Getting Started: Basic Security Measures
This chapter describes how to set up basic security on the MAX. The chapter contains:
Introducing Security profiles
Security profiles consist of parameters you configure to control access to the MAX. All Security profiles are located below the Security menu of the System profile in the MAX configuration interface.
All MAX units provide two special profiles. The Security menu lists them as follows:

00-300 Security
>00-301 Default
00-302
00-303
00-304
00-305
00-306
00-307
00-308
00-309 Full Access
Full Access
Provides full access to the MAX. It is the super-user profile that enables you to configure your system, dial remote locations, reset the unit, and upgrade system software. The default password assigned to this profile is Ascend. To maintain security, you should change the Full Access password from its default value. For details, see Changing the Full Access password.
Default
The MAX assigns the Default profile to every user who logs in via Telnet, the Control port, and remote management. The MAX activates the Default profile whenever the MAX powers on or resets. The privileges set in the Default profile are available to all users. You cannot change the name of the Default profile or assign a password to it. However, you can change its settings to make the profile more restrictive. For details, see Setting the Default profile for read-only access.
If you are the only user who must configure the MAX or perform administrative tasks, you do not need to create any Security profiles in addition to the Default and Full Access profiles. However, you can define additional security levels and enable specific users to perform a subset of administrative functions. You can create up to seven additional Security profiles. For more information on these tasks, see Chapter 2, Setting Up Security Profiles.
Understanding basic security measures
When the MAX is shipped from the factory, all levels are set with full privileges. You must assign a name to a security profile to activate it, so you can activate only the Default and Full Access profiles initially. The default security settings of the Full Access profile enable you to configure and set up the MAX without any restrictions. Before you make the MAX generally accessible, you should protect the configured unit from unauthorized access. Proceed as follows:
Activating the Full Access profile
You must activate the Full Access profile for your own use in performing the rest of the basic security measures. To activate the Full Access profile, proceed as follows:
The DO menu appears. For example:
DO...
>0=Esc
P=Password
C=Close TELNET
A menu appears listing all security profiles:
>00-301 Default
00-302 test
00-303
00-304
00-305
00-306
00-307
00-308
00-309 Full Access
The MAX displays a password prompt.
Changing the Full Access password
The Full Access Security profile is the super-user profile that enables you to configure your system, dial remote locations, reset the unit, and upgrade system software. Because this profile is intended to be totally open, all privileges are set to Yes. The default password assigned to the profile is Ascend. A user who knows the password for the Full Access profile can perform any operation on the MAX.
The DO menu appears. For example:
DO...
>0=Esc
P=Password
C=Close TELNET
A menu appears listing all security profiles:
>00-301 Default
00-302 test
00-303
00-304
00-305
00-306
00-307
00-308
00-309 Full Access
The MAX displays a password prompt.
If you enter the correct password, the MAX displays the message
Password accepted. Using new security level.
If you enter the incorrect password, the MAX prompts you again for the password.
Setting the Default profile for read-only access
The first profile in the Security menu is named Default. The password assigned to this profile is null, and the profile's name and password cannot be changed. The MAX activates this profile whenever you power on or reset the unit, and whenever a user begins a new login session.
The first two parameters in the Default profile cannot be changed: the name is always Default and the password is always null. All other parameters are set to N/A when Operations=No. The profile then looks like this:

00-301 Default
Name=Default
Passwd=
>Operations=No
Edit Security=N/A
Edit System=N/A
Edit Line=N/A
Edit All Ports=N/A
Edit Own Port=N/A
Edit All Calls=N/A
Edit Com Call=N/A
Edit Own Call=N/A
Edit Cur Call=N/A
Sys Diag=N/A
All Port Diag=N/A
Own Port Diag=N/A
Download=N/A
Upload=N/A
Field Service=N/A
Users who access the MAX terminal server under the Default profile cannot make any changes to its configuration or perform restricted operations. For all users with the Default security level, passwords (including the null password) are hidden by the string *SECURE* in the MAX unit's user interface.
Changing the SNMP read-write community string
An SNMP community string is an identifier that an SNMP manager application must specify before it can access the MIB (Management Information Base). The MAX has two community strings:
Anyone who presents the read-write string can modify the MIB, so set it to a value that cannot be guessed. For example, you can specify this setting:
R/W Comm=unique-string
Assigning a Telnet password
Until you assign a Telnet password, any local user who knows the MAX unit's IP address can start a Telnet session with the MAX. When you assign a password, all users requesting incoming Telnet sessions, whether locally or from across the WAN, must enter the password.
For example, you might enter this setting:
Telnet PW=telnet-pwd
Requiring profiles for incoming connections
You can use the MAX unit's Answer profile to build connections that do not require a name and password. Although some sites allow such connections, most sites impose much tighter restrictions. You should strongly consider limiting incoming connections to those that have a configured Connection profile, Password profile, or RADIUS user profile.
To require configured profiles for all incoming connections, proceed as follows:
Note: If you configure the MAX to support AppleTalk Remote Access (ARA) connections, setting Profile Reqd=Yes disables Guest access to your network.
Turning off ICMP redirects
ICMP enables a unit to find the most efficient IP route to a destination. ICMP Redirect packets are one of the oldest route discovery methods on the Internet and one of the least secure; it is possible to counterfeit ICMP Redirects and change the way a device routes packets. If the MAX is routing IP, we recommend that you turn off ICMP redirects.
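The following script is an added example, not part of the Ascend documentation. It checks a captured MAX Name=Value listing for the settings this chapter tells you to change: the factory Full Access password (Ascend), a Default profile that still allows operations, the SNMP read-write community string, the Telnet password, Profile Reqd, and ICMP redirects. The parameter names R/W Comm, Telnet PW and Profile Reqd are the ones shown above; the parameter ICMP Redirects with the values Accept/Ignore, and treating write/public/private as weak community strings, are assumptions made for the example. Both listings in the block are constructed.

```python
import re

# A menu header such as '00-309 Full Access' starts a new section.
SECTION_RE = re.compile(r"^\d{2}-\d{3}\s+(.+)$")

DEFAULT_FULL_ACCESS_PW = "Ascend"                       # stated in the manual
WEAK_COMMUNITIES = {"", "write", "public", "private"}   # assumption

# Constructed listing of a unit still at factory settings. Global
# parameters are given first; profile parameters follow their header.
FACTORY_CONFIG = """\
R/W Comm=write
Telnet PW=
Profile Reqd=No
ICMP Redirects=Accept
00-301 Default
Name=Default
Passwd=
>Operations=Yes
00-309 Full Access
Name=Full Access
Passwd=Ascend
Operations=Yes
"""

# Constructed listing after the measures in this chapter were applied.
HARDENED_CONFIG = """\
R/W Comm=k7Qz-unique-rw
Telnet PW=telnet-pwd
Profile Reqd=Yes
ICMP Redirects=Ignore
00-301 Default
Name=Default
Passwd=
Operations=No
00-309 Full Access
Name=Full Access
Passwd=not-the-default
Operations=Yes
"""


def parse_listing(text):
    """Return {section: {param: value}} for a Name=Value listing.
    Parameters seen before any header go into the 'Global' section.
    A leading '>' (the interface's cursor marker) is ignored."""
    sections, current = {"Global": {}}, "Global"
    for raw in text.splitlines():
        line = raw.strip().lstrip(">").strip()
        if not line:
            continue
        header = SECTION_RE.match(line)
        if header:
            current = header.group(1).strip()
            sections.setdefault(current, {})
            continue
        if "=" in line:
            key, _, value = line.partition("=")
            sections[current][key.strip()] = value.strip()
    return sections


def audit(text):
    """Return a list of findings, one per weak setting; empty means clean."""
    cfg = parse_listing(text)
    glob = cfg.get("Global", {})
    full = cfg.get("Full Access", {})
    default = cfg.get("Default", {})
    findings = []

    # Passwords appear as *SECURE* unless the listing was captured with
    # Full Access active, so that value means 'could not check', not 'ok'.
    pw = full.get("Passwd", DEFAULT_FULL_ACCESS_PW)
    if pw == "*SECURE*":
        findings.append("Full Access: Passwd hidden as *SECURE*; recapture the "
                        "listing with the Full Access profile active")
    elif pw == DEFAULT_FULL_ACCESS_PW:
        findings.append("Full Access: Passwd is still the factory default")

    if default.get("Operations", "Yes") != "No":
        findings.append("Default: Operations is not No, so every new "
                        "login session can perform operations")
    if glob.get("R/W Comm", "") in WEAK_COMMUNITIES:
        findings.append("SNMP: R/W Comm is empty or a well-known string")
    if glob.get("Telnet PW", "") == "":
        findings.append("Telnet: no Telnet PW assigned")
    if glob.get("Profile Reqd", "No") != "Yes":
        findings.append("Answer: Profile Reqd is not Yes")
    if glob.get("ICMP Redirects", "Accept") != "Ignore":
        findings.append("IP: ICMP Redirects are still accepted")
    return findings


if __name__ == "__main__":
    for name, text in (("factory", FACTORY_CONFIG), ("hardened", HARDENED_CONFIG)):
        results = audit(text)
        print(f"{name}: {len(results)} finding(s)")
        for finding in results:
            print("  -", finding)
```

Run the listing through audit() after each change; a *SECURE* finding means the capture was made under the Default profile and the password check could not be performed.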
Specifying the number of retry attempts
When an Ascend unit attempts to make a connection and the attempt fails, the MAX continues to attempt to complete the connection. The number of retry attempts allowed without call blocking is very large; successive retries can cause excessive charges, congestion, and performance problems. With call blocking, you can specify the number of unsuccessful attempts to place a call that the MAX makes before blocking further attempts to make that connection. After the specified number of attempts have been made and failed, the blocking timer starts. The MAX continues to block further calls for the length of time you specify.
Set Block calls after to the number of retry attempts the MAX allows when placing a call.
Set Blocked duration to the length of time the MAX continues to block calls.
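The model below is an added example, not Ascend code, showing how the two parameters interact: after Block calls after consecutive failures the blocking timer starts, attempts during Blocked duration are refused, and dialling resumes when the timer expires. Two details are assumptions not stated in the manual: a successful call resets the failure count, and the count is cleared when the blocked period ends. The retry sequence fed to it is constructed.

```python
class CallBlocker:
    """Models the MAX call-blocking parameters for one destination:
    after 'block_after' consecutive failed attempts, further attempts
    are refused for 'blocked_duration' seconds."""

    def __init__(self, block_after, blocked_duration):
        if block_after < 1 or blocked_duration <= 0:
            raise ValueError("block_after must be >= 1 and blocked_duration > 0")
        self.block_after = block_after
        self.blocked_duration = blocked_duration
        self.failures = 0
        self.blocked_until = None   # absolute time, or None when not blocking

    def allowed(self, now):
        """True if an attempt may be placed at time 'now'."""
        if self.blocked_until is not None:
            if now < self.blocked_until:
                return False
            self.blocked_until = None   # timer expired (assumption: count restarts)
            self.failures = 0
        return True

    def record(self, now, connected):
        """Feed the result of an attempt that was placed at time 'now'."""
        if connected:
            self.failures = 0           # assumption: a success clears the count
            return
        self.failures += 1
        if self.failures >= self.block_after:
            self.blocked_until = now + self.blocked_duration


def simulate(block_after, blocked_duration, attempts):
    """attempts: sequence of (time_seconds, connected) for one destination.
    Returns a list of (time, 'placed-ok' | 'placed-failed' | 'blocked')."""
    blocker = CallBlocker(block_after, blocked_duration)
    log = []
    for now, connected in attempts:
        if not blocker.allowed(now):
            log.append((now, "blocked"))
            continue
        blocker.record(now, connected)
        log.append((now, "placed-ok" if connected else "placed-failed"))
    return log


if __name__ == "__main__":
    # Constructed: a remote that never answers, redialled every 10 seconds,
    # with Block calls after=3 and Blocked duration=60.
    retries = [(t, False) for t in range(0, 90, 10)]
    for entry in simulate(3, 60, retries):
        print(entry)
```

With these values the unit places three calls, refuses the next five, and dials again at 80 seconds; without call blocking all nine attempts would have been placed.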
Retrieving configuration updates from RADIUS
When you power up the MAX, it can retrieve a potentially large quantity of configuration information from the RADIUS server. Some of the data on the RADIUS server can change during operation. You can direct the MAX to retrieve this information in one of two ways:
Copyright © 1998, Ascend Communications, Inc. All rights reserved.