Abstract:
The Avaya G250 and G350 Media Gateway Security Features Overview (CID 115343) supersedes the earlier Avaya G350 Media Gateways Security Features Overview (CID 102411). This document follows the same template of questions as that earlier document and its sister document, the Avaya G700 Media Gateway Security Features Overview (CID 102412).
The Avaya G250 and G350 Media Gateways described below provide a variety of features that can be used to enhance security. The goal of this white paper is to summarize the general product documentation and focus on those features.
GPW/AMK ©2005 Avaya Inc. All Rights Reserved. Avaya and the Avaya logo are trademarks of Avaya Inc. and may be registered in certain jurisdictions. All trademarks identified by ® and ™ are registered trademarks or trademarks respectively, of Avaya Inc. All other registered trademarks or trademarks are property of their respective owners.
Avaya G350 Media Gateway Security Features Overview
G250 Firmware Revision - FW: 24.17.0
Table of Contents
PBR and VPN Overview
Appendixes
Access Control Lists / Denial of Service (DoS) Protection
1. Access Control Lists
The G250/G350 supports Access Control Lists (ACLs), which provide fine-grained control over ingress and egress traffic by protocol. In addition, the following capabilities exist:
You can configure policy rules to match packets based on one or more of the following criteria, for ingress and egress:
For access control lists, you can require the packet to be part of an established TCP session; a packet that requests a new TCP session does not match such a rule. You can also specify whether an access control list accepts packets that carry an IP options field.
The following table lists the pre-configured entries in the composite
operation table for rules in an access control list:
NOTE:
You cannot configure additional composite operations for access control
lists, since all possible composite operations are pre-configured.
To verify access control lists and QoS lists, you can view the configuration
of the lists. You can also test the effect of the lists on simulated IP
packets. Use the ip simulate command in the context of an interface to test a
policy list. The command tests the effect of the policy list on a simulated
IP packet in the interface. You must specify the number of a policy list, the
direction of the packet (in or out), and a source and destination IP address.
You may also specify other parameters.
The following command simulates the effect of applying QoS list number 401 to
a packet entering the
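The two checks described above (the "established" match that rejects a bare SYN, and the list-level choice of whether packets with IP options are accepted), together with an ip simulate-style dry run, as an added Python example. This is not Avaya code: the list number, addresses, rule semantics (ordered rules, first match wins) and the sample list are assumptions made for the illustration.

```python
"""Policy-list (ACL) evaluator with an 'established' TCP match and a
list-level IP-options switch, plus a dry-run helper modelled on the
gateway's 'ip simulate' command. Added example, not Avaya code; list
number, addresses and first-match semantics are assumptions."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                            # "tcp", "udp" or "icmp"
    sport: int = 0
    dport: int = 0
    tcp_flags: frozenset = frozenset()    # e.g. {"SYN"}, {"ACK"}, {"SYN", "ACK"}
    ip_options: bool = False              # True when the IP header carries options


@dataclass
class Rule:
    action: str                           # "permit" or "deny"
    proto: str = "any"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    dport: Optional[range] = None
    established: bool = False             # packet must belong to an existing TCP session

    def matches(self, p: Packet) -> bool:
        if self.proto != "any" and self.proto != p.proto:
            return False
        if ip_address(p.src) not in ip_network(self.src):
            return False
        if ip_address(p.dst) not in ip_network(self.dst):
            return False
        if self.dport is not None and p.dport not in self.dport:
            return False
        if self.established:
            # A request for a new session is a TCP segment with SYN and no ACK;
            # only segments carrying ACK (or RST) can belong to an established session.
            if p.proto != "tcp" or not (p.tcp_flags & {"ACK", "RST"}):
                return False
        return True


@dataclass
class PolicyList:
    number: int
    rules: List[Rule] = field(default_factory=list)
    accept_ip_options: bool = True        # list-level setting described in the text
    default_action: str = "deny"

    def evaluate(self, p: Packet) -> Tuple[str, str]:
        """Return (action, reason). Rules are checked in order; first match wins."""
        if p.ip_options and not self.accept_ip_options:
            return "deny", "ip-options"
        for index, rule in enumerate(self.rules, start=1):
            if rule.matches(p):
                return rule.action, f"rule {index}"
        return self.default_action, "default"


def ip_simulate(plist: PolicyList, direction: str, p: Packet) -> str:
    """Dry run of one packet against a list, like 'ip simulate <list> <in|out> ...'."""
    action, reason = plist.evaluate(p)
    flags = ",".join(sorted(p.tcp_flags)) or "-"
    return (f"list {plist.number} {direction}: {p.proto} {p.src}:{p.sport} -> "
            f"{p.dst}:{p.dport} flags={flags} => {action} ({reason})")


def sample_inbound_list() -> PolicyList:
    """Constructed WAN-inbound list: return traffic into the LAN is permitted only
    for established sessions, SSH to 10.0.0.1 is permitted, everything else is denied."""
    return PolicyList(number=301, accept_ip_options=False, rules=[
        Rule("permit", proto="tcp", dst="10.0.0.0/24", established=True),
        Rule("permit", proto="tcp", dst="10.0.0.1/32", dport=range(22, 23)),
        Rule("deny"),
    ])


if __name__ == "__main__":
    acl = sample_inbound_list()
    for pkt in (
        Packet("203.0.113.9", "10.0.0.7", "tcp", 40000, 80, frozenset({"SYN"})),
        Packet("203.0.113.9", "10.0.0.7", "tcp", 80, 40000, frozenset({"ACK"})),
        Packet("203.0.113.9", "10.0.0.1", "tcp", 50000, 22, frozenset({"SYN"})),
        Packet("203.0.113.9", "10.0.0.1", "tcp", 50000, 22, frozenset({"SYN"}), True),
    ):
        print(ip_simulate(acl, "in", pkt))
```

The point of the dry run is the same as on the gateway: an inbound SYN to a LAN host is dropped by the final deny, the ACK of a session the LAN host opened matches the established rule, and a packet with IP options never reaches the rules when the list rejects options.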
2. DoS
Use the icmp in-echo-limit command to set the maximum number of ICMP echo requests the gateway accepts per second. Use the no form of the command to restore the default value. Possible values are [1 – 10000].
3. SYN Protection
Use the tcp syn-cookies command to enable the SYN cookies defense mechanism against SYN flood attacks. Use the show form of the command to display the SYN cookie statistics, the no form to disable the defense mechanism, and the clear form to reset the SYN cookie counters.
When the SYN cookies feature is enabled, the G250/G350 alerts the administrator to a suspected SYN attack as it occurs by sending the following syslog message:
G350-002(super)# show tcp syn-cookies
Status: Enabled
Statistics:
SYN recd:
Connections established
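How a SYN cookies defense works, as an added Python example that is not Avaya code and does not claim to reproduce the gateway's internal cookie format. It uses the classic layout (5 bits of time slot, 3 bits of MSS index, 24 bits of keyed hash) and keeps the same counters the show tcp syn-cookies output reports; the secret, the MSS table and all addresses are assumptions.

```python
"""SYN cookies: the server encodes what it would otherwise keep in a half-open
connection table into the ISN of its SYN-ACK, so a SYN flood consumes no memory
and only a client that really received the SYN-ACK can complete the handshake.
Added example, not Avaya code; layout is the classic 5/3/24-bit scheme and the
secret, MSS table and addresses are assumptions."""
import hashlib
import hmac

MSS_TABLE = (536, 1300, 1440, 1460)   # encodable MSS values, index 0..3
SLOT_SECONDS = 64                     # one time slot = 64 s
SECRET = b"constructed-demo-secret"   # a real stack rotates this periodically


def _slot(now: int) -> int:
    return (now // SLOT_SECONDS) & 31


def _hash24(secret, saddr, sport, daddr, dport, client_isn, slot) -> int:
    msg = f"{saddr}:{sport}>{daddr}:{dport}|{client_isn}|{slot}".encode()
    return int.from_bytes(hmac.new(secret, msg, hashlib.sha256).digest()[:3], "big")


def make_syn_cookie(saddr, sport, daddr, dport, client_isn, mss, now, secret=SECRET) -> int:
    """ISN to place in the SYN-ACK. Nothing about this client is stored."""
    slot = _slot(now)
    mss_idx = max((i for i, m in enumerate(MSS_TABLE) if m <= mss), default=0)
    return (slot << 27) | (mss_idx << 24) | _hash24(secret, saddr, sport, daddr, dport, client_isn, slot)


def check_syn_cookie(saddr, sport, daddr, dport, ack_seq, ack_ack, now,
                     secret=SECRET, max_age_slots=2):
    """Validate the final ACK of the handshake. Returns the MSS to use for the
    connection, or None when the cookie is forged, replayed from another
    address, or older than max_age_slots slots."""
    cookie = (ack_ack - 1) & 0xFFFFFFFF      # the client acks our ISN + 1
    client_isn = (ack_seq - 1) & 0xFFFFFFFF  # the client's seq is its own ISN + 1
    slot = cookie >> 27
    if ((_slot(now) - slot) & 31) > max_age_slots:
        return None
    mss_idx = (cookie >> 24) & 7
    if mss_idx >= len(MSS_TABLE):
        return None
    expected = _hash24(secret, saddr, sport, daddr, dport, client_isn, slot)
    if not hmac.compare_digest(expected.to_bytes(3, "big"), (cookie & 0xFFFFFF).to_bytes(3, "big")):
        return None
    return MSS_TABLE[mss_idx]


class SynCookieListener:
    """Stateless listening socket: no half-open table, only the counters the
    gateway's 'show tcp syn-cookies' output reports."""

    def __init__(self, addr, port, secret=SECRET):
        self.addr, self.port, self.secret = addr, port, secret
        self.syn_received = self.established = self.rejected = 0

    def on_syn(self, saddr, sport, client_isn, mss, now) -> int:
        self.syn_received += 1
        return make_syn_cookie(saddr, sport, self.addr, self.port, client_isn, mss, now, self.secret)

    def on_ack(self, saddr, sport, seq, ack, now):
        mss = check_syn_cookie(saddr, sport, self.addr, self.port, seq, ack, now, self.secret)
        if mss is None:
            self.rejected += 1
        else:
            self.established += 1
        return mss


def flood_then_legit(now=1_000_000) -> SynCookieListener:
    """Constructed scenario: 10,000 spoofed SYNs that never complete, then one
    real client. Returns the listener so its counters can be inspected."""
    srv = SynCookieListener("192.168.1.70", 23)
    for i in range(10_000):                 # spoofed sources; no ACK ever arrives
        srv.on_syn(f"198.51.100.{i % 254 + 1}", 1024 + i, i * 7919, 1460, now)
    isn = srv.on_syn("10.0.0.5", 40000, 12345, 1460, now)    # real client
    srv.on_ack("10.0.0.5", 40000, 12346, isn + 1, now + 30)
    return srv
```

The trade-off is visible in the code: the server gives up remembering the client's options (only a coarse MSS survives), and a stale or spoofed ACK is rejected by the time slot and the keyed hash rather than by a table lookup.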
Auditing Transactions / Administration
Configuration-change SNMP traps are sent when the "config" trap type is enabled; it is enabled by default when you enter "set snmp trap enable all". Additionally, log messages can be sent to a log file, to the console session, to a Telnet session, or stored on the gateway.
Relevant logs can also be sent to a syslog server by enabling a log server through the CLI:
The above example logs to the syslog server x.x.x.x every event from the CLI application with severity "Notification" and above. Other applications are also available.
Examples:
01-13-2004 13:28:55 Local7.Notice 192.168.1.70 JAN 13 13:28:58 192.168.1.70
CliCommand[CLI-Notification: root: exit<000>
Use the set logging server facility command, followed by the name of the output facility and the IP address of the syslog server, to select one of the facilities listed below. A total of 3 syslog servers can be configured.
The following example defines the FTP daemon (ftpd) as the output facility for syslog reports sent to the syslog server with IP address 168.12.1.15.
The G350 and G250 have user logging enabled by default from the factory.
auth (Authorization)
daemon (Background System Process)
clkd (Clock Daemon)
clkd2 (Clock Daemon 2)
mail (Electronic Mail)
local0-local7 (For Local Use)
ftpd (FTP Daemon)
kern (Kernel)
alert (Log Alert)
audit (Log Audit)
ntp (NTP Subsystem)
lpr (Printing)
sec (Security)
syslog (System Logging)
uucp (Unix-to-Unix Copy Program)
news (Usenet News)
user (User Process)
Use the show logging server condition command followed by the IP address of the syslog server. If you do not specify an IP address, the command displays the status of all syslog servers defined on the G250/G350. The output shows whether each server is enabled or disabled and lists all filters defined on it.
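What the syslog server receives and how the per-server condition filter behaves, as an added Python example (not Avaya code). The PRI value is facility*8 + severity per RFC 3164, and the facility keywords follow the list above. The first sample line is the page's CLI "exit" event rewritten in raw wire form (<189> is local7.notification); the other two lines are constructed to exercise the filter, and the server address is an assumption.

```python
"""Receiver-side syslog decoding plus a model of the gateway's per-server
'condition' filter (application and minimum severity). Added example, not
Avaya code; sample lines are constructed and the server address is assumed."""
import re
from typing import Dict, List

FACILITIES = {0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth", 5: "syslog",
              6: "lpr", 7: "news", 8: "uucp", 9: "clkd", 10: "sec", 11: "ftpd",
              12: "ntp", 13: "audit", 14: "alert", 15: "clkd2",
              **{16 + i: f"local{i}" for i in range(8)}}
SEVERITIES = ["emergency", "alert", "critical", "error", "warning",
              "notification", "informational", "debug"]   # 0 is the most severe

# <PRI>TIMESTAMP HOST TAG[APP-SEVERITY: message]  (the gateway's tag layout)
LINE_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Za-z]{3} {1,2}\d{1,2} \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<tag>\w+)\[(?P<app>\w+)-(?P<sev>\w+): (?P<msg>.*)$")

SAMPLE_LINES = [   # constructed; the first mirrors the CLI 'exit' event shown above
    "<189>JAN 13 13:28:58 192.168.1.70 CliCommand[CLI-Notification: root: exit",
    "<188>JAN 13 13:30:01 192.168.1.70 Security[SECURITY-Warning: snmp authentication failure from 192.168.1.100",
    "<190>JAN 13 13:31:12 192.168.1.70 CliCommand[CLI-Informational: root: show running-config",
]


def parse_syslog(line: str) -> Dict[str, object]:
    """Split one raw syslog line into facility, severity, host, application and text."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unparsable syslog line: {line!r}")
    pri = int(m["pri"])
    if pri > 191:
        raise ValueError("PRI out of range")
    facility, severity = divmod(pri, 8)
    return {"facility": FACILITIES[facility], "severity": SEVERITIES[severity],
            "severity_code": severity, "timestamp": m["ts"], "host": m["host"],
            "app": m["app"].lower(), "msg": m["msg"]}


class SyslogServer:
    """One configured server, holding the state 'show logging server condition'
    displays: enabled or disabled, and a severity threshold per application."""

    def __init__(self, ip: str):
        self.ip = ip
        self.enabled = False
        self.conditions: Dict[str, int] = {}
        self.delivered: List[Dict[str, object]] = []

    def set_condition(self, app: str, severity: str) -> None:
        """Equivalent of: set logging server condition <app> <severity> <ip>."""
        self.conditions[app.lower()] = SEVERITIES.index(severity.lower())

    def offer(self, event: Dict[str, object]) -> bool:
        """Deliver the event only if the server is enabled, the application has a
        condition, and the event is at least as severe as that threshold."""
        if not self.enabled:
            return False
        threshold = self.conditions.get(str(event["app"]))
        if threshold is None or int(event["severity_code"]) > threshold:
            return False
        self.delivered.append(event)
        return True


def route(lines: List[str], server: SyslogServer) -> List[bool]:
    """Feed raw lines through the filter; returns one delivery flag per line."""
    return [server.offer(parse_syslog(line)) for line in lines]
```

Two behaviours from the text are reproduced here: a server that is defined but not enabled delivers nothing, and a "notification" condition passes warnings but drops informational messages because lower severity codes are more severe.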
5. Displaying Currently Logged on Administrators
With the G250/G350 gateways there are three primary ways to administer the gateway: a direct connection to the console port, Telnet, and Secure Shell (SSH). To display the users currently logged on to the G250/G350 via SSH or Telnet, issue the following commands:
Authentication Credentials / RADIUS
6. Usernames
By default there is only a single user account, named root, with the password root, which has administrator-level access. You cannot delete this account or modify its access level, but you can, and should, change its factory-default password.
7. Username/Password Characteristics
When you start to use Avaya G250/G350 Manager or the CLI, you must enter a username. The username you enter sets your privilege level, and the commands available to you during the session depend on that level. If you use RADIUS authentication, the RADIUS server sets your privilege level. Note that if the same username is defined both locally on the gateway and in RADIUS, the local account takes precedence over the one created on the RADIUS server.
related to security, such as adding new user accounts and setting the device policy manager access source. An example of the latter would be issuing the no ip telnet command.
Username commands:
---------------------------------------------------------------------------
Usage: username <name> password <passwd> access-type {read-only|read-write|admin}
The login authentication command also lets you enable the local craft user (the services login) and set its password.
• Is there any way for the G350 to prevent simple or dictionary words from being chosen as passwords? No. However, this can be accomplished by using an external authentication database such as RADIUS.
• Any way to age passwords? And if so, any way for the G350 to prevent
password reuse, and if so how many past passwords are stored? No.
However, this can be accomplished by using an external
authentication database such as RADIUS.
8. RADIUS Switch Administrator Authentication
If your network has a RADIUS server, you can configure the Avaya G250/G350 Media Gateway to use RADIUS authentication. A RADIUS server provides a centralized authentication service for many devices on a network, so you do not need to configure usernames and passwords on each gateway. When you log in to the G250/G350, the gateway searches its own local user database first; if it does not find your username and password there, it falls back to RADIUS authentication.
Mode: Enable
Primary-server: 192.168.1.205
Secondary-server: 172.16.1.205
Retry-number: 4
Retry-time: 5
UDP-port: 1645
shared-secret: *****
G350-002(super)#
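The exchange behind the configuration above, as an added Python example that is not Avaya code: the gateway (acting as the RADIUS NAS) hides the administrator's password with the shared secret, and the server's reply carries a Response Authenticator the gateway must verify before trusting an Access-Accept (RFC 2865). The shared secret, addresses and user database are assumptions. One caveat a practitioner would check: the output above shows UDP port 1645, the legacy RADIUS port; the IANA-assigned port is 1812 (the one Appendix C lists), so the server must listen on whichever port the gateway is configured to send to.

```python
"""RADIUS administrator authentication (RFC 2865): Access-Request with the
User-Password hidden under the shared secret, and Response Authenticator
verification on the reply. Added example, not Avaya code; secret, addresses
and the user database are assumptions."""
import hashlib
import hmac
import os
import struct
from typing import Dict, Optional

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4
HEADER = struct.Struct("!BBH")           # code, identifier, length


def _attr(atype: int, value: bytes) -> bytes:
    return bytes([atype, len(value) + 2]) + value


def hide_password(password: str, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to 16-byte blocks, XOR each block with
    MD5(secret + previous block), seeded with the Request Authenticator."""
    padded = password.encode() + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], keystream))
        out += prev
    return out


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> str:
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        prev = hidden[i:i + 16]
        out += bytes(a ^ b for a, b in zip(prev, keystream))
    return out.rstrip(b"\x00").decode(errors="replace")


def build_access_request(ident: int, username: str, password: str, secret: bytes,
                         nas_ip: str, authenticator: Optional[bytes] = None) -> bytes:
    """What the gateway sends when a login is not found in its local database."""
    authenticator = authenticator or os.urandom(16)   # must be unpredictable per request
    attrs = (_attr(USER_NAME, username.encode())
             + _attr(USER_PASSWORD, hide_password(password, secret, authenticator))
             + _attr(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    return HEADER.pack(ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs


def parse_attrs(body: bytes) -> Dict[int, bytes]:
    attrs, pos = {}, 0
    while pos < len(body):
        atype, alen = body[pos], body[pos + 1]
        if alen < 2 or pos + alen > len(body):
            raise ValueError("malformed attribute")
        attrs[atype] = body[pos + 2:pos + alen]
        pos += alen
    return attrs


def server_handle(request: bytes, secret: bytes, users: Dict[str, str]) -> bytes:
    """Server side: recover the password, answer Accept or Reject, and sign the
    reply with MD5(header + RequestAuth + attributes + secret)."""
    code, ident, length = HEADER.unpack_from(request)
    if code != ACCESS_REQUEST or length != len(request):
        raise ValueError("not a well-formed Access-Request")
    req_auth = request[4:20]
    attrs = parse_attrs(request[20:])
    password = reveal_password(attrs[USER_PASSWORD], secret, req_auth)
    reply_code = ACCESS_ACCEPT if users.get(attrs[USER_NAME].decode()) == password else ACCESS_REJECT
    header = HEADER.pack(reply_code, ident, 20)
    return header + hashlib.md5(header + req_auth + secret).digest()


def client_verify(reply: bytes, request: bytes, secret: bytes) -> bool:
    """Gateway side: a reply counts only if its identifier matches and its Response
    Authenticator was computed with the shared secret. A spoofed Access-Accept
    from a host without the secret fails here."""
    if len(reply) < 20 or reply[1] != request[1]:
        return False
    header, resp_auth, attrs = reply[:4], reply[4:20], reply[20:]
    expected = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    return hmac.compare_digest(expected, resp_auth)
```

Note what the secret does and does not protect: the password hiding is an MD5 keystream rather than real encryption, so the secret's strength and the unpredictability of the Request Authenticator are all that stands between a capture of the RADIUS traffic and the administrator password.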
The Avaya G250/G350 Media Gateway includes a security mechanism through which the system administrator defines users and assigns each user a username and a password. Each user is assigned a privilege level, which determines the commands the user can perform.
In addition to this basic security mechanism, the G250/G350 supports secure data transfer via SSH and SCP.
The G350 also uses the 802.1X protocol, carrying EAP in EAPOL on the LAN side and over RADIUS to the authentication server, to authenticate and authorize users attached to a LAN port and to block access to that port when authentication fails.
Note: The 802.1x protocol is not supported on the G250 as of CM 3.0.
set port dot1x max-req            Sets, per port, the maximum number of times the port retransmits
                                  requests to the authenticating station before the session is terminated
set port dot1x port-control       Sets the dot1x port-control parameter per port
set port dot1x quiet-period       Sets, per port, the 802.1x quiet period: the minimum idle time
                                  between authentication attempts
set port dot1x re-authentication  Sets the dot1x re-authentication mode per port
set port dot1x server-timeout     Sets, per port, the time the port waits for a reply from the
                                  authentication server
set port dot1x supp-timeout       Sets, per port, the time the port waits for a reply from the
                                  authenticating station (the supplicant)
set port dot1x tx-period          Sets, per port, the interval between attempts to contact the
                                  authenticating station
CLI Inactivity Timeout and Pre/Post Login Banners
Use the set logout command to set the number of minutes after which the system automatically disconnects an idle session. The default is 15 minutes. Possible values are [0 – 99]; setting the value to 0 disables automatic disconnection of idle sessions entirely.
The pre-login banner displays before the user is prompted for the login name. The banners can be modified using the following commands:
G250_001
Unauthorized access is prohibited
G350-002(super)#
The post-login banner displays after the user has logged in successfully. Both the pre-login and post-login banner commands use the line command for banner entry; the line command supports from 1 to 24 lines of text.
Network Client/Server applications
12. Show Protocol
Non-administrative protocols
--------------------------
FTP-CLIENT
TFTP-CLIENT
SCP-CLIENT
G350-002(super)#
13. Enable/Disable Services (use the no form of the command to disable a service, e.g. no ip http)
G350-002(super)# ip http
Done!
G350-002(super)# ip telnet
Done!
G350-002(super)# ip telnet-client
This command can be called only from console port
14. Client / Server Network Tools
15. Default Listen Ports
The output below is the result of an Nmap port scan of the G350 (note that -sT is a TCP connect scan only; a UDP scan requires -sU):
[root@scsradius ~]# nmap -sT 135.148.208.78
Please see Appendix C for additional information on the open ports in the G250/G350 gateways.
16. SSH/SCP/SNMPv3
SSH, SCP and SNMPv3 are supported on the G250/G350. SSHv2, SNMPv1 and SNMPv3 can each be globally enabled and disabled, and the SNMPv1 community strings can be disabled.
Community-Access Community-String
---------------- ----------------
read-only ******
read-write ******
Traps: enabled
Informs: enabled Retries: 3 Timeout: 3 seconds
The SCP client is enabled by default and cannot be disabled. HTTP is disabled and not supported on the G250. The HTTP server is enabled by default on the G350 and can be disabled.
The SSH server can be enabled and disabled with the ip ssh and no ip ssh commands.
SNMP / Syslog Configuration
Community-Access Community-String
---------------- ----------------
read-only *****
read-write *****
G350-002(super)#
G350-???(super)# no snmp ?
No snmp commands:
---------------------------------------------------------------------------
no snmp community Disable SNMPv1 service (community based)
no snmp dynamic-trap-manager
Toggles off notification type filters from
dynamic trap manager instance
G350-002(super)#
View Name: restricted
Subtree Oid: 1.3.6.1.2.1.11
Subtree Mask:
View Type: include
Storage Type: nonVolatile
Status: active
Storage Type: nonVolatile
Status: active
View Name: v3configView
Subtree Oid: 1.3.6.1.6.3.15.1.1
Subtree Mask:
View Type: include
Storage Type: nonVolatile
Status: active
View Name: snmpv1WriteView
Subtree Oid: 1.3.6.1.6
Subtree Mask:
View Type: exclude
Storage Type: nonVolatile
Status: active
Group Name: ReadCommG
Security Model: v1
Security Level: noauth
Read View: snmpv1View
Write View:
Notify View: snmpv1View
Status: active
Group Name: v3AdminViewG
Security Model: v3
Security Level: priv
Read View: iso
Write View: iso
Notify View: iso
Status: active
G350-002(super)#
18. Syslog / SNMP Output
0010 0B 2B 06 01 04 01 B5 69 01 2D 67 02 40 04 C0 A8 .+.....i.-g.@...
0020 01 46 02 01 06 02 01 44 43 03 36 43 4F 30 36 30 .F.....DC.6CO060
0030 11 06 09 2B 06 01 04 01 51 26 0E 03 04 04 72 6F ...+....Q&....ro
0040 6F 74 30 11 06 09 2B 06 01 04 01 51 26 0E 04 40 ot0...+....Q&..@
0050 04 C0 A8 01 64 30 0E 06 09 2B 06 01 04 01 51 26 ....d0...+....Q&
0060 0E 05 02 01 17 .....
0010 0B 2B 06 01 04 01 B5 69 01 2D 67 02 40 04 C0 A8 .+.....i.-g.@...
0020 01 46 02 01 06 02 01 44 43 03 36 12 81 30 36 30 .F.....DC.6..060
0030 11 06 09 2B 06 01 04 01 51 26 0E 03 04 04 72 6F ...+....Q&....ro
0040 6F 74 30 11 06 09 2B 06 01 04 01 51 26 0E 04 40 ot0...+....Q&..@
0050 04 7F 01 01 7F 30 0E 06 09 2B 06 01 04 01 51 26 . .. 0...+....Q&
0060 0E 05 02 01 50 ....P
Value: 127.1.1.127
OID: .1.3.6.1.4.1.81.38.14.5
ASN1 Type: Integer32 0x02 (2)
Value: 80
• To receive syslog messages for SNMP requests that use a wrong community string, enter set logging server condition security notification x.x.x.x (x.x.x.x = IP address of the syslog server).
******************************************************
*** Message logging configuration of SYSLOG sink ***
Sink Is Disabled
Sink default severity: Warning
0000 30 2D 02 01 00 04 06 70 75 62 6C 69 63 A4 20 06 0-.....public. .
0010 0B 2B 06 01 04 01 B5 69 01 2D 67 02 40 04 C0 A8 .+.....i.-g.@...
0020 01 46 02 01 04 02 01 00 43 03 00 AE 55 30 00 .F......C...U0.
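The 47-byte packet in the dump directly above decoded as an added Python example (not Avaya code). It is the SNMPv1 authenticationFailure trap the gateway emits for a request with a wrong community string, which is the event the security notification logging condition reports; the decoder also handles the OID, IpAddress and Integer varbinds seen in the earlier login-trap dumps. The packet bytes are copied from the page; nothing else is assumed.

```python
"""BER decoder for an SNMPv1 Trap-PDU (RFC 1157), run over the
authenticationFailure trap captured in the hex dump above.
Added example, not Avaya code; the bytes are the page's own capture."""
import ipaddress
from typing import Any, List, Tuple

CAPTURED_TRAP = bytes.fromhex(
    "302d"                          # SEQUENCE, 45 bytes follow
    "020100"                        # version INTEGER 0 = SNMPv1
    "04067075626c6963"              # community OCTET STRING "public"
    "a420"                          # Trap-PDU [4], 32 bytes
    "060b2b06010401b569012d6702"    # enterprise OID
    "4004c0a80146"                  # agent-addr IpAddress 192.168.1.70
    "020104"                        # generic-trap 4 = authenticationFailure
    "020100"                        # specific-trap 0
    "430300ae55"                    # time-stamp TimeTicks
    "3000"                          # empty variable-bindings
)

GENERIC_TRAPS = {0: "coldStart", 1: "warmStart", 2: "linkDown", 3: "linkUp",
                 4: "authenticationFailure", 5: "egpNeighborLoss", 6: "enterpriseSpecific"}


def read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Return (tag, value, position after the element); handles long-form lengths."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("TLV length exceeds buffer")
    return tag, buf[pos:pos + length], pos + length


def decode_oid(value: bytes) -> str:
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:              # last byte of a base-128 arc
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def decode_value(tag: int, value: bytes) -> Any:
    if tag == 0x02:                                   # INTEGER
        return int.from_bytes(value, "big", signed=True)
    if tag == 0x04:                                   # OCTET STRING
        return value.decode("latin-1")
    if tag == 0x05:                                   # NULL
        return None
    if tag == 0x06:                                   # OBJECT IDENTIFIER
        return decode_oid(value)
    if tag == 0x40:                                   # IpAddress
        return str(ipaddress.IPv4Address(value))
    if tag in (0x41, 0x42, 0x43):                     # Counter, Gauge, TimeTicks
        return int.from_bytes(value, "big")
    raise ValueError(f"unsupported BER tag 0x{tag:02x}")


def decode_snmpv1_trap(packet: bytes) -> dict:
    tag, msg, end = read_tlv(packet, 0)
    if tag != 0x30 or end != len(packet):
        raise ValueError("not a single SNMP message")
    tag, version, pos = read_tlv(msg, 0)
    if tag != 0x02 or decode_value(tag, version) != 0:
        raise ValueError("only SNMPv1 (version 0) is handled")
    _, community, pos = read_tlv(msg, pos)
    tag, pdu, _ = read_tlv(msg, pos)
    if tag != 0xA4:
        raise ValueError("not a Trap-PDU")
    fields, p = [], 0
    for _ in range(5):        # enterprise, agent-addr, generic-trap, specific-trap, time-stamp
        t, v, p = read_tlv(pdu, p)
        fields.append(decode_value(t, v))
    enterprise, agent, generic, specific, uptime = fields
    _, vb_list, _ = read_tlv(pdu, p)
    varbinds: List[Tuple[str, Any]] = []
    q = 0
    while q < len(vb_list):
        _, vb, q = read_tlv(vb_list, q)
        _, oid, r = read_tlv(vb, 0)
        t_val, val, _ = read_tlv(vb, r)
        varbinds.append((decode_oid(oid), decode_value(t_val, val)))
    return {"community": community.decode("latin-1"), "enterprise": enterprise,
            "agent_addr": agent, "generic_trap": GENERIC_TRAPS.get(generic, generic),
            "specific_trap": specific, "uptime_ticks": uptime,
            "uptime_seconds": uptime / 100, "varbinds": varbinds}
```

The enterprise OID decodes to 1.3.6.1.4.1.6889.1.45.103.2 (6889 is Avaya's IANA enterprise number), the agent address is 192.168.1.70, the same host as the syslog samples, and the trap travels under the community string "public" in clear text, which is why the text recommends disabling SNMPv1 communities where SNMPv3 can be used instead.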
19. Allowed Managers
PBR and VPN Overview
Although there are many possible applications for policy-based routing (PBR), the most common is to route voice and data traffic separately. For more information, please see the Administration for the Avaya G250 and G350 Media Gateways documentation on the support.avaya.com web site.
A VPN (Virtual Private Network) provides a private, secure connection between two nodes across a public network such as the Internet. At the IP layer, VPNs are deployed using IPsec. IPsec (IP Security) is a standards-based set of protocols defined by the IETF that provides confidentiality, integrity and authenticity for information transferred across IP networks.
The standard key exchange method for IPsec is the IKE (Internet Key Exchange) protocol, which exchanges keying material between the two nodes (called peers). Each peer maintains SAs (security associations) for the secure connection. IKE operates in two phases:
The IKE SA only secures the key exchanges that generate the IPsec SAs between the peers.
For additional information on the VPN features of the G250 and G350 gateways, please see the VPN application note titled G350 and G250 R3.0 IPsec VPN. It is located on support.avaya.com: select User Guides in the right-hand column of the main support page, then Download by Product Name, click the letter G and choose either G250 or G350. On the product page click View All Documents in the left-hand column, scroll down, and select the application note.
***END***
Appendix A
Appendix B
The Federal Information Processing Standard 140-2 (FIPS 140-2) describes the US Federal government requirements that IT products must meet for Sensitive but Unclassified (SBU) use. The standard was published by the National Institute of Standards and Technology (NIST) and has been adopted by the Canadian government's Communications Security Establishment (CSE).
The G250, G250-BRI, and G350 are FIPS 140-2 Level 1 compliant, multi-chip standalone cryptographic modules in commercial-grade metal cases. When operating in FIPS-compliant mode the modules provide:
● VPN, Voice over Internet Protocol (VoIP) media-gateway services, Ethernet switching, IP routing, and data security for IP traffic
● Status output via LEDs and logs available through the module's management interface
● A console port
The cryptographic boundary includes all components within the physical enclosure of the branch gateway chassis, without any expansion modules. The media modules for voice and wide-area connectivity supported in the G350/G250 do not perform any cryptographic processing, so they can be installed in the gateway without invalidating the FIPS 140-2 requirements. This does not apply to the S8300 module. Note that a module is covered by its validation only when it runs the validated firmware version in FIPS mode, as specified in its security policy.
Additional information on G350 FIPS compliance can be obtained from the NIST site (http://csrc.nist.gov/cryptval/140-1/140sp/140sp519.pdf). The G250 is now in the final stage of compliance evaluation and its security policy will be available within a few weeks. The G350 certificate is available from http://csrc.nist.gov/cryptval/140-1/140crt/140crt519.pdf
Appendix C
The following list of protocols is supported by the gateways and is what port-scanning tools should report.
Each entry gives: port - application (gateways that support it); behavior in CM 3.0; behavior in CM 2.1 and CM 2.2.

68/udp - DHCP server (G350, G250). CM 3.0: [no] ip dhcp-server, default disabled. CM 2.2: always open; CM 2.1: not supported.
69/udp - TFTP server (G350, G250). CM 3.0: [no] ip tftp-server, default disabled. CM 2.2: always open; CM 2.1: not supported.
80/tcp - HTTP server (G700, G350). CM 3.0: [no] ip http, default enabled. CM 2.1/2.2: always open.
161/udp - SNMP (all). CM 3.0: [no] ip snmp, default enabled. CM 2.1/2.2: always open.
500/udp - ISAKMP (IKE) (G350, G250). CM 3.0: enabled by license installation (copy [tftp|scp|ftp] license-file), default disabled. CM 2.2: always open; CM 2.1: not supported.
520/udp - RIP-2 routing protocol (G350, G250). CM 3.0: default disabled. CM 2.1/2.2: always open.
1030/udp - unknown (all). CM 3.0: appears to be a dynamic port; the application that opens it could not be determined (in other scans it was 1031/udp). CM 2.1/2.2: always open.
1039/tcp - secure H.248 port for SLS (all). CM 3.0: set survivable-call-engine [disable|enable], default disabled. CM 2.1/2.2: not supported.
1718/udp - unic gatekeeper discovery, H.225.0 RAS (G250). CM 3.0: set survivable-call-engine [disable|enable], default disabled. CM 2.1/2.2: not supported.
1719/udp - registration, H.225.0 RAS (G250). CM 3.0: set survivable-call-engine [disable|enable], default disabled. CM 2.1/2.2: not supported.
1720/tcp - call setup, H.225.0 call signaling (G250). CM 3.0: set survivable-call-engine [disable|enable], default disabled. CM 2.1/2.2: not supported.
1812/udp - RADIUS client (all). CM 3.0: set radius authentication, default disabled. CM 2.1/2.2: always open.
2020/udp - VoIP engine statistics (all). CM 3.0: always closed. CM 2.1/2.2: always open.
2050/udp - Avaya EMB config port (all). CM 3.0: uncontrolled, always open (*) will be closed in CM 3.1. CM 2.1/2.2: same as in CM 3.0.
2070/udp - NAT-T (G350, G250). CM 3.0: enabled by license installation (copy [tftp|scp|ftp] license-file), default disabled. CM 2.2: always open; CM 2.1: not supported.
2945/tcp - unencrypted H.248 port for SLS (G250). CM 3.0: set survivable-call-engine [disable|enable], default disabled. CM 2.1/2.2: not supported.
4500/udp - NAT-T, IPsec UDP encapsulation (G350, G250). CM 3.0: enabled by license installation (copy [tftp|scp|ftp] license-file), default disabled. CM 2.2: always open; CM 2.1: not supported.
5012/tcp - CHIA port (all). CM 3.0: always closed. CM 2.2: always open; CM 2.1: not supported.
5050/tcp - SerialNum, license server (all). CM 3.0: always open on the emb-vlan; [no] ip license-server, default closed on the external interface; always open (uncontrolled) on the G700. CM 2.2: same as in CM 3.0; CM 2.1: not supported.
2048-65534/udp - RTP traffic (all). CM 3.0: dynamically opened for active RTP sessions.
50002/udp - CNA test plug control port (G350, G250). CM 3.0: [no] cna-testplug-services, default disabled. CM 2.1/2.2: not supported.
50003/udp - CNA test plug echo port (G350, G250). CM 3.0: [no] cna-testplug-services, default disabled; this port is open only for short periods of time. CM 2.1/2.2: not supported.

For all other UDP ports, the gateways respond with an ICMP port unreachable message. For all other TCP ports, the gateways respond with a TCP segment with the RST flag set.