
TECHNICAL WHITE PAPER

Avaya G250 and G350 Media Gateway Security Features Overview

Version: 1 Date: November 17, 2005

CID: 115343 Author: Avaya Technology and Consulting


IP Telephony Practice

Abstract:

The Avaya G250 and G350 Media Gateway Security Features Overview (CID 115343) supersedes
the earlier Avaya G350 Media Gateway Security Features Overview (CID 102411). This
document follows the same template of questions as that earlier document and as the
sister document Avaya G700 Media Gateway Security Features Overview (CID 102412).

The Avaya G250 and G350 Media Gateways provide a variety of features that can be used to
enhance security. The goal of this white paper is to summarize the general product
documentation and focus on those features. The firmware revisions covered are listed below.

G350 Firmware Revision - FW: 24.17.0

GPW/AMK ©2005 Avaya Inc. All Rights Reserved. Avaya and the Avaya logo are trademarks of Avaya Inc. and
may be registered in certain jurisdictions. All trademarks identified by ® and ™ are registered
trademarks or trademarks respectively, of Avaya Inc. All other registered trademarks or trademarks
are property of their respective owners.

Avaya G350 Media Gateway Security Features Overview

G250 Firmware Revision - FW: 24.17.0


Table of Contents

Access Control Lists / Denial of Service (DoS) Protection / SYN Protection

1. Access Control Lists
2. Denial of Service
3. SYN Protection Feature

Auditing Transactions / Administration

4. CLI Command Auditing (via Syslog)
5. Show Currently Logged on Administrators

Authentication Credentials / RADIUS / PBNAC 802.1x

6. Default User Accounts
7. Username/Password Characteristics
8. RADIUS Switch Administrator Authentication
9. Enable/Disable PBNAC 802.1x

CLI Inactivity Timeout and Pre/Post Login Banners

10. Idle Timeout
11. Banners

Network Client/Server Applications

12. Show Protocol
13. Enable/Disable Network Services
14. Client / Server Network Tools
15. Default Listening Ports (UDP/TCP)
16. SSH/SCP/HTTPS/SNMPv3 Support

SNMP / Syslog Configuration

17. SNMP Defaults
18. Syslog / SNMP Output
19. Allowed Managers

PBR and VPN Overview

20. Policy Based Routing
21. VPN Application Support

Appendixes

(A) Feature Matrix
(B) FIPS Overview
(C) Open Ports List

Access Control Lists / Denial of Service (DoS) Protection
1. Access Control Lists

The G250/G350 supports Access Control Lists (ACLs), which provide fine-grained
control over ingress and egress traffic. In addition, the following
capabilities exist:

The ability to restrict:

— ip-fragments-in — applies to incoming packets that contain IP fragments
— ip-fragments-out — applies to outgoing packets that contain IP fragments
— ip-options-in — applies to incoming packets that contain IP options
— ip-options-out — applies to outgoing packets that contain IP options

You can configure policy rules to match packets based on one or more of the
following, for ingress and egress:

• Source IP address, or a range of addresses
• Destination IP address, or a range of addresses
• IP protocol, such as TCP, UDP, ICMP, IGMP
• Source TCP or UDP port, or a range of ports
• Destination TCP or UDP port, or a range of ports
• ICMP type and code

Use IP wildcards to specify a range of source or destination IP addresses.
The zero bits in the wildcard correspond to bits in the IP address that
remain fixed. The one bits in the wildcard correspond to bits in the IP
address that can vary. Note that this is the opposite of how bits are used in
a subnet mask: the wildcard for a /24 network (subnet mask 255.255.255.0) is
0.0.0.255.

For access control lists, you can require the packet to be part of an
established TCP session. If the packet is a request for a new TCP session,
the packet does not match the rule. You can also specify whether an
access control list accepts packets that have an IP option field.

The following table lists the pre-configured entries in the composite
operation table for rules in an access control list:

NOTE:
You cannot configure additional composite operations for access control
lists, since all possible composite operations are pre-configured.

Each column represents the following:

• No — a number identifying the operation
• Name — a name identifying the operation. Use this to attach the operation
  to a rule.
• Access — determines whether the operation forwards (forward) or drops
  (deny) the packet
• Notify — determines whether the operation causes a trap when it drops a
  packet
• Reset Connection — determines whether the operation causes a connection
  reset

To verify access control lists and QoS lists, you can view the configuration
of the lists. You can also test the effect of the lists on simulated IP
packets. Use the ip simulate command in the context of an interface to test a
policy list. The command tests the effect of the policy list on a simulated
IP packet in the interface. You must specify the number of a policy list, the
direction of the packet (in or out), and a source and destination IP address.
You may also specify other parameters.

The following command simulates the effect of applying QoS list number 401 to
a packet entering the G350 through interface VLAN 2:

G350-001(if:Vlan 2)# ip simulate 401 in CoS1 dscp46 10.1.1.1 10.2.2.2 tcp 1182 20

It is possible to define an access control list on the loopback interface of
the G350 in which only certain IPs are allowed to communicate with the
G350. This ACL is applied on all of the G350's interfaces. For example,
this feature can be used to limit Telnet access to a specific list of IP
addresses.
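The following Python is an added example and is not part of the Avaya documentation or of the gateway's software. It implements the wildcard-mask matching and the "established" rule described above, and evaluates constructed packets against a small management ACL in the spirit of ip simulate. The Rule and Packet fields, the first-match semantics, the default action and the sample list are assumptions made for illustration, not the gateway's own rule syntax.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Wildcard match as the gateway describes it: 0 bits in the wildcard must
    equal the base address, 1 bits may vary (the inverse of a subnet mask)."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    fixed = ~w & 0xFFFFFFFF
    return (a & fixed) == (b & fixed)


def subnet_mask_to_wildcard(mask: str) -> str:
    """255.255.255.0 -> 0.0.0.255"""
    m = int(ipaddress.IPv4Address(mask))
    return str(ipaddress.IPv4Address(~m & 0xFFFFFFFF))


@dataclass
class Packet:
    """A simulated packet (assumed shape, like the arguments to ip simulate)."""
    src: str
    dst: str
    proto: str                 # "tcp", "udp" or "icmp"
    sport: int = 0
    dport: int = 0
    syn_only: bool = False     # True for a new-connection request (SYN without ACK)


@dataclass
class Rule:
    """One ACL rule; unset fields match anything (assumed semantics)."""
    action: str                # "forward" or "deny"
    src: str = "0.0.0.0"
    src_wc: str = "255.255.255.255"
    dst: str = "0.0.0.0"
    dst_wc: str = "255.255.255.255"
    proto: Optional[str] = None
    dport: Optional[range] = None
    established: bool = False

    def matches(self, p: Packet) -> bool:
        if not wildcard_match(p.src, self.src, self.src_wc):
            return False
        if not wildcard_match(p.dst, self.dst, self.dst_wc):
            return False
        if self.proto and p.proto != self.proto:
            return False
        if self.dport is not None and p.dport not in self.dport:
            return False
        # "established": a request for a new TCP session never matches the rule
        if self.established and (p.proto != "tcp" or p.syn_only):
            return False
        return True


def evaluate(acl: List[Rule], p: Packet, default: str = "forward") -> str:
    """First matching rule wins; `default` applies when nothing matches (assumption)."""
    for rule in acl:
        if rule.matches(p):
            return rule.action
    return default


# Constructed loopback-style list: Telnet to the gateway only from the
# management subnet 10.1.1.0/24, replies on established TCP sessions allowed,
# any other new Telnet session denied.
MGMT_ACL = [
    Rule("forward", src="10.1.1.0", src_wc="0.0.0.255", proto="tcp", dport=range(23, 24)),
    Rule("forward", proto="tcp", established=True),
    Rule("deny", proto="tcp", dport=range(23, 24)),
]
```

Run evaluate(MGMT_ACL, Packet("10.1.1.5", "10.2.2.2", "tcp", 1182, 23, syn_only=True)) to see a permitted management connection, and change the source to an address outside 10.1.1.0/24 to see the deny rule take effect; because rule order matters, moving the deny rule to the top would also block the management subnet.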

2. Denial of Service (DoS)

Use the icmp in-echo-limit command to set the maximum number of ICMP echo
requests that can be received in one second. Use the no form of the command
to restore the default value. Possible values are [1 – 10000].

G350-002(super)# icmp in-echo-limit ?

Icmp in-echo-limit commands:
---------------------------------------------------------------------------
Syntax : icmp in-echo-limit <size>.
Example: icmp in-echo-limit 100.

G350-002(super)#

3. SYN Protection

The G250/G350 provides various TCP/IP services and is therefore exposed to
the many TCP/IP-based DoS attacks. DoS (Denial of Service) attacks refer to a
wide range of malicious attacks that deny one or more services provided by a
targeted host. Specifically, a SYN attack (SYN flood) is a well-known TCP/IP
attack in which an attacker floods a device with connection requests it
never completes, exhausting its table of half-open connections and
effectively preventing it from establishing new TCP connections. SYN cookies
are a well-known method of protection against a SYN attack: instead of
keeping state for each half-open connection, the server encodes that state
into its initial sequence number and reconstructs it only when the client's
final ACK arrives.

Use the tcp syn-cookies command to enable the TCP SYN cookies defense
mechanism against SYN attacks. Use the show version of this command to
display the SYN cookies statistics. The no version of this command disables
the TCP SYN cookies defense mechanism. Use the clear version of this command
to clear the SYN cookie counters. Note that enabling or disabling the feature
takes effect only after the running configuration is saved and the device is
reset, as the CLI itself reports:

G350-002(super)# tcp syn-cookies
To enable the tcp syn-cookies, copy the running configuration to the start-up
configuration file and reset the device.
G350-002(super)#

When the SYN cookies feature is enabled, the G250/G350 alerts the
administrator to a suspected SYN attack as it occurs by sending the following
syslog message:

SYN attack suspected! Number of unanswered SYN requests is greater
than 20 in last 10 seconds.

G350-002(super)# no tcp syn-cookies
To disable the tcp syn-cookies, copy the running configuration to the start-up
configuration file and reset the device.
G350-002(super)#

G350-002(super)# clear tcp syn-cookies counters
done!
G350-002(super)#

G350-002(super)# show tcp syn-cookies
Status: Enabled

Statistics:
SYN recd:
Connections established

Local Address      Remote Address     State        Last
------------------ ------------------ ------------ ------
192.168.1.254      192.168.1.32       Established  4
G350-002(super)#
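The following Python is an added example and is not the gateway's implementation, which Avaya does not publish. It shows the SYN cookie technique itself (a keyed hash over the connection 4-tuple and a coarse time counter packed into the server's initial sequence number, verified from the client's final ACK) alongside a monitor that reproduces the alert rule quoted above: more than 20 unanswered SYN requests in 10 seconds. The 5/3/24-bit layout, the MSS table, the per-boot secret and the 64-second slot size are assumptions taken from the classic design, not values from the firmware.

```python
import hashlib
import hmac
from typing import Dict, Optional, Tuple

# Assumption: a per-boot secret; a real stack draws this from a CSPRNG at startup.
COOKIE_SECRET = b"constructed-demo-secret-rotate-per-boot"
# Classic layout: 5 bits of a 64-second counter, 3 bits of MSS index, 24 bits of
# keyed hash, so the server keeps no per-SYN state at all.
MSS_TABLE = (536, 1024, 1440, 1460)
SLOT_SECONDS = 64
MAX_AGE_SLOTS = 2          # an ACK for a cookie older than ~2 minutes is refused

FourTuple = Tuple[str, int, str, int]   # (client ip, client port, server ip, server port)


def _keyed_hash(conn: FourTuple, slot: int) -> int:
    """24-bit HMAC over the connection 4-tuple and the time slot."""
    msg = "{}:{}>{}:{}|{}".format(*conn, slot).encode()
    digest = hmac.new(COOKIE_SECRET, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:3], "big")


def make_syn_cookie(conn: FourTuple, client_isn: int, client_mss: int, now: float) -> int:
    """Server ISN to place in the SYN-ACK; encodes time, MSS and a hash of the peer."""
    slot = int(now // SLOT_SECONDS) & 0x1F
    mss_idx = 0
    for i, mss in enumerate(MSS_TABLE):
        if mss <= client_mss:
            mss_idx = i                       # largest table entry not above the offered MSS
    h = _keyed_hash(conn, slot)
    return (slot << 27) | (mss_idx << 24) | ((h + client_isn) & 0xFFFFFF)


def check_syn_cookie(conn: FourTuple, client_isn: int, ack: int, now: float) -> Optional[int]:
    """Validate the final ACK of the handshake. Returns the negotiated MSS, or None
    if the cookie is forged, stale, or was issued for a different peer."""
    cookie = (ack - 1) & 0xFFFFFFFF
    slot = cookie >> 27
    age = (int(now // SLOT_SECONDS) - slot) & 0x1F
    if age > MAX_AGE_SLOTS:
        return None
    if (cookie - client_isn) & 0xFFFFFF != _keyed_hash(conn, slot):
        return None
    return MSS_TABLE[(cookie >> 24) & 0x7]


class SynMonitor:
    """Reproduces the gateway's alert rule: more than `limit` unanswered SYNs in `window` s."""

    def __init__(self, limit: int = 20, window: float = 10.0):
        self.limit, self.window = limit, window
        self.pending: Dict[FourTuple, float] = {}   # SYNs still waiting for the final ACK

    def on_syn(self, conn: FourTuple, now: float) -> bool:
        self.pending[conn] = now
        return self.suspected(now)

    def on_ack(self, conn: FourTuple) -> None:
        self.pending.pop(conn, None)            # handshake completed: no longer unanswered

    def suspected(self, now: float) -> bool:
        self.pending = {c: t for c, t in self.pending.items() if now - t <= self.window}
        return len(self.pending) > self.limit
```

The point the gateway's "save and reset" requirement hints at is visible here: a cookie is only meaningful while the secret and the counter that produced it are in force, so the feature cannot be toggled in the middle of live handshakes. The monitor is what a flood looks like from the outside (SYNs that are never acknowledged); the cookie is what keeps that flood from costing memory.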

Auditing Transactions / Administration

4. CLI Command Auditing (via Syslog)

Configuration-change SNMP traps are sent if the "config" trap is enabled; it
is enabled by default when you type "set snmp trap enable all". Additionally,
traps can be sent to a log file, to the console session, to a Telnet session,
and stored on the gateway.

Relevant logs can also be sent to a syslog server by enabling a log server
through the CLI:

set logging server x.x.x.x
set logging server x.x.x.x enable
set logging server condition CLI Notification x.x.x.x

The above example logs to the syslog server x.x.x.x every event from the
CLI application with severity "Notification" and above, which records each
administrator command together with the username that issued it, as the
examples below show. Other applications are also available as conditions.

Examples:

01-13-2004 13:27:23 Local7.Notice 192.168.1.70 JAN 13 13:27:26 192.168.1.70 CliCommand[CLI-Notification: root: session mgc<000>
01-13-2004 13:26:50 Local7.Notice 192.168.1.70 JAN 13 13:26:53 192.168.1.70 CliCommand[CLI-Notification: root: set mediaserver 192.168.1.20 192.168.1.70 5023 sat<000>
01-13-2004 13:26:22 Local7.Notice 192.168.1.70 JAN 13 13:26:25 192.168.1.70 CliCommand[CLI-Notification: root: set mediaserver 192.168.1.70 192.168.1.30 5023 sat<000>
01-13-2004 13:22:26 Local7.Notice 192.168.1.70 JAN 13 13:22:29 192.168.1.70 CliCommand[CLI-Notification: root: copy running-config startup-config <000>
01-13-2004 13:18:55 Local7.Notice 192.168.1.70 JAN 13 13:18:58 192.168.1.70 CliCommand[CLI-Notification: root: dir<000>
01-13-2004 13:18:36 Local7.Notice 192.168.1.70 JAN 13 13:18:38 192.168.1.70 CliCommand[CLI-Notification: root: telnet 192.168.1.1<000>
01-13-2004 13:17:48 Local7.Notice 192.168.1.70 JAN 13 13:17:50 192.168.1.70 CliCommand[CLI-Notification: root: traceroute 131.94.57.51<000>
01-13-2004 13:17:18 Local7.Notice 192.168.1.70 JAN 13 13:17:20 192.168.1.70 CliCommand[CLI-Notification: root: hostname G350<000>
01-13-2004 13:15:44 Local7.Notice 192.168.1.70 JAN 13 13:15:46 192.168.1.70 CliCommand[CLI-Notification: root: ping 192.168.1.1<000>
01-13-2004 13:15:19 Local7.Notice 192.168.1.70 JAN 13 13:15:21 192.168.1.70 CliCommand[CLI-Notification: root: set logging server condition CLI Notification 192.168.1.100<000>
01-13-2004 13:28:55 Local7.Notice 192.168.1.70 JAN 13 13:28:58 192.168.1.70 CliCommand[CLI-Notification: root: exit<000>
01-13-2004 13:30:29 Local7.Notice 192.168.1.70 JAN 13 13:30:32 192.168.1.70 CliCommand[CLI-Notification: georgia: exit<000>
01-13-2004 13:30:24 Local7.Notice 192.168.1.70 JAN 13 13:30:27 192.168.1.70 CliCommand[CLI-Notification: georgia: session mgc<000>
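The following Python is an added example, not part of the Avaya documentation, showing what a collector would do with the CLI audit records above: parse the relayed syslog format, attribute each command to an administrator, and flag the commands that change the gateway's call controller, persist configuration or tamper with logging. The sample lines are constructed to match the format shown; the list of sensitive command prefixes is the reviewer's choice, not a vendor classification.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

# One relayed syslog line: receive timestamp, facility.severity, relay address,
# the gateway's own timestamp and address, then the CLI audit record.
LINE_RE = re.compile(
    r"^(?P<received>\d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2}) "
    r"(?P<facility>\S+) (?P<relay>\S+) "
    r"(?P<devtime>[A-Z]{3} \d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"CliCommand\[CLI-Notification: (?P<user>[^:]+): (?P<cmd>.*?)<000>$"
)

# Commands worth an alert on a media gateway (assumption: reviewer's list, matched
# as prefixes of the recorded command).
SENSITIVE_PREFIXES = (
    "set mediaserver",            # repoints the gateway at a different call controller
    "copy running-config",        # makes changes persistent across a reset
    "username",                   # account creation or password change
    "set logging server",         # tampering with the audit trail itself
    "set snmp",
    "no ip ssh",
    "set terminal recovery password",
)


@dataclass
class CliAuditEvent:
    received: str
    host: str
    user: str
    command: str

    @property
    def sensitive(self) -> bool:
        return self.command.startswith(SENSITIVE_PREFIXES)


def parse_line(line: str) -> Optional[CliAuditEvent]:
    """Parse one relayed line; returns None for lines that are not CLI audit records."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return CliAuditEvent(m["received"], m["host"], m["user"].strip(), m["cmd"].strip())


def sensitive_events(lines: List[str]) -> List[CliAuditEvent]:
    events = (parse_line(line) for line in lines)
    return [e for e in events if e is not None and e.sensitive]


def commands_by_user(lines: List[str]) -> Dict[str, List[str]]:
    """Per-administrator command history, in the order the lines were received."""
    history: Dict[str, List[str]] = defaultdict(list)
    for line in lines:
        e = parse_line(line)
        if e is not None:
            history[e.user].append(e.command)
    return dict(history)


# Constructed sample, modelled on the records shown above (same format, same hosts).
SAMPLE_LOG = """
01-13-2004 13:15:19 Local7.Notice 192.168.1.70 JAN 13 13:15:21 192.168.1.70 CliCommand[CLI-Notification: root: set logging server condition CLI Notification 192.168.1.100<000>
01-13-2004 13:17:18 Local7.Notice 192.168.1.70 JAN 13 13:17:20 192.168.1.70 CliCommand[CLI-Notification: root: hostname G350<000>
01-13-2004 13:22:26 Local7.Notice 192.168.1.70 JAN 13 13:22:29 192.168.1.70 CliCommand[CLI-Notification: root: copy running-config startup-config <000>
01-13-2004 13:26:50 Local7.Notice 192.168.1.70 JAN 13 13:26:53 192.168.1.70 CliCommand[CLI-Notification: root: set mediaserver 192.168.1.20 192.168.1.70 5023 sat<000>
01-13-2004 13:30:24 Local7.Notice 192.168.1.70 JAN 13 13:30:27 192.168.1.70 CliCommand[CLI-Notification: georgia: session mgc<000>
01-13-2004 13:30:29 Local7.Notice 192.168.1.70 JAN 13 13:30:32 192.168.1.70 CliCommand[CLI-Notification: georgia: exit<000>
01-13-2004 13:31:00 Local7.Info 192.168.1.70 JAN 13 13:31:02 192.168.1.70 some other application record
""".strip().splitlines()
```

Because every command is attributed to a username, the value of this trail depends on each administrator having a distinct account rather than sharing root; the per-user history is also the quickest way to spot a session that issued set mediaserver or disabled logging before anything else.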

Use the set logging server facility command, followed by the name of the
output facility and the IP address of the syslog server, to choose the
syslog facility under which messages for that server are sent. A total of 3
syslog servers can be configured.

The following example selects the FTP daemon facility (ftpd) for syslog
reports sent to the syslog server with IP address 168.12.1.15. The G350 and
G250 have user logging enabled by default from the factory.

set logging server facility ftpd 168.12.1.15

The available facility types are listed below:

auth (Authorization)
deamon (Background System Process)
clkd (Clock Daemon)
clkd2 (Clock Daemon)
mail (Electronic Mail)
local0-local7 (For Local Use)
ftpd (FTP Daemon)
kern (Kernel)
alert (Log Alert)
audi (Log Audit)
ntp (NTP Subsystem)
lpr (Printing)
sec (Security)
syslog (System Logging)
uucp (Unix-to-Unix Copy Program)
news (Usenet News)
user (User Process)

Use the show logging server condition command followed by the IP address of
the syslog server. If you do not specify an IP address, the command displays
the status of all syslog servers defined for the G250/G350. This command
displays whether each server is enabled or disabled and lists all filters
defined on the server.

5. Displaying Currently Logged on Administrators

With the G250/G350 gateways there are three primary ways to administer the
gateway: a direct connection via the console port, Telnet, and Secure Shell
(SSH). To display the users currently logged on to the G250/G350 via SSH or
Telnet, issue the following commands:

Command: show ip ssh

Ssh Engine: Enable
Max Sessions: 2
Key Type: DSA , 768 bit
Listen Port: 22
Ciphers List: 3des-cbc

Session-Id Version Encryption User IP: Port
0          2       3des-cbc   root 192.168.1.31:3528

Command: show ip telnet

Telnet Engine: Enable
Max Sessions: 5
Listen Port: 23
Session-Id User: IP: Port
0          root   192.168.1.32:1055

Note that the SSH engine in this firmware advertises a 768-bit DSA host key
and 3des-cbc as its only cipher; both are well below current minimums, so
read this output as a record of what the firmware offers. SSH is still to be
preferred over Telnet, which carries the administrator's credentials in
cleartext.

Authentication Credentials / RADIUS
6. Default User Accounts

By default there is only a single user account, named root, with password
root, which has administrator (admin) access. You cannot delete this basic
user account, nor modify its access level, but you can, and should, change
its password before the gateway is placed on a production network.

G350-002(super)# show username

User account                     password                         access-type
-------------------------------- -------------------------------- ---------
root                             *****                            admin

G350-002(super)#


7. Username/Password Characteristics

• Username: minimum 4 characters, maximum 31 characters
• Password: minimum 8 characters, maximum 31 characters (all US printable
  non-whitespace keyboard characters are valid)
• There can be up to 3 password entry attempts at login before the
  session is terminated
• Up to 10 unique "local" usernames can be configured on the G350

When you start to use Avaya G250/G350 Manager or the CLI, you must enter a
username. The username that you enter sets your privilege level. The commands
that are available to you during the session depend on your privilege level.
If you use RADIUS authentication, the RADIUS server sets your privilege
level. It is important to note that if the same username is defined both
locally on the gateway and in RADIUS, the local username takes precedence
over the one created on the RADIUS server.

• You can use Read-only privilege level to view configuration parameters.
• You can use Read-write privilege level to view and change all
  configuration parameters except those related to security. For example,
  you cannot change a password with Read-write privilege level.
• You can use Admin privilege level to view and change all configuration
  parameters, including parameters related to security. Use Admin
  privilege level only when you need to change configuration that is
  related to security, such as adding new user accounts or changing how
  the device can be administered (for example, issuing the no ip telnet
  command).

Username commands:
---------------------------------------------------------------------------
Usage: username <name> password <passwd> access-type {read-only|read-write|admin}

• Does the ability exist to force a minimum length username and/or
  password (other than the default minimum of 4 characters for the
  username and 8 characters for the password)? No. However, this can be
  accomplished by using an external authentication database such as RADIUS.
• Does the configuration file include user account passwords or SNMP
  community strings? No. The configuration file does not include SNMP
  community strings or user/password data.
• Are there any "undocumented" usernames or SNMP community strings?
  No. All "diag" accounts are inaccessible without first logging into
  the G350 via a super-user account. Backdoor password recovery
  exists, but it can only be used via a direct connection to the console
  port, and it can also be disabled (see the recovery password setting in
  section 13).
• Is there any way to enforce password aging on "local" accounts used
  to administer the G350? No. However, this can be accomplished by
  using an external authentication database such as RADIUS.
• Is there any way to enforce account "lock-out" after user inactivity
  of that account, i.e. the user has not logged in for 60 days? No.
  However, this can be accomplished by using an external
  authentication database such as RADIUS.
• Is there any way to enforce "lock-out" of accounts after excessive
  retries? Yes. In addition to RADIUS external authentication, which
  provides its own set of lock-out options, the following global command
  sets the login authentication lockout parameters for local
  administrators:

G350-002(super)# login authentication lockout ?

Login authentication lockout commands:
--------------------------------------------------------------------
Syntax : login authentication lockout <time> attempt <count>
<time> - integer <30..3600> seconds.
         Interval of time account lockout is enforced.
         0 - No timeout
<count> - integer <1..10>.
         Successive number of failures before lockout
         0 - No timeout

Example: login authentication lockout 360 attempt 5

  The login authentication command also supports enabling a local craft
  (services) user and setting its password.

• Is there any way for the G350 to prevent simple/dictionary words from
  being chosen as passwords? No. However, this can be accomplished by
  using an external authentication database such as RADIUS.
• Is there any way to age passwords? And if so, is there any way for the
  G350 to prevent password reuse, and if so how many past passwords are
  stored? No. However, this can be accomplished by using an external
  authentication database such as RADIUS.

8. RADIUS Switch Administrator Authentication

If your network has a RADIUS server, you can configure the Avaya G250/G350
Media Gateway to use RADIUS authentication. A RADIUS server provides
centralized authentication service for many devices on a network. When you
use RADIUS authentication, you do not need to configure additional usernames
and passwords on the G250/G350 (the built-in root account remains). When
logging into the G250/G350, the gateway searches for your username and
password in its own database first. If it does not find them, it activates
RADIUS authentication.

G350-002(super)# show radius authentication

Mode: Enable
Primary-server: 192.168.1.205
Secondary-server: 172.16.1.205
Retry-number: 4
Retry-time: 5
UDP-port: 1645
shared-secret: *****

G350-002(super)#

Note that the UDP port shown, 1645, is the legacy RADIUS authentication
port; RFC 2865 assigns 1812, so confirm that the port configured here matches
the one the RADIUS server actually listens on.

The Avaya G250/G350 Media Gateway includes a security mechanism through which
the system administrator defines users and assigns each user a username and
a password. Each user is assigned a privilege level. The user's privilege
level determines which commands the user can perform.
In addition to its basic security mechanism, the G250/G350 supports secure
data transfer via SSH and SCP.

The G250/G350 can be configured to work with an external RADIUS server to
provide user authentication. When RADIUS authentication is enabled on the
G250/G350, the RADIUS server operates in conjunction with the G250/G350
security mechanism. When the G250/G350 does not find the username a user
enters in its own database, it establishes a connection with the RADIUS
server, and the RADIUS server provides the necessary authentication services.
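The following Python is an added example, not code from the gateway, that models two behaviours described in sections 7 and 8: the login authentication lockout <time> attempt <count> policy for local accounts (with 0 disabling it), and the local-first lookup that makes a local account shadow a RADIUS account of the same name. The plaintext user store and the demo_radius stand-in for the RADIUS round trip are constructed for illustration only.

```python
import hmac
from dataclasses import dataclass
from typing import Callable, Dict, Optional


@dataclass
class LockoutPolicy:
    """Mirrors `login authentication lockout <time> attempt <count>`;
    a value of 0 for either parameter disables lockout (assumed reading of the help text)."""
    lockout_seconds: int = 360
    max_failures: int = 5

    @property
    def enabled(self) -> bool:
        return self.lockout_seconds > 0 and self.max_failures > 0


class GatewayAuthenticator:
    """Local accounts are consulted first; RADIUS is asked only for usernames the
    local store does not know. `radius_check` stands in for the RADIUS exchange."""

    def __init__(self, local_users: Dict[str, str], policy: LockoutPolicy,
                 radius_check: Optional[Callable[[str, str], bool]] = None):
        self.local_users = local_users          # username -> password (demo only; never store plaintext)
        self.policy = policy
        self.radius_check = radius_check
        self.failures: Dict[str, int] = {}      # consecutive failures per local account
        self.locked_until: Dict[str, float] = {}

    def is_locked(self, user: str, now: float) -> bool:
        until = self.locked_until.get(user)
        if until is None:
            return False
        if now < until:
            return True
        del self.locked_until[user]             # lockout interval has elapsed
        self.failures.pop(user, None)
        return False

    def login(self, user: str, password: str, now: float) -> str:
        """Returns 'ok', 'denied' or 'locked'."""
        if user not in self.local_users:
            # Unknown locally: defer to RADIUS when it is configured.
            if self.radius_check is not None and self.radius_check(user, password):
                return "ok"
            return "denied"
        # A local account shadows any RADIUS account with the same name: RADIUS is never asked.
        if self.policy.enabled and self.is_locked(user, now):
            return "locked"                     # even a correct password is refused while locked
        if hmac.compare_digest(self.local_users[user].encode(), password.encode()):
            self.failures.pop(user, None)
            return "ok"
        self.failures[user] = self.failures.get(user, 0) + 1
        if self.policy.enabled and self.failures[user] >= self.policy.max_failures:
            self.locked_until[user] = now + self.policy.lockout_seconds
        return "denied"


def demo_radius(user: str, password: str) -> bool:
    """Constructed RADIUS stand-in with a single central account."""
    return user == "georgia" and password == "correct horse battery staple"
```

Two consequences worth checking on a real deployment follow from this model. First, a stale local account named like a RADIUS user silently bypasses the central policy, so local accounts should be limited to the undeletable root plus a break-glass account. Second, lockout applies to root as well, so anyone who can reach the Telnet or SSH port can lock the administrator out for <time> seconds by guessing wrong <count> times; the console path is what remains in that case.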

9. Enable/Disable PBNAC 802.1x

The G350 also uses the 802.1x protocol, in conjunction with EAP carried in
EAPOL on the LAN side and over RADIUS to the authentication server, to
authenticate and authorize users attached to a LAN port and to block access
to that port when the authentication process fails.

Note: The 802.1x protocol is not supported on the G250 as of CM 3.0.

G350-002(super)# set port dot1x ?

Set port dot1x commands:
---------------------------------------------------------------------------
set port dot1x initialize        Initialize port dot1x
set port dot1x max-req           Sets per port the max-req, the maximal
                                 number of times the port tries to
                                 retransmit requests to the Authenticated
                                 Station before the session is terminated
set port dot1x port-control      Set dot1x control parameter per port
set port dot1x quiet-period      Sets per port the 802.1x quiet period,
                                 minimal idle time between authentication
                                 attempts
set port dot1x re-authenticate   Set the port to re-authenticate
set port dot1x re-authentication Set dot1x re-authentication mode per port
set port dot1x re-authperiod     Sets per port the re-authentication
                                 period, an idle time between
                                 re-authentication attempts
set port dot1x server-timeout    Sets per port the server-timeout - the
                                 time for the port to wait for a reply
                                 from the Authentication Server
set port dot1x supp-timeout      Sets per port the supp-timeout, a time
                                 for the port to wait for a reply from the
                                 Authenticated Station
set port dot1x tx-period         Sets per port the transmit period, a time
                                 interval between attempts to access the
                                 authenticated Station

G350-002(super)# show port dot1x ?

Show port dot1x commands:
---------------------------------------------------------------------------
Syntax : show port dot1x [<mod/port>]
Example: show port dot1x 3/2

show port dot1x statistics       Shows the port dot1x statistics.

G350-002(super)# clear dot1x ?

Clear dot1x commands:
---------------------------------------------------------------------------
clear dot1x config               Resets the 802.1x configuration parameters

CLI Inactivity Timeout and Pre/Post Login Banners

10. Idle Timeout

Use the set logout command to set the number of minutes until the system
automatically disconnects an idle session. The default is 15 minutes.
Possible values are [0 – 99]. Setting the value to 0 disables the
automatic disconnection of idle sessions, which leaves an unattended
management session open indefinitely; keep a nonzero timeout.

G350-002(super)# show logout

CLI timeout is 15 minutes


11. Banners

The pre-login banner displays before the user is prompted for the login name.
Note that the default pre-login banner discloses the firmware version to
anyone who connects; replacing it, as shown here, removes that disclosure.
The banners can be modified using the following commands:

G350-002(super)# show banner login

Welcome to G350 Media Gateway
FW version 24.17.0

G350-002(super)# banner login
G350-002<super-login># line 5 " G250_001 "
Done!
G350-002<super-login># line 5 " Unauthorized access is prohibited"
Done!
G350-002<super-login># exit
G350-002(super)# show banner login

G250_001
Unauthorized access is prohibited

G350-002(super)#

The post-login banner displays after the user has logged in successfully.

G350-002(super)# show banner post-login

Both the pre-login and post-login banner commands use the line command for
banner entry. The line command supports a range of [1 – 24] lines of text.

G350-002(super)# banner post-login
G350-002<super-login># line 5 " G250_001 "
Done!
G350-002<super-login># line 5 " Unauthorized access is prohibited"
Done!
G350-002<super-login># exit

Network Client/Server Applications
12. Show Protocol

Use the show protocol command to display the status of a specific
management protocol, or of all protocols, for the G250/G350. According to
the product documentation the G250 does not support a web interface and the
HTTP protocol is disabled by default on it; note, however, that the G250
output captured below lists HTTP-SERVER ON, so verify the state on your own
unit with show protocol rather than relying on the documented default. SSHv2
is the supported SSH protocol version.

G350-002(super)# show protocol

Protocols         Status
------------      --------
SSH-SERVER        ON
TELNET-CLIENT     OFF
TELNET-SERVER     ON
SNMPv1-SERVER     ON
SNMPv3-SERVER     ON
HTTP-SERVER       ON
RECOVERY-PASSWORD ON
DHCP-SERVER       OFF
TFTP-SERVER       OFF
DNS-CLIENT        ON

Non-administrative protocols
--------------------------
FTP-CLIENT
TFTP-CLIENT
SCP-CLIENT

G250-001(super)# show protocol

Protocols         Status
------------      --------
SSH-SERVER        ON
TELNET-CLIENT     OFF
TELNET-SERVER     OFF
SNMPv1-SERVER     ON
SNMPv3-SERVER     ON
HTTP-SERVER       ON
RECOVERY-PASSWORD ON
DHCP-SERVER       ON
TFTP-SERVER       ON
DNS-CLIENT        ON

Non-administrative protocols
--------------------------
FTP-CLIENT
TFTP-CLIENT
SCP-CLIENT

G250-001(super)#

Two defaults in these listings deserve attention: SNMPv1, whose community
strings travel in cleartext, is ON on both gateways, and console password
recovery (RECOVERY-PASSWORD) is ON on both. Section 13 describes the no form
used to disable services, how to disable SNMPv1 alone, and how to turn the
recovery password off.
13. Enable/Disable Network Services (use the no form of a command to disable
a service, for example: no ip http)

G350-002(super)# ip http
Done!
G350-002(super)# ip telnet
Done!
G350-002(super)# ip telnet-client
This command can be called only from console port

• Note: The Telnet client on the G250/G350 is disabled by default and can
  only be enabled when connected via the local console port.
• The G250/G350 internal Telnet server supports up to 5 incoming
  concurrent sessions.
• The G250/G350 internal Telnet client supports up to 6 outgoing
  concurrent sessions: one outgoing Telnet session for each incoming
  Telnet session, and one for the console port.

Toggle ICMP redirects: [no] ip redirect (under the interface context)
Toggle SNMP: [no] ip snmp disables SNMPv1 and SNMPv3 (global command)
Toggle FTP client: not possible. It is, however, possible to block outbound
TCP port 21 with an outgoing ACL on the loopback interface.
Toggle recovery password: set terminal recovery password enable/disable
To disable only SNMPv1, use the no snmp server community command.

14. Client / Server Network Tools

Telnet Client – disabled by default (requires console access to enable)
Telnet Server – enabled by default
HTTP Server – enabled by default on the G350 (not supported on the G250)
SNMPv1 and SNMPv3 Agent – enabled by default (read, read-write, trap)

15. Default Listen Ports

The output below is the result of an nmap TCP connect scan (-sT) and a UDP scan (-sU) of a G350 with the default services enabled. Please see Appendix C for additional information on the open ports in the G250/G350 gateways.

[root@scsradius ~]# nmap -sT 135.148.208.78

Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2005-09-14 16:40 EDT

Interesting ports on 135.148.208.78:
(The 1660 ports scanned but not shown below are in state: closed)
PORT STATE SERVICE
22/tcp open ssh
23/tcp open telnet
80/tcp open http
MAC Address: 00:04:0D:29:CA:6D (Avaya)

Nmap finished: 1 IP address (1 host up) scanned in 33.360 seconds

[admin@scsradius ~]$ nmap -sU 135.148.208.78

Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2005-09-14 16:40 EDT

Interesting ports on 135.148.208.78:
(The 1477 ports scanned but not shown below are in state: closed)
PORT STATE SERVICE
161/udp open|filtered snmp
MAC Address: 00:04:0D:29:CA:6D (Avaya)

Nmap finished: 1 IP address (1 host up) scanned in 137.319 seconds

[admin@scsradius ~]$

The TCP result matches the defaults listed in section 14 (SSH, Telnet and HTTP listening). nmap reports 161/udp as open|filtered because the gateway answered the UDP probe with nothing at all: a UDP scan can only prove a port closed when an ICMP port unreachable comes back (which is what the gateway sends for the other 1477 ports, see Appendix C), so confirm that SNMP is really listening with an SNMP query rather than trusting the scanner alone.
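The scan above is worth repeating after every hardening change, and the comparison is easier to automate than to eyeball. The script below is an added example (not code from the white paper or from Avaya): it parses nmap's grepable output (-oG) and compares the listeners found against an expected set, so that a re-enabled Telnet or HTTP server, or a silently disabled SSH server, shows up as a diff. The sample scan text and the two baselines are constructed from the results shown in this section; the hardened baseline assumes Telnet and HTTP were disabled with the no ip telnet and no ip http commands from section 13.

```python
"""Audit an nmap grepable (-oG) scan of a G250/G350 against an expected listener set."""
import re
from typing import Dict, List, Set, Tuple

Listener = Tuple[str, int]                      # (protocol, port)

# Listeners seen on the factory-default G350 scanned in this section.
DEFAULT_BASELINE: Set[Listener] = {("tcp", 22), ("tcp", 23), ("tcp", 80), ("udp", 161)}
# Assumed target state after 'no ip telnet' and 'no ip http' (section 13): SSH and SNMP only.
HARDENED_BASELINE: Set[Listener] = {("tcp", 22), ("udp", 161)}

# Constructed -oG text equivalent to the -sT and -sU runs shown above (one Host line per run).
SAMPLE_OG = (
    "# Nmap 3.81 scan initiated Wed Sep 14 16:40:00 2005 as: nmap -sT -oG - 135.148.208.78\n"
    "Host: 135.148.208.78 ()\tPorts: 22/open/tcp//ssh///, 23/open/tcp//telnet///, "
    "80/open/tcp//http///\tIgnored State: closed (1660)\n"
    "Host: 135.148.208.78 ()\tPorts: 161/open|filtered/udp//snmp///\tIgnored State: closed (1477)\n"
    "# Nmap done at Wed Sep 14 16:43:00 2005 -- 1 IP address (1 host up) scanned\n"
)

# One -oG port entry: port/state/protocol/owner/service/rpcinfo/version
PORT_RE = re.compile(r"(\d+)/([^/]+)/(tcp|udp)/[^/]*/([^/]*)/[^/]*/[^/,]*")


def parse_grepable(text: str) -> Dict[str, Dict[Listener, Tuple[str, str]]]:
    """Return {host: {(proto, port): (state, service)}} from every 'Host:' line with a Ports field."""
    hosts: Dict[str, Dict[Listener, Tuple[str, str]]] = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        host = line.split()[1]
        # The -oG fields are tab separated: "Host: ...", "Ports: ...", "Ignored State: ..."
        fields = dict(f.split(": ", 1) for f in line.split("\t") if ": " in f)
        for port, state, proto, service in PORT_RE.findall(fields.get("Ports", "")):
            hosts.setdefault(host, {})[(proto, int(port))] = (state, service)
    return hosts


def audit(hosts: Dict[str, Dict[Listener, Tuple[str, str]]],
          baseline: Set[Listener]) -> Dict[str, Dict[str, List[Listener]]]:
    """Per host: listeners that are up but not in the baseline, and baseline listeners not seen up.

    'open' and 'open|filtered' both count as up: nmap cannot distinguish an open UDP port from a
    silently dropped probe, so an unexpected open|filtered UDP port still deserves a look.
    """
    report: Dict[str, Dict[str, List[Listener]]] = {}
    for host, ports in hosts.items():
        up = {key for key, (state, _) in ports.items() if state.startswith("open")}
        report[host] = {"unexpected": sorted(up - baseline), "missing": sorted(baseline - up)}
    return report


if __name__ == "__main__":
    scan = parse_grepable(SAMPLE_OG)
    for name, baseline in (("default", DEFAULT_BASELINE), ("hardened", HARDENED_BASELINE)):
        print(name, audit(scan, baseline))
```

Run the real scan with nmap -sT -sU -oG scan.txt <gateway> and feed the file to parse_grepable; against the hardened baseline the sample reports 23/tcp and 80/tcp as unexpected, which is exactly the state of a gateway nobody has hardened yet. The "missing" list is deliberately reported too: an SSH server that has disappeared from a management baseline is as much an incident indicator as a new listener.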

16. SSH/SCP/SNMPv3

SSH, SCP and SNMPv3 are supported on the G250/G350. SSHv2, SNMPv1 and SNMPv3 can be globally enabled and disabled, and the community strings for SNMPv1 can be disabled.

G350-002(super)# show snmp

Authentication trap disabled

Community-Access Community-String
---------------- ----------------
read-only ******
read-write ******

SNMPv3 Notification Status
--------------------------
Traps: enabled
Informs: enabled Retries: 3 Timeout: 3 seconds

SNMP-Rec-Address Model Level Notification Trap/Inform User name
---------------- ----- ----- ------------- -------------- -----------
192.168.1.30 v1 noauth all trap ReadCommN
UDP port: 162 DM

The SCP client is enabled by default and cannot be disabled. HTTP is not supported on the G250. The HTTP server is enabled by default on the G350 and can be disabled.

The SSH server can be enabled/disabled with the ip ssh command and the no ip ssh command.

G350-002(super)# clear ssh-client ?

Clear ssh-client commands:
---------------------------------------------------------------------------
clear ssh-client known-hosts
clears the ssh known-host file content. Used to
unlock man-in-the-middle attack prevention
mechanism and allow scp server authentication
after scp server public key change

Clearing the known-hosts file discards the pinned server keys, so the next SCP connection will accept whatever key the far end presents. Only clear it after a deliberate key change on the SCP server, and verify the new key fingerprint out of band before the next transfer.
SNMP / Syslog Configuration

17. SNMP Defaults

G350-002(super)# show snmp

Authentication trap disabled

Community-Access Community-String
---------------- ----------------
read-only *****
read-write *****

SNMPv3 Notifications Status
-----------------------------
Traps: Enabled
Informs: Enabled Retries: 3 Timeout: 3 seconds

SNMP-Rec-Address Model Level Notification Trap/Inform User name
---------------- ----- ------- --------------- ----------- -------------------
0.0.0.0 v1 noauth all trap ReadCommN
UDP port: 162 DM

G350-002(super)#

G350-002(super)# set snmp ?

Set snmp commands:
---------------------------------------------------------------------------
set snmp community Set SNMP community string
set snmp retries Set The SNMP Retries Number
set snmp timeout Set The SNMP Timeout
set snmp trap Set snmp trap, use 'set snmp trap help' for more info

G350-002(super)#

G350-002(super)# set snmp community ?

Set snmp community commands:
---------------------------------------------------------------------------
Usage: set snmp community <access_type> [community string]
(access_type = read-only | read-write )

G350-???(super)# no snmp ?

No snmp commands:
---------------------------------------------------------------------------
no snmp community Disable SNMPv1 service (community based)
no snmp dynamic-trap-manager Toggles off notification type filters from dynamic trap manager instance
no snmp engineID Set the SNMPv3 engineID to default
no snmp group Delete SNMPv3 group (vacm mib)
no snmp host Remove SNMP notification (trap or inform) receiver or filters
no snmp notifications Disable sending SNMPv3 notification (trap and inform)
no snmp remote-user Delete SNMPv3 remote user (usm and vacm mib)
no snmp user Delete SNMPv3 user (usm and vacm mib)
no snmp view Delete SNMPv3 view (vacm mib)

G350-???(super)# show snmp ?

Show snmp commands:
---------------------------------------------------------------------------
Usage: show snmp

show snmp engineID Show SNMPv3 engineID
show snmp group Show SNMPv3 groups
show snmp retries Show SNMP Retries Number
show snmp timeout Show SNMP Timeout
show snmp user Show SNMPv3 users
show snmp userToGroup Show the mapping table between SNMPv3 users and groups
show snmp view Shows SNMPv3 views

G350-002(super)#

G350-002(super)# show snmp view

The default views, condensed from the paged output (every entry has Storage Type: nonVolatile and Status: active; the Subtree Mask is empty unless shown):

View Name        Subtree Oid                                      View Type
---------------  -----------------------------------------------  ---------
iso              1                                                include
restricted       1.3.6.1.2.1.1                                    include
restricted       1.3.6.1.2.1.11                                   include
restricted       1.3.6.1.6.3.10.2.1                               include
restricted       1.3.6.1.6.3.11.2.1                               include
restricted       1.3.6.1.6.3.15.1.1                               include
snmpv1View       1                                                include
snmpv1View       1.3.6.1.6                                        exclude
snmpv1View       1.3.6.1.6.3.1                                    include
snmpv1View       1.3.6.1.6.3.12                                   include
snmpv1View       1.3.6.1.6.3.13                                   include
v3configView     1                                                include
v3configView     1.3.6.1.6                                        exclude
v3configView     1.3.6.1.6.3.10.2.1                               include
v3configView     1.3.6.1.6.3.11.2.1                               include
v3configView     1.3.6.1.6.3.15.1.1                               include
v3configView     1.3.6.1.6.3.15.1.2.2.1.7                         include
v3configView     1.3.6.1.6.3.15.1.2.2.1.10                        include
v3configView     1.3.6.1.4.1.1751.2.53.1.2.1.3.0.2 (mask ff:fa)   exclude
v3configView     1.3.6.1.4.1.1751.2.53.1.2.1.3.0.5 (mask ff:fa)   exclude
snmpv1WriteView  1                                                include
snmpv1WriteView  1.3.6.1.6                                        exclude
snmpv1WriteView  1.3.6.1.6.3.1                                    include
snmpv1WriteView  1.3.6.1.6.3.12                                   include
snmpv1WriteView  1.3.6.1.6.3.13                                   include
snmpv1WriteView  1.3.6.1.6.3.18                                   include

Reading the views: restricted is the standard SNMPv3 initial-configuration view (the system and snmp groups plus the snmpEngine, snmpMPD and usmStats counters); snmpv1View and snmpv1WriteView expose the whole tree except the SNMPv2 framework subtree (1.3.6.1.6), with a few SNMP management MIBs re-included; v3configView additionally lets a user change its own authentication and privacy keys (usmUserEntry columns 7 and 10) while excluding two objects under enterprise 1751.
G350-002(super)# show snmp group

Condensed from the paged output (all groups have Status: active; an empty Write View means no write access):

Group Name     Security Model  Security Level  Read View        Write View       Notify View
-------------  --------------  --------------  ---------------  ---------------  ---------------
initial        v3              noauth          restricted       restricted       restricted
ReadCommG      v1              noauth          snmpv1View                        snmpv1View
ReadCommG      v2c             noauth          snmpv1View                        snmpv1View
WriteCommG     v1              noauth          snmpv1WriteView  snmpv1WriteView  snmpv1WriteView
WriteCommG     v2c             noauth          snmpv1WriteView  snmpv1WriteView  snmpv1WriteView
v3ReadOnlyG    v3              auth            v3configView                      v3configView
v3AdminViewG   v3              priv            iso              iso              iso
v3ReadWriteG   v3              auth            v3configView     v3configView     v3configView

G350-002(super)#

Two of these defaults deserve attention: WriteCommG grants write access to anyone holding the cleartext read-write community (v1/v2c, noauth), and the initial v3 group answers unauthenticated requests, although only for the restricted view. Full-MIB write access (v3AdminViewG) requires both authentication and privacy, which is the group management stations should use once the SNMPv1 communities are removed with no snmp community.
18. Syslog / SNMP Output

* When trying to log in via Telnet using invalid credentials

JAN 5 09:12:32 192.168.1.70 lntUnAuthAccessEvent[SECURITY-Warning: Unauthorized Access from IP address = 192.168.1.100, User = root, Protocol = 23<000>

The corresponding SNMP trap as captured (the dump starts at offset 0x10, so the first 16 bytes of the frame are not shown):

0010 0B 2B 06 01 04 01 B5 69 01 2D 67 02 40 04 C0 A8 .+.....i.-g.@...
0020 01 46 02 01 06 02 01 44 43 03 36 43 4F 30 36 30 .F.....DC.6CO060
0030 11 06 09 2B 06 01 04 01 51 26 0E 03 04 04 72 6F ...+....Q&....ro
0040 6F 74 30 11 06 09 2B 06 01 04 01 51 26 0E 04 40 ot0...+....Q&..@
0050 04 C0 A8 01 64 30 0E 06 09 2B 06 01 04 01 51 26 ....d0...+....Q&
0060 0E 05 02 01 17 .....

Frame Length: 101 bytes

Community: public
OID: .1.3.6.1.4.1.6889.1.45.103.2
Address: 192.168.1.70
sysUpTime: 0 days, 09:52:41
Generic: 6 - Enterprise Specific
Specific: 68
OID: .1.3.6.1.4.1.81.38.14.3
ASN1 Type: Octet String 0x04 (4)
Value: root
OID: .1.3.6.1.4.1.81.38.14.4
ASN1 Type: IP Address 0x40 (64)
Value: 192.168.1.100
OID: .1.3.6.1.4.1.81.38.14.5
ASN1 Type: Integer32 0x02 (2)
Value: 23

* When trying to log in via HTTP using invalid credentials

JAN 5 15:52:22 192.168.1.70 lntUnAuthAccessEvent[SECURITY-Warning: Unauthorized Access from IP address = 127.1.1.127, User = root, Protocol = 80<000>

The corresponding SNMP trap as captured (again from offset 0x10 onwards):

0010 0B 2B 06 01 04 01 B5 69 01 2D 67 02 40 04 C0 A8 .+.....i.-g.@...
0020 01 46 02 01 06 02 01 44 43 03 36 12 81 30 36 30 .F.....DC.6..060
0030 11 06 09 2B 06 01 04 01 51 26 0E 03 04 04 72 6F ...+....Q&....ro
0040 6F 74 30 11 06 09 2B 06 01 04 01 51 26 0E 04 40 ot0...+....Q&..@
0050 04 7F 01 01 7F 30 0E 06 09 2B 06 01 04 01 51 26 . .. 0...+....Q&
0060 0E 05 02 01 50 ....P

Frame Length: 101 bytes

Community: public
OID: .1.3.6.1.4.1.6889.1.45.103.2
Address: 192.168.1.70
sysUpTime: 0 days, 09:50:36
Generic: 6 - Enterprise Specific
Specific: 68
OID: .1.3.6.1.4.1.81.38.14.3
ASN1 Type: Octet String 0x04 (4)
Value: root
OID: .1.3.6.1.4.1.81.38.14.4
ASN1 Type: IP Address 0x40 (64)
Value: 127.1.1.127
OID: .1.3.6.1.4.1.81.38.14.5
ASN1 Type: Integer32 0x02 (2)
Value: 80

In both traps the three varbinds carry the user name attempted, the source address and the "Protocol" as the TCP port of the service (23 = Telnet, 80 = HTTP), which is what a correlation rule on the trap receiver should key on.

• In order to receive syslog messages for SNMP events using the wrong community strings, the following command has to be entered: set logging server condition security notification x.x.x.x (x.x.x.x = IP address of the syslog server)

G350-002(super)# show logging server condition

******************************************************
*** Message logging configuration of SYSLOG sink ***

Sink Is Disabled
Sink default severity: Warning

Server name: 192.168.1.100
Server facility: local7
Server access level: read-write
G350-002(super)#

• When trying to query the SNMP agent using an incorrect community string

01-13-2004 12:46:26 Local7.Notice 192.168.1.70 JAN 13 12:46:27 192.168.1.70 authenticFailure[SECURITY-Notification: AuthenticationFailure<000>

0000 30 2D 02 01 00 04 06 70 75 62 6C 69 63 A4 20 06 0-.....public. .
0010 0B 2B 06 01 04 01 B5 69 01 2D 67 02 40 04 C0 A8 .+.....i.-g.@...
0020 01 46 02 01 04 02 01 00 43 03 00 AE 55 30 00 .F......C...U0.

Frame Length: 47 bytes

Community: public
OID: .1.3.6.1.4.1.6889.1.45.103.2
Address: 192.168.1.70
sysUpTime: 0 days, 00:07:26
Generic: 4 - Authentication Failure
Specific: 0

* There are two different trap notifications: the standard authenticationFailure trap, which is sent on a bad SNMPv1 community, and the Avaya proprietary trap lntUnAuthAccessEvent. The lntUnAuthAccessEvent trap is controlled per trap receiver.

In all three captures the notification itself is an SNMPv1 trap carrying the community string "public" in cleartext, which matches the default receiver entry in section 17 (Model v1, Level noauth). A receiver configured for SNMPv3 with an auth security level gives these alerts integrity, and priv adds confidentiality, so that a forged or intercepted security notification is not trivially possible on the management network.
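The captures above can be decoded by hand with a few dozen lines of BER parsing, which is useful when a collector shows only raw bytes. The following is an added example (not code from the white paper or from Avaya): it decodes the complete 47-byte authenticationFailure frame and the VarBindList portion of the Telnet lntUnAuthAccessEvent frame (the bytes from offset 0x2D onwards; the first 16 bytes of that frame are not in the dump, so the whole message cannot be rebuilt from the page) into the same fields the trap receiver printed. The byte strings are copied from the dumps in this section, and the decoder handles only the ASN.1/SMI types that occur in SNMPv1 traps.

```python
"""Decode the SNMPv1 trap frames captured in this section (RFC 1157 Trap-PDU in BER).

Assumption: the bytes below are copied from the page's hex dumps; nothing is read from the network.
"""
from typing import Any, Dict, List, Tuple

# The complete 47-byte authenticationFailure trap from the capture above.
AUTH_FAILURE_TRAP = bytes.fromhex(
    "30 2D 02 01 00 04 06 70 75 62 6C 69 63 A4 20 06 "
    "0B 2B 06 01 04 01 B5 69 01 2D 67 02 40 04 C0 A8 "
    "01 46 02 01 04 02 01 00 43 03 00 AE 55 30 00"
)
# VarBindList of the Telnet lntUnAuthAccessEvent trap (offset 0x2D to the end of the dump).
UNAUTH_VARBINDS = bytes.fromhex(
    "30 36 "
    "30 11 06 09 2B 06 01 04 01 51 26 0E 03 04 04 72 6F 6F 74 "
    "30 11 06 09 2B 06 01 04 01 51 26 0E 04 40 04 C0 A8 01 64 "
    "30 0E 06 09 2B 06 01 04 01 51 26 0E 05 02 01 17"
)

GENERIC_TRAPS = {0: "coldStart", 1: "warmStart", 2: "linkDown", 3: "linkUp",
                 4: "authenticationFailure", 5: "egpNeighborLoss", 6: "enterpriseSpecific"}


def read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Read one BER TLV at pos; return (tag, contents, position after it). Handles long-form lengths."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated TLV")
    return tag, buf[pos:end], end


def decode_oid(contents: bytes) -> str:
    """OBJECT IDENTIFIER contents -> dotted string (first byte packs the first two arcs, base-128 after)."""
    arcs, acc = [contents[0] // 40, contents[0] % 40], 0
    for b in contents[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def decode_value(tag: int, contents: bytes) -> Any:
    """Decode the types that appear in SNMPv1 traps; anything else is returned as hex."""
    if tag == 0x02:                                   # INTEGER
        return int.from_bytes(contents, "big", signed=True)
    if tag == 0x04:                                   # OCTET STRING
        return contents.decode("latin-1")
    if tag == 0x06:                                   # OBJECT IDENTIFIER
        return decode_oid(contents)
    if tag == 0x40:                                   # IpAddress (APPLICATION 0)
        return ".".join(str(b) for b in contents)
    if tag == 0x43:                                   # TimeTicks (APPLICATION 3)
        return int.from_bytes(contents, "big")
    return contents.hex()


def decode_varbinds(tlv: bytes) -> List[Tuple[str, Any]]:
    """Decode a SEQUENCE OF VarBind TLV into [(oid, value), ...]."""
    tag, vbl, _ = read_tlv(tlv, 0)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE OF VarBind")
    out, pos = [], 0
    while pos < len(vbl):
        _, vb, pos = read_tlv(vbl, pos)               # VarBind ::= SEQUENCE { name, value }
        _, oid, p = read_tlv(vb, 0)
        vtag, val, _ = read_tlv(vb, p)
        out.append((decode_oid(oid), decode_value(vtag, val)))
    return out


def uptime_str(ticks: int) -> str:
    """TimeTicks (1/100 s) -> the 'D days, HH:MM:SS' form the trap receiver prints."""
    s = ticks // 100
    return f"{s // 86400} days, {s % 86400 // 3600:02d}:{s % 3600 // 60:02d}:{s % 60:02d}"


def decode_v1_trap(packet: bytes) -> Dict[str, Any]:
    """Parse an SNMPv1 Message { version, community, Trap-PDU } (RFC 1157 section 4.1.6)."""
    tag, msg, _ = read_tlv(packet, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    _, ver, pos = read_tlv(msg, 0)
    _, community, pos = read_tlv(msg, pos)
    pdu_tag, pdu, _ = read_tlv(msg, pos)
    if pdu_tag != 0xA4:                               # [4] IMPLICIT = Trap-PDU
        raise ValueError("not a v1 Trap-PDU")
    fields, pos = [], 0
    for _ in range(5):                                # enterprise, agent-addr, generic, specific, time-stamp
        t, v, pos = read_tlv(pdu, pos)
        fields.append(decode_value(t, v))
    enterprise, agent, generic, specific, ticks = fields
    return {"version": int.from_bytes(ver, "big"), "community": community.decode("latin-1"),
            "enterprise": enterprise, "agent": agent, "generic": generic,
            "generic_name": GENERIC_TRAPS.get(generic, "unknown"), "specific": specific,
            "uptime": uptime_str(ticks), "varbinds": decode_varbinds(pdu[pos:])}


if __name__ == "__main__":
    for key, value in decode_v1_trap(AUTH_FAILURE_TRAP).items():
        print(f"{key}: {value}")
    print(decode_varbinds(UNAUTH_VARBINDS))
```

Running the block prints the same community, enterprise OID, agent address, sysUpTime and generic/specific codes as the receiver output above, and the three varbinds (user, source address, port) of the unauthorized-access trap. For a detection rule on this gateway the two signatures are generic trap 4 (bad community) and enterprise .1.3.6.1.4.1.6889.1.45.103.2 with specific trap 68 (bad login), with the varbind under .1.3.6.1.4.1.81.38.14.4 giving the source to block or investigate.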
19. Allowed Managers

There is no equivalent on the G250/G350 to the G700 set allowed managers command. However, it is possible to define an access control list on the loopback interface in which only certain IPs are allowed to communicate with the G250/G350 itself. This ACL is applied on all the G250/G350 interfaces.

20. Policy Based Routing Overview

Policy-based routing allows you to configure a routing scheme based on a packet's source IP address, destination IP address, IP protocol, and other characteristics. You can use policy-based routing (PBR) lists to determine the routing of packets that match the rules defined in the list. Each PBR list includes a set of rules, and each rule includes a next hop list. Each next hop list contains up to 20 next hop destinations to which the G250/G350 sends packets that match the rule. A destination can be either an IP address or an interface. Policy-based routing takes place only when the packet enters the interface, not when it leaves. Policy-based routing takes place after the packet is processed by the ingress access control. Thus, the PBR list evaluates the packet after the packet's DSCP field has been modified by the ingress QoS list.

Although there are many possible applications for policy-based routing, the most common is to provide separate routing of voice and data traffic. It can also be used as a means to provide backup routes for defined traffic types. For more information please see the Administration for the G250 and G350 Gateways user documentation located on the support.avaya.com web site.

21. VPN Applications

VPN (Virtual Private Network) defines a private secure connection between two nodes on a public network such as the Internet. VPN at the IP level is deployed using IPsec. IPsec (IP Security) is a standards-based set of protocols defined by the IETF that provide privacy, integrity, and authenticity to information transferred across IP networks.

The standard key exchange method employed by IPsec uses the IKE (Internet Key Exchange) protocol to exchange key information between the two nodes (called peers). Each peer maintains SAs (security associations) to maintain the private secure connection. IKE operates in two phases:

● The Phase-1 exchange negotiates an IKE SA.
● The IKE SA created in Phase-1 secures the subsequent Phase-2 exchanges, which in turn generate IPsec SAs. IPsec SAs secure the actual traffic between the protected networks behind the peers, while the IKE SA only secures the key exchanges that generate the IPsec SAs between the peers.

The G250/G350 IPsec VPN feature is designed to support site-to-site topologies, in which the two peers are gateways.

For additional information on the VPN features of the G250 and G350 gateways, please see the application note titled G350 and G250 R3.0 IPsec VPN. The application note is located on support.avaya.com: select User Guides in the right-hand column of the main support page, then Download by Product Name, click on the letter G and choose either G250 or G350. On the product page click View All Documents in the left-hand column, scroll down and select the following application note:

Application & Technical Notes : English - U.S.

Date Title Doc ID
Jul-05 Application Note: G350 and G250 R3.0 IPSec VPN

***END***
Appendix A

Feature Matrix by Release

Release   Security Features

CM2.1
  • Policy based routing (PBR)
  • SNMPv3
  • SSH and SCP
  • Sniffer application: sniffing of all packets that go in/out of the G350/G250 gateways' CPU interface

CM2.2
  • IPsec VPN
  • FIPS 140-2 for G350
  • Enforcement of a minimum password length of 8 characters
  • User account lockout after a number of failed login attempts (login authentication [lockout <time> | attempt <count>])
  • Audit of login requests to Syslog

CM3.0
  • PBNAC 802.1x support
  • CM3.0 VPN enhancements
  • FIPS 140-2 for G250
  • Open ports plugging (shutting unintended or unnecessary TCP/UDP ports)

Appendix B

FIPS 140-2 Overview

The Federal Information Processing Standard 140-2 (FIPS 140-2) is a standard that describes US Federal government requirements that IT products should meet for Sensitive but Unclassified (SBU) use. The standard was published by the National Institute of Standards and Technology (NIST) and has been adopted by the Canadian government's Communications Security Establishment (CSE).

The G250, G250-BRI, and G350 are Level 1 compliant, multi-chip stand-alone cryptographic modules in commercial grade metal cases. When operating in FIPS compliant mode the modules provide:

● VPN, Voice over Internet Protocol (VoIP) media-gateway services, Ethernet switching, IP routing, and data security for IP traffic
● Status output via LEDs and logs available through the module's management interface
● Network interfaces for data input and output
● A console port

The cryptographic boundary includes all of the components within the physical enclosure of the branch gateway chassis, without any expansion modules. However, the media modules for voice and wide area connectivity which are supported in the G350/G250 do not execute any crypto processing. Therefore, the media modules can be installed in the gateway without invalidating the FIPS 140-2 requisites. This does not apply to the S8300 module.

Additional information on the G350 FIPS compliance can be obtained from the NIST site (http://csrc.nist.gov/cryptval/140-1/140sp/140sp519.pdf). At the time of writing (November 2005) the G250 is in the final stage of compliance evaluation and its security policy will be available within a few weeks. The G350 certificate is available from http://csrc.nist.gov/cryptval/140-1/140crt/140crt519.pdf.

Appendix C

Open ports on G350/G250/G700 products

The list of IP protocols supported by the gateways, which should be reported by port scan tools:

Protocol  Description                                     Supported by          Notes (lists the command that enables/disables the application)
--------  ----------------------------------------------  --------------------  ---------------------------------------------------------------
1         ICMP                                            All (G350/G250/G700)  Always on
6         TCP                                             All                   Always on
17        UDP                                             All                   Always on
47        GRE, Generic Routing Encapsulation (VPN-PPTP)   G350/G250             Always on
50        ESP, Encapsulating Security Payload             G350/G250             Enabled by VPN license installation. Disabled by default
89        OSPF, Open Shortest Path First                  G350/G250             [no] route ospf. Disabled by default
112       VRRP                                            G350/G250             [no] route vrrp. Disabled by default

Table 1 – input/output IP protocols

For all other IP protocols the gateways respond with an ICMP protocol unreachable message.

The gateway listens on the following TCP or UDP ports:

Port            Application                      Gateways    Behavior in CM 3.0                                                         Behavior in CM2.1 and CM2.2
--------------  -------------------------------  ----------  -------------------------------------------------------------------------  ------------------------------------------
21/tcp          FTP server                       All         The FTP server normally keeps the port closed; it is open for a short      Same as in CM3.0
                                                             window during announcement file transfer.
22/tcp          SSH server                       G350, G250  [no] ip ssh. Default: enabled                                              Always open
23/tcp          Telnet server                    All         [no] ip telnet. Default: enabled                                           Always open
67/udp          DHCP/BOOTP relay                 G350, G250  [no] ip bootp-dhcp. Default: disabled                                      Always open
68/udp          DHCP server                      G350, G250  [no] ip dhcp-server. Default: disabled                                     Always open in CM2.2; not supported in CM2.1
69/udp          TFTP server                      G350, G250  [no] ip tftp-server. Default: disabled                                     Always open in CM2.2; not supported in CM2.1
80/tcp          HTTP server                      G700, G350  [no] ip http. Default: enabled                                             Always open
161/udp         SNMP                             All         [no] ip snmp. Default: enabled                                             Always open
500/udp         ISAKMP                           G350, G250  Enabled by license installation (copy [tftp|scp|ftp] license-file).        Always open in CM2.2; not supported in CM2.1
                                                             Default: disabled
520/udp         RIP-2 routing protocol           G350, G250  Default: disabled                                                          Always open
1030/udp        Unknown                          All         Seems to be a dynamic port; the application that opens it could not be     Always open
                                                             determined (in other scans it was 1031/udp).
1039/tcp        Secure H.248 protocol for SLS    All         set survivable-call-engine [disable | enable]. Default: disabled           Not supported
1718/udp        Unicast gatekeeper discovery     G250        set survivable-call-engine [disable | enable]. Default: disabled           Not supported
                (H.225.0 RAS)
1719/udp        Registration (H.225.0 RAS)       G250        set survivable-call-engine [disable | enable]. Default: disabled           Not supported
1720/tcp        Call setup (H.225.0)             G250        set survivable-call-engine [disable | enable]. Default: disabled           Not supported
1812/udp        RADIUS client                    All         set radius authentication. Default: disabled                               Always open
2020/udp        VoIP engine statistics           All         Always closed                                                              Always open
2050/udp        Avaya EMB config port            All         Uncontrolled, always open (*). Will be closed in CM3.1                     Same as in CM3.0
2070/udp        NAT-T                            G350, G250  Enabled by license installation (copy [tftp|scp|ftp] license-file).        Always open in CM2.2; not supported in CM2.1
                                                             Default: disabled
2945/tcp        Unencrypted H.248 port of SLS    G250        set survivable-call-engine [disable | enable]. Default: disabled           Not supported
4500/udp        NAT-P                            G350, G250  Enabled by license installation (copy [tftp|scp|ftp] license-file).        Always open in CM2.2; not supported in CM2.1
                                                             Default: disabled
5012/tcp        CHIA port                        All         Always closed                                                              Always open in CM2.2; not supported in CM2.1
5050/tcp        SerialNum                        All         Always open on emb-vlan. [no] ip license-server. Default: closed on the    Same in CM2.2; not supported in CM2.1
                                                             external interface. Always open (uncontrolled) on the G700
2048-65534/udp  RTP traffic                      All         Dynamically opened for active RTP sessions
50002/udp       CNA test plug control port       G350, G250  [no] cna-testplug-services. Default: disabled                              Not supported
50003/udp       CNA test plug echo port          G350, G250  [no] cna-testplug-services. Default: disabled. This port is open for       Not supported
                                                             short periods of time.

For all other UDP ports the gateways respond with an ICMP port unreachable message. For all other TCP ports the gateways respond with a TCP packet with the RST flag set. These closed-port replies are what allowed the scans in section 15 to report 1660 TCP and 1477 UDP ports as closed rather than filtered; a port that a scanner reports as filtered on one of these gateways therefore points at an ACL or an intermediate device, not at the gateway's default behaviour.