
Source: support.avaya.com/elmodocs2/white_papers/G250_G350_Security.pdf

GPW/AMK ©2005 Avaya Inc. All Rights Reserved. Avaya and the Avaya logo are trademarks of Avaya Inc. and may be registered in certain jurisdictions. All trademarks identified by ® and ™ are registered trademarks or trademarks respectively, of Avaya Inc. All other registered trademarks or trademarks are property of their respective owners.


TECHNICAL WHITE PAPER

Avaya G250 and G350 Media Gateway Security Features Overview

Version: 1 Date: November 17, 2005

CID: 115343 Author: Avaya Technology and Consulting

IP Telephony Practice

Abstract: The Avaya G250 and G350 Media Gateway Security Features Overview (CID 115343) supersedes the earlier Avaya G350 Media Gateway Security Features Overview (CID 102411). This document follows the same template of questions as that earlier document and the sister document Avaya G700 Media Gateway Security Features Overview (CID 102412). The Avaya G250 and G350 Media Gateways, shown below, provide a variety of features which can be used to enhance security. The goal of this white paper is to summarize the general product documentation and focus on those features.

G350 Firmware Revision - FW: 24.17.0


G250 Firmware Revision - FW: 24.17.0


Table of Contents (Click on link to view more detailed information)

Access Control Lists / Denial of Service (DOS) Protection / SYN Protection
1. Access Control Lists
2. Denial of Service
3. SYN Protection Feature

Auditing Transactions / Administration
4. CLI Command Auditing (via Syslog)
5. Show Currently Logged on Administrators

Authentication Credentials / RADIUS / PBNAC 802.1x
6. Default User Accounts
7. Username/Password Characteristics
8. RADIUS Switch Administrator Authentication
9. Enable/Disable PBNAC 802.1x

CLI Inactivity Timeout and Pre/Post Login Banners
10. Idle Timeout
11. Banners

Network Client/Server Applications
12. Show Protocol
13. Enable/Disable Network Services
14. Client / Server Network Tools
15. Default Listening Ports (UDP/TCP)
16. SSH/SCP/HTTPS/SNMPv3 Support

SNMP / Syslog Configuration
17. SNMP Defaults
18. Syslog / SNMP Output
19. Allowed Managers


PBR and VPN Overview
20. Policy Based Routing
21. VPN Application Support

Appendixes
(A) Feature Matrix
(B) FIPS Overview
(C) Open Ports List


Access Control Lists / Denial of Service (DOS) Protection

1. Access Control Lists

The G250/G350 supports Access Control Lists (ACLs), which provide fine-grained control over ingress and egress traffic. In addition, the following restrictions are available:

— ip-fragments-in — applies to incoming packets that contain IP fragments
— ip-fragments-out — applies to outgoing packets that contain IP fragments
— ip-options-in — applies to incoming packets that contain IP options
— ip-options-out — applies to outgoing packets that contain IP options

You can configure policy rules to match packets, for ingress and egress, based on one or more of the following:

• Source IP address, or a range of addresses
• Destination IP address, or a range of addresses
• IP protocol, such as TCP, UDP, ICMP, IGMP
• Source TCP or UDP port, or a range of ports
• Destination TCP or UDP port, or a range of ports
• ICMP type and code

Use IP wildcards to specify a range of source or destination IP addresses. The zero bits in the wildcard correspond to bits in the IP address that must remain fixed; the one bits correspond to bits that may vary. Note that this is the opposite of how bits are used in a subnet mask: the wildcard 0.0.0.255 covers the same addresses as the subnet mask 255.255.255.0. For access control lists, you can require the packet to be part of an established TCP session; if the packet is a request for a new TCP session (the initial SYN), it does not match the rule. You can also specify whether an access control list accepts packets that carry an IP option field.


The following table lists the pre-configured entries in the composite operation table for rules in an access control list:

NOTE: You cannot configure additional composite operations for access control lists, since all possible composite operations are pre-configured.

Each column represents the following:
• No — a number identifying the operation
• Name — a name identifying the operation. Use this to attach the operation to a rule.
• Access — determines whether the operation forwards (forward) or drops (deny) the packet
• Notify — determines whether the operation causes a trap when it drops a packet
• Reset Connection — determines whether the operation causes a connection reset

To verify access control lists and QoS lists, you can view the configuration of the lists. You can also test the effect of the lists on simulated IP packets. Use the ip simulate command in the context of an interface to test a policy list. The command tests the effect of the policy list on a simulated IP packet in the interface. You must specify the number of a policy list, the direction of the packet (in or out), and a source and destination IP address. You may also specify other parameters. The following command simulates the effect of applying QoS list number 401 to a packet entering the G350 through interface VLAN 2:

G350-001(if:Vlan 2)# ip simulate 401 in CoS1 dscp46 10.1.1.1 10.2.2.2 tcp 1182 20

It is possible to define an access control list on the loopback interface of the G350 in which only certain IP addresses are allowed to communicate with the G350 itself. This ACL is applied on all of the G350's interfaces. For example, this feature can be used to limit telnet access to a specific list of IP addresses.
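The wildcard matching, the established-session test and the three composite-operation properties described above, as an added worked example (this is not Avaya code and not the gateway's implementation): a small Python model of a policy list that evaluates a simulated packet the way ip simulate does, first match wins. The rule set ACL_401, the operation names in COMPOSITE_OPS, the default action and the sample packets are assumptions made for the example; the gateway's own pre-configured operation table is not reproduced on this page.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Optional, Set, Tuple

# Composite operations with the three properties the page lists (access, notify,
# reset). The names are assumptions for this example; the gateway's real table
# is not shown on the page.
COMPOSITE_OPS = {
    "Permit":          {"access": "forward", "notify": False, "reset": False},
    "Deny":            {"access": "deny",    "notify": False, "reset": False},
    "Deny-Notify":     {"access": "deny",    "notify": True,  "reset": False},
    "Deny-Rst":        {"access": "deny",    "notify": False, "reset": True},
    "Deny-Notify-Rst": {"access": "deny",    "notify": True,  "reset": True},
}

ANY = ("0.0.0.0", "255.255.255.255")   # base address + all-ones wildcard = match everything


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Wildcard semantics from the page: a 0 bit in the wildcard must match,
    a 1 bit may vary (the inverse of a subnet mask)."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    fixed = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & fixed) == (b & fixed)


@dataclass
class Rule:
    op: str                                   # key into COMPOSITE_OPS
    src: Tuple[str, str] = ANY                # (address, wildcard)
    dst: Tuple[str, str] = ANY
    proto: Optional[str] = None               # "tcp", "udp", "icmp", ... or None = any
    sport: Optional[Tuple[int, int]] = None   # inclusive port range
    dport: Optional[Tuple[int, int]] = None
    icmp: Optional[Tuple[int, int]] = None    # (type, code)
    established: bool = False                 # only segments of an existing TCP session


@dataclass
class Packet:
    src: str
    dst: str
    proto: str
    sport: int = 0
    dport: int = 0
    flags: Set[str] = field(default_factory=set)   # TCP flags, e.g. {"SYN"}
    icmp: Optional[Tuple[int, int]] = None


def _in_range(value: int, rng: Optional[Tuple[int, int]]) -> bool:
    return rng is None or rng[0] <= value <= rng[1]


def matches(rule: Rule, pkt: Packet) -> bool:
    if not wildcard_match(pkt.src, *rule.src) or not wildcard_match(pkt.dst, *rule.dst):
        return False
    if rule.proto is not None and rule.proto != pkt.proto:
        return False
    if rule.proto in ("tcp", "udp") and not (
        _in_range(pkt.sport, rule.sport) and _in_range(pkt.dport, rule.dport)
    ):
        return False
    if rule.icmp is not None and pkt.icmp != rule.icmp:
        return False
    if rule.established:
        # A bare SYN is a request for a new session and must not match; a segment
        # carrying ACK (or RST) belongs to a session that is already set up.
        if pkt.proto != "tcp" or not (pkt.flags & {"ACK", "RST"}):
            return False
    return True


def simulate(acl, pkt: Packet, default_op: str = "Permit"):
    """Mini 'ip simulate': first matching rule wins.
    Returns (access, notify, reset, index of matching rule, or -1 for the default)."""
    for idx, rule in enumerate(acl):
        if matches(rule, pkt):
            op = COMPOSITE_OPS[rule.op]
            return op["access"], op["notify"], op["reset"], idx
    op = COMPOSITE_OPS[default_op]
    return op["access"], op["notify"], op["reset"], -1


# Constructed list 401 (the rules are ours): the management subnet 10.1.1.0/24
# may open telnet to 10.2.2.0/24; anyone else is dropped, trapped and reset;
# replies within established TCP sessions pass; ICMP echo requests are dropped.
ACL_401 = [
    Rule("Permit", src=("10.1.1.0", "0.0.0.255"), dst=("10.2.2.0", "0.0.0.255"),
         proto="tcp", dport=(23, 23)),
    Rule("Deny-Notify-Rst", proto="tcp", dport=(23, 23)),
    Rule("Permit", proto="tcp", established=True),
    Rule("Deny", proto="icmp", icmp=(8, 0)),
]

if __name__ == "__main__":
    # A packet modelled on the page's ip simulate example, then a rogue telnet attempt.
    print(simulate(ACL_401, Packet("10.1.1.1", "10.2.2.2", "tcp", 1182, 23, {"SYN"})))
    print(simulate(ACL_401, Packet("192.0.2.9", "10.2.2.2", "tcp", 4444, 23, {"SYN"})))
```

The established rule is what makes the list usable in practice: without it, return traffic of sessions the management subnet opened would have to be permitted by address, which is exactly the hole an attacker on the voice VLAN would use.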

Return to Table of Contents


2. DOS

Use the icmp in-echo-limit command to set the maximum number of ICMP echo requests that can be received in one second. Use the no form of the command to restore the default value. Possible values are [1 – 10000].

G350-002(super)# icmp in-echo-limit ?
Icmp in-echo-limit commands:
---------------------------------------------------------------------------
Syntax : icmp in-echo-limit <size>.
Example: icmp in-echo-limit 100.
G350-002(super)#

3. SYN Protection

The G250/G350 provides various TCP/IP services and is therefore exposed to a range of TCP/IP-based DoS attacks. DoS (Denial of Service) attacks refer to a wide range of malicious attacks that can deny one or more services provided by a targeted host. Specifically, a SYN attack is a well-known TCP/IP attack in which an attacker floods a device with connection requests that are never completed, effectively preventing it from establishing new TCP connections. SYN cookies are a well-known method of protection against a SYN attack.

Use the tcp syn-cookies command to enable the SYN cookies defense mechanism. Use the show version of the command to display SYN cookies statistics. The no version disables the mechanism. Use the clear version to clear the SYN cookie counters. Note that enabling or disabling SYN cookies only takes effect after the running configuration has been saved to the start-up configuration and the device has been reset.

G350-002(super)# tcp syn-cookies
To enable the tcp syn-cookies, copy the running configuration to the start-up configuration file and reset the device.
G350-002(super)#

When the SYN cookies feature is enabled, the G250/G350 alerts the administrator to a suspected SYN attack as it occurs by sending the following syslog message:

SYN attack suspected! Number of unanswered SYN requests is greater than 20 in last 10 seconds.

G350-002(super)# no tcp syn-cookies
To disable the tcp syn-cookies, copy the running configuration to the start-up configuration file and reset the device.
G350-002(super)#

G350-002(super)# clear tcp syn-cookies counters
done!
G350-002(super)#


G350-002(super)# show tcp syn-cookies
Status: Enabled
Statistics:
SYN recd:
Connections established
Local Address      Remote Address     State        Last
------------------ ------------------ ------------ ------
192.168.1.254      192.168.1.32       Established  4
G350-002(super)#
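The syslog message above states the detection rule exactly: more than 20 unanswered SYN requests within the last 10 seconds. As an added example (not part of the white paper and not the gateway's firmware), the following Python monitor applies that rule to a stream of TCP segments arriving at the gateway, so the threshold can be reproduced from a packet capture or exercised with constructed traffic. The traffic generators, the addresses, and the decision to re-arm the alert once the count drops back under the threshold are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Threshold and window taken from the gateway's own syslog text on the page.
WINDOW_SECONDS = 10.0
THRESHOLD = 20
GATEWAY_IP = "192.168.1.254"   # the local address shown in the page's output


@dataclass(frozen=True)
class Segment:
    ts: float          # seconds
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset   # subset of {"SYN", "ACK", "RST", "FIN"}


class HalfOpenMonitor:
    """Counts inbound SYNs whose handshake has not completed within the last
    WINDOW_SECONDS and raises the page's alert once more than THRESHOLD are
    outstanding. Only segments arriving at the gateway are fed in; the
    gateway's own SYN-ACK replies are not needed for the count."""

    def __init__(self, window: float = WINDOW_SECONDS, threshold: int = THRESHOLD):
        self.window = window
        self.threshold = threshold
        self.pending: Dict[Tuple[str, int, str, int], float] = {}
        self.alerts: List[str] = []
        self._alerted = False

    def observe(self, seg: Segment) -> Optional[str]:
        key = (seg.src, seg.sport, seg.dst, seg.dport)
        if "SYN" in seg.flags and "ACK" not in seg.flags:
            self.pending[key] = seg.ts            # new connection request
        elif seg.flags & {"ACK", "RST"} and "SYN" not in seg.flags:
            self.pending.pop(key, None)           # handshake completed or aborted
        # Forget requests older than the window so a slow trickle never alerts.
        self.pending = {k: t for k, t in self.pending.items() if seg.ts - t <= self.window}
        if len(self.pending) > self.threshold:
            if not self._alerted:
                self._alerted = True
                msg = ("SYN attack suspected! Number of unanswered SYN requests is "
                       f"greater than {self.threshold} in last {int(self.window)} seconds.")
                self.alerts.append(msg)
                return msg
        else:
            self._alerted = False                 # re-arm once the burst subsides (our choice)
        return None


def run(segments: List[Segment]) -> List[str]:
    mon = HalfOpenMonitor()
    for seg in sorted(segments, key=lambda s: s.ts):
        mon.observe(seg)
    return mon.alerts


# Constructed traffic samples (not captures from a real gateway).
def legitimate_traffic(n: int = 5, start: float = 0.0) -> List[Segment]:
    segs = []
    for i in range(n):
        client, port, t = f"192.168.1.{30 + i}", 1000 + i, start + i
        segs.append(Segment(t, client, port, GATEWAY_IP, 23, frozenset({"SYN"})))
        segs.append(Segment(t + 0.02, client, port, GATEWAY_IP, 23, frozenset({"ACK"})))
    return segs


def syn_flood(n: int, start: float = 100.0, spacing: float = 0.01) -> List[Segment]:
    # Spoofed sources never answer the SYN-ACK, so every SYN stays half-open.
    return [Segment(start + i * spacing, f"203.0.113.{1 + i % 250}", 40000 + i,
                    GATEWAY_IP, 23, frozenset({"SYN"})) for i in range(n)]


if __name__ == "__main__":
    print(run(legitimate_traffic()))           # no alert
    print(run(syn_flood(30)))                  # one alert at the 21st half-open SYN
    print(run(syn_flood(30, spacing=1.0)))     # no alert: never more than 11 inside 10 s
```

Feeding a capture from the gateway's management VLAN into observe() is a quick way to confirm, before enabling tcp syn-cookies (which requires a reset), whether the alert you are seeing is a flood or just a busy phone boot storm.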

Return to Table of Contents


Auditing Transactions / Administration

4. CLI Command Auditing (via Syslog)

Configuration-change SNMP traps are sent if the "config" trap is enabled; it is enabled by default when you type "set snmp trap enable all". Additionally, log messages can be sent to a log file, to the console session, to a telnet session, and stored on the gateway. Relevant logs can also be sent to a syslog server by enabling a log server through the CLI:

set logging server x.x.x.x
set logging server x.x.x.x enable
set logging server condition CLI Notification x.x.x.x

The above example logs to the syslog server x.x.x.x every event from the CLI application with severity "Notification" and above. Other applications are also available. Examples:

01-13-2004 13:27:23 Local7.Notice 192.168.1.70 JAN 13 13:27:26 192.168.1.70 Cli Command[CLI-Notification: root: session mgc<000>
01-13-2004 13:26:50 Local7.Notice 192.168.1.70 JAN 13 13:26:53 192.168.1.70 CliCommand[CLI-Notification: root: set mediaserver 192.168.1.20 192.168.1.70 5023 sat<000>
01-13-2004 13:26:22 Local7.Notice 192.168.1.70 JAN 13 13:26:25 192.168.1.70 CliCommand[CLI-Notification: root: set mediaserver 192.168.1.70 192.168.1.30 5023 sat<000>
01-13-2004 13:22:26 Local7.Notice 192.168.1.70 JAN 13 13:22:29 192.168.1.70 CliCommand[CLI-Notification: root: copy running-config startup-config <000>
01-13-2004 13:18:55 Local7.Notice 192.168.1.70 JAN 13 13:18:58 192.168.1.70 CliCommand[CLI-Notification: root: dir<000>
01-13-2004 13:18:36 Local7.Notice 192.168.1.70 JAN 13 13:18:38 192.168.1.70 CliCommand[CLI-Notification: root: telnet 192.168.1.1<000>
01-13-2004 13:17:48 Local7.Notice 192.168.1.70 JAN 13 13:17:50 192.168.1.70 CliCommand[CLI-Notification: root: traceroute 131.94.57.51<000>
01-13-2004 13:17:18 Local7.Notice 192.168.1.70 JAN 13 13:17:20 192.168.1.70 CliCommand[CLI-Notification: root: hostname G350<000>
01-13-2004 13:15:44 Local7.Notice 192.168.1.70 JAN 13 13:15:46 192.168.1.70 CliCommand[CLI-Notification: root: ping 192.168.1.1<000>
01-13-2004 13:15:19 Local7.Notice 192.168.1.70 JAN 13 13:15:21 192.168.1.70 CliCommand[CLI-Notification: root: set logging server condition CLI Notification 192.168.1.100<000>


01-13-2004 13:28:55 Local7.Notice 192.168.1.70 JAN 13 13:28:58 192.168.1.70 CliCommand[CLI-Notification: root: exit<000>
01-13-2004 13:30:29 Local7.Notice 192.168.1.70 JAN 13 13:30:32 192.168.1.70 CliCommand[CLI-Notification: georgia: exit<000>
01-13-2004 13:30:24 Local7.Notice 192.168.1.70 JAN 13 13:30:27 192.168.1.70 CliCommand[CLI-Notification: georgia: session mgc<000>

The set logging server facility command, followed by the name of the output facility and the IP address of the Syslog server, selects the syslog facility under which reports sent to that server are tagged. A total of 3 syslog servers can be configured. The following example selects the FTP daemon facility for Syslog reports sent to the Syslog server with IP address 168.12.1.15. The G350 and G250 have user logging enabled by default from the factory.

set logging server facility ftpd 168.12.1.15

The available facilities are listed below:
auth (Authorization)
deamon (Background System Process)
clkd (Clock Daemon)
clkd2 (Clock Daemon)
mail (Electronic Mail)
local0-local7 (For Local Use)
ftpd (FTP Daemon)
kern (Kernel)
alert (Log Alert)
audi (Log Audit)
ntp (NTP Subsystem)
lpr (Printing)
sec (Security)
syslog (System Logging)
uucp (Unix-to-Unix Copy Program)
news (Usenet News)
user (User Process)

Use the show logging server condition command followed by the IP address of the Syslog server. If you do not specify an IP address, the command displays the status of all Syslog servers defined for the G250/G350. This command displays whether each server is enabled or disabled and lists all filters defined on the server.
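Audit records are only useful if something reads them. As an added example (our code, not Avaya's), the following Python parser consumes CLI-Notification lines in exactly the format printed above, sorts them by the device timestamp, and separates configuration changes and pivots (telnet, ssh, session) from routine commands for review. SAMPLE_LOG reuses eight of the lines shown above; the command-prefix lists that drive the classification are our assumptions, not anything the gateway defines.

```python
import re
from collections import Counter
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List

# Line layout as printed on the page: receiver timestamp, facility.severity,
# source host, device timestamp, source host again, then the CLI record.
LINE_RE = re.compile(
    r"^(?P<recv>\d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2}) "
    r"(?P<facility>\w+)\.(?P<severity>\w+) (?P<host>\S+) "
    r"(?P<mon>[A-Z]{3}) +(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) \S+ "
    r"Cli ?Command\[CLI-Notification: (?P<user>[^:]+): (?P<cmd>.*?)\s*<000>$"
)
MONTHS = {m: i for i, m in enumerate("JAN FEB MAR APR MAY JUN JUL AUG SEP OCT NOV DEC".split(), 1)}

# What an auditor wants pulled out first (prefix lists are our assumption).
CONFIG_PREFIXES = ("set ", "no ", "copy ", "username ", "hostname ", "login ",
                   "banner ", "tcp ", "icmp ")
PIVOT_PREFIXES = ("telnet ", "ssh ", "session ")


@dataclass
class CliEvent:
    when: datetime      # device timestamp; the year is taken from the receiver stamp
    host: str
    user: str
    command: str

    @property
    def category(self) -> str:
        if self.command.startswith(PIVOT_PREFIXES):
            return "pivot"          # opens a session to another host or to the MGC
        if self.command.startswith(CONFIG_PREFIXES):
            return "config"
        return "other"              # show, ping, dir, exit, ...


def parse_log(text: str) -> List[CliEvent]:
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue                # not a CLI audit record; ignore it
        year = int(m["recv"][6:10])
        hh, mm, ss = (int(x) for x in m["time"].split(":"))
        when = datetime(year, MONTHS[m["mon"]], int(m["day"]), hh, mm, ss)
        events.append(CliEvent(when, m["host"], m["user"], m["cmd"].strip()))
    return sorted(events, key=lambda e: e.when)


def audit(events: List[CliEvent]) -> Dict[str, object]:
    """Per-user command counts plus the two lists worth reading line by line."""
    return {
        "by_user": dict(Counter(e.user for e in events)),
        "config": [(e.user, e.command) for e in events if e.category == "config"],
        "pivot": [(e.user, e.command) for e in events if e.category == "pivot"],
    }


# Eight of the page's own example lines, in the order the page prints them.
SAMPLE_LOG = """\
01-13-2004 13:27:23 Local7.Notice 192.168.1.70 JAN 13 13:27:26 192.168.1.70 Cli Command[CLI-Notification: root: session mgc<000>
01-13-2004 13:26:50 Local7.Notice 192.168.1.70 JAN 13 13:26:53 192.168.1.70 CliCommand[CLI-Notification: root: set mediaserver 192.168.1.20 192.168.1.70 5023 sat<000>
01-13-2004 13:22:26 Local7.Notice 192.168.1.70 JAN 13 13:22:29 192.168.1.70 CliCommand[CLI-Notification: root: copy running-config startup-config <000>
01-13-2004 13:18:36 Local7.Notice 192.168.1.70 JAN 13 13:18:38 192.168.1.70 CliCommand[CLI-Notification: root: telnet 192.168.1.1<000>
01-13-2004 13:17:18 Local7.Notice 192.168.1.70 JAN 13 13:17:20 192.168.1.70 CliCommand[CLI-Notification: root: hostname G350<000>
01-13-2004 13:15:44 Local7.Notice 192.168.1.70 JAN 13 13:15:46 192.168.1.70 CliCommand[CLI-Notification: root: ping 192.168.1.1<000>
01-13-2004 13:15:19 Local7.Notice 192.168.1.70 JAN 13 13:15:21 192.168.1.70 CliCommand[CLI-Notification: root: set logging server condition CLI Notification 192.168.1.100<000>
01-13-2004 13:30:24 Local7.Notice 192.168.1.70 JAN 13 13:30:27 192.168.1.70 CliCommand[CLI-Notification: georgia: session mgc<000>
"""

if __name__ == "__main__":
    for key, value in audit(parse_log(SAMPLE_LOG)).items():
        print(key, value)
```

Two things stand out even in this small sample: every configuration change was made as root rather than a named account, and the telnet command shows the gateway being used as a jump host, both of which are worth an alert rule on the syslog collector.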

Return to Table of Contents


5. Displaying Currently Logged on Administrators

With the G250/G350 gateways there are three primary ways to administer the gateway: a direct connection via the console, Telnet, and Secure Shell (SSH). To display the users currently logged on to the G250/G350 via SSH or Telnet, issue the following commands:

Command: show ip ssh
Ssh Engine: Enable
Max Sessions: 2
Key Type: DSA , 768 bit
Listen Port: 22
Ciphers List: 3des-cbc
Session-Id Version Encryption User IP: Port
0          2       3des-cbc   root 192.168.1.31:3528

Command: show ip telnet
Telnet Engine: Enable
Max Sessions: 5
Listen Port: 23
Session-Id User: IP: Port
0          root  192.168.1.32:1055

Note that the SSH service in this firmware offers only a 768-bit DSA host key and the 3des-cbc cipher, both well below current recommendations, and Telnet carries credentials in the clear. Where the management network is not fully trusted, restrict both services to known administrator addresses with an ACL (see section 1) and disable Telnet with no ip telnet.

Return to Table of Contents


Authentication Credentials / RADIUS

6. Default User Accounts

By default there is only a single user account, named root, with password root, which has administrator-level access. You cannot delete this account or modify its access level, but you can, and should, change its password.

G350-002(super)# show username
User account                     password                         access-type
-------------------------------- -------------------------------- ---------
root                             *****                            admin
G350-002(super)#

Return to Table of Contents

7. Username/Password Characteristics

• Username: minimum 4 characters, maximum 31 characters
• Password: minimum 8 characters, maximum 31 characters (all US printable non-whitespace keyboard characters are valid)
• There can be up to 3 password entry attempts at login before the session is terminated
• Up to 10 unique "local" usernames can be configured on the G350

When you start to use Avaya G250/G350 Manager or the CLI, you must enter a username. The username that you enter sets your privilege level, and the commands that are available to you during the session depend on that privilege level. If you use RADIUS authentication, the RADIUS server sets your privilege level. It is important to note that if the same username is defined both locally on the gateway and in RADIUS, the local account takes precedence over the one on the RADIUS server.

• You can use the Read-only privilege level to view configuration parameters.
• You can use the Read-write privilege level to view and change all configuration parameters except those related to security. For example, you cannot change a password with the Read-write privilege level.
• You can use the Admin privilege level to view and change all configuration parameters, including parameters related to security. Use the Admin privilege level only when you need to change security-related configuration, such as adding a new user account or restricting the sources from which the device can be managed (for example, by issuing the no ip telnet command).

Username commands:
---------------------------------------------------------------------------
Usage: username <name> password <passwd> access-type {read-only|read-write|admin}

• Does the ability exist to force a minimum length username and/or password (other than default minimum of 4 characters username and 8 characters for password)? No. However, this can be accomplished by using an external authentication database such as RADIUS.

• Does the configuration file include user account passwords or SNMP Community Strings? The configuration file does not include SNMP community strings and user/password data.

• Are there any "undocumented" usernames or SNMP community strings? No. All "diag" accounts are inaccessible without first logging into the G350 via a super-user account. A password recovery procedure exists but can only be used via a direct connection to the console port; it can also be disabled.

• Is there any way to enforce password aging on “local” accounts used to administer the G350? No. However, this can be accomplished by using an external authentication database such as RADIUS.

• Is there any way to enforce account "lock-out" after user inactivity of that account – i.e. user has not logged in for 60 days? No. However, this can be accomplished by using an external authentication database such as RADIUS.

• Any way to enforce "lock-out" of accounts after excessive retries? Yes. In addition to RADIUS external authentication, which provides its own set of lock-out options, the following global command sets the login authentication lockout parameters for local administrators:

G350-002(super)# login authentication lockout ?
Login authentication lockout commands:
--------------------------------------------------------------------
Syntax : login authentication lockout <time> attempt <count>
<time>  - integer <30..3600> seconds. Interval of time for which the account lockout is enforced. 0 - no timeout
<count> - integer <1..10>. Number of successive failures before lockout
Example: login authentication lockout 360 attempt 5

The login authentication command also supports enabling the local craft (services) user and setting its password.

• Any way for the G350 to prevent simple/dictionary words from being chosen as passwords? No. However, this can be accomplished by using an external authentication database such as RADIUS.


• Any way to age passwords? And if so, any way for the G350 to prevent password reuse, and if so how many past passwords are stored? No. However, this can be accomplished by using an external authentication database such as RADIUS.
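The constraints this section lists (4 to 31 character usernames, 8 to 31 character printable non-whitespace passwords, 3 attempts per session, at most 10 local accounts, and login authentication lockout <time> attempt <count>) are easy to pin down as code. The following Python model is an added example, not Avaya's implementation: it enforces those limits, locks an account after the configured number of successive failures for the configured time, and terminates a session after three bad entries. How the gateway stores passwords is not stated on the page, so salted PBKDF2 here is our choice; reading a lockout time of 0 as "locked until an administrator clears it" is our interpretation of "0 - no timeout".

```python
import hashlib
import hmac
import os
import string
from typing import Dict, List

# Limits as stated on the page.
USERNAME_LEN = (4, 31)
PASSWORD_LEN = (8, 31)
MAX_LOCAL_USERS = 10
ATTEMPTS_PER_SESSION = 3
LOCKOUT_TIME_RANGE = (30, 3600)     # seconds, or 0 for "no timeout"
LOCKOUT_ATTEMPT_RANGE = (1, 10)
PASSWORD_CHARS = set(string.printable) - set(string.whitespace)


def check_username(name: str) -> List[str]:
    problems = []
    if not USERNAME_LEN[0] <= len(name) <= USERNAME_LEN[1]:
        problems.append(f"username length must be {USERNAME_LEN[0]}..{USERNAME_LEN[1]}")
    return problems


def check_password(pw: str) -> List[str]:
    problems = []
    if not PASSWORD_LEN[0] <= len(pw) <= PASSWORD_LEN[1]:
        problems.append(f"password length must be {PASSWORD_LEN[0]}..{PASSWORD_LEN[1]}")
    if set(pw) - PASSWORD_CHARS:
        problems.append("password may contain only US printable non-whitespace characters")
    return problems


class LocalAuth:
    """Local account database with 'login authentication lockout <time> attempt
    <count>' behaviour. Passwords are stored salted and hashed here (our choice;
    the page does not say how the gateway stores them)."""

    def __init__(self, lockout_time: int = 360, attempts: int = 5):
        if lockout_time != 0 and not LOCKOUT_TIME_RANGE[0] <= lockout_time <= LOCKOUT_TIME_RANGE[1]:
            raise ValueError("lockout time must be 0 or 30..3600 seconds")
        if not LOCKOUT_ATTEMPT_RANGE[0] <= attempts <= LOCKOUT_ATTEMPT_RANGE[1]:
            raise ValueError("lockout attempts must be 1..10")
        self.lockout_time, self.max_failures = lockout_time, attempts
        self.users: Dict[str, dict] = {}

    @staticmethod
    def _hash(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

    def add_user(self, name: str, password: str, access_type: str = "read-only") -> None:
        if access_type not in ("read-only", "read-write", "admin"):
            raise ValueError("access-type must be read-only, read-write or admin")
        problems = check_username(name) + check_password(password)
        if problems:
            raise ValueError("; ".join(problems))
        if name not in self.users and len(self.users) >= MAX_LOCAL_USERS:
            raise ValueError(f"at most {MAX_LOCAL_USERS} local usernames")
        salt = os.urandom(16)
        self.users[name] = {"salt": salt, "hash": self._hash(password, salt),
                            "access": access_type, "failures": 0, "locked_until": 0.0}

    def unlock(self, name: str) -> None:
        """Administrative clear of a lockout (needed when lockout_time is 0)."""
        self.users[name]["locked_until"] = 0.0
        self.users[name]["failures"] = 0

    def login(self, name: str, password: str, now: float) -> str:
        """Returns 'ok', 'denied' or 'locked'. `now` (seconds) is injected so the
        lockout window can be tested without sleeping."""
        u = self.users.get(name)
        if u is None:
            return "denied"        # on the real device a RADIUS lookup would follow here
        if now < u["locked_until"]:
            return "locked"        # a correct password does not shorten the lockout
        if hmac.compare_digest(self._hash(password, u["salt"]), u["hash"]):
            u["failures"] = 0
            return "ok"
        u["failures"] += 1
        if u["failures"] >= self.max_failures:
            u["failures"] = 0
            u["locked_until"] = float("inf") if self.lockout_time == 0 else now + self.lockout_time
            return "locked"
        return "denied"


def login_session(auth: LocalAuth, name: str, guesses: List[str], now: float) -> List[str]:
    """One CLI session: the page allows 3 password entries before the session is
    terminated, independently of the per-account lockout counter."""
    results = []
    for guess in guesses[:ATTEMPTS_PER_SESSION]:
        results.append(auth.login(name, guess, now))
        if results[-1] == "ok":
            return results
    results.append("session terminated")
    return results
```

Note what the model makes explicit: the three-attempts-per-session limit alone does not stop an attacker who simply reconnects, which is why the lockout command, with attempt set below the number of guesses an attacker can afford, is the control that matters.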

Return to Table of Contents


8. RADIUS Switch Administrator Authentication

If your network has a RADIUS server, you can configure the Avaya G250/G350 Media Gateway to use RADIUS authentication. A RADIUS server provides a centralized authentication service for many devices on a network. When you use RADIUS authentication, you do not need to configure usernames and passwords on the G250/G350. When a user logs in, the G250/G350 searches for the username and password in its own database first; if it does not find them, it activates RADIUS authentication.

G350-002(super)# show radius authentication
Mode: Enable
Primary-server: 192.168.1.205
Secondary-server: 172.16.1.205
Retry-number: 4
Retry-time: 5
UDP-port: 1645
shared-secret: *****
G350-002(super)#

Note that UDP port 1645 is the legacy RADIUS authentication port; RFC 2865 assigns port 1812, so make sure the port configured here matches the one your RADIUS server actually listens on.

The Avaya G250/G350 Media Gateway includes a security mechanism through which the system administrator defines users and assigns each user a username and a password. Each user is assigned a privilege level, which determines the commands the user can perform. In addition to this basic security mechanism, the G250/G350 supports secure data transfer via SSH and SCP.

The G250/G350 can be configured to work with an external RADIUS server to provide user authentication. When RADIUS authentication is enabled, the RADIUS server operates in conjunction with the G250/G350's local security mechanism: when a user logs in and the G250/G350 does not find the username in its own database, it establishes a connection with the RADIUS server, and the RADIUS server provides the necessary authentication services.

9. Enable/Disable PBNAC 802.1x The G350 also uses the 802.1x protocol in conjunction with EAP within EAPOL and over RADIUS to provide a means for authenticating and authorizing users attached to a LAN port, and for preventing access to that port in cases where the authentication process fails.


Note: The 802.1x protocol is not supported on the G250 as of CM 3.0.

G350-002(super)# set port dot1x ?
Set port dot1x commands:
---------------------------------------------------------------------------
set port dot1x initialize          Initialize port dot1x
set port dot1x max-req             Sets per port the max-req, the maximal number of times the port tries to retransmit requests to the Authenticated Station before the session is terminated
set port dot1x port-control        Set dot1x control parameter per port
set port dot1x quiet-period        Sets per port the 802.1x quiet period, minimal idle time between authentication attempts
set port dot1x re-authenticate     Set the port to re-authenticate
set port dot1x re-authentication   Set dot1x re-authentication mode per port
set port dot1x re-authperiod       Sets per port the re-authentication period, an idle time between re-authentication attempts
set port dot1x server-timeout      Sets per port the server-timeout, the time for the port to wait for a reply from the Authentication Server
set port dot1x supp-timeout        Sets per port the supp-timeout, a time for the port to wait for a reply from the Authenticated Station
set port dot1x tx-period           Sets per port the transmit period, a time interval between attempts to access the Authenticated Station

G350-002(super)# show port dot1x ?
Show port dot1x commands:
---------------------------------------------------------------------------
Syntax : show port dot1x [<mod/port>]
Example: show port dot1x 3/2
show port dot1x statistics   Shows the port dot1x statistics.

G350-002(super)# clear dot1x ?
Clear dot1x commands:
---------------------------------------------------------------------------
clear dot1x config   Resets the 802.1x configuration parameters


Return to Table of Contents


CLI Inactivity Timeout and Pre/Post Login Banners

10. Idle Timeout

Use the set logout command to set the number of minutes until the system automatically disconnects an idle session. The default is 15 minutes. Possible values are [0 – 99]. Setting the value to 0 disables the automatic disconnection of idle sessions.

G350-002(super)# show logout
CLI timeout is 15 minutes


11. Banners

The login banner displays before the user is prompted for the login name. The banners can be modified using the following commands:

G350-002(super)# show banner login
Welcome to G350 Media Gateway
FW version 24.17.0
G350-002(super)# banner login
G350-002<super-login># line 5 " G250_001 "
Done!
G350-002<super-login># line 5 " Unauthorized access is prohibited"
Done!
G350-002<super-login>#exit
G350-002(super)# show banner login
G250_001
Unauthorized access is prohibited
G350-002(super)#

The post-login banner displays after the user has logged in successfully.

G350-002(super)# show banner post-login

Both the pre/post banner login commands utilize the line command for banner entry. The line command supports a range of [1 – 24] lines of text.

G350-002(super)# banner post-login
G350-002<super-login># line 5 " G250_001 "
Done!
G350-002<super-login># line 5 " Unauthorized access is prohibited"
Done!
G350-002<super-login>#exit


Network Client/Server applications

12. Show Protocol

Use the show protocol command to display the status of a specific management protocol, or of all protocols, on the G250/G350. The G250 does not support a web interface; the HTTP protocol is disabled by default on the G250. SSHv2 is the supported SSH protocol.

G350-002(super)# show protocol
Protocols          Status
------------       --------
SSH-SERVER         ON
TELNET-CLIENT      OFF
TELENT-SERVER      ON
SNMPv1-SERVER      ON
SNMPv3-SERVER      ON
HTTP-SERVER        ON
RECOVERY-PASSWORD  ON
DHCP-SERVER        OFF
TFTP-SERVER        OFF
DNS-CLIENT         ON

Non-administrative protocols
--------------------------
FTP-CLIENT
TFTP-CLIENT
SCP-CLIENT

G250-001(super)# show protocol
Protocols          Status
------------       --------
SSH-SERVER         ON
TELNET-CLIENT      OFF
TELENT-SERVER      OFF
SNMPv1-SERVER      ON
SNMPv3-SERVER      ON
HTTP-SERVER        ON
RECOVERY-PASSWORD  ON
DHCP-SERVER        ON
TFTP-SERVER        ON
DNS-CLIENT         ON

Non-administrative protocols
--------------------------
FTP-CLIENT
TFTP-CLIENT
SCP-CLIENT
G350-002(super)#


13. Enable/Disable Services (use the no form of a command to disable a service, e.g. no ip http)

G350-002(super)# ip http
Done!
G350-002(super)# ip telnet
Done!
G350-002(super)# ip telnet-client
This command can be called only from console port

• Note: The telnet-client on the G250/G350 is disabled by default and can only be enabled when connected via the local console port.

• The G250/G350 internal Telnet server supports up to 5 incoming concurrent sessions.

• The G250/G350 internal Telnet client supports up to 6 outgoing concurrent sessions: one outgoing Telnet session for each incoming Telnet session, and one for the console port.

• Toggle ICMP redirects by issuing the command [no] ip redirect (under interface context).

• Toggle SNMP: [no] ip snmp disables SNMPv1 and SNMPv3 (global command). To disable only SNMPv1, use the no snmp community command.

• Toggle FTP client: not possible. It is, however, possible to block TCP port 21 in an outgoing ACL on the loopback interface.

• Toggle recovery password: set terminal recovery password enable/disable.
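As an added example (not part of the white paper), the following Python parses a show protocol listing like the one quoted in section 12 and reports which of the enable/disable commands from this section would bring the gateway to a hardened management-plane baseline; the baseline itself is an assumption made for the example, not a vendor default.

```python
"""Audit a G250/G350 `show protocol` listing against a hardened management-plane baseline."""
import re

# `show protocol` output for a G350 exactly as quoted in this white paper (FW 24.17.0).
SHOW_PROTOCOL_G350 = """\
G350-002(super)# show protocol
Protocols          Status
------------       --------
SSH-SERVER         ON
TELNET-CLIENT      OFF
TELENT-SERVER      ON
SNMPv1-SERVER      ON
SNMPv3-SERVER      ON
HTTP-SERVER        ON
RECOVERY-PASSWORD  ON
DHCP-SERVER        OFF
TFTP-SERVER        OFF
DNS-CLIENT         ON
Non-administrative protocols
--------------------------
FTP-CLIENT
TFTP-CLIENT
SCP-CLIENT
"""

# The quoted firmware output spells the Telnet server row "TELENT-SERVER"; normalise it.
ALIASES = {"TELENT-SERVER": "TELNET-SERVER"}

# Hardened baseline (an assumption for this example): desired state plus the CLI command
# from this paper that reaches it.
BASELINE = {
    "SSH-SERVER":        ("ON",  "ip ssh"),
    "TELNET-SERVER":     ("OFF", "no ip telnet"),
    "HTTP-SERVER":       ("OFF", "no ip http"),
    "SNMPv1-SERVER":     ("OFF", "no snmp community"),
    "RECOVERY-PASSWORD": ("OFF", "set terminal recovery password disable"),
}

_ROW = re.compile(r"^\s*([A-Za-z0-9-]+)\s+(ON|OFF)\s*$")


def parse_show_protocol(text: str) -> dict:
    """Return {protocol: 'ON' | 'OFF'} from the administrative protocol table.

    Rows in the Non-administrative section carry no status, so they never match.
    """
    status = {}
    for line in text.splitlines():
        m = _ROW.match(line)
        if m:
            name = ALIASES.get(m.group(1), m.group(1))
            status[name] = m.group(2)
    return status


def hardening_gaps(text: str, baseline: dict = BASELINE) -> list:
    """List (protocol, current_state, remediation_command) for every deviation from baseline."""
    current = parse_show_protocol(text)
    gaps = []
    for proto, (wanted, command) in baseline.items():
        actual = current.get(proto)
        if actual is not None and actual != wanted:
            gaps.append((proto, actual, command))
    return gaps


def remediation_script(text: str, baseline: dict = BASELINE) -> list:
    """Commands to type at the (super) prompt, in the order the baseline lists them."""
    return [command for _, _, command in hardening_gaps(text, baseline)]


if __name__ == "__main__":
    for proto, state, cmd in hardening_gaps(SHOW_PROTOCOL_G350):
        print(f"{proto:<18} is {state:<3} -> {cmd}")
```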


14. Client / Server Network Tools

Telnet Client – Disabled by default (requires console access to enable)
Telnet Server – Enabled by default
HTTP Server – Enabled by default on G350 (not supported on G250)
SNMPv1 and SNMPv3 Agent – Enabled by default (Read, Read-Write, Trap)


15. Default Listen Ports

The output below is the result of an NMAP TCP and UDP port scan on the G350. Please see Appendix C for additional information on open ports in the G250/G350 gateways.

[root@scsradius ~]# nmap -sT 135.148.208.78

Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2005-09-14 16:40 EDT
Interesting ports on 135.148.208.78:
(The 1660 ports scanned but not shown below are in state: closed)
PORT   STATE SERVICE
22/tcp open  ssh
23/tcp open  telnet
80/tcp open  http
MAC Address: 00:04:0D:29:CA:6D (Avaya)

Nmap finished: 1 IP address (1 host up) scanned in 33.360 seconds

[admin@scsradius ~]$ nmap -sU 135.148.208.78

Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2005-09-14 16:40 EDT
Interesting ports on 135.148.208.78:
(The 1477 ports scanned but not shown below are in state: closed)
PORT    STATE         SERVICE
161/udp open|filtered snmp
MAC Address: 00:04:0D:29:CA:6D (Avaya)

Nmap finished: 1 IP address (1 host up) scanned in 137.319 seconds
[admin@scsradius ~]$


16. SSH/SCP/SNMPv3

SSH, SCP and SNMPv3 are supported in the G250/G350. SSHv2, SNMPv1 and SNMPv3 can be globally enabled and disabled. The community strings for SNMPv1 can be disabled.

G350-002(super)# show snmp
Authentication trap disabled
Community-Access   Community-String
----------------   ----------------
read-only          ******
read-write         ******

SNMPv3 Notification Status
--------------------------
Traps: enabled
Informs: enabled
Retries: 3
Timeout: 3 seconds

SNMP-Rec-Address  Model  Level   Notification  Trap/Inform  User name
----------------  -----  ------  ------------  -----------  ---------
192.168.1.30      v1     noauth  all           trap         ReadCommN
UDP port: 162  DM

The SCP client is enabled by default and cannot be disabled. HTTP is disabled and not supported by the G250. The HTTP server is enabled by default on the G350 and can be disabled. The SSH server can be enabled/disabled with the ip ssh command and the no ip ssh command.

G350-002(super)# clear ssh-client ?
Clear ssh-client commands:
---------------------------------------------------------------------------
clear ssh-client known-hosts    Clears the ssh known-host file content. Used to unlock the man-in-the-middle attack prevention mechanism and allow scp server authentication after the scp server public key has changed.


SNMP / Syslog Configuration

17. SNMP Defaults

G350-002(super)# show snmp
Authentication trap disabled
Community-Access   Community-String
----------------   ----------------
read-only          *****
read-write         *****

SNMPv3 Notifications Status
-----------------------------
Traps: Enabled
Informs: Enabled
Retries: 3
Timeout: 3 seconds

SNMP-Rec-Address  Model  Level   Notification  Trap/Inform  User name
----------------  -----  ------  ------------  -----------  ---------
0.0.0.0           v1     noauth  all           trap         ReadCommN
UDP port: 162  DM
G350-002(super)#

G350-002(super)# set snmp ?
Set snmp commands:
---------------------------------------------------------------------------
set snmp community    Set SNMP community string
set snmp retries      Set The SNMP Retries Number
set snmp timeout      Set The SNMP Timeout
set snmp trap         Set snmp trap, use 'set snmp trap help' for more info
G350-002(super)#

G350-002(super)# set snmp community ?
Set snmp community commands:
---------------------------------------------------------------------------
Usage: set snmp community <access_type> [community string]
       (access_type = read-only | read-write )


G350-???(super)# no snmp ?
No snmp commands:
---------------------------------------------------------------------------
no snmp community              Disable SNMPv1 service (community based)
no snmp dynamic-trap-manager   Toggles off notification type filters from dynamic trap manager instance
no snmp engineID               Set the SNMPv3 engineID to default
no snmp group                  Delete SNMPv3 group (vacm mib)
no snmp host                   Remove SNMP notification (trap or inform) receiver or filters
no snmp notifications          Disable sending SNMPv3 notification (trap and inform)
no snmp remote-user            Delete SNMPv3 remote user (usm and vacm mib)
no snmp user                   Delete SNMPv3 user (usm and vacm mib)
no snmp view                   Delete SNMPv3 view (vacm mib)

G350-???(super)# show snmp ?
Show snmp commands:
---------------------------------------------------------------------------
Usage: show snmp
show snmp engineID       Show SNMPv3 engineID
show snmp group          Show SNMPv3 groups
show snmp retries        Show SNMP Retries Number
show snmp timeout        Show SNMP Timeout
show snmp user           Show SNMPv3 users
show snmp userToGroup    Show the mapping table between SNMPv3 users and groups
show snmp view           Shows SNMPv3 views
G350-002(super)#

G350-002(super)# show snmp view

View Name        Subtree Oid                          Subtree Mask  View Type  Storage Type  Status
---------------  -----------------------------------  ------------  ---------  ------------  ------
iso              1                                                  include    nonVolatile   active
restricted       1.3.6.1.2.1.1                                      include    nonVolatile   active
restricted       1.3.6.1.2.1.11                                     include    nonVolatile   active
restricted       1.3.6.1.6.3.10.2.1                                 include    nonVolatile   active
restricted       1.3.6.1.6.3.11.2.1                                 include    nonVolatile   active
restricted       1.3.6.1.6.3.15.1.1                                 include    nonVolatile   active
snmpv1View       1                                                  include    nonVolatile   active
snmpv1View       1.3.6.1.6                                          exclude    nonVolatile   active
snmpv1View       1.3.6.1.6.3.1                                      include    nonVolatile   active
snmpv1View       1.3.6.1.6.3.12                                     include    nonVolatile   active
snmpv1View       1.3.6.1.6.3.13                                     include    nonVolatile   active
v3configView     1                                                  include    nonVolatile   active
v3configView     1.3.6.1.6                                          exclude    nonVolatile   active
v3configView     1.3.6.1.6.3.10.2.1                                 include    nonVolatile   active
v3configView     1.3.6.1.6.3.11.2.1                                 include    nonVolatile   active
v3configView     1.3.6.1.6.3.15.1.1                                 include    nonVolatile   active
v3configView     1.3.6.1.6.3.15.1.2.2.1.7                           include    nonVolatile   active
v3configView     1.3.6.1.6.3.15.1.2.2.1.10                          include    nonVolatile   active
v3configView     1.3.6.1.4.1.1751.2.53.1.2.1.3.0.2    ff:fa         exclude    nonVolatile   active
v3configView     1.3.6.1.4.1.1751.2.53.1.2.1.3.0.5    ff:fa         exclude    nonVolatile   active
snmpv1WriteView  1                                                  include    nonVolatile   active
snmpv1WriteView  1.3.6.1.6                                          exclude    nonVolatile   active
snmpv1WriteView  1.3.6.1.6.3.1                                      include    nonVolatile   active
snmpv1WriteView  1.3.6.1.6.3.12                                     include    nonVolatile   active
snmpv1WriteView  1.3.6.1.6.3.13                                     include    nonVolatile   active
snmpv1WriteView  1.3.6.1.6.3.18                                     include    nonVolatile   active

G350-002(super)# show snmp group

Group Name    Security Model  Security Level  Read View        Write View       Notify View      Status
------------  --------------  --------------  ---------------  ---------------  ---------------  ------
initial       v3              noauth          restricted       restricted       restricted       active
ReadCommG     v1              noauth          snmpv1View                        snmpv1View       active
ReadCommG     v2c             noauth          snmpv1View                        snmpv1View       active
WriteCommG    v1              noauth          snmpv1WriteView  snmpv1WriteView  snmpv1WriteView  active
WriteCommG    v2c             noauth          snmpv1WriteView  snmpv1WriteView  snmpv1WriteView  active
v3ReadOnlyG   v3              auth            v3configView                      v3configView     active
v3AdminViewG  v3              priv            iso              iso              iso              active
v3ReadWriteG  v3              auth            v3configView     v3configView     v3configView     active
G350-002(super)#


18. Syslog/SNMP Output

* When trying to log in via Telnet using invalid credentials:

JAN 5 09:12:32 192.168.1.70 lntUnAuthAccessEvent[SECURITY-Warning: Unauthorized Access from IP address = 192.168.1.100, User = root, Protocol = 23<000>

0010 0B 2B 06 01 04 01 B5 69 01 2D 67 02 40 04 C0 A8  .+.....i.-g.@...
0020 01 46 02 01 06 02 01 44 43 03 36 43 4F 30 36 30  .F.....DC.6CO060
0030 11 06 09 2B 06 01 04 01 51 26 0E 03 04 04 72 6F  ...+....Q&....ro
0040 6F 74 30 11 06 09 2B 06 01 04 01 51 26 0E 04 40  ot0...+....Q&..@
0050 04 C0 A8 01 64 30 0E 06 09 2B 06 01 04 01 51 26  ....d0...+....Q&
0060 0E 05 02 01 17                                   .....

Frame Length: 101 bytes
Community: public
OID: .1.3.6.1.4.1.6889.1.45.103.2
Address: 192.168.1.70
sysUpTime: 0 days, 09:52:41
Generic: 6 - Enterprise Specific
Specific: 68
OID: .1.3.6.1.4.1.81.38.14.3   ASN1 Type: Octet String 0x04 (4)   Value: root
OID: .1.3.6.1.4.1.81.38.14.4   ASN1 Type: IP Address 0x40 (64)    Value: 192.168.1.100
OID: .1.3.6.1.4.1.81.38.14.5   ASN1 Type: Integer32 0x02 (2)      Value: 23

* When trying to log in via HTTP using invalid credentials:

JAN 5 15:52:22 192.168.1.70 lntUnAuthAccessEvent[SECURITY-Warning: Unauthorized Access from IP address = 127.1.1.127, User = root, Protocol = 80<000>

0010 0B 2B 06 01 04 01 B5 69 01 2D 67 02 40 04 C0 A8  .+.....i.-g.@...
0020 01 46 02 01 06 02 01 44 43 03 36 12 81 30 36 30  .F.....DC.6..060
0030 11 06 09 2B 06 01 04 01 51 26 0E 03 04 04 72 6F  ...+....Q&....ro
0040 6F 74 30 11 06 09 2B 06 01 04 01 51 26 0E 04 40  ot0...+....Q&..@
0050 04 7F 01 01 7F 30 0E 06 09 2B 06 01 04 01 51 26  .....0...+....Q&
0060 0E 05 02 01 50                                   ....P

Frame Length: 101 bytes
Community: public
OID: .1.3.6.1.4.1.6889.1.45.103.2
Address: 192.168.1.70
sysUpTime: 0 days, 09:50:36
Generic: 6 - Enterprise Specific
Specific: 68
OID: .1.3.6.1.4.1.81.38.14.3   ASN1 Type: Octet String 0x04 (4)   Value: root
OID: .1.3.6.1.4.1.81.38.14.4   ASN1 Type: IP Address 0x40 (64)    Value: 127.1.1.127
OID: .1.3.6.1.4.1.81.38.14.5   ASN1 Type: Integer32 0x02 (2)      Value: 80

• In order to receive syslog messages for SNMP events using the wrong community strings, the following command has to be entered: set logging server condition security notification x.x.x.x (x.x.x.x = IP address of the syslog server)

G350-002(super)# show logging server condition
******************************************************
***  Message logging configuration of SYSLOG sink  ***
Sink Is Disabled
Sink default severity: Warning
Server name: 192.168.1.100
Server facility: local7
Server access level: read-write
G350-002(super)#

• When trying to query the SNMP agent using an incorrect community string:

01-13-2004 12:46:26 Local7.Notice 192.168.1.70 JAN 13 12:46:27 192.168.1.70 authenticFailure[SECURITY-Notification: AuthenticationFailure<000>

0000 30 2D 02 01 00 04 06 70 75 62 6C 69 63 A4 20 06  0-.....public. .
0010 0B 2B 06 01 04 01 B5 69 01 2D 67 02 40 04 C0 A8  .+.....i.-g.@...
0020 01 46 02 01 04 02 01 00 43 03 00 AE 55 30 00     .F......C...U0.

Frame Length: 47 bytes
Community: public
OID: .1.3.6.1.4.1.6889.1.45.103.2
Address: 192.168.1.70
sysUpTime: 0 days, 00:07:26
Generic: 4 - Authentication Failure
Specific: 0

* There are two different trap notifications: the standard Authentication Failure trap, which is sent on a bad SNMPv1 community, and the Avaya proprietary trap lntUnAuthAccessEvent. The lntUnAuthAccessEvent trap is controlled per trap receiver.

G350-002(super)# show snmp ?
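As an added example (not part of the white paper), the Python below decodes SNMPv1 Trap-PDUs like the ones dumped above and maps them to the two security events this section describes. The 47-byte authenticationFailure frame is taken byte for byte from the dump; the lntUnAuthAccessEvent dump begins at offset 0x10, so its first 16 bytes are reconstructed here from the reported frame length and community and are marked as constructed.

```python
"""Decode the SNMPv1 traps (RFC 1157 BER) a G250/G350 sends to its trap receivers."""
# Test vectors. The 47-byte authenticationFailure frame is exactly the dump quoted above.
AUTH_FAILURE_TRAP = bytes.fromhex(
    "302D020100" "04067075626C6963" "A420"
    "060B2B06010401B569012D6702" "4004C0A80146" "020104" "020100" "430300AE55" "3000"
)
# The lntUnAuthAccessEvent dump above starts at offset 0x10. Its first 16 bytes (SEQUENCE,
# version 0, community "public", Trap-PDU tag/length, enterprise OID tag) are CONSTRUCTED
# here from the reported 101-byte frame length so that the frame decodes end to end.
UNAUTH_ACCESS_TRAP = bytes.fromhex(
    "3063020100" "04067075626C6963" "A456" "06"              # constructed (offsets 0x00-0x0F)
    "0B2B06010401B569012D6702" "4004C0A80146"                # enterprise OID, agent 192.168.1.70
    "020106" "020144" "430336434F" "3036"                    # generic 6, specific 68, TimeTicks, VarBindList
    "3011" "06092B0601040151260E03" "0404726F6F74"           # ...81.38.14.3 = "root"
    "3011" "06092B0601040151260E04" "4004C0A80164"           # ...81.38.14.4 = 192.168.1.100
    "300E" "06092B0601040151260E05" "020117"                 # ...81.38.14.5 = 23 (telnet)
)
OID_USER = ".1.3.6.1.4.1.81.38.14.3"          # varbind OIDs as listed in the dumps above
OID_SOURCE_IP = ".1.3.6.1.4.1.81.38.14.4"
OID_PROTOCOL = ".1.3.6.1.4.1.81.38.14.5"
SPECIFIC_LNT_UNAUTH_ACCESS = 68               # specific-trap value of lntUnAuthAccessEvent


def _tlv(buf: bytes, pos: int):
    """Parse one BER TLV at pos; return (tag, value, position just past the TLV)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                          # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("TLV length exceeds frame")
    return tag, buf[pos:pos + length], pos + length


def _oid(raw: bytes) -> str:
    """OBJECT IDENTIFIER -> dotted string with the leading dot the paper prints."""
    arcs, sub = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        sub = (sub << 7) | (b & 0x7F)
        if not b & 0x80:                       # high bit clear ends a base-128 arc
            arcs.append(sub)
            sub = 0
    return "." + ".".join(map(str, arcs))


def _value(tag: int, raw: bytes):
    """Decode the SNMPv1 value types these traps carry; unknown tags are left as hex."""
    if tag == 0x02:                            # INTEGER (two's complement)
        return int.from_bytes(raw, "big", signed=True)
    if tag == 0x04:                            # OCTET STRING
        return raw.decode("ascii", "replace")
    if tag == 0x40:                            # IpAddress
        return ".".join(str(b) for b in raw)
    if tag in (0x41, 0x42, 0x43):              # Counter32, Gauge32, TimeTicks: unsigned
        return int.from_bytes(raw, "big")
    return _oid(raw) if tag == 0x06 else raw.hex()


def decode_trap_v1(frame: bytes) -> dict:
    """Decode Message { version 0, community, Trap-PDU [4] { ..., VarBindList } } to a dict."""
    tag, msg, _ = _tlv(frame, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP Message")
    tag, version, pos = _tlv(msg, 0)
    if tag != 0x02 or _value(tag, version) != 0:
        raise ValueError("not SNMPv1")
    _, community, pos = _tlv(msg, pos)
    tag, pdu, _ = _tlv(msg, pos)
    if tag != 0xA4:
        raise ValueError("not a Trap-PDU")
    fields, pos = [], 0
    for expected in (0x06, 0x40, 0x02, 0x02, 0x43, 0x30):   # enterprise, agent-addr, generic-trap,
        tag, raw, pos = _tlv(pdu, pos)                      # specific-trap, time-stamp, VarBindList
        if tag != expected:
            raise ValueError(f"expected tag {expected:#x}, got {tag:#x}")
        fields.append(raw)
    enterprise, addr, generic, specific, ticks, vbl = fields
    varbinds, pos = {}, 0
    while pos < len(vbl):                                   # VarBind ::= SEQUENCE { name, value }
        _, vb, pos = _tlv(vbl, pos)
        _, name, vpos = _tlv(vb, 0)
        vtag, vraw, _ = _tlv(vb, vpos)
        varbinds[_oid(name)] = _value(vtag, vraw)
    return {"community": community.decode("ascii", "replace"), "enterprise": _oid(enterprise),
            "agent_addr": _value(0x40, addr), "generic_trap": _value(0x02, generic),
            "specific_trap": _value(0x02, specific), "sysuptime_ticks": _value(0x43, ticks),
            "varbinds": varbinds}


def format_uptime(ticks: int) -> str:
    """Render TimeTicks (hundredths of a second) as the paper does: '0 days, 09:52:41'."""
    days, rem = divmod(ticks // 100, 86400)
    hours, rem = divmod(rem, 3600)
    minutes, seconds = divmod(rem, 60)
    return f"{days} days, {hours:02d}:{minutes:02d}:{seconds:02d}"


def describe(trap: dict) -> str:
    """The one-line security event a trap receiver or SIEM would record for this trap."""
    if trap["generic_trap"] == 4:              # RFC 1157 generic-trap authenticationFailure
        return f"authenticationFailure: bad SNMPv1 community presented to {trap['agent_addr']}"
    if trap["generic_trap"] == 6 and trap["specific_trap"] == SPECIFIC_LNT_UNAUTH_ACCESS:
        vb = trap["varbinds"]
        return (f"lntUnAuthAccessEvent: unauthorized access to {trap['agent_addr']} from "
                f"{vb.get(OID_SOURCE_IP)}, user={vb.get(OID_USER)}, protocol={vb.get(OID_PROTOCOL)}")
    return f"enterprise trap {trap['enterprise']} specific={trap['specific_trap']} from {trap['agent_addr']}"
```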


19. Allowed Managers

There is no equivalent on the G250/G350 to the G700 set allowed managers command. However, it is possible to define an access control list on the loopback interface in which only certain IP addresses are allowed to communicate with the G250/G350. This ACL is applied on all the G250/G350 interfaces.

20. Policy Based Routing Overview

Policy-based routing allows you to configure a routing scheme based on traffic's source IP address, destination IP address, IP protocol, and other characteristics. You can use policy-based routing (PBR) lists to determine the routing of packets that match the rules defined in the list. Each PBR list includes a set of rules, and each rule includes a next hop list. Each next hop list contains up to 20 next hop destinations to which the G250/G350 sends packets that match the rule. A destination can be either an IP address or an interface.

Policy-based routing takes place only when the packet enters the interface, not when it leaves. Policy-based routing takes place after the packet is processed by the Ingress Access Control. Thus, the PBR list evaluates the packet after the packet's DSCP field has been modified by the Ingress QoS List.

Although there are many possible applications for policy-based routing, the most common is to provide separate routing for voice and data traffic. It can also be used as a means to provide backup routes for defined traffic types. For more information please see the Administration for the G250 and G350 Gateways user documentation located on the support.avaya.com web site.

20. VPN Applications

VPN (Virtual Private Network) defines a private secure connection between two nodes on a public network such as the Internet. VPN at the IP level is deployed using IPSec. IPSec (IP Security) is a standards-based set of protocols defined by the IETF that provide privacy, integrity, and authenticity to information transferred across IP networks. The standard key exchange method employed by IPSec uses the IKE (Internet Key Exchange) protocol to exchange key information between the two nodes (called peers). Each peer maintains SAs (security associations) to maintain the private secure connection. IKE operates in two phases:

● The Phase-1 exchange negotiates an IKE SA.

● The IKE SA created in Phase-1 secures the subsequent Phase-2 exchanges, which in turn generate IPSec SAs.

IPSec SAs secure the actual traffic between the protected networks behind the peers, while the IKE SA only secures the key exchanges that generate the IPSec SAs between the peers. The G250/G350 IPSec VPN feature is designed to support site-to-site topologies, in which the two peers are gateways.

For additional information on the VPN features of the G250 and G350 gateways, please see the VPN application note titled G350 and G250 R3.0 IPsec VPN. The application note is located on support.avaya.com and can be found by selecting user guides in the right hand column of the main support page. Then select download by product name, click on the letter G and choose either G250 or G350. At the product page click on view all documents in the left hand column. From the view all documents page scroll down and select the following application note:

Application & Technical Notes : English - U.S.

Date    Title                                            Doc ID
------  -----------------------------------------------  ------
Jul-05  Application Note: G350 and G250 R3.0 IPSec VPN


***END***


Appendix A  Feature Matrix by Release

Release  Security Features
-------  -----------------
CM2.1    • Policy based routing (PBR)
         • SNMPv3
         • SSH and SCP
         • Sniffer application - sniffing of all packets that go in/out of the G350/G250 Gateways' CPU interface

CM2.2    • IPsec VPN
         • FIPS 140-2 for G350
         • Enforcement of a minimum password length of 8 characters
         • User account lockout after a number of failed login attempts (login authentication [lockout <time> | attempt <count>])
         • Audit of login requests to Syslog

CM3.0    • PBNAC 802.1x support
         • CM3.0 VPN enhancements
         • FIPS 140-2 for G250
         • Open ports plugging (shutting unintended or unnecessary TCP/UDP ports)


Appendix B FIPS 140-2 Overview

The Federal Information Processing Standard 140-2 (FIPS 140-2) is a standard that describes US Federal government requirements that IT products should meet for Sensitive but Unclassified (SBU) use. The standard was published by the National Institute of Standards and Technology (NIST) and has been adopted by the Canadian government's Communications Security Establishment (CSE). The G250, G250-BRI, and G350 are Level 1 compliant, multi-chip stand-alone cryptographic modules in commercial grade metal cases. When operating in FIPS compliant mode, the modules provide:

● VPN, Voice over Internet Protocol (VoIP) media-gateway services, Ethernet switching, IP routing, and data security for IP traffic
● Status output via LEDs and logs available through the module's management interface
● Network interfaces for data input and output
● A console port

The cryptographic boundary includes all of the components within the physical enclosure of the branch gateway chassis, without any expansion modules. However, the media modules for voice and Wide Area connectivity which are supported in the G350/G250 do not execute any crypto processing. Therefore, the media modules can be installed in the gateway without invalidating the FIPS 140-2 requisites. This does not apply to the S8300 module. Additional information on the G350 FIPS compliance can be obtained from the NIST site (http://csrc.nist.gov/cryptval/140-1/140sp/140sp519.pdf). The G250 is now in the final stage of compliance evaluation and its security policy will be available within a few weeks. The G350 certificate is available from http://csrc.nist.gov/cryptval/140-1/140crt/140crt519.pdf


Appendix C Open ports on G350/G250/G700 products

The following IP protocols are supported by the gateways and should be reported by port scan tools. The Notes column lists the command that enables or disables the application, where one exists.

Protocol  Protocol description                           Supported by Gateways   Notes
1         ICMP protocol                                  All (G350/G250/G700)    Always on
6         TCP protocol                                   All                     Always on
17        UDP datagram protocols                         All                     Always on
47        GRE Generic Routing Encapsulation (VPN-PPTP)   G350/G250               Always on
50        ESP Encapsulating Security Payload             G350/G250               Enabled by VPN license installation; disabled by default
89        OSPF Open Shortest Path First                  G350/G250               [no] route ospf; disabled by default
112       VRRP protocol                                  G350/G250               [no] route vrrp; disabled by default

Table 1 – input/output IP protocols. For all other protocols, the Gateways will respond with an ICMP protocol unreachable message.

The Gateway listens on the following TCP or UDP ports. Each entry gives the application, the gateways that support it, the behavior in CM 3.0 (with the command that enables or disables the application, where one exists) and the behavior in G350 CM2.1 and CM2.2.

21/tcp - FTP server
  Supported by: All
  CM 3.0: The FTP server normally keeps the port closed. The port should be seen as open for a short window during announcement file transfer.
  G350 CM2.1/CM2.2: Same as in CM 3.0

22/tcp - SSH server
  Supported by: G350, G250
  CM 3.0: [no] ip ssh. Default: enabled
  G350 CM2.1/CM2.2: Always open

23/tcp - Telnet server
  Supported by: All
  CM 3.0: [no] ip telnet. Default: enabled
  G350 CM2.1/CM2.2: Always open

67/udp - DHCP/BOOTP relay
  Supported by: G350, G250
  CM 3.0: [no] ip bootp-dhcp. Default: disabled
  G350 CM2.1/CM2.2: Always open

68/udp - DHCP server
  Supported by: G350, G250
  CM 3.0: [no] ip dhcp-server. Default: disabled
  G350 CM2.1/CM2.2: Always open in CM2.2; not supported in CM2.1

69/udp - TFTP server
  Supported by: G350, G250
  CM 3.0: [no] ip tftp-server. Default: disabled
  G350 CM2.1/CM2.2: Always open in CM2.2; not supported in CM2.1

80/tcp - HTTP server
  Supported by: G700, G350
  CM 3.0: [no] ip http. Default: enabled
  G350 CM2.1/CM2.2: Always open

161/udp - SNMP
  Supported by: All
  CM 3.0: [no] ip snmp. Default: enabled
  G350 CM2.1/CM2.2: Always open

500/udp - ISAKMP
  Supported by: G350, G250
  CM 3.0: Enabled by license installation (copy [tftp|scp|ftp] license-file). Default: disabled
  G350 CM2.1/CM2.2: Always open in CM2.2; not supported in CM2.1

520/udp - RIP-2 routing protocol
  Supported by: G350, G250
  CM 3.0: Default: disabled
  G350 CM2.1/CM2.2: Always open

1030/udp - Unknown application
  Supported by: All
  CM 3.0: Seems to be a dynamic port; the application that opens this port could not be determined (in other scans it was 1031/udp).
  G350 CM2.1/CM2.2: Always open

1039/tcp - Secure H.248 protocol for SLS
  Supported by: All
  CM 3.0: set survivable-call-engine [disable | enable]. Default: disabled
  G350 CM2.1/CM2.2: Not supported

1718/udp - Unicast Gatekeeper Discovery H.245 (RAS)
  Supported by: G250
  CM 3.0: set survivable-call-engine [disable | enable]. Default: disabled
  G350 CM2.1/CM2.2: Not supported

1719/udp - Registration H.245 (RAS)
  Supported by: G250
  CM 3.0: set survivable-call-engine [disable | enable]. Default: disabled
  G350 CM2.1/CM2.2: Not supported

1720/tcp - Call Setup H.245 (RAS)
  Supported by: G250
  CM 3.0: set survivable-call-engine [disable | enable]. Default: disabled
  G350 CM2.1/CM2.2: Not supported

1812/udp - RADIUS client
  Supported by: All
  CM 3.0: set radius authentication. Default: disabled
  G350 CM2.1/CM2.2: Always open

2020/udp - VoIP engine statistics
  Supported by: All
  CM 3.0: Always closed
  G350 CM2.1/CM2.2: Always open

2050/udp - Avaya EMB Config Port
  Supported by: All
  CM 3.0: Uncontrolled, always open. (*) Will be closed in CM3.1
  G350 CM2.1/CM2.2: Same as in CM 3.0

2070/udp - NAT-T
  Supported by: G350, G250
  CM 3.0: Enabled by license installation (copy [tftp|scp|ftp] license-file). Default: disabled
  G350 CM2.1/CM2.2: Always open in CM2.2; not supported in CM2.1

2945/tcp - Unencrypted H.248 port of SLS
  Supported by: G250
  CM 3.0: set survivable-call-engine [disable | enable]. Default: disabled
  G350 CM2.1/CM2.2: Not supported

4500/udp - NAT-P
  Supported by: G350, G250
  CM 3.0: Enabled by license installation (copy [tftp|scp|ftp] license-file). Default: disabled
  G350 CM2.1/CM2.2: Always open in CM2.2; not supported in CM2.1

5012/tcp - CHIA Port
  Supported by: All
  CM 3.0: Always closed
  G350 CM2.1/CM2.2: Always open in CM2.2; not supported in CM2.1

5050/tcp - SerialNum
  Supported by: All
  CM 3.0: Always open on emb-vlan. [no] ip license-server. Default: closed on external interface. Always open (uncontrolled) in G700
  G350 CM2.1/CM2.2: Same in CM2.2; not supported in CM2.1

2048 to 65534/udp - RTP traffic
  Supported by: All
  CM 3.0: Dynamically opened for active RTP sessions

50002/udp - CNA test plug control port
  Supported by: G350, G250
  CM 3.0: [no] cna-testplug-services. Default: disabled
  G350 CM2.1/CM2.2: Not supported

50003/udp - CNA test plug echo port
  Supported by: G350, G250
  CM 3.0: [no] cna-testplug-services. Default: disabled. This port is open for short periods of time
  G350 CM2.1/CM2.2: Not supported

For all other UDP applications, the Gateways will respond with an ICMP port unreachable message.

For all other TCP applications, the Gateways will respond with a TCP packet with the RST flag set.
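The port list above is most useful as a baseline for an audit: scan the gateway, then flag anything that is open but listed as disabled by default (a change someone made), anything not in the list at all, and the management services the table shows enabled by default but carrying credentials or configuration in cleartext (Telnet, HTTP, SNMP), for which the feature matrix offers SSH and SNMPv3. The following is an added example written for this review; it is not Avaya code. The BASELINE dictionary is transcribed from the CM 3.0 column of the table above, the "close with" commands are the `no` form of the commands the table lists, and SAMPLE_SCAN is a constructed scan result in a simple "port/proto state" form, not output from a real device or scanner.

```python
"""Review a port scan of a G250/G350 gateway against the Appendix C listener list.

Added example for this white paper, not Avaya code. BASELINE is transcribed from
the CM 3.0 column of the Appendix C port table; SAMPLE_SCAN is a constructed scan
result in a simple "port/proto state" form, not output from a real device.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Listener:
    name: str
    default_open: bool   # open in a default CM 3.0 configuration per Appendix C
    close_cmd: str       # "no" form of the command the table lists; "" if none is listed


# Keyed by (protocol, port). Entries the table marks "Default: disabled",
# "Always closed" or "Closed on external interface" have default_open=False.
BASELINE = {
    ("tcp", 21): Listener("FTP server (open briefly during announcement transfer)", False, ""),
    ("tcp", 22): Listener("SSH server", True, "no ip ssh"),
    ("tcp", 23): Listener("Telnet server", True, "no ip telnet"),
    ("udp", 67): Listener("DHCP/BOOTP relay", False, "no ip bootp-dhcp"),
    ("udp", 68): Listener("DHCP server", False, "no ip dhcp-server"),
    ("udp", 69): Listener("TFTP server", False, "no ip tftp-server"),
    ("tcp", 80): Listener("HTTP server", True, "no ip http"),
    ("udp", 161): Listener("SNMP", True, "no ip snmp"),
    ("udp", 500): Listener("ISAKMP (needs VPN license)", False, ""),
    ("udp", 520): Listener("RIP-2 routing", False, ""),
    ("tcp", 1039): Listener("Secure H.248 for SLS", False, "set survivable-call-engine disable"),
    ("udp", 1718): Listener("SLS gatekeeper discovery (RAS)", False, "set survivable-call-engine disable"),
    ("udp", 1719): Listener("SLS registration (RAS)", False, "set survivable-call-engine disable"),
    ("tcp", 1720): Listener("SLS call setup", False, "set survivable-call-engine disable"),
    ("udp", 1812): Listener("RADIUS client", False, ""),
    ("udp", 2020): Listener("VoIP engine statistics", False, ""),
    ("udp", 2050): Listener("Avaya EMB config port", True, ""),   # uncontrolled in CM 3.0
    ("udp", 2070): Listener("NAT-T (needs VPN license)", False, ""),
    ("tcp", 2945): Listener("Unencrypted H.248 for SLS", False, "set survivable-call-engine disable"),
    ("udp", 4500): Listener("NAT-P (needs VPN license)", False, ""),
    ("tcp", 5012): Listener("CHIA port", False, ""),
    ("tcp", 5050): Listener("SerialNum (emb-vlan only)", False, "no ip license-server"),
    ("udp", 50002): Listener("CNA test plug control", False, "no cna-testplug-services"),
    ("udp", 50003): Listener("CNA test plug echo", False, "no cna-testplug-services"),
}

RTP_RANGE = range(2048, 65535)   # "Dynamically opened for active RTP sessions"

# Default-enabled management services that carry credentials or configuration
# unprotected on the wire; the feature matrix lists SSH and SNMPv3 as the
# protected alternatives for Telnet and SNMPv1/v2.
CLEARTEXT_MGMT = {("tcp", 23), ("tcp", 80), ("udp", 161)}

SAMPLE_SCAN = """\
# constructed scan result for illustration, not real device output
22/tcp   open
23/tcp   open
80/tcp   open
443/tcp  closed
69/udp   open
161/udp  open
2050/udp open
3456/udp open
8080/tcp open
"""


def parse_scan(text):
    """Return the set of (proto, port) pairs the scan reports as open."""
    open_ports = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        port_proto, state = line.split()[:2]
        port, proto = port_proto.split("/")
        if state.lower() == "open":
            open_ports.add((proto.lower(), int(port)))
    return open_ports


def review(open_ports):
    """Classify each open port; returns a list of ((proto, port), kind, note)."""
    findings = []
    for key in sorted(open_ports):
        proto, port = key
        entry = BASELINE.get(key)
        if entry is None:
            # Not a known listener: the RTP range is expected during calls,
            # anything else needs an explanation.
            if proto == "udp" and port in RTP_RANGE:
                findings.append((key, "rtp-range", "inside the dynamic RTP range; expected only during an active call"))
            else:
                findings.append((key, "unexpected", "not in the Appendix C listener list"))
        elif not entry.default_open:
            how = f"; close with: {entry.close_cmd}" if entry.close_cmd else ""
            findings.append((key, "non-default", f"{entry.name} is closed by default{how}"))
        elif not entry.close_cmd:
            findings.append((key, "uncontrolled", f"{entry.name} cannot be closed by configuration in CM 3.0"))
        elif key in CLEARTEXT_MGMT:
            findings.append((key, "cleartext-mgmt", f"{entry.name} is enabled by default; close with: {entry.close_cmd}"))
    return findings


if __name__ == "__main__":
    for (proto, port), kind, note in review(parse_scan(SAMPLE_SCAN)):
        print(f"{port}/{proto:<4} {kind:<15} {note}")
```

Ports that match the baseline and have a documented control (SSH on 22/tcp in the sample) produce no finding; the output is only what an administrator has to act on or explain. The CM2.1/CM2.2 column is not encoded because several of its entries are "always open" with no controlling command, so a scan of those releases is compared by eye against the table instead.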