• No results found

LUCOM GmbH * Ansbacher Str. 2a * Zirndorf * Tel / * Fax / *

N/A
N/A
Info
Download
Protected

Academic year: 2021

Share "LUCOM GmbH * Ansbacher Str. 2a * Zirndorf * Tel / * Fax / *"

Copied!
14
0
0

Loading.... (view fulltext now)

Download now ( 14 Page )

Full text

(1)

User module

Advanced Security

APPLICATION NOTE

(2)

USED SYMBOLS

Used symbols

Danger – important notice, which may have an influence on the user’s safety or the function of the device.

Attention– notice on possible problems, which can arise in specific cases.

(3)

CONTENTS

Contents

1 Description of user module 1

2 Configuration 2

2.1 Network security options . . . 2

2.2 SSH access administration . . . 4

2.2.1 Add host to access list . . . 4

2.2.2 Remove host from access list . . . 5

2.2.3 Clear list . . . 6

3 Module activity monitoring 7 3.1 System log . . . 7

3.2 Setup log . . . 8

(4)

LIST OF FIGURES

List of Figures

1 Access to the router withAdvanced Securityvia SSH . . . 1

2 Network security options . . . 3

3 Add host to access list . . . 4

4 Remove host from access list . . . 5

5 Clear access list . . . 6

6 System log . . . 7

(5)

LIST OF TABLES

List of Tables

(6)

1. DESCRIPTION OF USER MODULE

1. Description of user module

User moduleAdvanced Securityis not contained in the standard router firmware. Upload-ing of this user module is described in the Configuration manual (see [1, 2]).

The user module is v2 and v3 router platforms compatible.

Advanced Security module extends configuration of Conel router of ability to set the num-ber of additional security features. These include for example disabling (or enabling) sending error messages within the ICMP protocol, disabling (or enabling) the ICMP protocol as a whole, disabling (or enabling) access to the router via Telnet or SSH etc. Detailed descriptions of all options can be found in chapter2 Configurationon page 2.

This module also allows user to regulate access to the router via SSH (network protocol for secure data communication). There is an access list, where it can be specified IP addresses from which it is possible to access to the router via SSH. Access from other addresses is automatically disabled (packets are dropped).

Figure 1: Access to the router withAdvanced Security via SSH

For configuration Advanced Security user module is available web interface, which is in-voked by pressing the module name on theUser modulespage of the router web interface. The left part of the web interface contains the menu with pages for monitoring (Status), configura-tion of security rules (Network security options),SSH access administrationandCustomization

of the module. Customization block contains only the Returnitem, which switches this web interface to the interface of the router.

(7)

2. CONFIGURATION

2. Configuration

Configuration ofAdvanced Security user module is divided into two separate parts – Net-work security optionsandSSH access administration.

2.1

Network security options

Configuration form onNetwork security optionspage allows user to set a few security rules which ensure higher security of Conel routers. Their meaning is described in the table below.

Item Description

SSHD banner Disables (or enables) displaying of a banner informing unautho-rised users that their use is in fact unauthounautho-rised (they are not in the access list).

Restrict SSHD access Allows user to regulate access to the router via SSH. Only au-thorized users are accepted (specified in the access list). Restrict Telnet access Allows user to regulate access to the router via Telnet. Only

au-thorized users are accepted.

Source based routing Allows a sender of a packet to partially or completely specify the route the packet takes through the network. In contrast, in non-source routing protocols, routers in the network determine the path based on the packet’s destination.

Directed broadcast Allows user to send broadcast packets to a remote network. The moment this packet reaches its destination, it is sent as a broad-cast to all stations on that subnet. Attention, this method of op-eration can be dangerous on public network segments. There are several well-known DoS attacks, most notably the smurf and fraggle attacks, that take advantage of directed broadcasts. IP classless routing Disables (or enables) routing between domains without classes.

Classless routing allows to associate addresses in order to re-duce the amount of routing information.

ICMP messages Disables (or enables) sending error messages within the ICMP protocol (for example notification that the requested service is not available). If ICMP protocol item is disabled, ICMP mes-sagesitem is automatically disabled.

