Avaya Media gateway g250 Quick reference guide

may be registered in certain jurisdictions. All trademarks identified by ® and ™ are registered

trademarks or trademarks respectively, of Avaya Inc. All other registered trademarks or trademarks

are property of their respective owners.

Avaya G350 Media

Gateway Security

Features Overview

TECHNICAL WHITE PAPER

Avaya G250 and G350 Media Gateway Security Features Overview

Version: 1 Date: November 17, 2005

CID: 115343 Author: Avaya Technology and Consulting

IP Telephony Practice

Abstract:

The Avaya G250 and G350 Media Gateway Security Features Overview CID 115343 supersede

the earlier Avaya G350 Media Gateways Security Features Overview CID: 102411. This

document follows the same template of questions as the earlier aforementioned document and

the sister document Avaya G700 Media Gateway Security Features Overview (CID: 102412).

The Avaya G250 and G350 Media Gateways as show below provide a variety of features which

can be used to enhance security. The goal of this white paper is to summarize the general product

documentation and focus on those features.

G350 Firmware Revision - FW: 24.17.0

may be registered in certain jurisdictions. All trademarks identified by ® and ™ are registered

trademarks or trademarks respectively, of Avaya Inc. All other registered trademarks or trademarks

are property of their respective owners.

Avaya G250/G350

Media Gateway

Security Features

Overview

G250 Firmware Revision - FW: 24.17.0

may be registered in certain jurisdictions. All trademarks identified by ® and ™ are registered

trademarks or trademarks respectively, of Avaya Inc. All other registered trademarks or trademarks

are property of their respective owners.

Avaya G350 Media

Gateway Security

Features Overview

Table of Contents

(Click on link to view more detailed information)

Access Control Lists / Denial of Service (DOS) Protection/ SYN Protection

1. Access Control List’s

2. Denial of Service

3. SYN Protection Feature

Auditing Transactions / Administration

4. CLI Command Auditing (via Syslog)

5. Show Currently Logged on Administrators

Authentication Credentials / RADIUS/PBNAC 802.1x

6. Default User Accounts

7. Username/Password Characteristics

8. RADIUS Switch Administrator Authentication

9. Enable/Disable PBNAC 802.1x

CLI Inactivity Timeout and Pre/Post Login Banners

10. Idle Timeout

11. Banners

Network Client/Server applications

12. Show Protocol

13. Enable/Disable Network Services

14. Client / Server Network Tools

15. Default Listening Ports (UDP/TCP)

16. SSH/SCP/HTTPS/SNMPv3 Support

SNMP / Syslog Configuration

17. SNMP Defaults

18. Syslog / SNMP Output

19. Allowed Managers

may be registered in certain jurisdictions. All trademarks identified by ® and ™ are registered

trademarks or trademarks respectively, of Avaya Inc. All other registered trademarks or trademarks

are property of their respective owners.

Avaya G250/G350

Media Gateway

Security Features

Overview

PBR and VPN Overview

20. Policy Based Routing

21. VPN Application Support

Appendixes

(A) Feature Matrix

(B) FIP’s Overview

may be registered in certain jurisdictions. All trademarks identified by ® and ™ are registered

trademarks or trademarks respectively, of Avaya Inc. All other registered trademarks or trademarks

are property of their respective owners.

Avaya G350 Media

Gateway Security

Features Overview

Access Control Lists / Denial of Service (DOS) Protection

1. Access Control Lists

The G250/G350 supports Access Control Lists (ACL’s) which provide fine

grained control over ingress/egress protocols. In addition, the following

capabilities exist:

The Ability to Restrict:

— ip-fragments-in — applies to incoming packets that contain IP fragments

— ip-fragments-out — applies to outgoing packets that contain IP fragments

— ip-options-in — applies to incoming packets that contain IP options

— ip-options-out — applies to outgoing packets that contain IP options

You can configure policy rules to match packets based on one or more of the

following for ingress and egress:

• Source IP address, or a range of addresses

• Destination IP address or a range of addresses

• IP protocol, such as TCP, UDP, ICMP, IGMP

• Source TCP or UDP port or a range of ports

• Destination TCP or UDP port or a range of ports

• ICMP type and code

Use IP wildcards to specify a range of source or destination IP addresses.

