Semi-private medium security firewall rules | Avaya 3.7 specification

Semi-private zone firewall templates

Table 37: Semi-private high security firewall rules (continued)

Rule Name

Action

Source

Destination

Service

Direc

Zone

Keep

Keep State

tion

State

OutBoundS

Permit

SemiPriv

Any

IKE_OUT

Out

SemiP

No

Permit outgoing

emiPrivate

ateIP

IPSEC_NAT_T_OUT

rivate

VPN traffic.

VPNAcces

PublicIP

AH

s

ESP

ICMPDestUnreach

OutBoundS

Permit

Any

Any

Any

Out

SemiP

Yes

Permit everything

emiPrivate

rivate

with Keep state.

PermitAll

(For any traffic

initiated from

Private/

ManagementNET)

2 of 2

Table 38: Semi-private medium security firewall rules

Rule Name

Action

Source

Destination

Service

Direction

Zone

Keep

Description

State

InBoundSe

Deny

Any

Manageme

Any

In

SemiPrivat

No

Traffic to

miPrivateD

ntNet

e

Manageme

enyAccess

ntNet is

denied.

InBoundSe

Permit

Any

SemiPrivat

IKE_IN

In

SemiPrivat

no

Permit

miPrivateV

eIP

IPSEC_NA

e

incoming

PNAccess

PublicIP

T_T_IN

VPN traffic

AH/ESP

and ICMP

ICMPDest

unreachabl

e packet

Unreach

InBoundSe

Permit

Any

Any

Any

In

SemiPrivat

Yes

Permit WI/

miPrivateP

e

VMGR and

ermitAll

VPN, clear

traffic to

PUBLIC

OutBound

Deny

DMZNet

Any

Any

Out

SemiPrivat

No

Deny

SemiPrivat

e

traffic from

eDenyAcc

DMZNet

ess

OutBound

Permit

SemiPrivat

Any

IKE_OUT

Out

SemiPrivat

no

Permit

SemiPrivat

eIP

IPSEC_NA

e

outgoing

eVPNAcce

PublicIP

T_T_OUT

VPN traffic

ss

AH/ESP

ICMPDest

Unreach

OutBound

Permit

Any

Any

Any

Out

SemiPrivat

Yes

Permit

SemiPrivat

e

incoming

eDenyAll

VPN

Issue 4 May 2005 307

Image 307

Avaya 3.7 manual Semi-private medium security firewall rules

3.7 specifications

Avaya 3.7 represents a significant evolution in unified communications technology, designed to enhance collaboration and streamline communication workflows for organizations of all sizes. As a cornerstone of Avaya's offerings, this version incorporates a range of features and improvements that cater to contemporary business needs, emphasizing flexibility, reliability, and seamless integration.

One of the most notable features of Avaya 3.7 is its robust call management capabilities. The platform allows users to manage calls effectively through a user-friendly interface, enabling intuitive functionalities such as drag-and-drop call handling, call forwarding, and conference calling. These features help employees stay connected, facilitating better communication and teamwork across departments.

In terms of mobility, Avaya 3.7 supports mobile applications that allow users to access the system remotely. This is particularly advantageous for businesses with a workforce that relies on remote or hybrid work models. The mobile integration ensures users can make and receive calls, check voicemail, and manage their schedules directly from their smartphones, maintaining productivity regardless of location.

The system also embraces advanced collaboration tools, such as video conferencing and instant messaging. These features promote a more dynamic interaction environment, fostering real-time communication among team members. Video conferencing capabilities allow for high-definition video quality and reliable connectivity, making virtual meetings more engaging and effective.

Security is another critical characteristic of Avaya 3.7. The platform includes enhanced encryption protocols to protect sensitive communications and ensure data integrity. With cybersecurity remaining a top concern for businesses, Avaya has prioritized the security of its communications solutions, safeguarding organizations' information against potential threats.

Furthermore, Avaya 3.7 benefits from the incorporation of AI and analytics. These technologies provide businesses with valuable insights into communication patterns and user behavior, enabling them to optimize their processes. The analytics can help identify areas for improvement and drive informed decision-making, thus enhancing overall efficiency.

Interoperability with existing systems is another hallmark of Avaya 3.7. The platform easily integrates with various applications and services, allowing businesses to leverage their current technology investments and create a cohesive communication ecosystem.

In summary, Avaya 3.7 stands out as a comprehensive communication solution that addresses the modern demands of the workplace. With its advanced call management features, mobility support, collaboration tools, strong security measures, and integration capabilities, Avaya 3.7 positions itself as a vital asset for organizations aiming to enhance their communication strategies and drive business success.

