G250 G350 Security PDF

TECHNICAL WHITE PAPER
Avaya G250 and G350 Media Gateway Security Features Overview
Version: 1 Date: November 17, 2005
CID: 115343 Author: Avaya Technology and Consulting

IP Telephony Practice
Abstract:
The Avaya G250 and G350 Media Gateway Security Features Overview CID 115343 supersede
the earlier Avaya G350 Media Gateways Security Features Overview CID: 102411. This
document follows the same template of questions as the earlier aforementioned document and
the sister document Avaya G700 Media Gateway Security Features Overview (CID: 102412).
The Avaya G250 and G350 Media Gateways as show below provide a variety of features which
can be used to enhance security. The goal of this white paper is to summarize the general product
documentation and focus on those features.
G350 Firmware Revision - FW: 24.17.0
GPW/AMK ©2005 Avaya Inc. All Rights Reserved. Avaya and the Avaya logo are trademarks of Avaya Inc. and Avaya G350 Media
may be registered in certain jurisdictions. All trademarks identified by ® and ™ are registered Gateway Security
trademarks or trademarks respectively, of Avaya Inc. All other registered trademarks or trademarks Features Overview
are property of their respective owners.
1
G250 Firmware Revision - FW: 24.17.0
GPW/AMK ©2005 Avaya Inc. All Rights Reserved. Avaya and the Avaya logo are trademarks of Avaya Inc. and Avaya G250/G350
may be registered in certain jurisdictions. All trademarks identified by ® and ™ are registered Media Gateway
trademarks or trademarks respectively, of Avaya Inc. All other registered trademarks or trademarks Security Features
are property of their respective owners. Overview
2
Table of Contents
(Click on link to view more detailed information)
Access Control Lists / Denial of Service (DOS) Protection/ SYN Protection
1. Access Control List’s

2. Denial of Service
3. SYN Protection Feature
Auditing Transactions / Administration
4. CLI Command Auditing (via Syslog)

5. Show Currently Logged on Administrators
Authentication Credentials / RADIUS/PBNAC 802.1x
6. Default User Accounts

7. Username/Password Characteristics
8. RADIUS Switch Administrator Authentication
9. Enable/Disable PBNAC 802.1x
CLI Inactivity Timeout and Pre/Post Login Banners
10. Idle Timeout

11. Banners
Network Client/Server applications
12. Show Protocol

13. Enable/Disable Network Services
14. Client / Server Network Tools
15. Default Listening Ports (UDP/TCP)
16. SSH/SCP/HTTPS/SNMPv3 Support
SNMP / Syslog Configuration
17. SNMP Defaults

18. Syslog / SNMP Output
19. Allowed Managers
3
PBR and VPN Overview
20. Policy Based Routing

21. VPN Application Support
Appendixes
(A) Feature Matrix

(B) FIP’s Overview
(C) Open Ports List
4
Access Control Lists / Denial of Service (DOS) Protection
1. Access Control Lists
The G250/G350 supports Access Control Lists (ACL’s) which provide fine
grained control over ingress/egress protocols. In addition, the following
capabilities exist:
The Ability to Restrict:

— ip-fragments-in — applies to incoming packets that contain IP fragments
— ip-fragments-out — applies to outgoing packets that contain IP fragments
— ip-options-in — applies to incoming packets that contain IP options
— ip-options-out — applies to outgoing packets that contain IP options
You can configure policy rules to match packets based on one or more of the
following for ingress and egress:
• Source IP address, or a range of addresses

• Destination IP address or a range of addresses
• IP protocol, such as TCP, UDP, ICMP, IGMP
• Source TCP or UDP port or a range of ports
• Destination TCP or UDP port or a range of ports
• ICMP type and code
Use IP wildcards to specify a range of source or destination IP addresses.

The zero bits in the wildcard correspond to bits in the IP address that
remain fixed. The one bits in the wildcard correspond to bits in the IP
address that can vary. Note that this is the opposite of how bits are used in
a subnet mask.
For access control lists, you can require the packet to be part of an
established TCP session. If the packet is a request for a new TCP session,
the packet does not match the rule. You can also specify whether an
access control list accepts packets that have an IP option field.
5
The following table lists the pre-configured entries in the composite
operation table for rules in an access control list:
NOTE:
You cannot configure additional composite operations for access control
lists, since all possible composite operations are pre-configured.
Each column represents the following:

• No — a number identifying the operation
• Name — a name identifying the operation. Use this to attach the operation
to a rule.
• Access — determines whether the operation forwards (forward) or drops
(deny) the packet
• Notify — determines whether the operation causes a trap when it drops a
packet
• Reset Connection — determines whether the operation causes a connection
reset
To verify access control lists and QoS lists, you can view the configuration
of the lists. You can also test the effect of the lists on simulated IP
packets. Use the ip simulate command in the context of an interface to test a
policy list. The command tests the effect of the policy list on a simulated
IP packet in the interface. You must specify the number of a policy list, the
direction of the packet (in or out), and a source and destination IP address.
You may also specify other parameters.
The following command simulates the effect of applying QoS list number 401 to
a packet entering the
G350 through interface VLAN 2:

G350-001(if:Vlan 2)# ip simulate 401 in CoS1 dscp46 10.1.1.1 10.2.2.2
tcp 1182 20
It is possible to define an access control list on the loopback interface of

the G350 in which only certain IPs will be allowed to communicate to the
G350. This ACL will be applied on all the G350’s interfaces. For example
this feature can be used to limit access via telnet to a specific list of IP
addresses.
Return to Table of Contents
6
2. DOS
Use the icmp in-echo-limit command to set the maximum number of echo requests
that can be received in one second. Use the no form of the command to set the
limit to its default value. Possible values are [1 – 10000].
G350-002(super)# icmp in-echo-limit ?

