manualshive.com logo in svg

Nortel SMC 2450, Implementation Manual

Share
Download
Nortel SMC 2450 Implementation Manual Download Page 211

 Logging

 Page 211 of 260

Secure Multimedia Controller

Implementation Guide

Policy-based logging

You can enable or disable logging for each firewall policy. If enabled, all 
packets that match that policy generate a log message.

Security Log details

This section contains information about two aspects of using the log: the 
concept of self policies, and rule ID mappings. For information about 
Security Log details, see “SMC packet filter log messages” on 

page 251

.

Self policies

The SMC has multiple levels of protection, such as self policies, for traffic 
addressed to itself. Self policies are included in the standard firewall rule 
base; these policies cannot be modified. Self policies can trap for certain 
messages and then send details to the Security Log.

Rule id mappings

Firewall log messages often map to a specific firewall rule, as defined by a 
rule ID listed in the log. An example follows:

Apr 29 20:06:48 172.16.7.225 id=firewall time="2004-04-29 

14:49:48" fw= a10-10-10-10 pri=1 proto=6(tcp) 

src=172.16.8.226 dst=172.16.7.224 mid=2077 mtp=128 

msg="Deny access policy matched, dropping packet Src 45121 

Dst 21 from ext n/w" 

ruleid=23

 agent=Firewall

The mapping of rules to log messages is dynamic. Using the 

Diagnostics > 

Applied Rules

 page in the Web UI, you can map a particular rule ID to the 

type of traffic. You can view inbound, outbound, and self rules generated on 
this page.

Note:

Adding a UNIStim server adds rules to the database as well. These 

rules are called autogenerated rules and are displayed in green on the rule 
mappings page.

Summary of Contents for SMC 2450

Page 1: ...ithout notice The statements configurations technical data and recommendations in this document are believed to be accurate and reliable but are presented without express or implied warranty Users mus...

Page 2: ......

Page 3: ...Page 3 of 260 Secure Multimedia Controller Implementation Guide 4 Revision history May 2006 Standard 1 00 This document is a new NTP It was created to support the Secure Multimedia Controller 2450...

Page 4: ...Page 4 of 260 Revision history 553 3001 225 Standard 1 00 May 2006...

Page 5: ...nformation 19 How to get help 21 Getting help from the Nortel web site 21 Getting help over the telephone from a Nortel Solutions Center 21 Getting help from a specialist by using an Express Routing C...

Page 6: ...ion 57 Deploying a new system 57 Hardware installation 59 Contents 59 Installation package contents 59 SMC physical features 60 Installation 67 Installing the SMC in a rack 69 Installing the SMC on a...

Page 7: ...oip_users and voip_admins 119 Secure UNIStim deployment 121 Contents 121 Introduction 121 Security policy 123 First time deployment 131 Configuring Secure UNIStim 131 Troubleshooting Secure UNIStim 13...

Page 8: ...ce CLI 183 Contents 183 Introduction 183 Accessing the CLI 184 Using the CLI 188 RADIUS authentication 194 Web User Interface UI 197 Contents 197 Introduction 197 Basics of the Web UI 198 Logging 207...

Page 9: ...Contents 221 Hardware and power supply specifications 221 Regulatory specifications 223 Appendix C Regulatory information 225 Contents 225 System approval 225 Electromagnetic compatibility 225 DenAn r...

Page 10: ...Page 10 of 260 Contents 553 3001 225 Standard 1 00 May 2006 Format 251 Log message table 253...

Page 11: ...n a rack 69 Procedure 3 Installing the SMC on a shelf or tabletop 69 Procedure 4 Connecting the power supply 71 Procedure 5 Establishing a console connection 73 Procedure 6 Configuring the initial SMC...

Page 12: ...ation using the Web UI 95 Procedure 16 Enabling TFTP 96 Procedure 17 Saving the current configuration using the CLI 96 Procedure 18 Restoring the current configuration using the Web UI 97 Procedure 19...

Page 13: ...logging 111 Procedure 29 Viewing applied rules 113 Procedure 30 Viewing the system log 114 Procedure 31 Viewing system and host status 114 Procedure 32 Create a customer inbound rule 115 Procedure 33...

Page 14: ...ing the private key 147 Procedure 42 Upgrading SMC software using a package upgrade Web UI 165 Procedure 43 Upgrading SMC software using a package upgrade CLI 167 Procedure 44 Activating the software...

Page 15: ...age 15 of 260 Secure Multimedia Controller Implementation Guide Procedure 50 Enabling Telnet or SSH using the Web UI 186 Procedure 51 Enabling SSH using the CLI 187 Procedure 52 Configuring the SMC fo...

Page 16: ...Page 16 of 260 List of procedures 553 3001 225 Standard 1 00 May 2006...

Page 17: ...s Note on legacy products and releases This NTP contains information about systems components and features that are compatible with Nortel Communication Server 1000 and Nortel Multimedia Communication...

Page 18: ...n see one or more of the following NTPs Communication Server 1000S Upgrade Procedures 553 3031 258 Communication Server 1000E Upgrade Procedures 553 3041 258 Intended audience This document is intende...

Page 19: ...ian 1 PBX 51C Meridian 1 PBX 61C Meridian 1 PBX 61C CP PII Meridian 1 PBX 81 Meridian 1 PBX 81C Meridian 1 PBX 81C CP PII Related information This section lists information sources that relate to this...

Page 20: ...Page 20 of 260 About this document 553 3001 225 Standard 1 00 May 2006...

Page 21: ...products From this site you can download software documentation and product bulletins search the Technical Support Web site and the Nortel Knowledge Base for answers to technical issues sign up for au...

Page 22: ...ess some Nortel Technical Solutions Centers you can use an Express Routing Code ERC to quickly route your call to a specialist in your Nortel product or service To locate the ERC for your product or s...

Page 23: ...C configurations 33 Traffic protection 38 Secure UNIStim proxy 39 Administrative tools 44 Resiliency 46 Campus redundancy 50 Geographic redundancy 52 Engineering impact and limitations 54 Product comp...

