[Top][Contents][Prev][Next][Last]Search

Getting Started: Basic Security Measures

This chapter describes how to set up basic security on the MAX. The chapter covers the following topics:
Introducing Security profiles
Understanding basic security measures
Activating the Full Access profile
Changing the Full Access password
Setting the Default profile for read-only access
Changing the SNMP read-write community string
Assigning a Telnet password
Requiring profiles for incoming connections
Turning off ICMP redirects
Specifying the number of retry attempts
Retrieving configuration updates from RADIUS

Introducing Security profiles

Security profiles consist of parameters you configure to control access to the MAX. All Security profiles are located below the Security menu of the System profile in the MAX configuration interface.

00-300 Security

>00-301 Default

  00-302

  00-303

  00-304

  00-305

  00-306

  00-307

  00-308

  00-309 Full Access
All MAX units provide two special profiles:

Profile

Description
Full Access

 Provides full access to the MAX. This is the superuser profile that enables you to configure your system, dial remote locations, reset the unit, and upgrade system software.

Any user who knows the password for the Full Access profile can perform any operation on the MAX. The default Full Access password is Ascend. To maintain security, you should change the Full Access password from its default value. For details, see "Changing the Full Access password" on page 1-3.

Default

The MAX assigns the Default profile to every user who logs in via Telnet, the Control port, and remote management. The MAX activates the Default profile when the MAX powers on or resets. The privileges set in the Default profile are available to all users. You cannot change the name of the Default profile or assign a password to it. However, you can change its settings to make the profile more restrictive. For details, see "Setting the Default profile for read-only access" on page 1-4.

Note: Follow the instructions in "Changing the Full Access password" on page 1-3 and "Setting the Default profile for read-only access" on page 1-4. These instructions result in two security levels, one that is totally open (Full Access) and one that is very restrictive (Default).

If you are the only user who must configure the MAX or perform administrative tasks, you do not need to create any Security profiles in addition to the Default and Full Access profiles. However, you can define additional security levels allowing specific users to perform a subset of administrative functions. You can create up to seven additional Security profiles. For more information about these tasks, see Chapter 2, "Setting Up Security Profiles."

Understanding basic security measures

When you first receive the MAX, all levels are set with full privileges. Initially, you can activate only the Default and Full Access profiles. Before you can activate one of the other Security Profiles, you must assign it a name. The default security settings of the Full Access profile enable you to configure and set up the MAX without any restrictions. Before you make the MAX generally accessible, you should protect the configured unit from unauthorized access. Proceed as follows:

  1. Activate the Full Access profile.

  2. Change the Full Access password.

  3. Set the Default profile for read-only access.

  4. Change the SNMP read-write community string.

  5. Assign a Telnet password.

  6. Require profiles for incoming connections.

  7. Turn off ICMP redirects.

  8. Specify the number of times the MAX retries a connection.

  9. Retrieving configuration updates from RADIUS.

Activating the Full Access profile

You must activate the Full Access profile for your own use in performing the rest of the basic security measures. To activate the Full Access profile, proceed as follows:

  1. From any VT100 menu, press <Ctrl> D.

    The DO menu appears. For example:

  2. Press P or select P=Password.

    A menu appears listing all security profiles:

    Security profile...?
    >00-301 Default
    00-302 test
    00-303
    00-304
    00-305
    00-306
    00-307
    00-308
    00-309 Full Access

  3. Select Full Access.

    The MAX displays a password prompt.

  4. Enter the password assigned to the Full Access security profile.

    If you enter the correct password, the MAX displays the message Password accepted. Using new security level. If you enter the incorrect password, the MAX prompts you again for the password.

Changing the Full Access password

The Full Access Security profile is the super-user profile that enables you to configure your system, dial remote locations, reset the unit, and upgrade system software. Because this profile allows complete access, all privileges are set to Yes. The default password assigned to the profile is Ascend. A user who knows the password for the Full Access profile can perform any operation on the MAX.

Change the default password as soon as possible.

To assign a password protecting the Full Access profile, proceed as follows:

  1. From any VT100 menu, press Ctrl-D.

    The DO menu appears. For example:

  2. Press P or select P=Password.

    A menu appears listing all security profiles:

    Security profile...?
    >00-301 Default
    00-302 test
    00-303
    00-304
    00-305
    00-306
    00-307
    00-308
    00-309 Full Access

  3. Select Full Access.

    The MAX displays a password prompt.

  4. Enter the password assigned to the Full Access security profile.

    If you enter the correct password, the MAX displays the message Password accepted. Using new security level. If you enter the incorrect password, the MAX prompts you again for the password.

  5. Open the System > Security > Full Access profile.

  6. Select the Passwd parameter and press Enter to open a text field.

  7. Type a new password, and press Enter.

  8. Exit the Full Access profile, and select the Exit and Accept option to save your changes.

Setting the Default profile for read-only access

The first profile in the Security menu is called Default. It has no password, and you cannot modify the profile's name or create a password. The MAX activates this profile whenever you power on or reset the unit, and whenever a user begins a new login session.