The zero bits in the wildcard correspond to bits in the IP address that

remain fixed. The one bits in the wildcard correspond to bits in the IP

address that can vary. Note that this is the opposite of how bits are used in

a subnet mask.

For access control lists, you can require the packet to be part of an

established TCP session. If the packet is a request for a new TCP session,

the packet does not match the rule. You can also specify whether an

access control list accepts packets that have an IP option field.

may be registered in certain jurisdictions. All trademarks identified by ® and ™ are registered

trademarks or trademarks respectively, of Avaya Inc. All other registered trademarks or trademarks

are property of their respective owners.

Avaya G250/G350

Media Gateway

Security Features

Overview

The following table lists the pre-configured entries in the composite

operation table for rules in an access control list:

NOTE:

You cannot configure additional composite operations for access control

lists, since all possible composite operations are pre-configured.

Each column represents the following:

• No — a number identifying the operation

• Name — a name identifying the operation. Use this to attach the operation

to a rule.

• Access — determines whether the operation forwards (forward) or drops

(deny) the packet

• Notify — determines whether the operation causes a trap when it drops a

packet

• Reset Connection — determines whether the operation causes a connection

reset

To verify access control lists and QoS lists, you can view the configuration

of the lists. You can also test the effect of the lists on simulated IP

packets. Use the ip simulate command in the context of an interface to test a

policy list. The command tests the effect of the policy list on a simulated

IP packet in the interface. You must specify the number of a policy list, the

direction of the packet (in or out), and a source and destination IP address.

You may also specify other parameters.

The following command simulates the effect of applying QoS list number 401 to

a packet entering the

G350 through interface VLAN 2:

G350-001(if:Vlan 2)# ip simulate 401 in CoS1 dscp46 10.1.1.1 10.2.2.2

tcp 1182 20

It is possible to define an access control list on the loopback interface of

the G350 in which only certain IPs will be allowed to communicate to the

G350. This ACL will be applied on all the G350’s interfaces. For example

this feature can be used to limit access via telnet to a specific list of IP

addresses.

Return to Table of Contents

may be registered in certain jurisdictions. All trademarks identified by ® and ™ are registered

trademarks or trademarks respectively, of Avaya Inc. All other registered trademarks or trademarks

are property of their respective owners.

Avaya G250/G350

Media Gateway

Security Features

Overview

2. DOS

Use the icmp in-echo-limit command to set the maximum number of echo requests

that can be received in one second. Use the no form of the command to set the

limit to its default value. Possible values are [1 – 10000].

G350-002(super)# icmp in-echo-limit ?

Icmp in-echo-limit commands:

---------------------------------------------------------------------------

Syntax : icmp in-echo-limit <size>.

Example: icmp in-echo-limit 100.

G350-002(super)#

3. SYN Protection

The G250/G350 provides various TCP/IP services and is therefore exposed to a

myriad of TCP/IP based DoS attacks. DoS (Denial of Service) attacks refers

to a wide range of malicious attacks that can cause a denial of one or more

services provided by a targeted host. Specifically, a SYN attack is a

well-known TCP/IP attack in which a malicious attacker targets a vulnerable

device and effectively denies it from establishing new TCP connections.

SYN cookies refers to a well-known method of protection against a SYN attack.

Use the tcp syn-cookies command to enable the tcp syn-cookies defense

mechanism against SYN attacks. Use the show version of this command to

display the SYN cookies statistics. The no version of this command disables

the tcp syn-cookies defense mechanism against SYN attacks. Use the clear

version of this command to clear the SYN cookie counters.

G350-002(super)# tcp syn-cookies

To enable the tcp syn-cookies, copy the running configuration to the start-up

configuration file and reset the device.

G350-002(super)#

When the SYN cookies feature is enabled, the G250/G350 alerts the

administrator to a suspected SYN attack as it occurs by sending the following

syslog message:

SYN attack suspected! Number of unanswered SYN requests is greater

than 20 in last 10 seconds.

