Avaya Media Gateway G250 Quick reference guide
GPW/AMK ©2005 Avaya Inc. All Rights Reserved. Avaya and the Avaya logo are trademarks of Avaya Inc. and
may be registered in certain jurisdictions. All trademarks identified by ® and ™ are registered
trademarks or trademarks respectively, of Avaya Inc. All other registered trademarks or trademarks
are property of their respective owners.
Avaya G350 Media
Gateway Security
Features Overview
1
TECHNICAL WHITE PAPER
Avaya G250 and G350 Media Gateway Security Features Overview
Version: 1 Date: November 17, 2005
CID: 115343 Author: Avaya Technology and Consulting
IP Telephony Practice
Abstract:
The Avaya G250 and G350 Media Gateway Security Features Overview CID 115343 supersede
the earlier Avaya G350 Media Gateways Security Features Overview CID: 102411. This
document follows the same template of questions as the earlier aforementioned document and
the sister document Avaya G700 Media Gateway Security Features Overview (CID: 102412).
The Avaya G250 and G350 Media Gateways as show below provide a variety of features which
can be used to enhance security. The goal of this white paper is to summarize the general product
documentation and focus on those features.
G350 Firmware Revision - FW: 24.17.0
GPW/AMK ©2005 Avaya Inc. All Rights Reserved. Avaya and the Avaya logo are trademarks of Avaya Inc. and
may be registered in certain jurisdictions. All trademarks identified by ® and ™ are registered
trademarks or trademarks respectively, of Avaya Inc. All other registered trademarks or trademarks
are property of their respective owners.
Avaya G250/G350
Media Gateway
Security Features
Overview
2
G250 Firmware Revision - FW: 24.17.0
GPW/AMK ©2005 Avaya Inc. All Rights Reserved. Avaya and the Avaya logo are trademarks of Avaya Inc. and
may be registered in certain jurisdictions. All trademarks identified by ® and ™ are registered
trademarks or trademarks respectively, of Avaya Inc. All other registered trademarks or trademarks
are property of their respective owners.
Avaya G350 Media
Gateway Security
Features Overview
3
Table of Contents
(Click on link to view more detailed information)
Access Control Lists / Denial of Service (DOS) Protection/ SYN Protection
1. Access Control List’s
2. Denial of Service
3. SYN Protection Feature
Auditing Transactions / Administration
4. CLI Command Auditing (via Syslog)
5. Show Currently Logged on Administrators
Authentication Credentials / RADIUS/PBNAC 802.1x
6. Default User Accounts
7. Username/Password Characteristics
8. RADIUS Switch Administrator Authentication
9. Enable/Disable PBNAC 802.1x
CLI Inactivity Timeout and Pre/Post Login Banners
10. Idle Timeout
11. Banners
Network Client/Server applications
12. Show Protocol
13. Enable/Disable Network Services
14. Client / Server Network Tools
15. Default Listening Ports (UDP/TCP)
16. SSH/SCP/HTTPS/SNMPv3 Support
SNMP / Syslog Configuration
17. SNMP Defaults
18. Syslog / SNMP Output
19. Allowed Managers
GPW/AMK ©2005 Avaya Inc. All Rights Reserved. Avaya and the Avaya logo are trademarks of Avaya Inc. and
may be registered in certain jurisdictions. All trademarks identified by ® and ™ are registered
trademarks or trademarks respectively, of Avaya Inc. All other registered trademarks or trademarks
are property of their respective owners.
Avaya G250/G350
Media Gateway
Security Features
Overview
4
PBR and VPN Overview
20. Policy Based Routing
21. VPN Application Support
Appendixes
(A) Feature Matrix
(B) FIP’s Overview
(C) Open Ports List
GPW/AMK ©2005 Avaya Inc. All Rights Reserved. Avaya and the Avaya logo are trademarks of Avaya Inc. and
may be registered in certain jurisdictions. All trademarks identified by ® and ™ are registered
trademarks or trademarks respectively, of Avaya Inc. All other registered trademarks or trademarks
are property of their respective owners.
