
4 Controller, Access Points and Convergence Software configuration

4.6 Filtering at the interface level

The Controller, Access Points and Convergence Software has a number of built-in filters that protect the system from unauthorized traffic. These filters are applied at the network interface level and are automatically invoked.

Port Status: To enable OSPF on the port, select Enabled from the drop-down list.

Link Cost: Key in the OSPF standard for your network for this port. Default displayed is 10. (The cost of sending a data packet on the interface. The lower the cost, the more likely the interface is to be used to forward data traffic.)


If more than one port is enabled for OSPF, it is desirable to prevent the HiPath Wireless Controller from serving as a router for other network traffic (other than the traffic from wireless device users controlled by the HiPath Wireless Controller). To ensure that the HiPath Wireless Controller is never the preferred OSPF route, one solution is to set the Link Cost to its maximum value of 65535.

Filters should also be defined in the Virtual Network Configuration – Filtering screen that will drop routed packets.

Authentication: From the drop-down list, select the authentication type set up for the OSPF on your network: None or Password.

Password: If “Password” was selected above, key it in here. This password must match on either end of the OSPF connection.

Dead-Interval: Time in seconds (displays OSPF default).

Hello-Interval: Time in seconds (displays OSPF default).

Retransmit-Interval: Time in seconds (displays OSPF default).

Transmit delay: Time in seconds (displays OSPF default).


In addition to these built-in filters, the administrator can define specific exception filters at the interface level to customize network access. These filters do not depend on a VNS definition.

4.6.1 Port-based exception filters: built-in

On the HiPath Wireless Controller, various port-based exception filters are built in and invoked automatically. These filters protect the HiPath Wireless Controller from unauthorized access to system management functions and services via the ports.

For example, on the HiPath Wireless Controller’s data interfaces (both physical interfaces and VNS virtual interfaces), the built-in exception filter prohibits invoking SSH, HTTPS, or SNMP.

However, such traffic is allowed, by default, on the Management port.

To enable SSH, HTTPS, or SNMP access through a data interface, select the interface in the IP Addresses screen and click the "Management" checkbox on. You can also enable such management traffic in the VNS definition.

If management traffic is explicitly enabled for any interface (physical port or VNS), access to it is implicitly extended to that interface through any of the other interfaces (VNS).

Only traffic specifically allowed by the interface’s exception filter is allowed to reach the HiPath Wireless Controller itself. All other traffic is dropped. Exception filters are dynamically configured, and are regenerated whenever the system's interface topology changes (a change of IP address for any interface).

Enabling management traffic on an interface adds additional rules to the exception filter to open up the well-known IP (TCP/UDP) ports corresponding to the HTTPS, SSH and SNMP applications.

The port-based built-in exception filtering rules, in the case of traffic from VNS users, operate only on traffic that is targeted directly to one of the VNS's interfaces. For example, a VNS filter may be generic enough to allow traffic access to the HiPath Wireless Controller's management (Allow All [*.*.*.*]). The traffic will initially be allowed according to the VNS user’s policy, but may then be denied by the exception filter of the VNS interface.

4.6.2 Port-based exception filters: user defined

You can add specific filtering rules at the port level in addition to the built-in rules. Such rules give you the capability of restricting access to a port, for specific reasons, such as a Denial of Service (DoS) attack.

To define filtering rules that are associated with one of the physical data ports on the HiPath Wireless Controller rather than with a VNS, use the Port Exception Filter screen.

The filtering rules are set up in the same manner as filtering rules defined for a VNS — specify an IP address and then either “Allow” or “Deny” traffic to that address. See Section 7.5, “Filtering rules for a VNS”, on page 90.


Exception filtering rules that you will define for a VNS will apply to the wireless device users after their authentication, whereas the filtering rules that you define here apply to all traffic on a physical port.

Define port exception filters

1. Click on the HiPath Wireless Controller tab. Click on the Port Exception Filters option.

The Port Exception Filters screen appears.

2. Select the data port from the pull-down list to which these filters will apply.

3. For each filtering rule you are defining, fill in the rule fields:

   IP / Port: Type in the destination IP address. You can also specify an IP range, a port designation or a port range on that IP address.

   Protocol: Default is N/A. To specify a protocol, select from the drop-down list (may include UDP, TCP, IPsec-ESP, IPsec-AH, ICMP).

4. Click on the Add button. The information appears in a new line in the Filter area of the screen.

5. Highlight the new filtering rule and click the Allow checkbox on to allow traffic. Leave it unchecked to disallow traffic.

6. Edit the order of a filtering rule by highlighting the line and clicking on the Up and Down buttons. The filtering rules are executed in the order defined here.

7. To save the filtering rules, click on the Save button.
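The following is an added illustration, not code from the HiPath Wireless Controller or from this guide. It models the exception-filter behaviour the section describes: an ordered rule list evaluated first-match, an implicit drop for anything no rule allows, and the extra rules that enabling "Management" on an interface adds for SSH, HTTPS and SNMP. The interface address, the 0.0.0.0/0 "allow all" rule, the sample destination addresses and the packet tuples are all constructed for the example; the rule field names follow the screen described above (IP / Port, Protocol, Allow).

```python
"""Model of an ordered, first-match port exception filter with implicit drop.

Added example; it is not the controller's implementation. Addresses and
packets below are constructed test data.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Well-known ports for the three management services named in the guide.
# Enabling "Management" on an interface opens exactly these (assumed mapping).
MANAGEMENT_SERVICES = {"SSH": ("TCP", 22), "HTTPS": ("TCP", 443), "SNMP": ("UDP", 161)}


@dataclass(frozen=True)
class Rule:
    """One line of the Port Exception Filter screen."""
    network: str                          # IP / Port field: single IP or CIDR range
    allow: bool                           # Allow checkbox: True = allow, False = deny
    protocol: Optional[str] = None        # Protocol field: None means N/A (any)
    ports: Optional[Tuple[int, int]] = None  # inclusive port range, None = any port

    def matches(self, dst_ip: str, proto: str, dst_port: Optional[int]) -> bool:
        if ip_address(dst_ip) not in ip_network(self.network, strict=False):
            return False
        if self.protocol is not None and self.protocol != proto:
            return False
        if self.ports is not None:
            # A rule that names a port cannot match a packet without one (e.g. ICMP).
            if dst_port is None or not (self.ports[0] <= dst_port <= self.ports[1]):
                return False
        return True


def management_rules(interface_ip: str) -> List[Rule]:
    """Rules the Management checkbox adds for one interface address."""
    return [Rule(interface_ip, True, proto, (port, port))
            for proto, port in MANAGEMENT_SERVICES.values()]


def evaluate(rules: List[Rule], dst_ip: str, proto: str,
             dst_port: Optional[int]) -> Tuple[str, Optional[int]]:
    """Return (verdict, index of matching rule). No match is an implicit DENY."""
    for index, rule in enumerate(rules):
        if rule.matches(dst_ip, proto, dst_port):
            return ("ALLOW" if rule.allow else "DENY", index)
    return ("DENY", None)


def build_interface_filter(interface_ip: str, management_enabled: bool,
                           user_rules: List[Rule]) -> List[Rule]:
    """Built-in management rules (if enabled) followed by the administrator's rules."""
    rules = management_rules(interface_ip) if management_enabled else []
    return rules + list(user_rules)


if __name__ == "__main__":
    iface = "192.0.2.10"                                   # constructed data-port address
    # Constructed user rules: deny one subnet first, then allow everything else.
    user = [Rule("198.51.100.0/24", False), Rule("0.0.0.0/0", True)]
    for mgmt in (False, True):
        f = build_interface_filter(iface, mgmt, user)
        print("management", mgmt, "SSH to interface ->", evaluate(f, iface, "TCP", 22))
    # Same two rules in the opposite order give the opposite verdict: order matters.
    print(evaluate(list(reversed(user)), "198.51.100.7", "TCP", 80))
```

Running the block shows that with Management unchecked SSH to the data interface is dropped by the implicit deny, that checking it produces an allow from the built-in rule, and that swapping the two user rules turns a denied packet into an allowed one, which is why the Up and Down buttons in step 6 matter.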