Icmp in-echo-limit commands:
---------------------------------------------------------------------------
Syntax : icmp in-echo-limit <size>.
Example: icmp in-echo-limit 100.
G350-002(super)#
3. SYN Protection
The G250/G350 provides various TCP/IP services and is therefore exposed to a

myriad of TCP/IP based DoS attacks. DoS (Denial of Service) attacks refers
to a wide range of malicious attacks that can cause a denial of one or more
services provided by a targeted host. Specifically, a SYN attack is a
well-known TCP/IP attack in which a malicious attacker targets a vulnerable
device and effectively denies it from establishing new TCP connections.
SYN cookies refers to a well-known method of protection against a SYN attack.
Use the tcp syn-cookies command to enable the tcp syn-cookies defense
mechanism against SYN attacks. Use the show version of this command to
display the SYN cookies statistics. The no version of this command disables
the tcp syn-cookies defense mechanism against SYN attacks. Use the clear
version of this command to clear the SYN cookie counters.
G350-002(super)# tcp syn-cookies

To enable the tcp syn-cookies, copy the running configuration to the start-up
configuration file and reset the device.
G350-002(super)#
When the SYN cookies feature is enabled, the G250/G350 alerts the
administrator to a suspected SYN attack as it occurs by sending the following
syslog message:
SYN attack suspected! Number of unanswered SYN requests is greater

than 20 in last 10 seconds.
G350-002(super)# no tcp syn-cookies

To disable the tcp syn-cookies, copy the running configuration to the start-
up configuration file and reset the device.
G350-002(super)#
G350-002(super)# clear tcp syn-cookies counters

done!
G350-002(super)#
7
G350-002(super)# show tcp syn-cookies
Status: Enabled
Statistics:
SYN recd:
Connections established
Local Address Remote Address State Last

------------------ ------------------ ------------ ------
192.168.1.254 192.168.1.32 Established 4
G350-002(super)#
8
Auditing Transactions / Administration
4. CLI Command Auditing (via Syslog)
Config change related SNMP traps will be sent if "config" trap is enabled. It
is enabled by default when typing "set snmp trap enable all". Additionally,
traps can be sent to a log file, console session, telnet session and stored
on the Gateway.
Relevant logs can also be sent to a syslog server by enabling a log server
through the CLI:
set logging server x.x.x.x

set logging server x.x.x.x enable
set logging server condition CLI Notification x.x.x.x
The above example will log to the syslog server x.x.x.x every event from the
CLI application with severity "Notification" and above. Other applications
are also available.
Examples:
01-13-2004 13:27:23 Local7.Notice 192.168.1.70 JAN 13 13:27:26 192.168.1.70 Cli

Command[CLI-Notification: root: session mgc<000>
01-13-2004 13:26:50 Local7.Notice 192.168.1.70 JAN 13 13:26:53 192.168.1.70

CliCommand[CLI-Notification: root: set mediaserver 192.168.1.20 192.168.1.70 5023
sat<000>
01-13-2004 13:26:22 Local7.Notice 192.168.1.70 JAN 13 13:26:25 192.168.1.70

CliCommand[CLI-Notification: root: set mediaserver 192.168.1.70 192.168.1.30 5023
sat<000>
01-13-2004 13:22:26 Local7.Notice 192.168.1.70 JAN 13 13:22:29 192.168.1.70

CliCommand[CLI-Notification: root: copy running-config startup-config <000>
01-13-2004 13:18:55 Local7.Notice 192.168.1.70 JAN 13 13:18:58 192.168.1.70

CliCommand[CLI-Notification: root: dir<000>
01-13-2004 13:18:36 Local7.Notice 192.168.1.70 JAN 13 13:18:38 192.168.1.70

CliCommand[CLI-Notification: root: telnet 192.168.1.1<000>
01-13-2004 13:17:48 Local7.Notice 192.168.1.70 JAN 13 13:17:50 192.168.1.70

CliCommand[CLI-Notification: root: traceroute 131.94.57.51<000>
01-13-2004 13:17:18 Local7.Notice 192.168.1.70 JAN 13 13:17:20 192.168.1.70

CliCommand[CLI-Notification: root: hostname G350<000>
01-13-2004 13:15:44 Local7.Notice 192.168.1.70 JAN 13 13:15:46 192.168.1.70

CliCommand[CLI-Notification: root: ping 192.168.1.1<000>
01-13-2004 13:15:19 Local7.Notice 192.168.1.70 JAN 13 13:15:21 192.168.1.70

CliCommand[CLI-Notification: root: set logging server condition CLI Notification
192.168.1.100<000>
9
01-13-2004 13:28:55 Local7.Notice 192.168.1.70 JAN 13 13:28:58 192.168.1.70
CliCommand[CLI-Notification: root: exit<000>
01-13-2004 13:30:29 Local7.Notice 192.168.1.70 JAN 13 13:30:32 192.168.1.70

CliCommand[CLI-Notification: georgia: exit<000>
01-13-2004 13:30:24 Local7.Notice 192.168.1.70 JAN 13 13:30:27 192.168.1.70

CliCommand[CLI-Notification: georgia: session mgc<000>
The Set logging server facility followed by the name of the output facility
and IP address of the Syslog server to the following list of possible
facilities set logging server facility. A total of 3 syslog servers can be
configured.
The following example defines a FTP Deamon as the output facility for Syslog
reports generated by the Syslog server with an IP address of 168.12.1.15.
The G350 and G250 have user logging enabled by default from the factory.
Set logging server facility ftpd 168.12.1.15
The available types are listed below:
auth (Authorization)
deamon (Background System Process)
clkd (clock Deamon)
clkd2 (Clock Deamon)
mail (Electronic Mail)
local0-local7 (For Local Use)
ftpd (FTP Deamon)
kern (Kernel)
alert (Log Alert)
audi (Log Audit)
ntp (NTP sub)
lpr (Printing)
sec (Security)
syslog (System Logging)
uucp (Unix-to-Unix Copy Program)
news (Usenet news)
user (User Process)
Use the show logging server condition command followed by the IP address of the Syslog
server. If you do not specify an IP address, the command displays the status of all
Syslog servers defined for the G250/G350. This command displays whether the server is
enable or disable and lists all filters defined on the server.
10
5. Displaying Currently Logged on Administrators
With the G250/G350 gateways there are three primary ways to administer the
gateway, direct connect via the console, Telnet and secure shell (Ssh)
Telnet. To display the current users logged on to the G250/G350 via Ssh or
Telnet issue the following commands below:
Command: show ip ssh
Ssh Engine: Enable

Max Sessions: 2
Key Type: DSA , 768 bit
Listen Port: 22
Ciphers List: 3des-cbc
Session-Id Version Encryption User IP: Port