Avaya G350 Media
Gateway Security
Features Overview
5
Access Control Lists / Denial of Service (DOS) Protection
1. Access Control Lists
The G250/G350 supports Access Control Lists (ACL’s) which provide fine
grained control over ingress/egress protocols. In addition, the following
capabilities exist:
The Ability to Restrict:
— ip-fragments-in — applies to incoming packets that contain IP fragments
— ip-fragments-out — applies to outgoing packets that contain IP fragments
— ip-options-in — applies to incoming packets that contain IP options
— ip-options-out — applies to outgoing packets that contain IP options
You can configure policy rules to match packets based on one or more of the
following for ingress and egress:
• Source IP address, or a range of addresses
• Destination IP address or a range of addresses
• IP protocol, such as TCP, UDP, ICMP, IGMP
• Source TCP or UDP port or a range of ports
• Destination TCP or UDP port or a range of ports
• ICMP type and code
Use IP wildcards to specify a range of source or destination IP addresses.
The zero bits in the wildcard correspond to bits in the IP address that
remain fixed. The one bits in the wildcard correspond to bits in the IP
address that can vary. Note that this is the opposite of how bits are used in
a subnet mask.
For access control lists, you can require the packet to be part of an
established TCP session. If the packet is a request for a new TCP session,
the packet does not match the rule. You can also specify whether an
access control list accepts packets that have an IP option field.
GPW/AMK ©2005 Avaya Inc. All Rights Reserved. Avaya and the Avaya logo are trademarks of Avaya Inc. and
may be registered in certain jurisdictions. All trademarks identified by ® and ™ are registered
trademarks or trademarks respectively, of Avaya Inc. All other registered trademarks or trademarks
are property of their respective owners.
Avaya G250/G350
Media Gateway
Security Features
Overview
6
The following table lists the pre-configured entries in the composite
operation table for rules in an access control list:
NOTE:
You cannot configure additional composite operations for access control
lists, since all possible composite operations are pre-configured.
Each column represents the following:
• No — a number identifying the operation
• Name — a name identifying the operation. Use this to attach the operation
to a rule.
• Access — determines whether the operation forwards (forward) or drops
(deny) the packet
• Notify — determines whether the operation causes a trap when it drops a
packet
• Reset Connection — determines whether the operation causes a connection
reset
To verify access control lists and QoS lists, you can view the configuration
of the lists. You can also test the effect of the lists on simulated IP
packets. Use the ip simulate command in the context of an interface to test a
policy list. The command tests the effect of the policy list on a simulated
IP packet in the interface. You must specify the number of a policy list, the
direction of the packet (in or out), and a source and destination IP address.
You may also specify other parameters.
The following command simulates the effect of applying QoS list number 401 to
a packet entering the
G350 through interface VLAN 2:
G350-001(if:Vlan 2)# ip simulate 401 in CoS1 dscp46 10.1.1.1 10.2.2.2
tcp 1182 20
It is possible to define an access control list on the loopback interface of
the G350 in which only certain IPs will be allowed to communicate to the
G350. This ACL will be applied on all the G350’s interfaces. For example
this feature can be used to limit access via telnet to a specific list of IP
addresses.
Return to Table of Contents
GPW/AMK ©2005 Avaya Inc. All Rights Reserved. Avaya and the Avaya logo are trademarks of Avaya Inc. and
may be registered in certain jurisdictions. All trademarks identified by ® and ™ are registered
trademarks or trademarks respectively, of Avaya Inc. All other registered trademarks or trademarks
are property of their respective owners.
Avaya G250/G350
Media Gateway
Security Features
Overview
7
2. DOS
Use the icmp in-echo-limit command to set the maximum number of echo requests
that can be received in one second. Use the no form of the command to set the
limit to its default value. Possible values are [1 – 10000].
G350-002(super)# icmp in-echo-limit ?
Icmp in-echo-limit commands:
---------------------------------------------------------------------------
Syntax : icmp in-echo-limit <size>.
Example: icmp in-echo-limit 100.