Page 24: ...l Area Network LAN Wide Area Network WAN and the call servers The SMZ protects the signaling and media infrastructures of the MCS 5100 and CS 1000 product lines All signaling and media traffic enterin...

Page 25: ...used for management and intranet untrusted traffic Two networks are mandatory in each SMC system installation Management subnet The management subnet transmits clustering and synchronization traffic b...

Page 26: ...e location of Call Pilot Symposium and Optivity Telephony Manager MCS LAN subnet The Multimedia Communication Server LAN MCS LAN subnet is the location of the MCS suite of servers Note You can substit...

Page 27: ...Description Page 27 of 260 Secure Multimedia Controller Implementation Guide Figure 1 Basic subnet mappings...

Page 28: ...ndancy Protocol VRRP with both SMCs in a HA configuration a cross over cable to connect the management ports in a HA configuration Management IP address A single cluster management IP MIP address is s...

Page 29: ...access rules The administrator specifies inbound access control rules for traffic that originates in the intranet and flows into a security zone and outbound access control rules for traffic that exi...

Page 30: ...ected to an outbound TLAN policy and then an inbound MCS LAN policy The administrator can customize and configure the rules in each SMZ For example the administrator can add and delete custom rules an...

Page 31: ...er 2 switch The SMC does not support Virtual LANS VLAN therefore a single interface is required for each subnet In VLAN networks multiple devices are connected across routes but are part of the same s...

Page 32: ...r Multi link Trunking MLT networks in which more than a single port is used for a logical trunk an additional switch device is required to work in tandem with the SMC The switch interfaces with the SM...

Page 33: ...configurations Stand alone High Availability HA Stand alone configuration The stand alone configuration contains a management network intranet network and one or more security zones Each of the SMZ n...

Page 34: ...guration The management network needs two IP addresses in the stand alone configuration The first address is the host IP address which is the IP address for the SMC The second IP address is the cluste...

Page 35: ...ia Zones uses the SMC Interface IP addresses as their gateway address For example a CSE 1000 Signaling Server TLAN Gateway address is the SMC TLAN IP address IMPORTANT In a High Availability configura...

Page 36: ...P IP addressing A high availability cluster consists of two SMC devices one SMC acts at the active device and the other acts as the backup device In this scenario only one SMC processes traffic If the...

Page 37: ...shown in Figure 5 on page 37 VRRP requires three IP addresses for each cluster interface two real IP addresses one for each SMC in the cluster a floating IP address owned by the master SMC Figure 5 V...

Page 38: ...ll traffic that originates or terminates on the multimedia devices Stateful filtering is more secure than a simple packet filtering in that stateful filtering keeps track of the protocol s state in ev...

Page 39: ...nes however the first release of the SMC supports only CS 1000 Using UNIStim a UNIStim IP phone communicates with a UNIStim server TPS using the User Datagram Protocol UDP The SMC Secure UNIStim proxy...

Page 40: ...rent proxy the clients communicate directly to the UNIStim signaling servers The clients have no knowledge that the SMC is inserted itself between the server and client and intercepting the signaling...

Page 41: ...public key cryptography system employed in both encryption and authentication Comparison of the public and private keys The private key is 1024 bit RSA key that is associated with a unique public key...

Page 42: ...g Examples 16 characters 9d581d2cca15141b 32 characters 9d581d2cca15141b80623a942a59d7d3 Table 1 RSA key types Key Description Server private key The SMC maintains a 1024 bit RSA private key which is...

Page 43: ...a client runs firmware that supports secure UNIStim but does not have a primary key fingerprint the SMC can automatically update the fingerprint to the client Master key The master key is generated by...

Page 44: ...updates on page 154 Session caching The SMC supports session caching which enhances the performance of the client handshake When the UNIStim IP phone logs in a second time the server reuses the previo...

Page 45: ...dministration Two primary management roles exist on the SMC administrators and operators Administrators can add and delete users modify all aspects of the configuration and update the software Operato...

Page 46: ...l secure UNIStim handshake requires high SMC CPU resource utilization Using the session cache synchronization feature a phone can reconnect and establish a secure connection with much less CPU resourc...

Page 47: ...ty and re register to the backup SMC In secure mode this registration can use session cache synchronization to lessen the resource utilization of many IP phones simultaneously re registering In this s...

Page 48: ...dia channel ceases The intranet phone can re establish the signaling through the new master SMC even while it is off hook during a live call Unistim session state is re established on the new master S...

Page 49: ...guration drops all packets directed to it thereby effectively blocking connectivity IMPORTANT In a branch office failover scenario one UNIStim phone can be redirected to register securely with differe...

Page 50: ...nd registered IP phones To help eliminate any potential system down time configure a pair of CS 1000E CPUs to form a completely redundant IP telephony network You can install the following equipment a...

Page 51: ...Description Page 51 of 260 Secure Multimedia Controller Implementation Guide Figure 7 SMC campus redundancy...

Page 52: ...outer to the intranet To route packets properly to the CS 1000 devices the router must use the Virtual Router IP address of the SMC intranet interface as the gateway IP address The SMS as a router can...

Page 53: ...to the secondary the traffic is redirected to the second SMC cluster The IP phones re establish a secure UNIStim connection with the SMC before access permission is granted to the CS 1000 signaling s...

Page 54: ...stems Nortel estimates that the hardware provides at least 100 megabytes MByte throughput for 100 byte packets or 125 kilo packets per second Kpps This is sufficient to support more than 1000 concurre...

Page 55: ...subnet port 2 for the intranet subnet and ports 3 through 6 for the secure multimedia zones Product compliance For a complete list of supported products Nortel recommends that you refer to the releas...

Page 56: ...Page 56 of 260 Description 553 3001 225 Standard 1 00 May 2006...

Page 57: ...grade an Secure Multimedia Controller SMC you need to understand the overall process This chapter contains the high level information required to deploy a new system or a system upgrade Deploying a ne...

Page 58: ...Turn on Secure UNIStim security for a subset of clients to troubleshoot UNIStim connectivity and populate the secure UNIStim server tables with the redirect information See Secure UNIStim deployment...