0 2 3des-cbc root 192.168.1.31:3528
Command: show ip telnet
Telnet Engine: Enable

Max Sessions: 5
Listen Port: 23
Session-Id User: IP: Port
0 root 192.168.1.32:1055
11
Authentication Credentials / RADIUS
6. Usernames
By default there is only a single user account, named root, with password
root, which accesses the administrator level. You cannot delete this basic
user account, nor modify its access level. But you can modify its basic
password.
G350-002(super)# show username
User account password access-type

-------------------------------- -------------------------------- ---------
root ***** admin
G350-002(super)#
7. Username/Password Characteristics
• Username: minimum 4 characters, maximum 31 characters

• Password: minimum 8 characters, maximum 31 characters (all US
printable non white characters from keyboard are valid)
• There can be up to 3 password entry attempts at login before the
session is terminated
• Up to 10 unique “local” usernames can be configured on the G350
When you start to use Avaya G250/G350 Manager or the CLI, you must enter a
username. The username that you enter sets your privilege level. The commands
that are available to you during the session depend on your privilege level.
If you use RADIUS authentication, the RADIUS server sets your privilege
level. It is important to note that if the same username is defined locally
on the gateway and in RADIUS that the local username (ID) will take
precedence over username (ID) created on the RADIUS server.
• You can use Read-only privilege level to view configuration parameters.

• You can use Read-write privilege level to view and change all
configuration parameters except those related to security. For example,
you cannot change a password with Read-write privilege level.
• You can use Admin privilege level to view and change all configuration
parameters, including parameters related to security. Use Admin
privilege level only when you need to change configuration that is
12
related to security, such as adding a new user accounts and setting the
device policy manager access source. An example of the source would be
issuing the no ip telnet command.
Username commands:
---------------------------------------------------------------------------
Usage: username <name> password <passwd> access-type {read-only|read-
write|admin}
• Does the ability exist to force a minimum length username and/or

password (other than default minimum of 4 characters username and 8
characters for password)? No. However, this can be accomplished by
using an external authentication database such as RADIUS.
• Does the configuration file include user account passwords or SNMP
Community Strings? The configuration file does not include SNMP
community strings and user/password data.
• Are there any “undocumented” usernames or SNMP community strings?
No. All "diag" accounts are in-accessible without first logging into
the G350 via a super-user account first. Backdoor password recovery
exists but can only be used via a direct connection to the console
port. It can also be disabled.
• Is there any way to enforce password aging on “local” accounts used
to administer the G350? No. However, this can be accomplished by
using an external authentication database such as RADIUS.
• Is there any way to enforce account "lock-out" after user inactivity
of that account – i.e. user has not logged in for 60 days? No.
However, this can be accomplished by using an external
authentication database such as RADIUS.
• Any way to enforce "lock-out" of accounts after excessive retries?
Yes in addition to a RADIUS external authentication which provides its

own set of options for lock-out, the following global command to set
login authentication lockout parameters for local administers.
G350-002<super>#login authentication lockout?
Login authentication lockout commands:

--------------------------------------------------------------------
Syntax : login authentication lockout <time> attempt <count?
<time> - integer <30..3600> seconds.
Interval of time account lockout is enforced.
0 –No timeout
<count> - integer <1..10>.
Successive number of failures before lockout
0 - NO timeout
Example: login authentication lockout 360 attempt 5
The login authentication command supports the ability to enable local craft
user from services and a password
• Any way for the G350 to prevent simple/dictionary words from being
chosen as passwords? No. However, this can be accomplished by using
an external authentication database such as RADIUS.
13
• Any way to age passwords? And if so, any way for the G350 to prevent
password reuse, and if so how many past passwords are stored? No.
However, this can be accomplished by using an external
authentication database such as RADIUS.
14
8. RADIUS Switch Administrator Authentication
If your network has a RADIUS server, you can configure the Avaya G350 Media
Gateway to use RADIUS authentication. A RADIUS server provides centralized
authentication service for many devices on a network. When you use RADIUS
authentication, you do not need to configure usernames and passwords on the
G350. When logging into the G350/G250, the G350/G250 searches for your
username and password in its own database first. If it does not find them, it
activates RADIUS authentication.
G350-002(super)# show radius authentication
Mode: Enable
Primary-server: 192.168.1.205
Secondary-server: 172.16.1.205
Retry-number: 4
Retry-time: 5
UDP-port: 1645
shared-secret: *****
G350-002(super)#
The Avaya G250/G350 Media Gateway includes a security mechanism through which
the system administrator defines users and assigns each user and username and
a password. Each user is assigned a privilege level. The user’s privilege
level determines which commands the user can perform.
In addition to its basic security mechanism, the G250/G350 supports secure
data transfer via SSH and SCP.
The G250/G350 can be configured to work with an external RADIUS server to

provide user authentication. When RADIUS authentication is enabled on the
G250/G350, the RADIUS server operates in conjunction with the G250/G350
security mechanism. When the user enters a does not find the username in its
own database, it establishes a connection with the RADIUS server, and the
RADIUS server provides the necessary authentication services.
9. Enable/Disable PBNAC 802.1x
The G350 also uses the 802.1x protocol in conjunction with EAP within EAPOL
and over RADIUS to provide a means for authenticating and authorizing users
attached to a LAN port, and for preventing access to that port in cases where
the authentication process fails.
15
Note: The 802.1x protocol is not supported on the G250 as of CM 3.0.
G350-002(super)# set port dot1x ?
Set port dot1x commands:

---------------------------------------------------------------------------
set port dot1x initialize Initialize port dot1x
set port dot1x max-req Sets per port the max-req, the maximal
number of times the port tries to
retransmit requests to the Authenticated
Station before the session is terminated
set port dot1x port-control Set dot1x control parameter per port
set port dot1x quiet-period Sets per port the 802.1x quiet period,
minimal idle time between authentication
attempts
set port dot1x re-authenticate Set the port to re-authenticate
set port dot1x re-authentication Set dot1x re-authentication mode per port
set port dot1x re-authperiod Sets per port the re-authentication

period, an idle time between re-
authentication attempts
set port dot1x server-timeout Sets per port the server-timeout - the
time for the port to wait for a reply
from the Authentication Server
set port dot1x supp-timeout Sets per port the supp-timeout, a time
for the port to wait for a reply from the
Authenticated Station
set port dot1x tx-period Sets per port the transmit period, a time
Interval between attempts to access the
authenticated Station
G350-002(super)# show port dot1x ?
Show port dot1x commands:

---------------------------------------------------------------------------
Syntax : show port dot1x [<mod/port>]
Example: show port dot1x 3/2
show port dot1x statistics Shows the port dot1x statistics.
G350-002(super)# clear dot1x ?