G350-002(super)#
3. SYN Protection
The G250/G350 provides various TCP/IP services and is therefore exposed to a
myriad of TCP/IP based DoS attacks. DoS (Denial of Service) attacks refers
to a wide range of malicious attacks that can cause a denial of one or more
services provided by a targeted host. Specifically, a SYN attack is a
well-known TCP/IP attack in which a malicious attacker targets a vulnerable
device and effectively denies it from establishing new TCP connections.
SYN cookies refers to a well-known method of protection against a SYN attack.
Use the tcp syn-cookies command to enable the tcp syn-cookies defense
mechanism against SYN attacks. Use the show version of this command to
display the SYN cookies statistics. The no version of this command disables
the tcp syn-cookies defense mechanism against SYN attacks. Use the clear
version of this command to clear the SYN cookie counters.
G350-002(super)# tcp syn-cookies
To enable the tcp syn-cookies, copy the running configuration to the start-up
configuration file and reset the device.
G350-002(super)#
When the SYN cookies feature is enabled, the G250/G350 alerts the
administrator to a suspected SYN attack as it occurs by sending the following
syslog message:
SYN attack suspected! Number of unanswered SYN requests is greater
than 20 in last 10 seconds.
G350-002(super)# no tcp syn-cookies
To disable the tcp syn-cookies, copy the running configuration to the start-
up configuration file and reset the device.
G350-002(super)#
G350-002(super)# clear tcp syn-cookies counters
done!
G350-002(super)#
GPW/AMK ©2005 Avaya Inc. All Rights Reserved. Avaya and the Avaya logo are trademarks of Avaya Inc. and
may be registered in certain jurisdictions. All trademarks identified by ® and ™ are registered
trademarks or trademarks respectively, of Avaya Inc. All other registered trademarks or trademarks
are property of their respective owners.
Avaya G250/G350
Media Gateway
Security Features
Overview
8
G350-002(super)# show tcp syn-cookies
Status: Enabled
Statistics:
SYN recd:
Connections established
Local Address Remote Address State Last
------------------ ------------------ ------------ ------
192.168.1.254 192.168.1.32 Established 4
G350-002(super)#
Return to Table of Contents
GPW/AMK ©2005 Avaya Inc. All Rights Reserved. Avaya and the Avaya logo are trademarks of Avaya Inc. and
may be registered in certain jurisdictions. All trademarks identified by ® and ™ are registered
trademarks or trademarks respectively, of Avaya Inc. All other registered trademarks or trademarks
are property of their respective owners.
Avaya G250/G350
Media Gateway
Security Features
Overview
9
Auditing Transactions / Administration
4. CLI Command Auditing (via Syslog)
Config change related SNMP traps will be sent if "config" trap is enabled. It
is enabled by default when typing "set snmp trap enable all". Additionally,
traps can be sent to a log file, console session, telnet session and stored
on the Gateway.
Relevant logs can also be sent to a syslog server by enabling a log server
through the CLI:
set logging server x.x.x.x
set logging server x.x.x.x enable
set logging server condition CLI Notification x.x.x.x
The above example will log to the syslog server x.x.x.x every event from the
CLI application with severity "Notification" and above. Other applications
are also available.