Page 59: ...shelf or tabletop 69 Supplying power to the SMC 70 Setting up terminal access to the SMC 71 Troubleshooting installation 74 Installation package contents Table 2 lists the contents of the SMC 2450 ins...

Page 60: ...ort and power supply access Front panel Figure 9 shows the SMC front panel view Table 3 describes front panel features Console cable To connect the SMC to a personal computer or local terminal Bezel a...

Page 61: ...el release flap Figure 10 2 Grasp the bezel and slide the bezel to the right until disengaged Table 3 Front panel features Indicator or Button Description Amber system status LED On when system needs...

Page 62: ...re installation 553 3001 225 Standard 1 00 May 2006 3 Remove the bezel from the faceplate End of Procedure Figure 10 Bezel removal Figure 11 shows the front panel without the bezel Figure 11 Front pan...

Page 63: ...ion Procedure 1 Attaching the front panel bezel To attach the bezel follow these steps 1 Align the bezel on the faceplate slightly to the right of the front panel 2 With the release flap open engage t...

Page 64: ...er ports Nortel recommends that port 1 be used for the management subnet port 2 for the intranet subnet and ports 3 through 6 for the secure multimedia zones Status LEDs for each port are located abov...

Page 65: ...ght LED is flashing the port is sending or receiving network data The flash frequency varies with the amount of network traffic 100 Mb s Yellow flashing Off Port operates at 100 Mb s Cable connection...

Page 66: ...ction between the port and network device switch hub or router is good 100 Mb s Green Green Port operates at 100 Mb s Cable connection between the port and network device is good 1000 Mb s Red Green P...

Page 67: ...You can rack mount the SMC in a standard 19 inch in rack or install it on a shelf or other flat surface You need the following tools and supplies to install the components 2 Phillips screwdriver stra...

Page 68: ...ck power load is equal to a maximum of eighty percent of the branch circuit rating Power cords are free of obstructions Power cords at plugs convenience receptacles and points of exit from the SMC are...

Page 69: ...four mounting screws through the front brackets and into the rack frame End of Procedure Result you can now connect the power supply See Connecting the power supply on page 71 Installing the SMC on a...

Page 70: ...lat surface Use of both the rear and front power switches is required for full SMC operation Power reliability The SMC is a critical component in the enterprise communications system The SMC does not...

Page 71: ...the front panel The system power LED turns green to indicate that power is supplied End of Procedure Setting up terminal access to the SMC The SMC has a console port for system diagnostics and config...

Page 72: ...nents An ASCII terminal or a computer running ASCII terminal emulation software standard terminal emulation type is VT100 with the parameters shown in Table 7 A console cable male to female with DB 9...

Page 73: ...The standard terminal emulation type is VT100 Procedure 5 Establishing a console connection To establish a console connection follow these steps 1 Using the supplied console cable connect the terminal...

Page 74: ...lation Two situations require troubleshooting The system does not power on correctly The system powers on but shows no display text for initiating a session with the SMC No power If the SMC does not p...

Page 75: ...chnical Support at www nortel com support No display text If the system powers on and no boot messages or console prompt appears perform the following checks Make sure the console cable is securely co...

Page 76: ...Page 76 of 260 Hardware installation 553 3001 225 Standard 1 00 May 2006...

Page 77: ...configurations The SMC supports two types of configurations Stand alone High Availability HA Stand alone configuration The stand alone configuration contains a management network intranet network and...

Page 78: ...iguration the equipment residing on the SMZs uses the SMC Interface IP addresses as their gateway address For example a CSE 1000 Signaling Server TLAN Gateway address is the SMC TLAN IP address IMPORT...

Page 79: ...he gateway router so packets from the Intranet IP clients and Administrators are routed to the SMC which routes to the correct SMZ In a stand alone configuration the static route points to the Intrane...

Page 80: ...t same as first SMC same as first SMC 3 same as first SMC same as first SMC 4 same as first SMC same as first SMC 5 same as first SMC same as first SMC 6 same as first SMC same as first SMC Table 11 O...

Page 81: ...located on the back of the SMC and have the numbering scheme shown in Figure 14 Figure 14 SMC port mappings Port recommendations Nortel recommends that port 1 be used for the management subnet port 2...

Page 82: ...nd alone SMC or the first SMC in a high availability configuration 1 Disconnect the ethernet cable on all SMC ports except the management port 2 Apply power to the SMC The SMC boots from the factory i...

Page 83: ...net b Enter the IP address for this port c Enter the network mask for the entire management subnet d Enter the cluster Management IP MIP address information The cluster MIP address must reside in the...

Page 84: ...SSH host key Note Nortel recommends that you generate a new SSH key to maintain a high level of security when connecting to the SMC using an SSH client For more information about SSH see Using Secure...

Page 85: ...bnet b Enter the port number for the ELAN subnet c Enter the ELAN subnet IP address d Enter the ELAN subnet netmask 16 Configure the CS 1000 TLAN subnet a Enter yes to configure the TLAN subnet b Ente...

Page 86: ...nistration in step 10 of Procedure 6 the access list is updated automatically for Web browsers with IP addresses on the management subnet If you chose not to enable Web administration you must allow a...

Page 87: ...to DHCP usage 6 Enter the network mask Note A mask of 255 255 255 255 will allow only the single IP address identified in step 5 to access the SMC system The Access list prompt is accesslist is displa...

Page 88: ...To enable HTTPS access using SSL enter cfg sys adm web ssl ena 3 Generate a temporary certificate if using HTTPS An SSL server certificate is required for HTTPS access to the Web UI The SMC can genera...

Page 89: ...ou can remotely manage the SMC using Telnet SSH or the Web UI For security purposes access to these features is restricted through the remote access list Using the remote access list you can specify I...

Page 90: ...nds cfg sys accesslist Select access list menu Access List add 201 10 14 7 255 255 255 255 Add single address Access List add 214 139 0 0 255 255 255 0 Add range of addresses 6 Enter base IP address t...

Page 91: ...make sure JavaScript is enabled Starting the Web UI Procedure 10 Starting the Web UI 1 Start a Web browser on a PC that is using an IP address included in the Access List created in Procedure 9 on pa...

