Technicolor - Thomson SpeedTouch™ 620 manual Secure Remote Web Interface Access


Chapter 8

SpeedTouch™ Remote Access

8.2 Secure Remote Web Interface Access

HTTPs service Introduction

The SpeedTouch™ supports secure HTTP, or HTTPS. Transport Layer Security (TLS, formerly SSL as implemented by Netscape) provides communications privacy over the Internet. The protocol allows client/server applications to communicate in a way that is designed to prevent eavesdropping, tampering, or message forgery.

The primary goal of the TLS Protocol is to provide privacy and data integrity between two communicating applications.

The remote management certificate

When booting, the SpeedTouch™ verifies whether a certificate exists for remote management. If no certificate is found, the SpeedTouch™ generates its own certificate. When the SpeedTouch™ receives an HTTPs request on port 443, it transmits this certificate to the client. The client can either accept or refuse the server identity. Depending on the client implementation, the end user is prompted whether or not to trust the server.

When a web user logs in or tries to log in to the SpeedTouch™, a syslog message is generated. This message indicates the user name and the underlying protocol (HTTP or HTTPS).

After the two peers involved in the TLS protocol have negotiated the cipher, data is encrypted for further communications. Each peer indicates the minimum level of security it requires for the connection. If the minimum requirement of each peer cannot be achieved, the connection is closed.

Default HTTPs service configuration

Use the following CLI command to see the default HTTPs service configuration.

=>:service system list name=HTTPs expand=enabled
Idx Name             Protocol         SrcPort  DstPort  Group
-----------------------------------------------------------------------
  1 HTTPs            tcp                       443
    Description................ HTTP web server over ssl
    Properties................. server
    Attributes................. state port aclip aclif aclifgroup map log
    User Managed Attributes.... state port aclip aclif aclifgroup map log
    Attribute Values :
      State.................... enabled
      Port List................ 443
      Ip Access................ any
      Interface Access List.... any
      Interface Group Access List lan
      Map List................. 443
      Logging.................. disabled
=>
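A saved copy of this listing can be checked automatically before the service is opened up to other interface groups. The script below is an added example, not part of the manual or of the SpeedTouch™ software: it parses the "Attribute Values" lines and applies a hypothetical review policy. The function names, the policy and the retyped sample listing are assumptions made for illustration.

```python
# Constructed input: the HTTPs listing from this section, retyped by hand.
LISTING = """\
=>:service system list name=HTTPs expand=enabled
  1 HTTPs            tcp                       443
    Attribute Values :
      State.................... enabled
      Port List................ 443
      Ip Access................ any
      Interface Access List.... any
      Interface Group Access List lan
      Map List................. 443
      Logging.................. disabled
=>
"""

# Longest labels first so "Ip Access List" wins over "Ip Access".
LABELS = ("Interface Group Access List", "Interface Access List",
          "Ip Access List", "Ip Access", "Port List", "Map List",
          "State", "Logging")

def parse_values(text):
    """Map each attribute label after 'Attribute Values :' to its tokens."""
    values, seen_header = {}, False
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("Attribute Values"):
            seen_header = True
        elif seen_header:
            label = next((k for k in LABELS if line.startswith(k)), None)
            if label:
                rest = line[len(label):].strip(" .")   # drop the leader dots
                values[label] = rest.replace(",", " ").split()
    return values

def audit(values):
    """Hypothetical review policy (an assumption, not from the manual)."""
    findings = []
    if values.get("State") != ["enabled"]:
        return findings                      # service off: nothing to review
    groups = values.get("Interface Group Access List", ["any"])
    sources = values.get("Ip Access List") or values.get("Ip Access", ["any"])
    if groups != ["lan"] and sources == ["any"]:
        findings.append("reachable beyond the LAN with no source-IP restriction")
    if values.get("Logging") == ["disabled"]:
        findings.append("service logging is disabled")
    return findings

if __name__ == "__main__":
    for finding in audit(parse_values(LISTING)):
        print("HTTPs:", finding)
```

For the default configuration shown above, the only finding is that service logging is disabled; the exposure finding appears once a group other than lan is listed while the IP access list is still any.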


E-DOC-CTC-20051017-0155 v1.0

 