Examples:
01-13-2004 13:27:23 Local7.Notice 192.168.1.70 JAN 13 13:27:26 192.168.1.70 Cli
Command[CLI-Notification: root: session mgc<000>
01-13-2004 13:26:50 Local7.Notice 192.168.1.70 JAN 13 13:26:53 192.168.1.70
CliCommand[CLI-Notification: root: set mediaserver 192.168.1.20 192.168.1.70 5023
sat<000>
01-13-2004 13:26:22 Local7.Notice 192.168.1.70 JAN 13 13:26:25 192.168.1.70
CliCommand[CLI-Notification: root: set mediaserver 192.168.1.70 192.168.1.30 5023
sat<000>
01-13-2004 13:22:26 Local7.Notice 192.168.1.70 JAN 13 13:22:29 192.168.1.70
CliCommand[CLI-Notification: root: copy running-config startup-config <000>
01-13-2004 13:18:55 Local7.Notice 192.168.1.70 JAN 13 13:18:58 192.168.1.70
CliCommand[CLI-Notification: root: dir<000>
01-13-2004 13:18:36 Local7.Notice 192.168.1.70 JAN 13 13:18:38 192.168.1.70
CliCommand[CLI-Notification: root: telnet 192.168.1.1<000>
01-13-2004 13:17:48 Local7.Notice 192.168.1.70 JAN 13 13:17:50 192.168.1.70
CliCommand[CLI-Notification: root: traceroute 131.94.57.51<000>
01-13-2004 13:17:18 Local7.Notice 192.168.1.70 JAN 13 13:17:20 192.168.1.70
CliCommand[CLI-Notification: root: hostname G350<000>
01-13-2004 13:15:44 Local7.Notice 192.168.1.70 JAN 13 13:15:46 192.168.1.70
CliCommand[CLI-Notification: root: ping 192.168.1.1<000>
01-13-2004 13:15:19 Local7.Notice 192.168.1.70 JAN 13 13:15:21 192.168.1.70
CliCommand[CLI-Notification: root: set logging server condition CLI Notification
192.168.1.100<000>
GPW/AMK ©2005 Avaya Inc. All Rights Reserved. Avaya and the Avaya logo are trademarks of Avaya Inc. and
may be registered in certain jurisdictions. All trademarks identified by ® and ™ are registered
trademarks or trademarks respectively, of Avaya Inc. All other registered trademarks or trademarks
are property of their respective owners.
Avaya G250/G350
Media Gateway
Security Features
Overview
10
01-13-2004 13:28:55 Local7.Notice 192.168.1.70 JAN 13 13:28:58 192.168.1.70
CliCommand[CLI-Notification: root: exit<000>
01-13-2004 13:30:29 Local7.Notice 192.168.1.70 JAN 13 13:30:32 192.168.1.70
CliCommand[CLI-Notification: georgia: exit<000>
01-13-2004 13:30:24 Local7.Notice 192.168.1.70 JAN 13 13:30:27 192.168.1.70
CliCommand[CLI-Notification: georgia: session mgc<000>
The Set logging server facility followed by the name of the output facility
and IP address of the Syslog server to the following list of possible
facilities set logging server facility. A total of 3 syslog servers can be
configured.
The following example defines a FTP Deamon as the output facility for Syslog
reports generated by the Syslog server with an IP address of 168.12.1.15.
The G350 and G250 have user logging enabled by default from the factory.
Set logging server facility ftpd 168.12.1.15
The available types are listed below:
auth (Authorization)
deamon (Background System Process)
clkd (clock Deamon)
clkd2 (Clock Deamon)
mail (Electronic Mail)
local0-local7 (For Local Use)
ftpd (FTP Deamon)
kern (Kernel)
alert (Log Alert)
audi (Log Audit)
ntp (NTP sub)
lpr (Printing)
sec (Security)
syslog (System Logging)
uucp (Unix-to-Unix Copy Program)
news (Usenet news)
user (User Process)
Use the show logging server condition command followed by the IP address of the Syslog
server. If you do not specify an IP address, the command displays the status of all
Syslog servers defined for the G250/G350. This command displays whether the server is
enable or disable and lists all filters defined on the server.
Return to Table of Contents
GPW/AMK ©2005 Avaya Inc. All Rights Reserved. Avaya and the Avaya logo are trademarks of Avaya Inc. and
may be registered in certain jurisdictions. All trademarks identified by ® and ™ are registered
trademarks or trademarks respectively, of Avaya Inc. All other registered trademarks or trademarks
are property of their respective owners.