Page 92: ...he account name and password for the system administrator or operator account For more login and password information see Users and passwords on page 162 Note Expect a delay of a few seconds while the...

Page 93: ...ections provide useful information that can help you as you continue the deployment process For an overview of Web UI tasks see Global command buttons on page 93 To learn how to save and restore the S...

Page 94: ...uration 1 Select the appropriate menu item and sub page 2 Modify fields in the appropriate forms display areas 3 Click Update to submit the changes to the pending configuration End of Procedure Proced...

Page 95: ...Click Submit End of Procedure Saving and restoring the SMC configuration Periodically it is necessary to upgrade or reinstall the SMC software Before doing so Nortel recommends that you save the exis...

Page 96: ...at location specified You can view the configuration using a standard text editor Procedure 16 Enabling TFTP TFTP and FTP are disabled by default If you want to use TFTP or FTP to save or restore the...

Page 97: ...Web UI 1 Using a Web browser enter the URL to the Web UI The SMC login prompt appears 2 Enter the administrator account and password 3 On the left side of page click Operation The Operation Menu expan...

Page 98: ...n is now active Installing the redundant SMC To set up a High Availability SMC cluster using a redundant SMC the following conditions are required Install and configure the primary SMC with basic para...

Page 99: ...ministration Access List Procedure 20 Installing the redundant SMC 1 Make sure that the first SMC is on and operational 2 Rack mount the redundant SMC hardware See Hardware installation on page 59 3 C...

Page 100: ...mple in this procedures shows how to set the IP address of the physical interfaces and virtual IP on the intranet zone All three addresses need to be in the same subnet Each zone further needs to have...

Page 101: ...d The join process can take several minutes to complete End of Procedure Result The SMCs are joined Because the system is now an SMC cluster all configuration is shared across both SMCs So redundant S...

Page 102: ...er is running VRRP CLI info net vrrp status Web UI Main System Page at the top of left hand menu End of Procedure Result The SMC cluster is now in High Availability Mode All packets are now be directe...

Page 103: ...guration although the diagrams show a HA system See High Availability HA configuration on page 78 to review the configuration required to set up a high availability cluster Additional chapters in this...

Page 104: ...evices on either side of the SMC so that traffic is directed through the SMC The routing updates affect the VoIP equipment in the multimedia zones and the router that interfaces to the intranet Figure...

Page 105: ...at the firewalls are unhooked view the firewall status on the initial System page in the Web UI Note You can add and update firewall rules while the firewall is unhooked however the rules do not go in...

Page 106: ...does not affect current network functionality Hooking the firewall After you verify the SMC placement you can turn the firewall on If the firewall rules are properly configured the traffic and service...

Page 107: ...the SMC such as Call Pilot or OTM sessions are terminated and required to recreate a session even if there is an applicable rule for the connection Current Telnet and Secure Shell SSH connections are...

Page 108: ...e 18 HTTPS and UNIStim traffic flow Use the following methods to troubleshoot firewall problems Allowing ping If the end to end connectivity between the client and the server is in question it is help...

Page 109: ...lect ICMP as the protocol 6 Select the appropriate Source and Destination for the client and server 7 Set Action to allow 8 Click Update 9 The rule will be added to the end of the current list 10 Clic...

Page 110: ...earch The latest firewall log messages are displayed 4 Enter the IP address of the client or server of the problem machine 5 Click Search End of Procedure Result All logs for that machine are now list...

Page 111: ...or a particular installation Procedure 28 Enabling unavailable policy logging 1 Log on to the Web UI 2 Navigate to Multimedia Security Security Settings Log Messages 3 Enable Unavailable Policies 4 Cl...

Page 112: ...ny rule is hit by a packet Mar 1 13 21 14 127 0 0 1 id firewall time 2006 03 01 13 21 14 fw a10 10 10 10 pri 1 proto 6 tcp src 2 2 2 100 32808 dst 3 3 3 200 22 mid 2077 mtp 7 msg Deny access policy ma...

Page 113: ...nostics Applied Rules Note The Applied Rules page defines all currently applied rules on the firewall not just the rules specified in the configuration inbound outbound lists Additional rules are list...

Page 114: ...he system log 1 Log on to the Web UI 2 Navigate to Logs System Log 3 Click Search 4 Click Next Page to step through the log messages End of Procedure System and host status You can view the system sta...

Page 115: ...inbound rule to allow this traffic through The rule should map the source and destination networks for the traffic the protocol either TCP UDP SVP or ICMP and the port if not ICMP or SVP Procedure 32...

Page 116: ...n specify an ICMP rule to allow the Desktop Messaging Client to communicate with the CallPilot Server Flow control is used to limit the number of ICMP packets transmitted per second Before starting ga...

Page 117: ...9 Click Finish 10 Click Apply End of Procedure Result The CallPilot Desktop Messaging Wizard creates a new network for the Desktop Messaging Servers and adds an appropriate rule to the designated Sec...

Page 118: ...Server and single SWC Server they are generally collocated Some deployments have multiple Symposium Servers use a single SWC Server Note 2 Optionally Symposium components can use unicast in place of m...

Page 119: ...reation The networks are fully customizable and have no relevance other than as placeholders voip_users The voip_users network refers to user level access that is access by IP phones and other devices...

Page 120: ...Page 120 of 260 Firewall deployment 553 3001 225 Standard 1 00 May 2006...

Page 121: ...131 Configuring the IP clients 139 Managing the keys 146 Signaling servers 147 IP client firmware management 151 Private key updates 154 Licensing 155 Troubleshooting 156 Scenarios 156 Client policy a...

Page 122: ...m The proxy is transparent meaning that neither the client nor the server recognize the SMC is handling the connection The client talks directly to the server and the server communicates with the clie...

Page 123: ...t security Allows only secure sessions and denies all insecure sessions Enable session caching Provides a quicker handshake if the phone restarts Nortel recommends session caching Key renewal Specifie...

Page 124: ...ng server The default rule in the SMC maps a network called voip_users to a nonsecure Policy The Client Rules can be viewed in the Web UI at Multimedia Security UNIStim Security Client Rules Security...