Clear dot1x commands:
---------------------------------------------------------------------------
clear dot1x config Resets the 802.1x configuration parameters
16
17
CLI Inactivity Timeout and Pre/Post Login Banners
10. Idle Timeout
Use the set logout command to set the number of minutes until the system
automatically disconnects an idle session. The default is 15 minutes.
Possible valued are [0 – 99]. Setting the value to 0 disables the
automatic disconnection of idle sessions.
G350-002(super)# show logout
CLI timeout is 15 minutes

11. Banners
The login banner displays before the user is prompted for the login name. The
banners can be modified using the following commands
G350-002(super)# show banner login
Welcome to G350 Media Gateway

FW version 24.17.0
G350-002(super)# banner login

G350-002<super-login># line 5 “ G250_001 “
Done!
G350-002<super-login># line 5 “ Unauthorized access is prohibited“
Done!
G350-002<super-login>#exit
G350-002(super)# show banner login
G250_001
Unauthorized access is prohibited
G350-002(super)#
The post-login banner displays after the user has logged in successfully.
G350-002(super)# show banner post-login
Both the pre/post banner login commands utilize the line command for banner
entry. The line command supports a range of from [1 – 24] lines of text.
G350-002(super)# banner post-login

G350-002<super-login># line 5 “ G250_001 “
Done!
G350-002<super-login># line 5 “ Unauthorized access is prohibited“
Done!
G350-002<super-login>#exit

18
Network Client/Server applications
12. Show Protocol
Use the show protocol command to display the status of a specific

management protocol, or all protocols for the G250/G350. The G250 does
not support a WEB interface. The HTTP protocol is disabled by default on
the G250. SSHv2 is the supported Ssh protocol.
G350-002(super)# show protocol

Protocols Status
------------ --------
SSH-SERVER ON
TELNET-CLIENT OFF
TELENT-SERVER ON
SNMPv1-SERVER ON
SNMPv3-SERVER ON
HTTP-SERVER ON
RECOVERY-PASSWORD ON
DHCP-SERVER OFF
TFTP-SERVER OFF
DNS-CLIENT ON
Non-administrative protocols
--------------------------
FTP-CLIENT
TFTP-CLIENT
SCP-CLIENT
G250-001(super)# show protocol

Protocols Status
------------ --------
SSH-SERVER ON
TELNET-CLIENT OFF
TELENT-SERVER OFF
SNMPv1-SERVER ON
SNMPv3-SERVER ON
HTTP-SERVER ON
RECOVERY-PASSWORD ON
DHCP-SERVER ON
TFTP-SERVER ON
DNS-CLIENT ON
Non-administrative protocols
--------------------------
FTP-CLIENT
TFTP-CLIENT
SCP-CLIENT
G350-002(super)#
19
13. Enable/Disable Services (use no form of command to disable: no ip
http)
G350-002(super)# ip http
Done!
G350-002(super)# ip telnet
Done!
G350-002(super)# ip telnet-client
This command can be called only from console port
• Note: The telnet-client on the G250/G350 is disabled by default and can

only be enabled when connected via the local console port.
• The G250/G350 internal Telnet server supports up to 5 incoming
concurrent sessions.
• The G250/G350 internal Telnet client supports up to 6 outgoing
concurrent sessions. One outgoing Telnet session for each incoming
Telnet session, and one for the console port
Toggle ICMP redirects by issuing the command: [no] ip redirect (under

interface context)
Toggle SNMP: [no] ip snmp disables SNMPv1 and SNMPv3 {global command}
Toggle FTP client: Not possible. But it is possible to block TCP 21 port in
outgoing ACL for interface loopback
Toggle recovery password: set terminal recovery password enable/disable
To disable only SNMPv1 use the no snmp server community command.
20
14. Client / Server Network Tools
Telnet Client – Disabled by Default (requires Console Access to enable)

Telnet Server – Enabled By Default
HTTP Server – Enabled By Default on G350 (not supported on G250)
SNMPv1 and SNMPv3 Agent – Enabled By Default (Read, Read-Write, Trap)
21
15. Default Listen Ports
The output below is the result of an NMAP TCP and UDP port scan on the G350.
[root@scsradius ~]# nmap -sT 135.148.208.78. Please see Appendix C for
additional information open ports in the G250/G350 gateways.
Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2005-09-14 16:40 EDT

Interesting ports on 135.148.208.78:
(The 1660 ports scanned but not shown below are in state: closed)
PORT STATE SERVICE
22/tcp open ssh
23/tcp open telnet
80/tcp open http
MAC Address: 00:04:0D:29:CA:6D (Avaya)
Nmap finished: 1 IP address (1 host up) scanned in 33.360 seconds

[admin@scsradius ~]$ nmap -sU 135.148.208.78
Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2005-09-14 16:40 EDT

Interesting ports on 135.148.208.78:
(The 1477 ports scanned but not shown below are in state: closed)
PORT STATE SERVICE
161/udp open|filtered snmp
MAC Address: 00:04:0D:29:CA:6D (Avaya)
Nmap finished: 1 IP address (1 host up) scanned in 137.319 seconds

[admin@scsradius ~]$
22
16. SSH/SCP/SNMPv3
SSH, SCP and SNMPv3 are supported in G250/G350. SSHv2, SNMPv1 and SNMPv3 can
be globally enabled and disabled. The community strings for SNMPv1 can be
disabled.
G350-002(super)# Show SNMP
Authentication trap disabled
Community-Access Community-String
---------------- ----------------
read-only ******
read-write ******
SNMPv3 Notification Status

--------------------------
Traps: enabled
Informs: enabled Retries: 3 Timeout: 3 seconds
SNMP-Rec-Address Model Level Notification Trap/Inform User name

---------------- ----- ----- ------------- -------------- -----------
192.168.1.30 v1 noauth all trap ReadCommN
UDP port: 162 DM
The SCP client is enabled by default and can not be disabled. HTTP is
disabled and not support by the G250. The HTTP server is enabled by default
on the G350 and can be disabled.
The SSH server can be enabled/disabled with the ip ssh command and the no ip
ssh command.
G350-002(super)# clear ssh-client ?