Avaya G250/G350
Media Gateway
Security Features
Overview
11
5. Displaying Currently Logged on Administrators
With the G250/G350 gateways there are three primary ways to administer the
gateway, direct connect via the console, Telnet and secure shell (Ssh)
Telnet. To display the current users logged on to the G250/G350 via Ssh or
Telnet issue the following commands below:
Command: show ip ssh
Ssh Engine: Enable
Max Sessions: 2
Key Type: DSA , 768 bit
Listen Port: 22
Ciphers List: 3des-cbc
Session-Id Version Encryption User IP: Port
0 2 3des-cbc root 192.168.1.31:3528
Command: show ip telnet
Telnet Engine: Enable
Max Sessions: 5
Listen Port: 23
Session-Id User: IP: Port
0 root 192.168.1.32:1055
Return to Table of Contents
GPW/AMK ©2005 Avaya Inc. All Rights Reserved. Avaya and the Avaya logo are trademarks of Avaya Inc. and
may be registered in certain jurisdictions. All trademarks identified by ® and ™ are registered
trademarks or trademarks respectively, of Avaya Inc. All other registered trademarks or trademarks
are property of their respective owners.
Avaya G250/G350
Media Gateway
Security Features
Overview
12
Authentication Credentials / RADIUS
6. Usernames
By default there is only a single user account, named root, with password
root, which accesses the administrator level. You cannot delete this basic
user account, nor modify its access level. But you can modify its basic
password.
G350-002(super)# show username
User account password access-type
-------------------------------- -------------------------------- ---------
root ***** admin
G350-002(super)#
Return to Table of Contents
7. Username/Password Characteristics
•Username: minimum 4 characters, maximum 31 characters
•Password: minimum 8 characters, maximum 31 characters (all US
printable non white characters from keyboard are valid)
•There can be up to 3 password entry attempts at login before the
session is terminated
•Up to 10 unique “local” usernames can be configured on the G350
When you start to use Avaya G250/G350 Manager or the CLI, you must enter a
username. The username that you enter sets your privilege level. The commands
that are available to you during the session depend on your privilege level.
If you use RADIUS authentication, the RADIUS server sets your privilege
level. It is important to note that if the same username is defined locally
on the gateway and in RADIUS that the local username (ID) will take
precedence over username (ID) created on the RADIUS server.
•You can use Read-only privilege level to view configuration parameters.
•You can use Read-write privilege level to view and change all
configuration parameters except those related to security. For example,
you cannot change a password with Read-write privilege level.
•You can use Admin privilege level to view and change all configuration
parameters, including parameters related to security. Use Admin
privilege level only when you need to change configuration that is
GPW/AMK ©2005 Avaya Inc. All Rights Reserved. Avaya and the Avaya logo are trademarks of Avaya Inc. and
may be registered in certain jurisdictions. All trademarks identified by ® and ™ are registered
trademarks or trademarks respectively, of Avaya Inc. All other registered trademarks or trademarks
are property of their respective owners.
Avaya G250/G350
Media Gateway
Security Features
Overview
13
related to security, such as adding a new user accounts and setting the
device policy manager access source. An example of the source would be
issuing the no ip telnet command.
Username commands:
---------------------------------------------------------------------------
Usage: username <name> password <passwd> access-type {read-only|read-
write|admin}
•Does the ability exist to force a minimum length username and/or
password (other than default minimum of 4 characters username and 8
characters for password)? No. However, this can be accomplished by
using an external authentication database such as RADIUS.
•Does the configuration file include user account passwords or SNMP
Community Strings? The configuration file does not include SNMP
community strings and user/password data.
•Are there any “undocumented” usernames or SNMP community strings?
No. All "diag" accounts are in-accessible without first logging into
the G350 via a super-user account first. Backdoor password recovery
exists but can only be used via a direct connection to the console
port. It can also be disabled.
•Is there any way to enforce password aging on “local” accounts used
to administer the G350? No. However, this can be accomplished by
using an external authentication database such as RADIUS.
•Is there any way to enforce account "lock-out" after user inactivity
of that account – i.e. user has not logged in for 60 days? No.
However, this can be accomplished by using an external
authentication database such as RADIUS.
•Any way to enforce "lock-out" of accounts after excessive retries?
Yes in addition to a RADIUS external authentication which provides its
own set of options for lock-out, the following global command to set
login authentication lockout parameters for local administers.
G350-002<super>#login authentication lockout?