DNS broadcast By default, name queries are sent to the broadcast address 255.255.255.255. This item disables DNS name resolution if it is not needed.

(8)

2. CONFIGURATION

Continued from previous page

Item Description

ICMP protocol Disables (or enables) ICMP protocol as a whole. This means that if the ICMP protocol is disabled, theICMP messagesitem is also disabled.

Fragmentation Disables (or enables) packet fragmentation. If a packet is frag-mented, only the first fragment contains the complete header. Other fragments contain only IP addresses (for example, there is no specified protocol).

TCP establish timeout The time of waiting for establishing of TCP connection. Table 1: Description of security rules

(9)

2. CONFIGURATION

2.2

SSH access administration

For the administration of access to the router via SSH serve three items in theSSH access administrationpart of the main menu.

2.2.1 Add host to access list

The first item intended for the administration of access to the router via SSH –Add host to access list – allows user to add IP address to Access List. IP address is entered to theHost

box and added to the Access List usingAdd button. Access from IP addresses which are not listed in the Access List is automatically rejected.

(10)

2. CONFIGURATION

2.2.2 Remove host from access list

Remove host from access listitem allows user to remove particular IP address from access list (before removing this address from access list, it is possible to access to the router via SSH). IP address is entered to theHost box and removed from the Access List usingDelete

button under theHost box.

(11)

2. CONFIGURATION

2.2.3 Clear list

The last item intended for the administration of access to the router via SSH – Clear list– allows user to delete all IP addresses from the Access List. Clearing is done by pressingClear

button on the top of the window.

(12)

3. MODULE ACTIVITY MONITORING

3. Module activity monitoring

3.1

System log

In case of any problems it is possible to view the system log by pressing theSystem Log

menu item. In the window are displayed detailed reports from individual applications running in the router including possible reports relating to theAdvanced Security module.

(13)

3. MODULE ACTIVITY MONITORING

3.2

Setup log

The Advanced security setup log window displays detailed information about the current settings of this module. The data reflect the settings made in theNetwork security configura-tion form.

(14)

4. RECOMMENDED LITERATURE

4. Recommended literature

[1] Conel: Configuration manual for v2 routers [2] Conel: Configuration manual for v3 routers

Figure

Figure 1: Access to the router with Advanced Security via SSH
Table 1: Description of security rules
Figure 3: Add host to access list
Figure 4: Remove host from access list
+3

References

Download now ( PDF - 14 Page - 1.97 MB )

Related documents

Academy Mortgage Santa Fe Nm

Write a member of santa fe store hours are updated regularly, and to ssl path unless it came to buy homes in business: desert academy of santa fe.. Understands that you qualify

On the evolution of Afro-Bolivian Spanish subject-verb agreement: Variation and Change

As inter-speaker variability among these the two groups was minimal, ranging from 0% to 2% of lack of concord in the 21-40 group and from 41% to 46% in the 71+ generation, we

Prevalence and corrrelates of 12- month prescription drug misuse in Alberta

Conversely, 43.7% of all respondents who misused prescription drugs met criteria for alcohol dependence, problem gambling, and (or) had used illicit drugs in the past year..

(Un)becoming tourist-teachers: Unveiling white racial identity in cross-cultural teaching programmes

The purpose of the data collection is to describe the impact of professional experiences in a community not their own, particularly in rural and remote settings, on the development

North Atlantic and Rio Tinto Joint Venture Potash Project in Saskatchewan, Canada. Resource Summary

The summary resource report prepared by North Atlantic is based on a 43-101 Compliant Resource Report prepared by M. Holter, Consulting Professional Engineer,

Accelerating adaptive ultrasound imaging algorithms by means of general-purpose computing on graphics processing units

Haider, “Adaptive Design of a Global Opacity Transfer Function for Direct Volume Rendering of Ultrasound Data,” Visualization Conference, IEEE, p.. Orderud, “A Framework for

Oracle MultiTenant Pros and Cons

[r]

Medicine Shelf Stuff

○ If BP elevated, think primary aldosteronism, Cushing’s, renal artery stenosis, ○ If BP normal, think hypomagnesemia, severe hypoK, Bartter’s, NaHCO3,