Clear ssh-client commands:
---------------------------------------------------------------------------
clear ssh-client known-hosts
clears the ssh known-host file content. Used to
unlock man-in-the-middle attack prevention
mechanism and allow scp server authentication
after scp server public key change
23
SNMP / Syslog Configuration
17. SNMP Defaults
G350-002(super)# show snmp
Authentication trap disabled
Community-Access Community-String
---------------- ----------------
read-only *****
read-write *****
SNMPv3 Notifications Status

-----------------------------
Traps: Enabled
Informs: Enabled Retries: 3 Timeout: 3 seconds
SNMP-Rec-Address Model Level Notification Trap/Inform User name

---------------- ----- ------- --------------- ----------- ------------------
-
0.0.0.0 v1 noauth all trap ReadCommN

UDP port: 162 DM
G350-002(super)#
G350-002(super)# set snmp ?
Set snmp commands:

---------------------------------------------------------------------------
set snmp community Set SNMP community string
set snmp retries Set The SNMP Retries Number
set snmp timeout Set The SNMP Timeout
set snmp trap Set snmp trap, use 'set snmp trap help' for
more
info
G350-002(super)#
G350-002(super)# set snmp community ?

Set snmp community commands:
---------------------------------------------------------------------------
Usage: set snmp community <access_type> [community string]
(access_type = read-only | read-write )
24
G350-???(super)# no snmp ?
No snmp commands:
---------------------------------------------------------------------------
no snmp community Disable SNMPv1 service (community based)
no snmp dynamic-trap-manager
Toggles off notification type filters from
dynamic trap manager instance
no snmp engineID Set the SNMPv3 engineID to default

no snmp group Delete SNMPv3 group (vacm mib)
no snmp host Remove SNMP notification (trap or inform)
receiver
or filters
no snmp notifications Disable sending SNMPv3 notification (trap and
inform)
no snmp remote-user Delete SNMPv3 remote user (usm and vacm mib)
no snmp user Delete SNMPv3 user (usm and vacm mib)
no snmp view Delete SNMPv3 view (vacm mib)
G350-???(super)# show snmp ?

Show snmp commands:
---------------------------------------------------------------------------
Usage: show snmp
show snmp engineID Show SNMPv3 engineID

show snmp group Show SNMPv3 groups
show snmp retries Show SNMP Retries Number
show snmp timeout Show SNMP Timeout
show snmp user Show SNMPv3 users
show snmp userToGroup Show the mapping table between SNMPv3 users and
groups
show snmp view Shows SNMPv3 views
G350-002(super)#
G350-002(super)# show snmp view
View Name: iso

Subtree Oid: 1
Subtree Mask:
View Type: include
Storage Type: nonVolatile
Status: active
View Name: restricted

Subtree Oid: 1.3.6.1.2.1.1
Subtree Mask:
View Type: include
Status: active
25
Subtree Oid: 1.3.6.1.2.1.11
Subtree Mask:
View Type: include
Status: active
--type q to quit or space key to continue--

Subtree Oid: 1.3.6.1.6.3.10.2.1
Subtree Mask:
View Type: include
Status: active

Subtree Oid: 1.3.6.1.6.3.11.2.1
Subtree Mask:
View Type: include
Status: active

Subtree Oid: 1.3.6.1.6.3.15.1.1
Subtree Mask:
View Type: include
Status: active
View Name: snmpv1View

Subtree Oid: 1
Subtree Mask:
View Type: include
Status: active

Subtree Oid: 1.3.6.1.6
Subtree Mask:
View Type: exclude
Status: active

Subtree Oid: 1.3.6.1.6.3.1
Subtree Mask:
View Type: include
26
Status: active

Subtree Oid: 1.3.6.1.6.3.12
Subtree Mask:
View Type: include
Status: active

Subtree Oid: 1.3.6.1.6.3.13
Subtree Mask:
View Type: include
Status: active
View Name: v3configView

Subtree Oid: 1
Subtree Mask:
View Type: include
Status: active

Subtree Mask:
View Type: exclude
Status: active

Subtree Oid: 1.3.6.1.6.3.10.2.1
Subtree Mask:
View Type: include
Status: active

Subtree Oid: 1.3.6.1.6.3.11.2.1
Subtree Mask:
View Type: include
Status: active
27
Subtree Oid: 1.3.6.1.6.3.15.1.1
Subtree Mask:
View Type: include
Status: active

Subtree Oid: 1.3.6.1.6.3.15.1.2.2.1.7
Subtree Mask:
View Type: include
Status: active

Subtree Oid: 1.3.6.1.6.3.15.1.2.2.1.10
Subtree Mask:
View Type: include
Status: active

Subtree Oid: 1.3.6.1.4.1.1751.2.53.1.2.1.3.0.2
Subtree Mask: ff:fa
View Type: exclude
Status: active

Subtree Oid: 1.3.6.1.4.1.1751.2.53.1.2.1.3.0.5
Subtree Mask: ff:fa
View Type: exclude
Status: active

View Name: snmpv1WriteView
Subtree Oid: 1
Subtree Mask:
View Type: include
Status: active
28
Subtree Mask:
View Type: exclude
Status: active

Subtree Oid: 1.3.6.1.6.3.1
Subtree Mask:
View Type: include
Status: active

Subtree Oid: 1.3.6.1.6.3.12
Subtree Mask:
View Type: include
Status: active

Subtree Oid: 1.3.6.1.6.3.13
Subtree Mask:
View Type: include
Status: active

Subtree Oid: 1.3.6.1.6.3.18
Subtree Mask:
View Type: include
Status: active
G350-002(super)# show snmp group
Group Name: initial

Security Model: v3
Security Level: noauth
Read View: restricted
Write View: restricted
Notify View: restricted
Status: active
29
Group Name: ReadCommG
Security Model: v1
Read View: snmpv1View
Write View:
Notify View: snmpv1View
Status: active
Group Name: ReadCommG