Login authentication lockout commands:
--------------------------------------------------------------------
Syntax : login authentication lockout <time> attempt <count?
<time> - integer <30..3600> seconds.
Interval of time account lockout is enforced.
0 –No timeout
<count> - integer <1..10>.
Successive number of failures before lockout
0- NO timeout
Example: login authentication lockout 360 attempt 5
The login authentication command supports the ability to enable local craft
user from services and a password
•Any way for the G350 to prevent simple/dictionary words from being
chosen as passwords? No. However, this can be accomplished by using
an external authentication database such as RADIUS.
GPW/AMK ©2005 Avaya Inc. All Rights Reserved. Avaya and the Avaya logo are trademarks of Avaya Inc. and
may be registered in certain jurisdictions. All trademarks identified by ® and ™ are registered
trademarks or trademarks respectively, of Avaya Inc. All other registered trademarks or trademarks
are property of their respective owners.
Avaya G250/G350
Media Gateway
Security Features
Overview
14
•Any way to age passwords? And if so, any way for the G350 to prevent
password reuse, and if so how many past passwords are stored? No.
However, this can be accomplished by using an external
authentication database such as RADIUS.
Return to Table of Contents
GPW/AMK ©2005 Avaya Inc. All Rights Reserved. Avaya and the Avaya logo are trademarks of Avaya Inc. and
may be registered in certain jurisdictions. All trademarks identified by ® and ™ are registered
trademarks or trademarks respectively, of Avaya Inc. All other registered trademarks or trademarks
are property of their respective owners.
Avaya G250/G350
Media Gateway
Security Features
Overview
15
8. RADIUS Switch Administrator Authentication
If your network has a RADIUS server, you can configure the Avaya G350 Media
Gateway to use RADIUS authentication. A RADIUS server provides centralized
authentication service for many devices on a network. When you use RADIUS
authentication, you do not need to configure usernames and passwords on the
G350. When logging into the G350/G250, the G350/G250 searches for your
username and password in its own database first. If it does not find them, it
activates RADIUS authentication.
G350-002(super)# show radius authentication
Mode: Enable
Primary-server: 192.168.1.205
Secondary-server: 172.16.1.205
Retry-number: 4
Retry-time: 5
UDP-port: 1645
shared-secret: *****
G350-002(super)#
The Avaya G250/G350 Media Gateway includes a security mechanism through which
the system administrator defines users and assigns each user and username and
a password. Each user is assigned a privilege level. The user’s privilege
level determines which commands the user can perform.
In addition to its basic security mechanism, the G250/G350 supports secure
data transfer via SSH and SCP.
The G250/G350 can be configured to work with an external RADIUS server to
provide user authentication. When RADIUS authentication is enabled on the
G250/G350, the RADIUS server operates in conjunction with the G250/G350
security mechanism. When the user enters a does not find the username in its
own database, it establishes a connection with the RADIUS server, and the
RADIUS server provides the necessary authentication services.
9. Enable/Disable PBNAC 802.1x
The G350 also uses the 802.1x protocol in conjunction with EAP within EAPOL
and over RADIUS to provide a means for authenticating and authorizing users
attached to a LAN port, and for preventing access to that port in cases where
the authentication process fails.
GPW/AMK ©2005 Avaya Inc. All Rights Reserved. Avaya and the Avaya logo are trademarks of Avaya Inc. and
may be registered in certain jurisdictions. All trademarks identified by ® and ™ are registered
trademarks or trademarks respectively, of Avaya Inc. All other registered trademarks or trademarks
are property of their respective owners.
Avaya G250/G350
Media Gateway
Security Features
Overview
16
Note: The 802.1x protocol is not supported on the G250 as of CM 3.0.
G350-002(super)# set port dot1x ?