G350-002(super)# no tcp syn-cookies

To disable the tcp syn-cookies, copy the running configuration to the start-

up configuration file and reset the device.

G350-002(super)#

G350-002(super)# clear tcp syn-cookies counters

done!

G350-002(super)#

may be registered in certain jurisdictions. All trademarks identified by ® and ™ are registered

trademarks or trademarks respectively, of Avaya Inc. All other registered trademarks or trademarks

are property of their respective owners.

Avaya G250/G350

Media Gateway

Security Features

Overview

G350-002(super)# show tcp syn-cookies

Status: Enabled

Statistics:

SYN recd:

Connections established

Local Address Remote Address State Last

------------------ ------------------ ------------ ------

192.168.1.254 192.168.1.32 Established 4

G350-002(super)#

Return to Table of Contents

may be registered in certain jurisdictions. All trademarks identified by ® and ™ are registered

trademarks or trademarks respectively, of Avaya Inc. All other registered trademarks or trademarks

are property of their respective owners.

Avaya G250/G350

Media Gateway

Security Features

Overview

Auditing Transactions / Administration

4. CLI Command Auditing (via Syslog)

Config change related SNMP traps will be sent if "config" trap is enabled. It

is enabled by default when typing "set snmp trap enable all". Additionally,

traps can be sent to a log file, console session, telnet session and stored

on the Gateway.

Relevant logs can also be sent to a syslog server by enabling a log server

through the CLI:

set logging server x.x.x.x

set logging server x.x.x.x enable

set logging server condition CLI Notification x.x.x.x

The above example will log to the syslog server x.x.x.x every event from the

CLI application with severity "Notification" and above. Other applications

are also available.

Examples:

01-13-2004 13:27:23 Local7.Notice 192.168.1.70 JAN 13 13:27:26 192.168.1.70 Cli

Command[CLI-Notification: root: session mgc<000>

01-13-2004 13:26:50 Local7.Notice 192.168.1.70 JAN 13 13:26:53 192.168.1.70

CliCommand[CLI-Notification: root: set mediaserver 192.168.1.20 192.168.1.70 5023

sat<000>

01-13-2004 13:26:22 Local7.Notice 192.168.1.70 JAN 13 13:26:25 192.168.1.70

CliCommand[CLI-Notification: root: set mediaserver 192.168.1.70 192.168.1.30 5023

sat<000>

01-13-2004 13:22:26 Local7.Notice 192.168.1.70 JAN 13 13:22:29 192.168.1.70

CliCommand[CLI-Notification: root: copy running-config startup-config <000>

01-13-2004 13:18:55 Local7.Notice 192.168.1.70 JAN 13 13:18:58 192.168.1.70

CliCommand[CLI-Notification: root: dir<000>

01-13-2004 13:18:36 Local7.Notice 192.168.1.70 JAN 13 13:18:38 192.168.1.70

CliCommand[CLI-Notification: root: telnet 192.168.1.1<000>

01-13-2004 13:17:48 Local7.Notice 192.168.1.70 JAN 13 13:17:50 192.168.1.70

CliCommand[CLI-Notification: root: traceroute 131.94.57.51<000>

01-13-2004 13:17:18 Local7.Notice 192.168.1.70 JAN 13 13:17:20 192.168.1.70

CliCommand[CLI-Notification: root: hostname G350<000>

01-13-2004 13:15:44 Local7.Notice 192.168.1.70 JAN 13 13:15:46 192.168.1.70

CliCommand[CLI-Notification: root: ping 192.168.1.1<000>

01-13-2004 13:15:19 Local7.Notice 192.168.1.70 JAN 13 13:15:21 192.168.1.70

CliCommand[CLI-Notification: root: set logging server condition CLI Notification

192.168.1.100<000>

may be registered in certain jurisdictions. All trademarks identified by ® and ™ are registered

trademarks or trademarks respectively, of Avaya Inc. All other registered trademarks or trademarks

are property of their respective owners.