Although the Default profile is set initially with full privileges, it is intended to be very restrictive. Every user who logs in via Telnet, the Control port, or remote management is granted the privileges specified there.

To make the Default profile appropriately restrictive, proceed as follows:

  1. Open the System > Security menu.

  2. Open the Default profile.

    The first two parameters in the Default profile cannot be changed. The name is always Default and the password is always null.

  3. Set Operations=No.

    All other parameters are set to N/A when Operations=No.

    Users who access the MAX terminal server cannot make any changes to its configuration or to perform restricted operations. For all users with the Default security level, passwords (including the null password) are hidden by the string *SECURE* in the MAX unit's user interface.

  4. Exit the Full Access profile, and select the Exit and Accept option to save your changes.

Changing the SNMP read-write community string

An SNMP community string is an identifier that an SNMP manager application must specify before it can access the MIB (Management Information Base). The MAX has two community strings:

String

Function
Read Comm

 The read community string has the value public by default. It enables an SNMP manager to perform read commands (get and get next) in order to request specific information.

R/W Comm

 The read-write community string has the value write by default. It enables an SNMP manager to perform both read and write commands (get, get next, and set). Using the commands, the application can access management information, set alarm thresholds, and change settings on the MAX.

You cannot turn off SNMP write, so you must change the default read-write string to secure the MAX against unauthorized SNMP access. To change the read-write community string, proceed as follows:

  1. Open the Ethernet > Mod Config > SNMP Options menu.

  2. For the R/W Comm parameter, specify a text string containing up to 16 characters.

    For example, you can specify this setting:

  3. Close the SNMP Options menu, and select the Exit and Accept option to save your changes.

Assigning a Telnet password

Until you assign a Telnet password, any local user who knows the MAX unit's IP address can start a Telnet session with the MAX. When you assign a password, all users requesting incoming Telnet sessions, whether locally or from across the WAN, must enter the password.

To assign a Telnet password, proceed as follows:

  1. Open the Ethernet > Mod Config > Ether Options menu.

  2. For the Telnet PW parameter, specify a password containing up to 20 characters.

    For example, you might enter this setting:

  3. Close the Ether Options menu, and select the Exit and Accept option to save your changes.

Requiring profiles for incoming connections

You can use the MAX unit's Answer profile to build connections that do not require a name and password. Although some sites allow such connections, most sites impose much tighter restrictions. You should consider limiting incoming connections to those that have a configured Connection profile, Password profile, or RADIUS user profile.

Chapter 3, "Setting Up User Authentication," describes the types of authentication you can configure for incoming connections. At the most basic level, however, you can configure the MAX to reject all incoming connections for which it finds no matching profile.

To require configured profiles for all incoming connections, proceed as follows:

  1. Open the Ethernet > Answer menu.

  2. To specify that a matching profile is required for incoming calls, set Profile Reqd=Yes.

    Note: If you configure the MAX to support AppleTalk Remote Access (ARA) connections, setting Profile Reqd=Yes disables Guest access to your network.

  3. Exit the Answer profile, and select the Exit and Accept option to save your changes.

Turning off ICMP redirects

ICMP enables a unit to find the most efficient IP route to a destination. ICMP Redirect packets are one of the oldest route discovery methods on the Internet and one of the least secure. It is possible to counterfeit ICMP Redirects and change the way a device routes packets. If the MAX is routing IP, Ascend recommends that you turn off ICMP redirects.

To configure the MAX to ignore ICMP redirect packets, proceed as follows:

  1. Open the Ethernet > Mod Config menu.

  2. Set ICMP Redirects=Ignore.

  3. Save your changes.

Specifying the number of retry attempts

When a MAX unit attempts to make a connection and the attempt fails, the MAX continues to attempt to complete the connection. The number of retry attempts allowed without using call blocking is very large and successive retries can cause excessive charges, congestion, and performance problems. With call blocking, you can specify a maximum number of unsuccessful attempts. After the specified number of attempts have been made and failed, the blocking timer starts. The MAX continues to block further retries for a the length of time you specify.

To configuring call blocking, proceed as follows:

  1. Open the Ethernet > Connections > any Connection profile > Session options menu.

  2. Set Block calls after to the number of retry attempts the MAX allows when placing a call.

  3. Set Blocked duration to the length of time the MAX continues to block calls.

Call blocking applies only to outgoing calls that are not answered by the far end. It does not apply to incoming calls or outgoing calls that connect and are immediately disconnected

Retrieving configuration updates from RADIUS

When you power up the MAX, it can retrieve a potentially large quantity of configuration information from the RADIUS server. Some of the data on the RADIUS server can change during operation. You can direct the MAX to retrieve this information in one of two ways:


[Top][Contents][Prev][Next][Last]Search

techpubs@ascend.com

Copyright © 1998, Ascend Communications, Inc. All rights reserved.