Set port dot1x commands:
---------------------------------------------------------------------------
set port dot1x initialize Initialize port dot1x
set port dot1x max-req Sets per port the max-req, the maximal
number of times the port tries to
retransmit requests to the Authenticated
Station before the session is terminated
set port dot1x port-control Set dot1x control parameter per port
set port dot1x quiet-period Sets per port the 802.1x quiet period,
minimal idle time between authentication
attempts
set port dot1x re-authenticate Set the port to re-authenticate
set port dot1x re-authentication Set dot1x re-authentication mode per port
set port dot1x re-authperiod Sets per port the re-authentication
period, an idle time between re-
authentication attempts
set port dot1x server-timeout Sets per port the server-timeout - the
time for the port to wait for a reply
from the Authentication Server
set port dot1x supp-timeout Sets per port the supp-timeout, a time
for the port to wait for a reply from the
Authenticated Station
set port dot1x tx-period Sets per port the transmit period, a time
Interval between attempts to access the
authenticated Station
G350-002(super)# show port dot1x ?
Show port dot1x commands:
---------------------------------------------------------------------------
Syntax : show port dot1x [<mod/port>]
Example: show port dot1x 3/2
show port dot1x statistics Shows the port dot1x statistics.
G350-002(super)# clear dot1x ?
Clear dot1x commands:
---------------------------------------------------------------------------
clear dot1x config Resets the 802.1x configuration parameters
GPW/AMK ©2005 Avaya Inc. All Rights Reserved. Avaya and the Avaya logo are trademarks of Avaya Inc. and
may be registered in certain jurisdictions. All trademarks identified by ® and ™ are registered
trademarks or trademarks respectively, of Avaya Inc. All other registered trademarks or trademarks
are property of their respective owners.
Avaya G250/G350
Media Gateway
Security Features
Overview
17
Return to Table of Contents
GPW/AMK ©2005 Avaya Inc. All Rights Reserved. Avaya and the Avaya logo are trademarks of Avaya Inc. and
may be registered in certain jurisdictions. All trademarks identified by ® and ™ are registered
trademarks or trademarks respectively, of Avaya Inc. All other registered trademarks or trademarks
are property of their respective owners.
Avaya G250/G350
Media Gateway
Security Features
Overview
18
CLI Inactivity Timeout and Pre/Post Login Banners
10. Idle Timeout
Use the set logout command to set the number of minutes until the system
automatically disconnects an idle session. The default is 15 minutes.
Possible valued are [0 – 99]. Setting the value to 0 disables the
automatic disconnection of idle sessions.
G350-002(super)# show logout
CLI timeout is 15 minutes
Return to Table of Contents
11. Banners
The login banner displays before the user is prompted for the login name. The
banners can be modified using the following commands
G350-002(super)# show banner login
Welcome to G350 Media Gateway
FW version 24.17.0
G350-002(super)# banner login
G350-002<super-login># line 5 “ G250_001 “
Done!
G350-002<super-login># line 5 “ Unauthorized access is prohibited“
Done!
G350-002<super-login>#exit
G350-002(super)# show banner login
G250_001
Unauthorized access is prohibited
G350-002(super)#
The post-login banner displays after the user has logged in successfully.
G350-002(super)# show banner post-login
Both the pre/post banner login commands utilize the line command for banner
entry. The line command supports a range of from [1 – 24] lines of text.
G350-002(super)# banner post-login
G350-002<super-login># line 5 “ G250_001 “
Done!
G350-002<super-login># line 5 “ Unauthorized access is prohibited“
Done!
G350-002<super-login>#exit
Return to Table of Contents
GPW/AMK ©2005 Avaya Inc. All Rights Reserved. Avaya and the Avaya logo are trademarks of Avaya Inc. and
may be registered in certain jurisdictions. All trademarks identified by ® and ™ are registered
trademarks or trademarks respectively, of Avaya Inc. All other registered trademarks or trademarks
are property of their respective owners.
Avaya G250/G350
Media Gateway
Security Features
Overview
19
Network Client/Server applications
12. Show Protocol
Use the show protocol command to display the status of a specific
management protocol, or all protocols for the G250/G350. The G250 does
not support a WEB interface. The HTTP protocol is disabled by default on
the G250. SSHv2 is the supported Ssh protocol.