Avaya G250/G350

Media Gateway

Security Features

Overview

01-13-2004 13:28:55 Local7.Notice 192.168.1.70 JAN 13 13:28:58 192.168.1.70

CliCommand[CLI-Notification: root: exit<000>

01-13-2004 13:30:29 Local7.Notice 192.168.1.70 JAN 13 13:30:32 192.168.1.70

CliCommand[CLI-Notification: georgia: exit<000>

01-13-2004 13:30:24 Local7.Notice 192.168.1.70 JAN 13 13:30:27 192.168.1.70

CliCommand[CLI-Notification: georgia: session mgc<000>

The Set logging server facility followed by the name of the output facility

and IP address of the Syslog server to the following list of possible

facilities set logging server facility. A total of 3 syslog servers can be

configured.

The following example defines a FTP Deamon as the output facility for Syslog

reports generated by the Syslog server with an IP address of 168.12.1.15.

The G350 and G250 have user logging enabled by default from the factory.

Set logging server facility ftpd 168.12.1.15

The available types are listed below:

auth (Authorization)

deamon (Background System Process)

clkd (clock Deamon)

clkd2 (Clock Deamon)

mail (Electronic Mail)

local0-local7 (For Local Use)

ftpd (FTP Deamon)

kern (Kernel)

alert (Log Alert)

audi (Log Audit)

ntp (NTP sub)

lpr (Printing)

sec (Security)

syslog (System Logging)

uucp (Unix-to-Unix Copy Program)

news (Usenet news)

user (User Process)

Use the show logging server condition command followed by the IP address of the Syslog

server. If you do not specify an IP address, the command displays the status of all

Syslog servers defined for the G250/G350. This command displays whether the server is

enable or disable and lists all filters defined on the server.

Return to Table of Contents

Other manuals for Media Gateway G250

This manual suits for next models

Table of contents

Other Avaya Gateway manuals

Avaya

Avaya G450 Manager Instruction sheet

Avaya

Avaya CMC1 User manual

Avaya

Avaya G700 Quick start guide

Avaya

Avaya Media Gateway G250 User manual

Avaya

Avaya Advanced Gateway 2330 User manual

Avaya

Avaya Media Gateway G250 Installation guide

Avaya

Avaya G450 Manager User manual

Avaya

Avaya MCC1 User manual

Avaya

Avaya MCC1 Quick start guide

Avaya

Avaya W310 User manual

Avaya

Avaya Media Gateway G250 Instruction Manual

Avaya

Avaya G450 Manager Instruction Manual

Avaya

Avaya G650 Instruction Manual

Avaya

Avaya Media Gateway G350 Instruction Manual

Avaya

Avaya Media Gateway G350 User manual

Avaya

Avaya G250 Series User manual

Avaya

Avaya QuesCom 400 Supplement

Avaya

Avaya G450 Manager User manual

Avaya

Avaya Advanced Gateway 2330 User manual

Avaya

Avaya G650 Instruction Manual

Avaya

Avaya Advanced Gateway 2330 User manual

Avaya

Avaya G700 Instruction Manual

Avaya

Avaya G450 Manager Operating and maintenance manual

Avaya

Avaya G430 Quick start guide

Popular Gateway manuals by other brands

Telecom FM

Telecom FM onestream gfx Programming guide

UfiSpace

UfiSpace LoRa GPE810U Quick setup guide

Merak

Merak MMk-736F Quick setup guide

Robustel

Robustel R3010 user guide

turck

turck BL20-PG-EN-V3 user manual

IBM

IBM Security Web Gateway Appliance quick start guide

SSS Siedle

SSS Siedle Smart Gateway Commissioning instructions

ADTRAN

ADTRAN 424RG Installation

Chorus

Chorus Hyperfibre XGS-250WX-A user guide

Dragino

Dragino G308 user manual

Data Domain

Data Domain DD690g Installation and setup guide

Raritan

Raritan Laptop Release notes

Haivision

Haivision Torpedo quick start guide

ATCOM

ATCOM AG-268 user manual

LST

LST M500RFE-AS Specification sheet

Vega

Vega VEGA BS-3 user manual

Kinnex

Kinnex Media Gateway quick start guide

2N Telekomunikace

2N Telekomunikace 2N StarGate user manual

Avaya Media Gateway G250 Quick reference guide

Popular Gateway manuals by other brands