Security Model: v2c
Read View: snmpv1View
Write View:
Notify View: snmpv1View
Status: active
Group Name: WriteCommG

Security Model: v1
Read View: snmpv1WriteView
Write View: snmpv1WriteView
Notify View: snmpv1WriteView
Status: active
Group Name: WriteCommG

Security Model: v2c
Read View: snmpv1WriteView
Write View: snmpv1WriteView
Notify View: snmpv1WriteView
Status: active
Group Name: v3ReadOnlyG

Security Model: v3
Security Level: auth
Read View: v3configView
Write View:
Notify View: v3configView
Status: active
30
Group Name: v3AdminViewG
Security Model: v3
Security Level: priv
Read View: iso
Write View: iso
Notify View: iso
Status: active
Group Name: v3ReadWriteG

Security Model: v3
Security Level: auth
Read View: v3configView
Write View: v3configView
Notify View: v3configView
Status: active
G350-002(super)#
31
18. Syslog /SNMP Output
* When trying to log in via Telnet using Invalid Credentials

JAN 5 09:12:32 192.168.1.70 lntUnAuthAccessEvent[SECURITY-Warning:
Unauthorized Access from IP address = 192.168.1.100, User = root, Protocol =
23<000>
0010 0B 2B 06 01 04 01 B5 69 01 2D 67 02 40 04 C0 A8 .+.....i.-g.@...
0020 01 46 02 01 06 02 01 44 43 03 36 43 4F 30 36 30 .F.....DC.6CO060
0030 11 06 09 2B 06 01 04 01 51 26 0E 03 04 04 72 6F ...+....Q&....ro
0040 6F 74 30 11 06 09 2B 06 01 04 01 51 26 0E 04 40 ot0...+....Q&..@
0050 04 C0 A8 01 64 30 0E 06 09 2B 06 01 04 01 51 26 ....d0...+....Q&
0060 0E 05 02 01 17 .....
Frame Length: 101 bytes

Community: public
OID: .1.3.6.1.4.1.6889.1.45.103.2
Address: 192.168.1.70
sysUpTime: 0 days, 09:52:41
Generic: 6 - Enterprise Specific
Specific: 68
OID: .1.3.6.1.4.1.81.38.14.3
ASN1 Type: Octet String 0x04 (4)
Value: root
OID: .1.3.6.1.4.1.81.38.14.4
ASN1 Type: IP Address 0x40 (64)
Value: 192.168.1.100
OID: .1.3.6.1.4.1.81.38.14.5
ASN1 Type: Integer32 0x02 (2)
Value: 23
* When trying to log in via HTTP using Invalid Credentials

JAN 5 15:52:22 192.168.1.70 lntUnAuthAccessEvent[SECURITY-Warning:
Unauthorized Access from IP address = 127.1.1.127, User = root, Protocol =
80<000>
0010 0B 2B 06 01 04 01 B5 69 01 2D 67 02 40 04 C0 A8 .+.....i.-g.@...
0020 01 46 02 01 06 02 01 44 43 03 36 12 81 30 36 30 .F.....DC.6..060
0030 11 06 09 2B 06 01 04 01 51 26 0E 03 04 04 72 6F ...+....Q&....ro
0040 6F 74 30 11 06 09 2B 06 01 04 01 51 26 0E 04 40 ot0...+....Q&..@
0050 04 7F 01 01 7F 30 0E 06 09 2B 06 01 04 01 51 26 . .. 0...+....Q&
0060 0E 05 02 01 50 ....P

Community: public
OID: .1.3.6.1.4.1.6889.1.45.103.2
Address: 192.168.1.70
Generic: 6 - Enterprise Specific
Specific: 68
OID: .1.3.6.1.4.1.81.38.14.3
ASN1 Type: Octet String 0x04 (4)
Value: root
OID: .1.3.6.1.4.1.81.38.14.4
ASN1 Type: IP Address 0x40 (64)
32
Value: 127.1.1.127
OID: .1.3.6.1.4.1.81.38.14.5
ASN1 Type: Integer32 0x02 (2)
Value: 80
• In order to receive syslog messages for SNMP events using the wrong
community strings the following command has to be entered: set logging
server condition security notification x.x.x.x (x.x.x.x = IP Address of
syslog server)
G350-002(super)# show logging server condition
******************************************************
*** Message logging configuration of SYSLOG sink ***
Sink Is Disabled
Sink default severity: Warning
Server name: 192.168.1.100

Server facility: local7
Server access level: read-write
G350-002(super)#
• When trying to query SNMP agent using incorrect community string
01-13-2004 12:46:26 Local7.Notice 192.168.1.70 JAN 13 12:46:27

192.168.1.70 authenticFailure[SECURITY-Notification:
AuthenticationFailure<000>
0000 30 2D 02 01 00 04 06 70 75 62 6C 69 63 A4 20 06 0-.....public. .
0010 0B 2B 06 01 04 01 B5 69 01 2D 67 02 40 04 C0 A8 .+.....i.-g.@...
0020 01 46 02 01 04 02 01 00 43 03 00 AE 55 30 00 .F......C...U0.

Community: public
OID: .1.3.6.1.4.1.6889.1.45.103.2
Address: 192.168.1.70
Generic: 4 - Authentication Failure
Specific: 0
* There are two different trap notifications- standard Authentication Failure

which is sent on a bad SNMPv1 community and the Avaya proprietary trap
lntUnAuthAccessEvent. The lntUnAuthAccessEvent trap is controlled on a per
trap receiver.
G350-002(super)# show snmp ?