G350-002(super)# show protocol
Protocols Status
------------ --------
SSH-SERVER ON
TELNET-CLIENT OFF
TELENT-SERVER ON
SNMPv1-SERVER ON
SNMPv3-SERVER ON
HTTP-SERVER ON
RECOVERY-PASSWORD ON
DHCP-SERVER OFF
TFTP-SERVER OFF
DNS-CLIENT ON
Non-administrative protocols
--------------------------
FTP-CLIENT
TFTP-CLIENT
SCP-CLIENT
G250-001(super)# show protocol
Protocols Status
------------ --------
SSH-SERVER ON
TELNET-CLIENT OFF
TELENT-SERVER OFF
SNMPv1-SERVER ON
SNMPv3-SERVER ON
HTTP-SERVER ON
RECOVERY-PASSWORD ON
DHCP-SERVER ON
TFTP-SERVER ON
DNS-CLIENT ON
Non-administrative protocols
--------------------------
FTP-CLIENT
TFTP-CLIENT
SCP-CLIENT
G350-002(super)#
GPW/AMK ©2005 Avaya Inc. All Rights Reserved. Avaya and the Avaya logo are trademarks of Avaya Inc. and
may be registered in certain jurisdictions. All trademarks identified by ® and ™ are registered
trademarks or trademarks respectively, of Avaya Inc. All other registered trademarks or trademarks
are property of their respective owners.
Avaya G250/G350
Media Gateway
Security Features
Overview
20
Return to Table of Contents
13. Enable/Disable Services (use no form of command to disable: no ip
http)
G350-002(super)# ip http
Done!
G350-002(super)# ip telnet
Done!
G350-002(super)# ip telnet-client
This command can be called only from console port
•Note: The telnet-client on the G250/G350 is disabled by default and can
only be enabled when connected via the local console port.
•The G250/G350 internal Telnet server supports up to 5 incoming
concurrent sessions.
•The G250/G350 internal Telnet client supports up to 6 outgoing
concurrent sessions. One outgoing Telnet session for each incoming
Telnet session, and one for the console port
Toggle ICMP redirects by issuing the command: [no] ip redirect (under
interface context)
Toggle SNMP: [no] ip snmp disables SNMPv1 and SNMPv3 {global command}
Toggle FTP client: Not possible. But it is possible to block TCP 21 port in
outgoing ACL for interface loopback
Toggle recovery password: set terminal recovery password enable/disable
To disable only SNMPv1 use the no snmp server community command.
Return to Table of Contents
Other manuals for Media Gateway G250
13
This manual suits for next models
1
Table of contents
Other Avaya Gateway manuals
Avaya
Avaya SG5 User manual
Avaya
Avaya G860 User manual
Avaya
Avaya G700 Quick start guide
Avaya
Avaya G450 Manager Installation guide
Avaya
Avaya G430 User manual
Avaya
Avaya Media Gateway G250 Instruction Manual
Avaya
Avaya G450 Manager User manual
Avaya
Avaya G860 Manual
Avaya
Avaya G860 Wiring diagram
Avaya
Avaya Media Gateway G350 Instruction Manual
Avaya
Avaya G700 Installation guide
Avaya
Avaya G700 User manual
Avaya
Avaya G700 Quick start guide
Avaya
Avaya CMC1 Quick start guide
Avaya
Avaya G450 Manager Instruction sheet
Avaya
Avaya Residential Gateway-I User manual
Avaya
Avaya G700 Operating and safety instructions
Avaya
Avaya G450 Manager User manual
Avaya
Avaya G450 Manager User manual
Avaya
Avaya ClearOne Converge Pro VH20 Supplement
Popular Gateway manuals by other brands
AudioCodes
AudioCodes Mediant 600 user manual
Ericsson
Ericsson EDACS Data Advantage Series Installation and Maintenance
Seneca
Seneca Z-GW-MB user manual
Comelit
Comelit 1456 Technical manual
ZyXEL Communications
ZyXEL Communications P-661HNU-FX Support notes
Asyst Technologies
Asyst Technologies Advantag 9100 Technical manual