Page 125: ...roup of IP clients the subnet they are on and the SMC network name that has been given to those clients Figure 22 on page 126 shows in the Web UI how the IP client network is tied to the policy and Fi...

Page 126: ...Page 126 of 260 Secure UNIStim deployment 553 3001 225 Standard 1 00 May 2006 Figure 22 Sample policy page...

Page 127: ...gure 23 Sample rules page Security in External Redirections feature When an IP phone is redirected to a server that is not located in an SMZ protected by the current SMC the Security in External Redir...

Page 128: ...prompted when it is redirected to make a secure connection to the external server If the external server is not protected by an SMC the phone connection fails with a security error As illustrated in...

Page 129: ...re Multimedia Controller Implementation Guide Figure 24 Virtual Office redirection scenario Note Even if both servers are protected by SMCs the redirection may still fail if the IP phone does not have...

Page 130: ...ions feature so that the IP phones are redirected insecurely to CS 1000 Remote and they can establish connectivity however this methodology is not fully secure To support a fully secure Virtual Office...

Page 131: ...rs to be proxied IMPORTANT Prior to deploying Secure UNIStim install the supported firmware image on all IP phones served by the SMC Turn on the default Secure UNIStim policies for an initial deployme...

Page 132: ...ith a letter and consist of letters and numbers Since the fingerprint for this key is stored on all IP phones export and store this key after the wizard has completed 8 Click Next 9 Select Yes to add...

Page 133: ...called if it is first in the list You will need to re order the Rule list to place the new more restrictive Rule first 14 Extract the private key to a secure location a Navigate to the Multimedia Sec...

Page 134: ...dministration Monitor UNIStim Security Server page This page displays both primary servers and secondary servers separately for each SMC in a HA cluster 17 To examine the clients navigate to the Admin...

Page 135: ...an IP Client is programmed to communicate with each Primary UNIStim server in the servers list When this IP Client is redirected to the various secondary servers those servers are added to the SMC Dyn...

Page 136: ...ss The MAC address internally maps to port 1 b Obtain the license from Nortel c Paste the license into the New License window and save it Repeat this step for each SMC for each host in a HA cluster It...

Page 137: ...ne connection Using the Web UI you can check whether a phone is connected in secure or non secure mode Procedure 37 Verifying the IP phone connection 1 Log on the Web UI 2 Navigate to the Administrati...

Page 138: ...nd ready to operate Note The 4100 7300 5100 port numbers are factory default When secure UNIStim is disabled and phones are operating normally the phones operate in the final state as identified in st...

Page 139: ...sharing the various TPS servers are discovered to push all phones immediately during a maintenance window reset all phones through Element Manager on all TPS servers Configuring the IP clients Table 1...

Page 140: ...y on the SMC for the server to which the client connects For more information about UNIStim see Secure UNIStim deployment on page 121 WLAN handset 2211 No Yes Polycom Yes Yes IMPORTANT All IP clients...

Page 141: ...t appears 3 Change the action byte from 1 insecure to 6 secure 4 Set the RSA public key fingerprint using the 16 byte fingerprint corresponding to the public private key pair stored on the SMC Note Th...

Page 142: ...ay appear this way during the configuration Instead the two allowed fingerprints are treated as a pool of fingerprints either one can authenticate S1 or S2 WARNING The automatic update feature is avai...

Page 143: ...cter fingerprint is 8a166e6cc08be496 Key in the numerals 0 9 using the phone keypad Key in the letters using the convention of the pound key plus the corresponding number For example 1 a and 6 f 6 If...

Page 144: ...C the fingerprint currently in use is overwritten DHCP Using DHCP you can initially configure IP phones and then the IP phones dynamically retrieve their configuration when they are turned on You can...

Page 145: ...limited in flexibility DHCP recommendations Nortel recommends that you initially keep the action byte at 1 in DHCP and on the IP phones so that the automatic fingerprint update can work correctly and...

Page 146: ...rting the private key Using the Web UI you can generate private keys on the SMC device or import private keys The SMC supports 1024 bit RSA keys Import of the key is facilitated by the use of PEM enco...

Page 147: ...generates firewall rules for the different security zones that it protects however you can customize the firewall rules By default the autogenerated rules allow UNIStim traffic through the SMC for bot...

Page 148: ...s or signaling servers that perform load balancing such as TPS Update server database When secure UNIStim is enabled in an environment with IP phones already communicating on port 5100 through a firew...

Page 149: ...ORTANT Secondary servers are propagated to the backup SMC HA configuration and stored persistently The initial database priming is performed only at installation or when the internal server mappings c...

Page 150: ...eterministic such is the case when one server re directs to multiple other servers such as for load balancing If the IP phones have not been registered with the SMC Nortel recommends that you reset th...

Page 151: ...mage UNIStim security support is present but limited To protect against phone firmware issues you can specify which firmware types fully support Secure UNIStim and what level that support includes You...

Page 152: ...ware checking older firmware images that support security in a limited fashion are upgraded along with phones running the officially supported phone firmware Nortel recommends you disable firmware che...

Page 153: ...he Secure UNIStim client policy You can view the IP client firmware table in the Web UI at the following page Multimedia Security UNIStim Security IP Client Firmware Using the firmware checking featur...

Page 154: ...as been compromised or as part of standard security policy to limit the period an individual key is in use After a private key update all IMPORTANT Clients with images that do not support security are...

Page 155: ...nts replaced when they change their session keys Licensing The SMC requires a license to support the total number of Secure UNIStim users Without a license key the SMC supports 50 Secure UNIStim users...

Page 156: ...a proxied server and that pass through the firewall insecurely using a firewall rule are not included in these counts Statistics View the UNIStim proxy statistics at the Statistics UNIStim Proxy page...

Page 157: ...nt firmware version and client policies based on client IP address and subnet information These policies impact client connectivity in the following ways allow or deny a client non secure register req...

Page 158: ...connect in secure mode and IP phones without secure capability get rejected Policy setting upgrade y Security y Example 3 The client subnet consists of IP phones running the newer firmware as well as...