33
19. Allowed Managers
There is no equivalent command on the G250/G350 to the G700 set allowed

managers. However, it is possible to define an access control list on the
loopback interface in which only certain IPs will be allowed to communicate
to the G250/G350. This ACL will be applied on all the G250/G350 interfaces.
20. Policy Based Routing Overview
Policy-based routing allows you to configure a routing scheme based on

traffic’s source IP address, destination IP address, IP protocol, and other
characteristics. You can use policy-based routing (PBR) lists to determine
the routing of packets that match the rules defined in the list. Each PBR
list includes a set of rules, and each rule includes a next hop list. Each
next hop list contains up to 20 next hop destinations to which the G250/G350
sends packets that match the rule. A destination can be either an IP address
or an interface. Policy-based routing takes place only when the packet enters
the interface, not when it leaves. Policy-based routing takes place after the
packet is processed by the Ingress Access Control. Thus, the PBR list
evaluates the packet after the packet’s DSCP field has been modified by the
Ingress QoS List.
The most common application for policy-based routing is to provide for

separate routing of voice and data traffic. It can also be used as a means to
provide backup routes for defined traffic types.
Although there are many possible applications for policy-based routing, the
most common application is to create separate routing for voice and data
traffic. For more information please see the Administration for the G250 and
G350 Gateways user documentation located at support.avaya.com web site.
20. VPN Applications
VPN (Virtual Private Network) defines a private secure connection between two
nodes on a public network such as the Internet. VPN at the IP level is
deployed using IPSec. IPSec (IP Security) is a standards-based set of
protocols defined by the IETF that provide privacy, integrity, and
authenticity to information transferred across IP networks.
The standard key exchange method employed by IPSec uses the IKE (Internet Key
Exchange) protocol to exchange key information between the two nodes (called
peers). Each peer maintains SAs (security associations) to maintain the
private secure connection. IKE operates in two phases:
● The Phase-1 exchange negotiates an IKE SA.
● The IKE SA created in Phase-1 secures the subsequent Phase-2 exchanges,

which in turn generate IPSec SAs. IPSec SAs secure the actual traffic between
the protected networks behind the peers, while the
34
IKE SA only secures the key exchanges that generate the IPSec SAs between the
peers.
The G250/G350 IPSec VPN feature is designed to support site-to-site

topologies, in which the two peers are Gateways.
For additional information on the VPN features of G250 and G350 gateways,
please see the VPN application note titled G350 and G250 R3.0 IPsec VPN. The
application note is located on the support.avaya.com. and can be located by
selecting user guides in the right hand column from the main support page.
Then select download by product name and click on the letter G and choose
either G250 or G350. At the product page click on view all documents in the
left hand column. From the view all documents page scroll down the page and
select the following application note.
Application & Technical Notes : English - U.S.
Date Title Doc ID
Jul-05 Application Note: G350 and G250 R3.0 IPSec VPN
***END***
35
Appendix A
Feature Matrix by Release
Release Security Features

CM2.1 • Policy based routing (PBR)
• SNMPv3
• SSH and SCP
• Sniffer application - sniffing of all packets that go
in/out of G350/G250 Gateways’ CPU interface
CM2.2 • IPsec VPN

• FIPS 140-2 for G350
• Enforcement minimum password length to 8
characters
• User account Lockout after number of failed login
attempts (login authentication [lockout <time> |
attempt <count> ])
• Audit of login requests to Syslog
CM3.0 • PBNAC 802.1x support
• CM3.0 VPN enhancements
• FIPS 140-2 for G250
• Open ports plugging (shutting unintended or
unnecessary TCP/UDP ports)
36
Appendix B
FIPS 140-2 Overview
The Federal Information Processing Standard 140-2(FIPS 140-2) is a standard that describes US
Federal government requirements that IT products should meet for Sensitive, but Unclassified
(SBU) use. The standard was published by the National Institute of Standards and Technology
(NIST), has been adopted by the Canadian government's Communication Security Establishment
(CSE).
The G250, G250-BRI, and G350 are Level 1 compliant, multi-chip stand-alone cryptographic
modules in commercial grade metal cases. When operating in FIPS compliant mode modules
provide:
● VPN, Voice over Internet Protocol (VoIP) media-gateway services, Ethernet switching, IP
routing, and data security for IP traffic
● Status output via LEDs and logs available through the module’s management interface
● Network interfaces for data input and output
● A console port
The cryptographic boundary includes all of the components within the physical enclosure of the
branch gateway chassis, without any expansion modules. However, the media Modules for
voice and Wide Area Connectivity which are supported in G350/G250 do not execute any crypto
processing. Therefore, the media modules can be installed in the gateway without invalidating
FISP 140-2 requisites. This does not apply to S8300 module.
Additional information on the G350 FIPS compliance can be obtained from NIST site
(http://csrc.nist.gov/cryptval/140-1/140sp/140sp519.pdf) The G250 is now in final stage of
compliance evaluation and its security policy will be available within few weeks. G350
certificate is available from http://csrc.nist.gov/cryptval/140-1/140crt/140crt519.pdf
37
Appendix C
Open ports on G350/G250/G700 products
The list of protocols supported by gateways and should be reported by the port scan tools.
Protocol Protocol description Supported by Gateways Notes - lists command

number that enables/disables
applications
1 ICMP protocol All - G350/G250/G700 Always on
6 TCP protocol All Always on
17 UDP datagram protocols All Always on
47 GRE General Routing Encapsulation G350/G250 Always on
(VPN-PPTP)
50 ESP Encapsulating Security Payload G350/G250 Enabled by VPN
license installation
Disabled by default
89 OSPF Open Shortest Path First G350/G250 [no] route ospf
Disabled by default
112 VRRP protocol G350/G250 [no] route vrrp
Disabled by default
Table 1 – input/output IP protocols
For all other protocols Gateways will respond with ICMP protocol unreachable message
The Gateway listens on the following TCP or UDP ports:
Port Number Application Supporte Behavior in CM 3.0 Behavior in

