

This chapter describes how to set up basic security on the MAX. The chapter contains:
Security profiles consist of parameters you configure to control access to the MAX. All Security profiles are located below the Security menu of the System profile in the MAX configuration interface.
00-300 Security
>00-301 Default
00-302
00-303
00-304
00-305
00-306
00-307
00-308
00-309 Full Access
All MAX units provide two special profiles:
Note: You should follow the instructions in Changing the Full Access password and Setting the Default profile for read-only access. These instructions result in two security levels, one that is totally open (Full Access) and one that is totally restrictive (Default).
If you are the only user who must configure the MAX or perform administrative tasks, you do not need to create any Security profiles in addition to the Default and Full Access profiles. However, you can define additional security levels and enable specific users to perform a subset of administrative functions. You can create up to seven additional Security profiles. For more information on these tasks, see Chapter 2, Setting Up Security Profiles.
When the MAX is shipped from the factory, all levels are set with full privileges. You must assign a name to a security profile to activate it, so you can activate only the Default and Full Access profiles initially. The default security settings of the Full Access profile enable you to configure and set up the MAX without any restrictions. Before you make the MAX generally accessible, you should protect the configured unit from unauthorized access. Proceed as follows:
- Activate the Full Access profile.
- Change the Full Access password.
- Set the Default profile for read-only access.
- Change the SNMP read-write community string.
- Assign a Telnet password.
- Require profiles for incoming connections.
- Turn off ICMP redirects.
- Specify the number of times the MAX retries a connection.
- Retrieve configuration updates from RADIUS.
You must activate the Full Access profile for your own use in performing the rest of the basic security measures. To activate the Full Access profile, proceed as follows:
- From any VT100 menu, press <Ctrl> D.
The DO menu appears. For example:
DO...
>0=Esc
P=Password
C=Close TELNET
- Press P or select P=Password.
A menu appears listing all security profiles:
Security profile...?
>00-301 Default
00-302 test
00-303
00-304
00-305
00-306
00-307
00-308
00-309 Full Access
- Select Full Access.
The MAX displays a password prompt.
- Enter the password assigned to the Full Access security profile.
If you enter the correct password, the MAX displays the message Password accepted. Using new security level.
If you enter the incorrect password, the MAX prompts you again for the password.
The Full Access Security profile is the super-user profile that enables you to configure your system, dial remote locations, reset the unit, and upgrade system software. Because this profile is intended to be totally open, all privileges are set to Yes. The default password assigned to the profile is Ascend. A user who knows the password for the Full Access profile can perform any operation on the MAX.
Change the default password as soon as possible.
To assign a password protecting the Full Access profile, proceed as follows:
- From any VT100 menu, press <Ctrl> D.
The DO menu appears. For example:
DO...
>0=Esc
P=Password
C=Close TELNET
- Press P or select P=Password.
A menu appears listing all security profiles:
Security profile...?
>00-301 Default
00-302 test
00-303
00-304
00-305
00-306
00-307
00-308
00-309 Full Access
- Select Full Access.
The MAX displays a password prompt.
- Enter the password assigned to the Full Access security profile.
If you enter the correct password, the MAX displays the message Password accepted. Using new security level.
If you enter the incorrect password, the MAX prompts you again for the password.
- Open the System > Security > Full Access profile.
- Select the Passwd parameter and press Enter to open a text field.
- Type a new password, and press Enter.
- Exit the Full Access profile, saving your changes.
The first profile in the Security menu is named Default. The password assigned to this profile is null, and the profile's name and password cannot be changed. The MAX activates this profile whenever you power on or reset the unit, and whenever a user begins a new login session.
Although the Default profile is set initially with full privileges, it is intended to be very restrictive. Every user who logs in via Telnet, the Control port, or remote management is granted the privileges specified there.
To make the Default profile appropriately restrictive, proceed as follows:
- Open the System > Security menu.
- Open the Default profile.
The first two parameters in the Default profile cannot be changed: the name is always Default and the password is always null.
- Set Operations=No.
00-301 Default
Name=Default
Passwd=
>Operations=No
Edit Security=N/A
Edit System=N/A
Edit Line=N/A
Edit All Ports=N/A
Edit Own Port=N/A
Edit All Calls=N/A
Edit Com Call=N/A
Edit Own Call=N/A
Edit Cur Call=N/A
Sys Diag=N/A
All Port Diag=N/A
Own Port Diag=N/A
Download=N/A
Upload=N/A
Field Service=N/A
All other parameters are set to N/A when Operations=No.
Users who access the MAX terminal server cannot make any changes to its configuration or perform restricted operations. For all users with the Default security level, passwords (including the null password) are hidden by the string *SECURE* in the MAX unit's user interface.
- Exit the Default profile, saving your changes.
An SNMP community string is an identifier that an SNMP manager application must specify before it can access the MIB (Management Information Base). The MAX has two community strings:
You cannot turn off SNMP write, so you must change the default read-write string in order to secure the MAX against unauthorized SNMP access. To change the read-write community string, proceed as follows:
- Open the Ethernet > Mod Config > SNMP Options menu.
- For the R/W Comm parameter, specify a text string containing up to 16 characters.
For example, you can specify this setting:
R/W Comm=unique-string
- Close the SNMP Options menu, saving your changes.
Until you assign a Telnet password, any local user who knows the MAX unit's IP address can start a Telnet session with the MAX. When you assign a password, all users requesting incoming Telnet sessions, whether locally or from across the WAN, must enter the password.
To assign a Telnet password, proceed as follows:
- Open the Ethernet > Mod Config > Ether Options menu.
- For the Telnet PW parameter, specify a password containing up to 20 characters.
For example, you might enter this setting:
Telnet PW=telnet-pwd
- Close the Ether Options menu, saving your changes.
You can use the MAX unit's Answer profile to build connections that do not require a name and password. Although some sites allow such connections, most sites impose much tighter restrictions. You should strongly consider limiting incoming connections to those that have a configured Connection profile, Password profile, or RADIUS user profile.
Chapter 3, Setting Up User Authentication, describes the types of authentication you can configure for incoming connections. At the most basic level, however, you can configure the MAX to reject all incoming connections for which it finds no matching profile.
To require configured profiles for all incoming connections, proceed as follows:
- Open the Ethernet > Answer menu.
- To specify that a matching profile is required for incoming calls, set Profile Reqd=Yes.
Note: If you configure the MAX to support AppleTalk Remote Access (ARA) connections, setting Profile Reqd=Yes disables Guest access to your network.
- Exit the Answer profile, saving your changes.
ICMP enables a unit to find the most efficient IP route to a destination. ICMP Redirect packets are one of the oldest route discovery methods on the Internet and one of the least secure; it is possible to counterfeit ICMP Redirects and change the way a device routes packets. If the MAX is routing IP, we recommend that you turn off ICMP redirects.
To configure the MAX to ignore ICMP redirect packets, proceed as follows:
- Open the Ethernet > Mod Config menu.
- Set ICMP Redirects=Ignore.
- Save your changes.
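The settings described up to this point can be checked together. The following Python script is an added example, not Ascend code: it audits a settings dump against this chapter's baseline and treats any absent setting as a failure. The [Section] / Key=Value dump format, the function names, and the list of guessable community strings are assumptions made for illustration.

```python
# Added example: the "[Section]" / "Key=Value" dump format is constructed for
# illustration; it is not an Ascend export format.
FACTORY_FULL_ACCESS_PW = "Ascend"  # default password stated in this chapter
HIDDEN = "*SECURE*"  # shown instead of passwords at the Default security level
GUESSABLE = {"", "public", "private", "write"}  # assumption: commonly guessed strings

SAMPLE_DUMP = """\
[Default]
Operations=Yes
[Full Access]
Passwd=Ascend
[SNMP Options]
R/W Comm=write
[Ether Options]
Telnet PW=
[Answer]
Profile Reqd=No
[Mod Config]
ICMP Redirects=Accept
"""  # constructed sample of an unhardened unit

def parse_dump(text):
    """Parse section headers and Key=Value lines into {section: {key: value}}."""
    settings, section = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            section = settings.setdefault(line[1:-1], {})
        elif "=" in line and section is not None:
            key, _, value = line.partition("=")
            section[key.strip()] = value.strip()
    return settings

def audit(settings):
    """Return a list of findings; settings that are absent count as failures."""
    def get(section, key):
        return settings.get(section, {}).get(key) or ""
    full_pw = get("Full Access", "Passwd")
    checks = [
        (get("Default", "Operations") == "No", "Default: set Operations=No"),
        (full_pw not in ("", FACTORY_FULL_ACCESS_PW, HIDDEN),
         "Full Access: password is empty, factory default, or hidden"),
        (get("SNMP Options", "R/W Comm").lower() not in GUESSABLE,
         "SNMP Options: set a unique R/W Comm string"),
        (get("Ether Options", "Telnet PW") != "", "Ether Options: assign a Telnet PW"),
        (get("Answer", "Profile Reqd") == "Yes", "Answer: set Profile Reqd=Yes"),
        (get("Mod Config", "ICMP Redirects") == "Ignore",
         "Mod Config: set ICMP Redirects=Ignore"),
    ]
    return [message for ok, message in checks if not ok]

if __name__ == "__main__":
    for finding in audit(parse_dump(SAMPLE_DUMP)):
        print("FAIL", finding)
```

A password that appears as *SECURE* is reported as a finding because it cannot be verified from that view; take the dump while the Full Access profile is active.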
When an Ascend unit attempts to make a connection and the attempt fails, the MAX continues to attempt to complete the connection. The number of retry attempts allowed without using call blocking is very large; successive retries can cause excessive charges, congestion, and performance problems. With call blocking, you can specify the number of unsuccessful attempts to place a call that a MAX makes before blocking further attempts to make that connection. After the specified number of attempts have been made and failed, the blocking timer starts. The MAX continues to block further calls for the length of time you specify.
To configure call blocking, proceed as follows:
- Open the Ethernet > Connections > Any Connection profile > Session options menu.
- Set Block calls after to the number of retry attempts the MAX allows when placing a call.
- Set Blocked duration to the length of time the MAX continues to block calls.
Note: Call blocking applies only to outgoing calls that are not answered by the far end. It does not apply to incoming calls or outgoing calls that connect and are immediately disconnected.
When you power up the MAX, it can retrieve a potentially large quantity of configuration information from the RADIUS server. Some of the data on the RADIUS server can change during operation. You can direct the MAX to retrieve this information in one of two ways:

techpubs@eng.ascend.com
Copyright © 1998, Ascend Communications, Inc. All rights reserved.