Page 159: ...irmware policy for 0602B75 cache deny IMPORTANT Once firmware checking is enabled you must ensure that all firmware versions that need to run secure UNIStim are present in the firmware database The SM...

Page 160: ...Page 160 of 260 Secure UNIStim deployment 553 3001 225 Standard 1 00 May 2006...

Page 161: ...required for collecting system information configuring system parameters beyond initial setup establishing security policies and monitoring policy effectiveness Management tools The SMC provides the f...

Page 162: ...emented on the SMC The default usernames and password for each access level are listed in Table 14 Usernames and passwords are case sensitive Note Nortel recommends that you change all the default pas...

Page 163: ...ernal access to the operating system and software Root access is NOT RECOMMENDED unless under the direction of Nortel support personnel CAUTION Service Interruption The root login on this system is on...

Page 164: ...his upgrade process DOES NOT retain the current configuration so the configuration must be saved prior to the upgrade Use this upgrade when there is concern that the SMC application software may be co...

Page 165: ...es 4 Click Packages A screen appears listing the Installed Packages and providing an option to upload the new package 5 Click Browse to locate the package you wish to upload to SMC Note The package fi...

Page 166: ...ent indicating that it is now the active version The pervious package has a status of old with an Activate button in the Actions column of the page The Activate button provides the option to revert to...

Page 167: ...ish the connection Result The SMC login prompt appears 3 Log on with the admin user and password 4 Enter cur to verify the current versions of the software 5 Choose one of the following 4 Enter cur to...

Page 168: ...e the boot software cur command When a new version of the software is downloaded to the SMC the software package is automatically decompressed and marked as unpacked After you activate the unpacked so...

Page 169: ...mpt and then wait two more minutes for the SMC to be reinitialized 5 Enter info clu to check that the SMC is running 6 Log on to the SMC 7 Enter boot software cur to check the software status The soft...

Page 170: ...sult When the upgrade is completed the configuration for at least one network interface must be added so the configuration can be downloaded using FTP TFTP Reinstalling the software Reinstalling the s...

Page 171: ...ROM If the CD ROM is correctly burned and inserted you will see the following message Loading OS from CDROM 5 When prompted log on to the console as the root user No password is required 6 Enter insta...

Page 172: ...on the network The host name or IP address of the FTP SCP SFTP server The name of the IMG file This process assumes that FTP and TFTP are enabled on the SMC See Procedure 16 on page 96 Note You can pr...

Page 173: ...fg to restore the configuration from the TFTP server 15 Reboot the SMC to apply the restored configuration file End of Procedure Resetting the SMC to factory defaults Procedure 48 Resetting the SMC to...

Page 174: ...h SMC owns the MIP in the following manner CLI info summary Web UI System page ii Delete the machine not currently logged on connectivity is not lost CLI cfg sys cluster host n delete Web UI Operation...

Page 175: ...goes down and comes back up VRRP does not support preferred master The SMC does not work with Spanning Tree Protocol STP because STP interferes with VRRP When STP is enabled the SMC host with the hig...

Page 176: ...added to the first SMC Only two SMCs can reside in a cluster The general procedure for joining the SMCs is presented in Installing the redundant SMC on page 98 Clustered SMCs act as virtual routers in...

Page 177: ...ster continuously broadcasts advertisement packets at regular intervals as defined by the advertisement interval adint value If advertisement packets are not received within the advertisement interval...

Page 178: ...failover based on links Link failures decrement the internal priority value that VRRP maintains for both SMCs A link failure is defined as a loss of link at the VRRP interface At initialization VRRP...

Page 179: ...heck Active Standby The active standby parameter enables Active Standby which is also referred to as HA You can apply Active Standby only when there are two SMCs in the cluster Advertisement interval...

Page 180: ...t their ARP entries for the virtual router Increasing the Gratuitous Broadcast value cuts down on the GARP traffic but lengthens the interval between end host ARP cache updates VRRP interface Define t...

Page 181: ...he vrid and virtual router addresses at the VRRP Interface menu on the same interface as the virtual router interface The virtual router IP address and the subaddresses must be unique but all three IP...

Page 182: ...Page 182 of 260 Maintenance 553 3001 225 Standard 1 00 May 2006...

Page 183: ...view the text based CLI using a basic terminal The CLI commands are grouped into a series of menus and submenus Each menu displays a list of commands and or submenus along with a summary of what each...

Page 184: ...n you can manage the SMC from any workstation connected to the network Telnet access provides the same management options as those available through the local serial port By default Telnet access is d...

Page 185: ...H or the Web UI there is no need to perform step 5 End of Procedure Starting the Telnet session Remote Telnet access requires a workstation with Telnet client software To establish a Telnet session ru...

Page 186: ...50 Enabling Telnet or SSH using the Web UI 1 Using a Web browser access the Web UI 2 Log on using the administrator account and password 3 Click Administration Telnet SSH A page is displayed that sho...

Page 187: ...nds that you select the option to generate new SSH host keys This is required to maintain a high level of security when connecting to the SMC using an SSH client If you fear that the SSH host keys are...

Page 188: ...the following manner 1 From a series of menu and submenu items modify parameters to create the desired configuration 2 Use the global cur command to view the current settings for the commands in the...

Page 189: ...ime out parameter as shown in the following command cfg sys adm idle time out period where the time out period is specified as an integer from 300 to 3600 seconds Or you can specify time out in minute...

Page 190: ...nt menu or up Goes up one level in the menu structure If placed at the beginning of a command goes to the Main Menu Otherwise separates multiple commands placed on the same line apply Applies and save...

Page 191: ...ved configuration dump file that includes encrypted private keys ping address tries delay Verifies station to station connectivity across the network pwd Displays the command path used to reach the cu...

Page 192: ...use this command multiple times to navigate backward through the last 10 commands Ctrl n or the down arrow key Recalls the next command from the history list You can use this command multiple times to...

Page 193: ...s in the same menu or submenu For example you can enter the preceding command as follows Main c s acc Tab completion Enter the first letter of a command at any menu prompt and press Tab to display all...

