

21. VPN Applications

A VPN (Virtual Private Network) provides a private, secure connection between two nodes on a public network such as the Internet. A VPN at the IP level is deployed using IPSec. IPSec (IP Security) is a standards-based set of protocols defined by the IETF that provide privacy, integrity, and authenticity to information transferred across IP networks.

The standard key exchange method employed by IPSec uses the IKE (Internet Key Exchange) protocol to exchange key information between the two nodes (called peers). Each peer maintains SAs (security associations) to maintain the private secure connection. IKE operates in two phases: the Phase-1 exchange negotiates an IKE SA. The IKE SA created in Phase-1 secures the subsequent Phase-2 exchanges, which in turn generate IPSec SAs. IPSec SAs secure the actual traffic between the protected networks behind the peers, while the IKE SA only secures the key exchanges that generate the IPSec SAs between the peers.

The G250/G350 IPSec VPN feature is designed to support site-to-site topologies, in which the two peers are gateways. For additional information on the VPN features of the G250 and G350 gateways, please see the VPN application note titled G350 and G250 R3.0 IPsec VPN. The application note is located on support.avaya.com: select User Guides in the right hand column of the main support page, then Download by Product Name, click on the letter G and choose either G250 or G350. On the product page click View All Documents in the left hand column, scroll down the page and select the following application note.

Application & Technical Notes : English - U.S.
Date: Jul-05
Title: Application Note: G350 and G250 R3.0 IPSec VPN
Doc ID:

***END***


Appendix A  Feature Matrix by Release

Release  Security Features
-------  -----------------
CM2.1    Policy based routing (PBR)
         SNMPv3
         SSH and SCP
         Sniffer application: capture of all packets that go in/out of the G350/G250 gateway CPU interface
CM2.2    IPsec VPN
         FIPS 140-2 for G350
         Enforcement of a minimum password length of 8 characters
         User account lockout after a number of failed login attempts (login authentication [lockout <time> | attempt <count>])
         Audit of login requests to Syslog
         PBNAC 802.1x support
CM3.0    VPN enhancements
         FIPS 140-2 for G250
         Open ports plugging (shutting unintended or unnecessary TCP/UDP ports)


Appendix B  FIPS 140-2 Overview

The Federal Information Processing Standard 140-2 (FIPS 140-2) describes the US Federal government requirements that IT products should meet for Sensitive but Unclassified (SBU) use. The standard was published by the National Institute of Standards and Technology (NIST) and has been adopted by the Canadian government's Communications Security Establishment (CSE).

The G250, G250-BRI, and G350 are Level 1 compliant, multi-chip stand-alone cryptographic modules in commercial grade metal cases. When operating in FIPS compliant mode the modules provide:
* VPN, Voice over Internet Protocol (VoIP) media gateway services, Ethernet switching, IP routing, and data security for IP traffic
* Status output via LEDs and logs available through the module's management interface
* Network interfaces for data input and output
* A console port

The cryptographic boundary includes all of the components within the physical enclosure of the branch gateway chassis, without any expansion modules. The media modules for voice and wide area connectivity supported in the G350/G250 do not execute any crypto processing, so they can be installed in the gateway without invalidating the FIPS 140-2 requisites. This does not apply to the S8300 module.

Additional information on G350 FIPS compliance can be obtained from the NIST site (http://csrc.nist.gov/cryptval/140-1/140sp/140sp519.pdf). The G350 certificate is available from http://csrc.nist.gov/cryptval/140-1/140crt/140crt519.pdf. The G250 is now in the final stage of compliance evaluation and its security policy will be available within a few weeks.


Appendix C  Open ports on G350/G250/G700 products

The following IP protocols are supported by the gateways and should be reported by port scan tools.

Table 1  Input/output IP protocols

Protocol number  Protocol description                             Supported by Gateways   Notes (command that enables/disables the application)
---------------  -----------------------------------------------  ----------------------  -----------------------------------------------------
1                ICMP                                             All (G350/G250/G700)    Always on
6                TCP                                              All                     Always on
17               UDP                                              All                     Always on
47               GRE - Generic Routing Encapsulation (VPN-PPTP)   G350/G250               Always on
50               ESP - Encapsulating Security Payload             G350/G250               Enabled by VPN license installation. Disabled by default
89               OSPF - Open Shortest Path First                  G350/G250               [no] route ospf. Disabled by default
112              VRRP                                             G350/G250               [no] route vrrp. Disabled by default

For all other protocols the gateways respond with an ICMP protocol unreachable message.

The gateway listens on the following TCP or UDP ports:
Table 2  TCP and UDP listening ports

Port             Application description            Gateways     Behavior in CM 3.0                                         Behavior in G350 CM2.1 and CM2.2
---------------  ---------------------------------  -----------  ---------------------------------------------------------  --------------------------------------------
21/tcp           FTP server                         All          The FTP server normally keeps the port closed. The port    Same as in 3.0
                                                                 should be seen as open for a short window during
                                                                 announcement file transfer
22/tcp           SSH server                         G350, G250   [no] ip ssh            Default: enabled                    Always open
23/tcp           Telnet server                      All          [no] ip telnet         Default: enabled                    Always open
67/udp           DHCP/BOOTP relay                   G350, G250   [no] ip bootp-dhcp     Default: disabled                   Always open
68/udp           DHCP server                        G350, G250   [no] ip dhcp-server    Default: disabled                   Always open in CM2.2; not supported in CM2.1
69/udp           TFTP server                        G350, G250   [no] ip tftp-server    Default: disabled                   Always open in CM2.2; not supported in CM2.1
80/tcp           HTTP server                        G700, G350   [no] ip http           Default: enabled                    Always open
161/udp          SNMP                               All          [no] ip snmp           Default: enabled                    Always open
500/udp          isakmp (IKE)                       G350, G250   Enabled by license installation:                           Always open in CM2.2; not supported in CM2.1
                                                                 copy [tftp|scp|ftp] license-file. Default: disabled
520/udp          RIP-2 routing protocol             G350, G250   Default: disabled                                          Always open
1030/udp         ???? (unidentified)                All          Seems to be a dynamic port; the application that opens
                                                                 it could not be determined (in other scans it was
                                                                 1031/udp)
1039/tcp         Secure H.248 protocol for SLS      All          set survivable-call-engine [disable | enable]              Not supported
                                                                 Default: disabled
1718/udp         Unicast gatekeeper discovery       G250         set survivable-call-engine [disable | enable]              Not supported
                 (H.225.0 RAS)                                   Default: disabled
1719/udp         Registration (H.225.0 RAS)         G250         set survivable-call-engine [disable | enable]              Not supported
                                                                 Default: disabled
1720/tcp         Call setup (H.225.0 call           G250         set survivable-call-engine [disable | enable]              Not supported
                 signaling)                                      Default: disabled
1812/udp         RADIUS client                      All          set radius authentication  Default: disabled               Always open
2020/udp         VoIP engine statistics             All          Always closed                                              Always open
2050/udp         Avaya EMB config port              All          Uncontrolled, always open (*)                              Same as in CM3.0
2070/udp         NAT-T                              G350, G250   Enabled by license installation:                           Always open in CM2.2; not supported in CM2.1
                                                                 copy [tftp|scp|ftp] license-file. Default: disabled
2945/tcp         Unencrypted H.248 port of SLS      G250         set survivable-call-engine [disable | enable]              Not supported
                                                                 Default: disabled
4500/udp         IPsec NAT traversal (NAT-T)        G350, G250   Enabled by license installation:                           Always open in CM2.2; not supported in CM2.1
                                                                 copy [tftp|scp|ftp] license-file. Default: disabled
5012/tcp         CHIA port                          All          Always closed                                              Always open in CM2.2; not supported in CM2.1
5050/tcp         SerialNum                          All          Always open on emb-vlan. [no] ip license-server;           Same in CM2.2; not supported in CM2.1
                                                                 default: closed on the external interface. Always open
                                                                 (uncontrolled) on the G700
2048-65534/udp   RTP traffic                        All          Dynamically opened for active RTP sessions                 Open for short periods of time
50002/udp        CNA test plug control port         G350, G250   [no] cna-testplug-services  Default: disabled              Not supported
50003/udp        CNA test plug echo port            G350, G250   [no] cna-testplug-services  Default: disabled              Not supported

(*) Will be closed in CM3.1.

For all other UDP ports the gateways respond with an ICMP port unreachable message. For all other TCP ports the gateways respond with a TCP packet with the RST flag set.
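The scan in section 15 and Table 2 above are the two halves of a useful routine check: scan the gateway, then compare what answered against what the table says should be listening for the gateway's model and configuration. The following Python is an added example, not Avaya tooling; the expected port sets and the controlling commands are transcribed from Table 2, the first scan text is the nmap output from section 15, and the second scan is constructed here to show a gateway whose TFTP server, SLS call engine and license server were left enabled.

```python
"""Audit an nmap scan of a G250/G350 against the listening ports documented in
Appendix C. Added example, not Avaya tooling."""
import re
from typing import Dict, Set, Tuple

Port = Tuple[int, str]   # (number, "tcp" | "udp")

# Open by default on a gateway with the factory service configuration (CM 3.0):
# SSH, Telnet and SNMP on both models; the HTTP server exists on the G350 only.
EXPECTED_OPEN: Dict[str, Set[Port]] = {
    "G350": {(22, "tcp"), (23, "tcp"), (80, "tcp"), (161, "udp")},
    "G250": {(22, "tcp"), (23, "tcp"), (161, "udp")},
}
# Ports that Table 2 lists as closed by default, with the command or action that opens them.
CONTROLLED: Dict[Port, str] = {
    (67, "udp"): "[no] ip bootp-dhcp", (68, "udp"): "[no] ip dhcp-server",
    (69, "udp"): "[no] ip tftp-server", (80, "tcp"): "[no] ip http (G350 and G700 only)",
    (500, "udp"): "VPN license file (isakmp)", (520, "udp"): "RIP-2 routing",
    (1039, "tcp"): "set survivable-call-engine", (1718, "udp"): "set survivable-call-engine",
    (1719, "udp"): "set survivable-call-engine", (1720, "tcp"): "set survivable-call-engine",
    (1812, "udp"): "set radius authentication", (2070, "udp"): "VPN license file (NAT-T)",
    (2945, "tcp"): "set survivable-call-engine", (4500, "udp"): "VPN license file (NAT traversal)",
    (5050, "tcp"): "[no] ip license-server", (50002, "udp"): "[no] cna-testplug-services",
    (50003, "udp"): "[no] cna-testplug-services",
}
# Transient or uncontrolled listeners the table explains: FTP during announcement transfer,
# the unidentified 1030/1031 udp, the EMB config port (open until CM3.1), and RTP.
TRANSIENT: Set[Port] = {(21, "tcp"), (1030, "udp"), (1031, "udp"), (2050, "udp")}
RTP_UDP = range(2048, 65535)

PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(open(?:\|filtered)?)\s+\S+", re.M)


def parse_nmap(output: str) -> Dict[Port, str]:
    """(port, proto) -> state for every open or open|filtered port in nmap's normal output."""
    return {(int(n), proto): state for n, proto, state in PORT_LINE.findall(output)}


def audit(model: str, scan: Dict[Port, str]) -> Dict[str, object]:
    expected = EXPECTED_OPEN[model]
    unexpected: Dict[Port, str] = {}
    transient: Set[Port] = set()
    for p in set(scan) - expected:
        if p in CONTROLLED:
            unexpected[p] = CONTROLLED[p]          # documented service: find out why it is enabled
        elif p in TRANSIENT or (p[1] == "udp" and p[0] in RTP_UDP):
            transient.add(p)                       # explained by Table 2; rescan to confirm
        else:
            unexpected[p] = "not in Appendix C"    # undocumented listener: investigate
    # nmap marks UDP open|filtered when neither a reply nor an ICMP port unreachable came back;
    # that is not proof the service answers, so confirm with a real probe (an SNMP GET for 161).
    unconfirmed = {p for p, st in scan.items() if st == "open|filtered"}
    return {"unexpected": unexpected, "transient": transient,
            "unconfirmed": unconfirmed, "missing": expected - set(scan)}


# The TCP and UDP port lines from the section 15 scan of the G350, as nmap printed them.
SECTION_15_SCAN = """\
PORT    STATE SERVICE
22/tcp  open  ssh
23/tcp  open  telnet
80/tcp  open  http
PORT    STATE         SERVICE
161/udp open|filtered snmp
"""
# Constructed result (not from this paper) for a gateway whose TFTP server, SLS call
# engine and license server were left enabled.
HARDENING_GAP_SCAN = SECTION_15_SCAN + """\
69/udp   open  tftp
1039/tcp open  unknown
5050/tcp open  unknown
"""

if __name__ == "__main__":
    print("baseline G350:", audit("G350", parse_nmap(SECTION_15_SCAN)))
    print("hardening gap:", audit("G350", parse_nmap(HARDENING_GAP_SCAN)))
    print("same scan as G250:", audit("G250", parse_nmap(SECTION_15_SCAN)))
```

Keep EXPECTED_OPEN aligned with what has deliberately been enabled on each gateway (a site that uses the DHCP server, for example, moves 68/udp from CONTROLLED to expected), otherwise the report degrades into noise that nobody reads.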