description d by G350 CM2.1
Gateways and CM2.2
21/tcp FTP server All The FTP server normally keeps the Same as in 3.0
port closed. The port should be seen
as open for short window during
announcement file transfer.
22/tcp SSH server G350 [no] ip ssh Always open
G250
Default: enabled
23/tcp Telnet server All [no] ip telnet Always open
Default: enabled
67/udp DHCP/BOOTP G350 [no] ip bootp-dhcp Always open
relay G250
Default: disabled
38
Gateways and CM2.2
68/udp DHCP server G350 [no] ip dhcp-server Default: Always Open
G250 disabled in CM2.2
Not supported
in CM2.1
69/udp TFTP Server G350 [no] ip tftp-server Always Open
G250 in CM2.2
Default: disabled
Not supported
in CM2.1
80/tcp HTTP server G700, [no] ip http Default: enabled Always open
G350
161/udp SNMP all [no] ip snmp Always open
Default: enabled
500/udp isakmp G350 Enabled by license installation Always Open
G250 in CM2.2
copy [tftp|scp|ftp] license-file
Not supported
Default: disabled
in CM2.1
520/udp RIP-2 routing G350 Always open
protocol G250
Default: disabled
1030/udp ???? All Seems to be dynamic port – cannot Always open
determine application that opens this
port (in other scans it was 1031/udp).
1039/TCP Secure H.248 all set survivable-call-engine [ disable | Not supported
protocol for SLS enable]
Default: disabled
1718/udp Unicast G250 set survivable-call-engine [ disable | Not supported
Gatekeeper enable]
Discovery H.245
Default: disabled
(RAS)
1719/udp Registration H.245 G250 set survivable-call-engine [ disable | Not supported
(RAS) enable]
Default: disabled
1720/tcp Call Setup H.245 G250 set survivable-call-engine [ disable | Not supported
(RAS) enable]
Default: disabled
1812/udp Radius client all set radius authentication Always open
Default: disabled
2020/UDP VoIP engine all Always Closed Always open
statistics
39
Gateways and CM2.2
2050/UDP Avaya EMB all Uncontrolled, always open Same as in
Config Port CM3.0
(*) Will be closed in CM3.1
`2070/UDP NAT-T G350 Enabled by license installation Always Open
G250 in CM2.2
Not supported
Default: disabled
in CM2.1
2945/TCP Unencrypted G250 set survivable-call-engine [ disable | Not supported
H.248 port of SLS enable]
Default: disabled
4500/UDP NAT-P G350 Enabled by license installation Always Open
G250 in CM2.2
Not supported
Default: disabled
in CM2.1
5012/TCP CHIA Port all Always closed Always Open
in CM2.2
Not supported
in CM2.1
5050/TCP SerialNum all Always open on emb-vlan Same in
CM2.2
[no] ip license- server
Not supported
Default: Closed on external interface
in CM2.1
Always open (uncontrolled) in G700
2048 to RTP traffic all Dynamically opened for active RTP
65534/UDP sessions
50002/UDP CNA test plug G350 [no] cna-testplug-services Not supported
control port G250
Default: disabled
50003/UDP CNA test plug G350 [no] cna-testplug-services Not supported
echo port G250
Default: disabled
This port is open for short periods of
time
For all other UDP application, Gateways will respond with port unreachable message.
For all other TCP applications, Gateways will respond with TCP packet with RST flag set
40

G250 G350 Security PDF

Încărcat de

Informații document

Titlu original

Drepturi de autor

Formate disponibile

Partajați acest document

Partajați sau inserați document

Opțiuni de partajare

Vi se pare util acest document?

Este necorespunzător acest conținut?

Drepturi de autor:

Formate disponibile

G250 G350 Security PDF

Încărcat de

Drepturi de autor:

Formate disponibile

TECHNICAL WHITE PAPER

Avaya G250 and G350 Media Gateway Security Features Overview

Version: 1 Date: November 17, 2005

CID: 115343 Author: Avaya Technology and Consulting

G350 Firmware Revision - FW: 24.17.0

Access Control Lists / Denial of Service (DOS) Protection/ SYN Protection

1. Access Control List’s

Auditing Transactions / Administration

4. CLI Command Auditing (via Syslog)

Authentication Credentials / RADIUS/PBNAC 802.1x

6. Default User Accounts

CLI Inactivity Timeout and Pre/Post Login Banners

10. Idle Timeout

Network Client/Server applications

12. Show Protocol

SNMP / Syslog Configuration

17. SNMP Defaults

20. Policy Based Routing

(A) Feature Matrix

The Ability to Restrict:

• Source IP address, or a range of addresses

Use IP wildcards to specify a range of source or destination IP addresses.

Each column represents the following:

G350 through interface VLAN 2:

It is possible to define an access control list on the loopback interface of

Return to Table of Contents

G350-002(super)# icmp in-echo-limit ?

The G250/G350 provides various TCP/IP services and is therefore exposed to a

G350-002(super)# tcp syn-cookies

SYN attack suspected! Number of unanswered SYN requests is greater

G350-002(super)# no tcp syn-cookies

G350-002(super)# clear tcp syn-cookies counters

Local Address Remote Address State Last

Return to Table of Contents

4. CLI Command Auditing (via Syslog)

set logging server x.x.x.x

01-13-2004 13:27:23 Local7.Notice 192.168.1.70 JAN 13 13:27:26 192.168.1.70 Cli

01-13-2004 13:26:50 Local7.Notice 192.168.1.70 JAN 13 13:26:53 192.168.1.70

01-13-2004 13:26:22 Local7.Notice 192.168.1.70 JAN 13 13:26:25 192.168.1.70

01-13-2004 13:22:26 Local7.Notice 192.168.1.70 JAN 13 13:22:29 192.168.1.70

01-13-2004 13:18:55 Local7.Notice 192.168.1.70 JAN 13 13:18:58 192.168.1.70

01-13-2004 13:18:36 Local7.Notice 192.168.1.70 JAN 13 13:18:38 192.168.1.70

01-13-2004 13:17:48 Local7.Notice 192.168.1.70 JAN 13 13:17:50 192.168.1.70

01-13-2004 13:17:18 Local7.Notice 192.168.1.70 JAN 13 13:17:20 192.168.1.70

01-13-2004 13:15:44 Local7.Notice 192.168.1.70 JAN 13 13:15:46 192.168.1.70

01-13-2004 13:15:19 Local7.Notice 192.168.1.70 JAN 13 13:15:21 192.168.1.70

01-13-2004 13:30:29 Local7.Notice 192.168.1.70 JAN 13 13:30:32 192.168.1.70

01-13-2004 13:30:24 Local7.Notice 192.168.1.70 JAN 13 13:30:27 192.168.1.70

Set logging server facility ftpd 168.12.1.15

The available types are listed below:

Return to Table of Contents

Command: show ip ssh

Ssh Engine: Enable

Session-Id Version Encryption User IP: Port

Command: show ip telnet

Telnet Engine: Enable

Return to Table of Contents

G350-002(super)# show username

User account password access-type

Return to Table of Contents

• Username: minimum 4 characters, maximum 31 characters

• You can use Read-only privilege level to view configuration parameters.

• Does the ability exist to force a minimum length username and/or