Page 194: ...t The SMC login prompt appears 3 Enter admin for the default login name 4 Enter admin for the default password 5 Set a password a Enter edit xxxx where xxx represents the name of the user b Enter pass...

Page 195: ...IUS authentication 9 Enter apply to apply the configuration End of Procedure You can set the RADIUS server up in an HA configuration The console session in the current master takes over and login is p...

Page 196: ...Page 196 of 260 The Command Line Interface CLI 553 3001 225 Standard 1 00 May 2006...

Page 197: ...Controller SMC system management features from your web browser Characteristics of the Web UI Following are the characteristics of the Web UI installation not required the Web UI is part of the SMC op...

Page 198: ...ipt is not the same as Java Please ensure that JavaScript is enabled in your web browser End of Procedure Using the VRRP virtual IP address to access the SMC Web UI To use the VRRP virtual IP address...

Page 199: ...eveal its associated sub categories Config The Config tab is the default tab for the Web UI main page and provides access to all of the monitoring and configuration functions SMC Config main menu tree...

Page 200: ...for each form Global command buttons The global command buttons are always available at the top of each form These commands summon forms used for saving examining or canceling configuration changes lo...

Page 201: ...e set of parameters concurrently the latest applied changes take precedence Pending change exceptions After submission most changes are considered pending and are not immediately put into effect or pe...

Page 202: ...without submitting the information to the pending configuration Click the Update or Submit button on the form to submit changes to the pending configuration Pending changes are also discarded if they...

Page 203: ...Changes When selected this command updates the SMC with any pending configuration changes Pending changes are first validated for correctness see Validate Configuration on page 24 If no problems are f...

Page 204: ...lists users configured with default passwords that require change Submit button Click to perform the action selected in the Apply Changes pull down list Back button Click to return to the previously v...

Page 205: ...out form to terminate the current user session The global Logout form includes the following items Logout button Click the Logout button to terminate the current user session TIP Any un applied config...

Page 206: ...e menu Click Pages to display Help for the selected form Click Tasks to activate the task based Help system see Figure 13 Task topic menu Select from a list of tasks using the menu on the left side of...

Page 207: ...tion The SMC has an extensive logging infrastructure which includes three primary types of logs system security and UNIStim This chapter discusses each type of log file and details how logging can pot...

Page 208: ...tim security information and errors generated by the Secure UNIStim proxy You can view the UNIStim log in the Web UI at the Logs UNIStim Proxy Log page Log configuration Remote logging You can configu...

Page 209: ...ecurity Settings Log Messages page you can enable or disable logging for certain types of messages such as particular attacks globally allowed packets and globally denied packets Limit by count You ca...

Page 210: ...he previous option not all messages are logged however because uses sampling one does not get the large blocks of messages discarded Logging thresholds For better performance you can configure the SMC...

Page 211: ...lf policies can trap for certain messages and then send details to the Security Log Rule id mappings Firewall log messages often map to a specific firewall rule as defined by a rule ID listed in the l...

Page 212: ...Page 212 of 260 Logging 553 3001 225 Standard 1 00 May 2006...

Page 213: ...plementation Guide 216 Limits and Scaling Contents This section contains information about the following topics Configuration limits 214 Firewall limits 214 Engineering limitations 214 Secure UNIStim...

Page 214: ...sentially zero packet loss This throughput is sufficient to support approximately 1000 concurrent calls assuming 50 100 pps call in each direction It is important to note that this applies to packet t...

Page 215: ...a certain limit connections are dropped due to CPU over utilization and SMC latency If the sessions have a master key cached on the SMC the full RSA handshake can be bypassed and the successful rate...

Page 216: ...te signaling conditions The testing was performed with loads as high as 12500 simultaneous secure UNIStim connections and the CPU remained far within acceptable limitations when steady state was achie...

Page 217: ...configuration is added and enabled or an SMC is added to the cluster but not responding perform the following 1 Check the cabling and that all the ports have link traffic LED indication as expected 2...

Page 218: ...tch of the fingerprints That is the currently configured client fingerprint does not match either the primary or secondary fingerprint For more information about fingerprints see Managing the keys on...

Page 219: ...client perform the following steps 1 On the IP client set the Action Byte must to 1 for non secure mode 2 On the SMC configure a client policy default policy with the following rules Upgrade y Securit...

Page 220: ...requires clients from this subnet to run Secure UNIStim The failed clients receives a Service Unreachable error message To resolve this error change SMC policy to Upgrade y and Security n Then the pol...

Page 221: ...ions for each characteristic of the SMC Table 20 Hardware specifications Characteristic Measurement Form Factor 1U high custom base chassis Dimensions H x W x D 1 72 inches 44 millimeters x 16 9 inche...

Page 222: ...Base TX GB E IDE PCI card PWLA8492MT Console port Console port DCE DB9 F RS 232C see Table 8 on page 73 System management Thermal voltage and fan monitoring Light emitting diodes LED power green disk...

Page 223: ...s Table 24 on page 224 lists certification marks Table 22 Safety specifications Compliance Country UL60950 USA CSA22 2 No 60950 Canada EN60950 Europe IEC60950 Europe Table 23 Emissions specifications...

Page 224: ...260 Appendix B Specifications 553 3001 225 Standard 1 00 May 2006 Table 24 Certification marks Compliance Country cULus USA Canada CE Europe Gost Russia NOM Mexico S Mark Argentina TUV GS Germany Euro...

Page 225: ...ecure Multimedia Controller SMC has approvals to be sold in many global markets The regulatory labels on the back of system equipment contain national and international regulatory information Electrom...

Page 226: ...24 Information technology equipment Immunity characteristics Limits and methods of measurement EN 6100 3 2 Limits for harmonic current emissions equipment input current 16 A per phase EN 6100 3 3 Limi...

Page 227: ...uency energy and if not installed and used in accordance with the instruction manual can cause harmful interference to radio communications Operation of this equipment in a residential area is likely...

Page 228: ...Page 228 of 260 Appendix C Regulatory information 553 3001 225 Standard 1 00 May 2006 DenAn regulatory notice for Japan...

