Avaya Port Matrix: Avaya Diagnostic Server 2.5




Avaya Port Matrix: Avaya Diagnostic Server 2.5, Issue 1.1, March 2015

ALL INFORMATION IS BELIEVED TO BE CORRECT AT THE TIME OF PUBLICATION AND IS PROVIDED "AS IS". AVAYA INC. DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE AND FURTHERMORE, AVAYA INC. MAKES NO REPRESENTATIONS OR WARRANTIES THAT THE INFORMATION PROVIDED HEREIN WILL ELIMINATE SECURITY THREATS TO CUSTOMERS' SYSTEMS. AVAYA INC., ITS RELATED COMPANIES, DIRECTORS, EMPLOYEES, REPRESENTATIVES, SUPPLIERS OR AGENTS MAY NOT, UNDER ANY CIRCUMSTANCES BE HELD LIABLE FOR ANY DIRECT, INDIRECT, SPECIAL, PUNITIVE, EXEMPLARY, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OF THE INFORMATION PROVIDED HEREIN. THIS INCLUDES, BUT IS NOT LIMITED TO, THE LOSS OF DATA OR LOSS OF PROFIT, EVEN IF AVAYA WAS ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. YOUR USE OF THIS INFORMATION CONSTITUTES ACCEPTANCE OF THESE TERMS.

For the most current versions of this document, see the Avaya Support Web site: http://support.avaya.com.

© 2015 Avaya Inc. All Rights Reserved. All trademarks identified by ® or ™ are registered trademarks or trademarks, respectively, of Avaya Inc. All other trademarks are the property of their respective owners.

1. Avaya Diagnostic Server Components

Data flows and their sockets are owned and directed by an application. Avaya Diagnostic Server 2.5 running on RHEL 5.X or 6.X has many applications, such as Gateway User Interface, SAL Agent, Remote Access Agent, etc. For all applications, sockets are created on the network interfaces on the host machine. The information on sockets and port usage by Avaya Diagnostic Server given here should be used for configuring the local firewall (iptables) on the same host machine. Additionally, this information can help configure a firewall external to the host machine. Application components in the Avaya Diagnostic Server are listed as follows.

Component | Interface | Description
--- | --- | ---
Remote Access Agent | Eth0 (public IP) | Remote Access Agent is used to establish the remote connectivity to the customer devices.
Gateway User Interface (GWUI) | Eth0 (public IP) | Gateway User Interface is the management interface for configuring SAL Gateway.
SAL Agent | Eth0 (public IP) | SAL Agent is used for alarming, inventory and on-boarding of customer devices.
Net-SNMP Master Agent | Eth0 (public IP) | It is an optional component and owned by the customer. It is required if the customer wants to run SNMP GET queries against SAL Gateway.
SLAMon User Interface | Eth0 (public IP) | SLAMon User Interface is the management interface for configuring SLAMon server.
SLAMon server | Eth0 (public IP) | SLAMon server is used to run QOS tests and also for troubleshooting issues between networks/endpoints.

2. Port Usage Diagram

(The port usage diagram itself is not reproduced in this text transcription; only its notes follow.)

*Note: The only port that needs to be opened in the corporate firewall to the internet for Avaya Diagnostic Server is 443. In the case of connecting to Avaya support infrastructure, the port SHOULD NOT be re-configured unless otherwise advised by Avaya support. If connecting to a Business Partner support infrastructure, this port can be re-configured per the BP's requirement.

The SSH port 22 for a Device may vary depending upon the device being supported, but normally is 22. Avaya Diagnostic Server also supports, as needed by the products, other standard protocols for remote connectivity, e.g. HTTP, Telnet, etc. The ports for these access methods depend upon the individual product. Please consult the individual product documentation to get the complete list of remote connectivity ports supported by the product.

3. Port Usage Tables

3.1 Port Usage Table Heading Definitions

Ingress Connections (In): Connection requests that are initiated from external devices to open ports in Avaya Diagnostic Server. From the point of view of Avaya Diagnostic Server, the connection request is coming In. (Note that in most cases, traffic will flow in both directions.)

Egress Connections (Out): Connection requests that are initiated from Avaya Diagnostic Server to known ports on a remote device. From the point of view of Avaya Diagnostic Server, the connection request is going Out. (Note that in most cases, traffic will flow in both directions.)

Intra-Host Connections: Connection requests that both originate and terminate in Avaya Diagnostic Server. These would be handled on the loopback interface. These ports need not be configured on any firewall, but may show up on a port scan of Avaya Diagnostic Server.

Destination Port: The default layer-4 port number to which the connection request is sent. Valid values are 0 to 65535. A (C) next to the port number means that the port number is configurable. Refer to the Notes section after each table for specifics on valid port ranges.

Network/Application Protocol: The name associated with the layer-4 protocol and the layer-5-7 application.

Optionally Enabled / Disabled: Indicates whether customers can enable or disable a layer-4 port, changing its default port setting. Valid values are Yes or No. No means the default port state cannot be changed (i.e. enabled or disabled). Yes means the default port state can be changed and that the port can be either enabled or disabled.

State: A port is either open, closed, filtered or N/A. Open ports will respond to queries. Closed ports may or may not respond to queries and are only listed when they can be optionally enabled. Filtered ports can be open or closed; filtered UDP ports will not respond to queries, while filtered TCP ports will respond to queries but will not allow connectivity. N/A is used for the egress default port state since these are not listening ports in Avaya Diagnostic Server.

External Device: The remote device that is initiating a connection request (Ingress Connections) or receiving a connection request (Egress Connections).

3.2 Tables

The following tables document the port usage for SAL Gateway and SLAMon Server.

Table 1. Ports for SAL Gateway (eth0)

INGRESS CONNECTIONS (CUSTOMER DEVICES TO SAL GATEWAY)

No. | Destination Port (Configurable Range) | Network / Application Protocol | Optionally Enabled / Disabled? | State | External Device | Description | Notes
--- | --- | --- | --- | --- | --- | --- | ---
1 | 22 | TCP/SSH | No | Open | Admin terminal or SAL Gateway | System mgmt requiring shell access. Secure Access Link Gateway User Interface uses this port for username/password authentication. |
2 | 161 | UDP/SNMP | Yes | Closed | Admin terminal or NMS | SNMP queries to Secure Access Link Gateway. |
3 | 162 | UDP/SNMP | No | Open | Customer devices | SAL Gateway listens for SNMP Traps from devices for the purpose of alarming. | 1
4 | 7443 | TCP/HTTPS | No | Open | Admin terminal | This port is used for accessing SAL Gateway User Interface via Browser. |
5 | 5107 | TCP/IPINADS | Yes | Open | Customer devices | SAL Gateway listens for IPINADS Traps from devices for the purpose of alarming. | 1, 6
6 | 5108 | TCP/IPINADS CMS | Yes | Open | Customer devices | SAL Gateway listens for IPINADS CMS Traps from devices for the purpose of alarming. | 1, 6

INGRESS CONNECTIONS (INTERNET TO SAL GATEWAY)

N.A.

EGRESS CONNECTIONS (SAL GATEWAY TO CUSTOMER DEVICES)

No. | Destination Port (Configurable Range) | Network / Application Protocol | Optionally Enabled / Disabled? | State | External Device | Description | Notes
--- | --- | --- | --- | --- | --- | --- | ---
1 | 162 (1-65535) | UDP/SNMP | No | N/A | NMS | SNMP traps from Secure Access Link Gateway. | 2
2 | 443 (1-65535) | TCP/HTTPS | No | N/A | Policy Server or customer device | Policy Server is an optional component. If configured, Remote Access Agent connects to it for policy control. Remote Access Agent can also connect to the devices over this port for providing remote access to the device. |
3 | 22 | TCP/SSH | Yes | N/A | Customer device | SAL Gateway will connect to external devices using SSH over port 22 for remote connectivity. | 1, 4, 5
4 | 23 | TCP/Telnet | Yes | N/A | Customer device | SAL Gateway will connect to external devices using Telnet over port 23 for remote connectivity. | 1
5 | 3389 (1-65535) | TCP/RDP | Yes | N/A | Customer device | SAL Gateway will connect to external devices using RDP (Remote Desktop Protocol) over port 3389 for remote connectivity. | 1
6 | 123 | UDP/NTP | Yes | N/A | NTP Server | NTP: Network Time Protocol. This is used for connecting to an NTP Server for synchronizing the system clock. This port is NOT opened by SAL Gateway. Avaya highly recommends that the host machine should have NTP configured and running. The NTP client on the host will connect to the time server on this port. |
7 | 25 | TCP/SMTP | Yes | N/A | SMTP Server | SMTP: Simple Mail Transfer Protocol. It's optional and is used by SAL Gateway for sending e-mails to administrators if configured. |
8 | 8000 (1-65535) | HTTP | Yes | N/A | Internet Proxy Server | A customer may have an optional internet proxy server for all the outgoing internet connections. In this case SAL Gateway will go through the proxy server for any outgoing connections. Usually the proxy server is configured with port 8000 but may vary based on the particular proxy. |
9 | 162 | UDP/SNMP | No | Open | Customer device | SAL Gateway sends an ACK using this port to the external devices sending SNMP alarm to the Gateway. | 1
10 | 5107 | TCP/IPINADS | Yes | Open | Customer device | SAL Gateway sends an ACK using this port to the external devices sending IP INADS alarm to the Gateway. |
11 | 5108 | TCP/IPINADS CMS | Yes | Open | Customer device | SAL Gateway sends an ACK using this port to the external devices sending IP INADS CMS alarm to the Gateway. |

EGRESS CONNECTIONS (SAL GATEWAY TO INTERNET)

No. | Destination Port (Configurable Range) | Network / Application Protocol | Optionally Enabled / Disabled? | State | External Device | Description | Notes
--- | --- | --- | --- | --- | --- | --- | ---
1 | 443 (1-65535) | TCP/HTTPS | No | N/A | SAL Support Infrastructure | Consists of Remote and Core Servers for providing remote access and alarming. | 1, 3

INTRA-HOST CONNECTIONS

No. | Destination Port (Configurable Range) | Network / Application Protocol | Optionally Enabled / Disabled? | State | External Device | Description | Notes
--- | --- | --- | --- | --- | --- | --- | ---
1 | 705 | TCP/Agent-X | Yes | Closed | N/A | It is a port opened by Net-SNMP Master Agent. It is NOT opened by SAL Gateway but is used by SAL SNMP Sub Agent to connect to the Net-SNMP Master Agent if one is running. This port is NOT required to, and should NOT be, accessible over the LAN outside the host. | 1

Table 2. Ports for SLAMon Server (eth0)

INGRESS CONNECTIONS

No. | Destination Port (Configurable Range) | Network / Application Protocol | Optionally Enabled / Disabled? | State | External Device | Description | Notes
--- | --- | --- | --- | --- | --- | --- | ---
1 | 50009 | UDP | No | Open | SLAMon Agent | Used for event monitoring |
2 | 50010 | UDP | No | Open | SLAMon Agent | Used for packet sniffing |
3 | 50011 | TCP/UDP | No | Open | SLAMon Agent | Used for exchanging data between SLAMon server & agents |
4 | 4511 | TCP | No | Open | SLAMon UI | Used for accessing SLAMon UI |
5 | 52233 | TCP | No | Open | WebLM | Used for WebLM licensing |

EGRESS CONNECTIONS

No. | Destination Port (Configurable Range) | Network / Application Protocol | Optionally Enabled / Disabled? | State | External Device | Description | Notes
--- | --- | --- | --- | --- | --- | --- | ---
1 | 50009 | UDP | No | Open | SLAMon Agent | Used for event monitoring |
2 | 50010 | UDP | No | Open | SLAMon Agent | Used for packet sniffing |
3 | 50011 | TCP/UDP | No | Open | SLAMon Agent | Used for exchanging data between SLAMon server & agents |

NOTES:

1. This interface is system-to-system only.
2. The SNMP port to which traps are sent is configurable to any valid port number (1-65535), but will usually be port 162.
3. 443 is the only port that needs to be opened in the firewall for internet connections from SAL Gateway. This is the case when connecting to Avaya support infrastructure. The port SHOULD NOT be re-configured unless otherwise advised by Avaya support. If connecting to a Business Partner support infrastructure, this port can be reconfigured per the BP's requirement.
4. The SSH port 22 for a Device may vary depending upon the device being supported, but normally is 22.
5. SAL Gateway 2.2 can be configured to use SFTP (Secure File Transfer Protocol) on port 22 for its backup-restore feature.
6. SAL Gateway listens on these ports for IPINADS and IPINADS CMS, which are alarming protocols from legacy products.

3.3 Table Changes

Table 2. Changes From Avaya Diagnostic Server 2.0 to 2.5

No. | Destination Port (Interface) | Network / Application Protocol | Optionally Enabled / Disabled? | State | External Device | Description | Notes
--- | --- | --- | --- | --- | --- | --- | ---
PORTS ADDED: NA
PORTS REMOVED: NA
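The heading definitions in 3.1 and the SAL Gateway rows in Table 1 map directly onto the local host firewall (iptables) that section 1 says this information is meant to configure. The following Python script is an added example, not Avaya code: it encodes rows transcribed from Table 1 as data, emits iptables commands that implement them with default-deny chains (the intra-host AgentX port confined to loopback, the optional SNMP query port left closed unless enabled), and compares a constructed list of observed listening sockets against the matrix so that anything the document does not account for stands out. The interface name eth0 comes from the tables; the PortRow fields, the function names and the classic `-m state` match syntax are assumptions of this example.

```python
"""Turn port-matrix rows into host-firewall rules and check a host against them.

Added example, not Avaya code. Rows are transcribed from Table 1 of this
document; the interface name eth0 comes from the tables. The iptables
syntax assumes the classic "-m state" match available on the RHEL
releases the document names.
"""
from dataclasses import dataclass
from typing import Iterable, List, Set, Tuple


@dataclass(frozen=True)
class PortRow:
    direction: str   # "in" (ingress), "out" (egress) or "intra" (intra-host)
    port: int        # default destination port from the matrix
    proto: str       # "tcp" or "udp"
    state: str       # matrix State column: "open", "closed" or "n/a"
    enabled: bool    # for optional rows, whether the feature is turned on
    description: str


# Transcribed from Table 1 (SAL Gateway, eth0). SNMP 161 is optional and
# closed by default, so it is recorded with enabled=False.
SAL_GATEWAY_ROWS: List[PortRow] = [
    PortRow("in", 22, "tcp", "open", True, "SSH: system management"),
    PortRow("in", 161, "udp", "closed", False, "SNMP queries (optional)"),
    PortRow("in", 162, "udp", "open", True, "SNMP traps from devices"),
    PortRow("in", 7443, "tcp", "open", True, "SAL Gateway UI over HTTPS"),
    PortRow("in", 5107, "tcp", "open", True, "IPINADS traps"),
    PortRow("in", 5108, "tcp", "open", True, "IPINADS CMS traps"),
    PortRow("out", 443, "tcp", "n/a", True, "HTTPS to SAL support infrastructure"),
    PortRow("out", 22, "tcp", "n/a", True, "SSH to customer devices"),
    PortRow("out", 162, "udp", "n/a", True, "SNMP trap ACK to devices"),
    PortRow("intra", 705, "tcp", "closed", True, "Net-SNMP AgentX, loopback only"),
]


def iptables_rules(rows: Iterable[PortRow], iface: str = "eth0") -> List[str]:
    """Return iptables commands implementing the matrix with default-deny chains."""
    rules = [
        "iptables -P INPUT DROP",
        "iptables -P FORWARD DROP",
        "iptables -P OUTPUT DROP",
        # Intra-host connections stay on the loopback interface.
        "iptables -A INPUT -i lo -j ACCEPT",
        "iptables -A OUTPUT -o lo -j ACCEPT",
        # Replies to already-tracked connections are allowed in both directions,
        # so each flow needs only one rule for its initiating direction.
        "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT",
        "iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT",
    ]
    for r in rows:
        if r.direction == "in" and r.enabled:
            rules.append(f"iptables -A INPUT -i {iface} -p {r.proto} --dport {r.port} -j ACCEPT")
        elif r.direction == "out" and r.enabled:
            rules.append(f"iptables -A OUTPUT -o {iface} -p {r.proto} --dport {r.port} -j ACCEPT")
        elif r.direction == "intra":
            # The matrix says this port must not be reachable over the LAN: drop it
            # explicitly on the external interface (the loopback rule above still
            # lets local processes reach it).
            rules.append(f"iptables -A INPUT -i {iface} -p {r.proto} --dport {r.port} -j DROP")
    return rules


def expected_listeners(rows: Iterable[PortRow]) -> Set[Tuple[str, int]]:
    """(proto, port) pairs the matrix allows to be listening on the host.
    Intra-host ports count too: the document notes they may show up on a port scan."""
    return {(r.proto, r.port) for r in rows if r.direction in ("in", "intra") and r.enabled}


def unexpected_listeners(observed: Iterable[Tuple[str, int]],
                         rows: Iterable[PortRow]) -> List[Tuple[str, int]]:
    """Listening sockets seen on the host that the matrix does not account for."""
    return sorted(set(observed) - expected_listeners(list(rows)))


if __name__ == "__main__":
    for rule in iptables_rules(SAL_GATEWAY_ROWS):
        print(rule)
    # Constructed sample of what a listener inventory (e.g. "ss -lntu") might show.
    seen = {("tcp", 22), ("tcp", 7443), ("tcp", 705), ("udp", 162), ("tcp", 8080)}
    print("unexpected:", unexpected_listeners(seen, SAL_GATEWAY_ROWS))
```

Rule order matters: iptables evaluates a chain top to bottom, so the loopback and ESTABLISHED,RELATED rules come first and the per-port ACCEPT rules follow. Under a DROP policy the explicit DROP for the AgentX port on eth0 is redundant, but it records the intent the matrix states in case the policy is later relaxed. The listener comparison is the check to repeat after upgrades: a socket that is listening but absent from the matrix (here the constructed tcp/8080) is either an undocumented service or something that does not belong on the host.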

4. SAL Facing IP/FQDN Mapping

SAL RA

Sr. No. | FQDN | IP | Port
--- | --- | --- | ---
1 | remote.sal.avaya.com | 135.11.107.20 | 443
2 | sl1.sal.avaya.com | 198.152.212.33 | 443
3 | sas1.sal.avaya.com | 135.11.105.105 | 443
4 | sas2.sal.avaya.com | 135.11.105.106 | 443
5 | sas3.sal.avaya.com | 135.11.105.107 | 443
6 | sas4.sal.avaya.com | 135.11.105.109 | 443
7 | gas3.sal.avaya.com | 198.152.212.29 | 443
8 | gas4.sal.avaya.com | 198.152.212.30 | 443
9 | sas21.sal.avaya.com | 135.10.203.5 | 443
10 | sas22.sal.avaya.com | 135.10.203.6 | 443
11 | sas31.sal.avaya.com | 198.152.76.5 | 443
12 | sas32.sal.avaya.com | 198.152.76.6 | 443

SAL Alarming

Sr. No. | FQDN | IP | Port
--- | --- | --- | ---
1 | alarming.esp.avaya.com | 198.152.220.252 | 443
2 | secure.alarming.avaya.com | 198.152.220.247 | 443
3 | vahana.sal.avaya.com | 198.152.220.245 | 443

Appendix A: Overview of TCP/IP Ports

What are ports and how are they used?

TCP and UDP use ports (defined at http://www.iana.org/assignments/port-numbers) to route traffic arriving at a particular IP device to the correct upper layer application. These ports are logical descriptors (numbers) that help devices multiplex and de-multiplex information streams. Consider your desktop PC. Multiple applications may be simultaneously receiving information. In this example, email may use destination TCP port 25, a browser may use destination TCP port 80 and a telnet session may use destination TCP port 23. These logical ports allow the PC to demultiplex a single incoming serial data packet stream into three mini-streams inside the PC. Furthermore, each of the mini-streams is directed to the correct high-level application because the port numbers identify which application each data mini-stream belongs to.

Every IP device has incoming (Ingress) and outgoing (Egress) data streams. Ports are used in TCP and UDP to name the ends of logical connections which carry data flows. TCP and UDP streams have an IP address and port number for both source and destination IP devices. The pairing of an IP address and a port number is called a socket (discussed later). Therefore, each data stream is uniquely identified with two sockets. Source and destination sockets must be known by the source before a data stream can be sent to the destination. Some destination ports are open to receive data streams and are called listening ports. Listening ports actively wait for a source (client) to make contact with a destination (server) using a specific port that has a known protocol associated with that port number. HTTPS, as an example, is assigned port number 443. When a destination IP device is contacted by a source device using port 443, the destination uses the HTTPS protocol for that data stream conversation.

Port Type Ranges

Port numbers are divided into three ranges: Well Known Ports, Registered Ports, and Dynamic Ports (sometimes called Private Ports).
- Well Known Ports are those numbered from 0 through 1023.
- Registered Ports are those numbered from 1024 through 49151.
- Dynamic Ports are those numbered from 49152 through 65535.
The Well Known and Registered ports are assigned by IANA (Internet Assigned Numbers Authority) and are found here: http://www.iana.org/assignments/port-numbers.

Well Known Ports

For the purpose of providing services to unknown clients, a service listen port is defined. This port is used by the server process as its listen port. Common services often use listen ports in the well known port range. A well known port is normally active, meaning that it is listening for any traffic destined for a specific application. For example, well known port 23 on a server is actively waiting for a data source to contact the server IP address using this port number to establish a Telnet session. Well known port 25 is waiting for an email session, etc. These ports are tied to a well understood application and range from 0 to 1023. In UNIX and Linux operating systems, only root may open or close a well-known port. Well Known Ports are also commonly referred to as privileged ports.

Registered Ports

Unlike well known ports, these ports are not restricted to the root user. Less common services register ports in this range. Avaya uses ports in this range for call control. Some, but not all, ports used by Avaya in this range include: 1719/1720 for H.323, 5060/5061 for SIP, 2944 for H.248 and others. The registered port range is 1024 to 49151. Even though a port is registered with an application name, industry often uses these ports for different applications. Conflicts can occur in an enterprise when a port with one meaning is used by two servers with different meanings.

Dynamic Ports

Dynamic ports, sometimes called private ports, are available to use for any general purpose. This means there are no meanings associated with these ports (similar to RFC 1918 IP Address Usage). These are the safest ports to use because no application types are linked to these ports. The dynamic port range is 49152 to 65535.

Sockets

A socket is the pairing of an IP address with a port number. An example would be 192.168.5.17:3009, where 3009 is the socket number associated with the IP address. A data flow, or conversation, requires two sockets, one at the source device and one at the destination device. The data flow then has two sockets with a total of four logical elements. Each data flow must be unique. If one of the four elements is unique, the data flow is unique. The following three data flows are uniquely identified by socket number and/or IP address.

Data Flow 1: 172.16.16.14:1234-10.1.2.3:2345
Data Flow 2: 172.16.16.14:1235-10.1.2.3:2345
Data Flow 3: 172.16.16.14:1234-10.1.2.4:2345

Data flow 1 has two different port numbers and two different IP addresses and is a valid and typical socket pair. Data flow 2 has the same IP addresses and the same port number on the second IP address as data flow 1, but since the port number on the first socket differs, the data flow is unique. Therefore, if one IP address octet changes, or one port number changes, the data flow is unique. Figure 1, below, is an example showing ingress and egress data flows from a PC to a web server.

Figure 1. Socket Example (diagram reproduced as text)
  Client -> Web Server (HTTP GET): Source 192.168.1.10:1369, Destination 10.10.10.47:80
  Web Server -> Client (TCP info): Source 10.10.10.47:80, Destination 192.168.1.10:1369

Notice the connection is egress from the client. For the server, the same connection is ingress. The TCP/IP packet in the connection request has the client's IP as the source IP and source port as 1369. In the same packet, the destination IP is that of the server and the destination port is 80. In the response from the server, the TCP/IP packet has source and destination information reversed. Although request and response are different TCP/IP packets and their direction is opposite to each other, they are part of the same TCP connection, seen as egress by the client and ingress by the server.

Understanding Firewall Types and Policy Creation

Firewall Types

There are three basic firewall types:
- Packet Filtering
- Application Level Gateways (Proxy Servers)
- Hybrid (Stateful Inspection)

Packet Filtering is the most basic form of firewall. Each packet that arrives at or leaves the network has its header fields examined against criteria to either drop the packet or let it through. Routers configured with Access Control Lists (ACLs) use packet filtering. An example of packet filtering is preventing any source device on the Engineering subnet from telnetting into any device in the Accounting subnet.

Application level gateways (ALGs) act as a proxy, preventing a direct connection between the foreign device and the internal destination device. ALGs filter each individual packet rather than blindly copying bytes. ALGs can also send alerts via email, alarms or other methods and keep log files to track significant events.

Hybrid firewalls are dynamic systems, tracking each connection traversing all interfaces of the firewall and making sure they are valid. In addition to looking at headers, the content of the packet, up through the application layer, is examined. A stateful inspection firewall also monitors the state of the connection and compiles the information in a state table. Stateful inspection firewalls close off ports until the connection to the specific port is requested. This is an enhancement to security against port scanning [1].

Firewall Policies

The goals of firewall policies are to monitor, authorize and log data flows and events. They also restrict access using IP addresses, port numbers and application types and sub-types. This paper is focused on identifying the port numbers used by Avaya products so that effective firewall policies can be created without disrupting business communications or opening unnecessary access into the network.

Knowing that the source column in the above matrices is the socket initiator is key in building some types of firewall policies. Some firewalls can be configured to automatically create a return path through the firewall if the initiating source is allowed through. This option removes the need to enter two firewall rules, one for each stream direction, but can also raise security concerns. Another feature of some firewalls is to create an umbrella policy that allows access for many independent data flows using a common higher layer attribute. Finally, many firewall policies can be avoided by placing endpoints and the servers that serve those endpoints in the same firewall zone.

[1] Port scanning: the act of systematically scanning a computer's ports. Since a port is a place where information goes into and out of a computer, port scanning identifies open doors to a computer. Port scanning has legitimate uses in managing networks, but port scanning also can be malicious in nature if someone is looking for a weakened access point to break into your computer.
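As an added example (not from the Avaya document), the following Python code models the Appendix A socket discussion together with the stateful-inspection and automatic return-path behaviour described under Firewall Types and Firewall Policies. It classifies a port into the three IANA ranges using the boundaries given above, parses socket pairs written in the `ip:port-ip:port` form of the three data flows, derives a direction-independent flow key so that the Figure 1 request and reply resolve to the same TCP connection, and runs a toy stateful filter that admits a new connection only where a policy allows the initiating direction and then accepts the return path automatically. The policy entries, the sample packets and the class and function names are constructed for illustration.

```python
"""Sockets, flow identity and stateful return-path handling.

Added example, not from the Avaya document. Policy entries, packets and
class names are constructed for illustration.
"""
from typing import NamedTuple, Set, Tuple


def port_range(port: int) -> str:
    """Name the IANA range a port falls in, using the boundaries given in Appendix A."""
    if not 0 <= port <= 65535:
        raise ValueError(f"invalid port number: {port}")
    if port <= 1023:
        return "well-known"
    if port <= 49151:
        return "registered"
    return "dynamic"


class Packet(NamedTuple):
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


def parse_socket(text: str) -> Tuple[str, int]:
    """'192.168.5.17:3009' -> ('192.168.5.17', 3009)."""
    ip, sep, port = text.rpartition(":")
    if not sep or not ip or not port.isdigit():
        raise ValueError(f"bad socket: {text!r}")
    return ip, int(port)


def flow_from_text(text: str, proto: str = "tcp") -> Packet:
    """Parse the 'src_ip:port-dst_ip:port' notation used for the data-flow examples."""
    src, sep, dst = text.partition("-")
    if not sep:
        raise ValueError(f"bad flow: {text!r}")
    (sip, sport), (dip, dport) = parse_socket(src), parse_socket(dst)
    return Packet(proto, sip, sport, dip, dport)


def flow_key(pkt: Packet) -> tuple:
    """Direction-independent identity of a data flow: a request and its reply carry
    the same two sockets swapped, so sorting the sockets yields one key for both."""
    ends = sorted([(pkt.src_ip, pkt.src_port), (pkt.dst_ip, pkt.dst_port)])
    return (pkt.proto, ends[0], ends[1])


class StatefulFilter:
    """Toy stateful inspection: a connection is admitted only if policy allows its
    initiating direction; once it is in the state table, its reply packets are
    accepted automatically, so no second rule for the return path is needed."""

    def __init__(self, allowed_new: Set[Tuple[str, str, int]]):
        # Policy: (proto, destination ip, destination port) a new connection may open.
        self.allowed_new = allowed_new
        self.state: Set[tuple] = set()

    def decide(self, pkt: Packet) -> str:
        key = flow_key(pkt)
        if key in self.state:
            return "ACCEPT (established)"
        if (pkt.proto, pkt.dst_ip, pkt.dst_port) in self.allowed_new:
            self.state.add(key)
            return "ACCEPT (new)"
        return "DROP"


if __name__ == "__main__":
    # Figure 1: the client's HTTP GET and the server's reply, as constructed packets.
    request = Packet("tcp", "192.168.1.10", 1369, "10.10.10.47", 80)
    reply = Packet("tcp", "10.10.10.47", 80, "192.168.1.10", 1369)
    fw = StatefulFilter({("tcp", "10.10.10.47", 80)})
    for p in (reply, request, reply):
        print(p, "->", fw.decide(p))
```

Two points the code makes concrete: the three data flows above produce three distinct keys even though they share most of their four elements, and a server-to-client packet arriving before any client request is dropped while the same packet after the request is accepted as established. That second property is what lets a stateful firewall close off ports until a connection is requested; the cost the text mentions (the automatic return path "can also raise security concerns") is visible here too, since anything that lands in the state table is trusted for the life of the entry.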