Page 229: ...re Licence The Apache Software License Version 1 1 Copyright c 2000 The Apache Software Foundation All rights reserved Redistribution and use in source and binary forms with or without modification ar...

Page 230: ...SSED OR IMPLIED WARRANTIES INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED IN NO EVENT SHALL THE APACHE SOFTWARE FOUNDATION O...

Page 231: ...e following disclaimer in the documentation and or other materials provided with the distribution 3 All advertising materials mentioning features or use of this software must display the following ack...

Page 232: ...ED OF THE POSSIBILITY OF SUCH DAMAGE OpenSSL and SSLeay Licenses LICENSE ISSUES The OpenSSL toolkit stays under a dual license i e both the conditions of the OpenSSL License and the original SSLeay li...

Page 233: ...is product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit http www openssl org THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT AS IS AND ANY EXPRESSED OR IMPLIED WA...

Page 234: ...that the holder is Tim Hudson tjh cryptsoft com Copyright remains Eric Young s and as such any Copyright notices in the code are not to be removed If this package is used in a product Eric Young shou...

Page 235: ...ANY EXPRESS OR IMPLIED WARRANTIES INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTO...

Page 236: ...laimer in the documentation and or other associated materials 3 the copyright holder s name is not used to endorse products built using this software without specific written permission ALTERNATIVELY...

Page 237: ...ary form must reproduce the copyright notice in the documentation and or other materials provided with the distribution 3 A copy of any bugfixes or enhancements made must be provided to the author pgu...

Page 238: ...number Once covered code has been published under a particular version of the license you may always continue to use it under the terms of that version You may also choose to use such covered code un...

Page 239: ...IABILITY OR TORT INCLUDING NEGLIGENCE OR OTHERWISE ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE This software consists of voluntary contribution...

Page 240: ...but the software remains copyrighted by the author Don t intermix this with the general meaning of Public Domain software or such a derivated distribution label The author reserves the right to distri...

Page 241: ...translate to certain responsibilities for you if you distribute copies of the software or if you modify it For example if you distribute copies of such a program whether gratis or for a fee you must g...

Page 242: ...ing the Program is not restricted and the output from the Program is covered only if its contents constitute a work based on the Program independent of having been made by running the Program Whether...

Page 243: ...required to print an announcement These requirements apply to the modified work as a whole If identifiable sections of that work are not derived from the Program and can be reasonably considered inde...

Page 244: ...rce code This alternative is allowed only for non commercial distribution and only if you received the program in object code or executable form with such an offer in accord with Subsection b above Th...

Page 245: ...the Program subject to these terms and conditions You may not impose any further restrictions on the recipients exercise of the rights granted herein You are not responsible for enforcing compliance...

Page 246: ...incorporates the limitation as if written in the body of this License 11 The Free Software Foundation may publish revised and or new versions of the General Public License from time to time Such new...

Page 247: ...OPYRIGHT HOLDER OR ANY OTHER PARTY WHO MAY MODIFY AND OR REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE BE LIABLE TO YOU FOR DAMAGES INCLUDING ANY GENERAL SPECIAL INCIDENTAL OR CONSEQUENTIAL DAMAGES ARIS...

Page 248: ...GNU General Public License for more details You should have received a copy of the GNU General Public License along with this program if not write to the Free Software Foundation Inc 59 Temple Place S...

Page 249: ...aims all copyright interest in the program Gnomovision which makes passes at compilers written by James Hacker signature of Ty Coon 1 April 1989 Ty Coon President of Vice This General Public License d...

Page 250: ...Page 250 of 260 Appendix D Software licenses 553 3001 225 Standard 1 00 May 2006...

Page 251: ...Format SMC firewall logs use the industry standard Webtrends Extended Log Format WELF for logging network activity A sample of a log message in WELF generated by syslog is shown here Apr 18 04 25 52 1...

Page 252: ...e event Id Identifies the type of record time Shows the date and time of the event in terms of local time fw Identifies the SMC that generated the log record pri Identifies the priority of the event p...

Page 253: ...rce Limit Reached This log message indicates that respective direction s connection table to be reached and no additional connections can be made in that direction Apr 29 20 07 53 172 16 7 225 id fire...

Page 254: ...width Reached This log message indicates that the maximum bandwidth to pass is reached and further packets are dropped Apr 29 19 52 41 172 16 7 225 id firewall time 2004 04 29 14 35 41 fw a10 10 10 10...

Page 255: ...there is no policy configured for the packet to traverse the SMC Apr 29 20 14 11 172 16 7 225 id firewall time 2004 04 29 14 57 11 fw a10 10 10 10 pri 4 proto 6 tcp src 172 16 8 226 dst 172 16 8 225...

Page 256: ...9 10 fw a10 10 10 10 pri 1 proto 197 src 89 128 155 52 dst 172 16 7 224 mid 2031 mtp 2048 msg Unable to find route for source from ext n w agent Firewall IP Reassembly This log message is generated wh...

Page 257: ...erated when the SMC detects an invalid sequence number Apr 15 05 23 31 172 16 1 250 id firewall time 2002 04 15 17 04 45 fw a10 10 10 10 pri 1 proto 6 tcp src 172 16 2 244 dst 172 16 2 249 msg Invalid...

Page 258: ...g of Death This log message is generated when the SMC detects a Ping of death attack Apr 15 05 01 59 172 16 1 250 id firewall time 2002 04 15 16 43 17 fw a10 10 10 10 pri 1 proto 1 icmp src 172 16 1 1...

Page 259: ...6 8 226 dst 172 16 8 225 mid 2086 mtp 32768 msg Connection closed Bytes transferred 22837 Src 36636 Dst 80 from ext n w ruleid 3 agent Firewall Connection Terminated This log message is generated when...

Page 260: ...Page 260 of 260 Appendix E SMC packet filter log messages 553 3001 225 Standard 1 00 May 2006...

Page 261: ......

Page 262: ...atements configurations technical data and recommendations in this document are believed to be accurate and reliable but are presented without express or implied warranty Users must take full responsi...

Reviews:

No comments

Brands by name

Popular brands

Load more brands