Contents

VPNmanager Confi guration Guide Copyright 2005, Avaya Inc All Rights Reserved Declarations of Conformity Page Contents Using VPNmanager Setting up the network Configuring IP Groups Configuring user groups 129 Establishing security 163 Using advanced features 199 Contents Monitoring your network 245 Glossary 313 Index 319 VPNmanager Overview What Products are Covered No Special Consoles Required Secure VPN ConfigurationNetwork-wide Visibility and Control Intranet and Extranet Support Complementary to Snmp Management Tools Using VPNmanager HelpRelated Documentation How This Book Is Organized Preface Contacting Technical Support Preface Avaya VPNmanager Configuration Guide Release Security gateways Components of the Avaya security solution VPNmanager software VPNremote Client software Domain hierarchy Overview of the VPN management hierarchy Security gateway Preparing to configure your network Network zones Media type SG5 and SG5X SG200 SG203 SG208 Remote users and user groups IP groupsStatic Routes Security policies Denial of ServiceFirewall policies QoS VoIP NAT Additional features SSL for Directory Server Sequence to configure your VPNSyslog Client IP address pooling Sequence to configure your VPN Page Role Based Management About VPNmanager administrators To configure an administrator to be an SNMPv3 admin To add an administrator Add a policy server Log into the VPNmanager console Open Domain Navigating the main window VPNmanager console main window File menu File MenuNew Object list New object Objects Description View menu Edit menuNew object Objects Description Tools menu ToolbarHelp menu Icons on toolbar Toolbar commands Description Commands VPN view pane Network Diagram View Tree View Tiled View Alarm monitoring pane Configuration Console window Configuration console window Configuration Console Menu bar NAT Policy Services Details pane Update DevicesContents pane Toolbar General tab Preferences Dyna Policy Defaults Global Dyna Policy Defaults User Preferences, Dyna-Policy Global Tab Dyna Policy Authentication Remote Client Advanced TEP Policy Alarm/Monitoring Tunnel End Point Policy Page To create a new domain New VPN Domain Select Level of security Creating a new security gateway Configuring a security gatewayTo create a new security gateway Setting up the network Device tabs by release Tab All VPNos Releases Earlier Later Using Device tabs to configure the security gateway Snmp Device General tab To create a memo Memo tab DNS tab DNS tab To add a DNS Relay DNS Relay Configuration area, click Add To edit an existing server address Configuring the DNS tab for VSU at VPNos 4.2 or earlierTo add a static DNS server To add a DNS server address To delete a DNS server address Interfaces tab Network zones Media SG5 SG200 SG203 SG208 Type Interface tab Ethernet2 Unused Public backup Private Semiprivate Using Device tabs to configure the security gateway Manage-ment Address assigned Options for IP addressing for interface zonesStatic addressing Dhcp addressing Local Dhcp Server Point-to-Point Protocol Over Ethernet PPPoE Client Wins Changing network interfaces To change the media interface configurationDhcp Relay Static To add an IP device to the security gateway Media interface configuration dialog To add an IP telephony device to the security gateway Private port tab with VPNos 4.2 or VPNos Private port tab IP Device Configuration with VPNos 4.2 or VPNos Adding an IP Device Configuration To add an IP Device None Device users tab To add a device account user Network Object tab Device Network Objects tab Routing To build a routing table using the default gateway Common Default Gateway for VPN Traffic topology Default Gateway for VPN Traffic VPNos To build a RIP table About NAT types for VPNos Policies tab, NAT services Priority of NAT types Configuring NAT VPNos To edit a NAT rule To add a NAT rule VPNosTo delete a NAT rule NAT applications About NAT types for VPNos Access the Internet from private Networks Accessing the Internet from private networks Setting up VPN with overlapping private addresses Setting Up a VPN with Overlapping private Addresses Using NAT to support multiple gateway configurations Interface for VPNos Using NAT to Support Multiple Gateways Add NAT Rule VPNos 4.2 or earlier To configure a NAT ruleOriginal Tunnel NAT rules To add a tunnel NAT rule Creating a New IP Group About IP GroupsTo create a new IP Group IP Group General tab New IP Group IP Group General tab Add IP Group member Configuring an IP Group To configure an IP Group that is associated with an extranet Configuring an IP Group that connects to an extranet Delete Memo Default client configuration Configuring remote access users User Dyna-Policy tab Using dyna-policy Dyna-Policy Defaults User tab Configuring a global dyna-policy VPN configuration files on remote user’s computer Dyna-Policy Defaults Global tabDisable split tunneling Dyna-Policy Authentication tab Dynamic VPNs VPNos Local authenticationRadius authentication Ldap authentication Remote Client tab Client DNS resolution redirection Send Syslog messages Remote Client inactivity connection time-out VPNos Configure a default CCD with global dyna-policy Creating new user object To create a new user object Default userAbout creating individual dynamic-policy User General tab User General tab Dyna-Policy tab Actions tab Reset User Directory Password. The user’s password is reset User Advanced tab Configuring a remote user object Information for VPNremote Client users Using Radius authentication VPNos 3.X and VPNos Using Policy Manager for user configurationClient IP address pool configuration Using local authentication Add Client DNS Add Client IP address pool Creating a message Configuring client attributesTo configure the Client IP configuration Add Client Wins Policy Manager for client attributes Enforce brand name Enable RADIUS/ACE RADIUS/ACE Services Radius concepts Settings Radius server data Authenticating secret passwordRadius protocol Add RADIUS/ACE server RADIUS/ACE To add a Radius server Configuring remote access users To create a user group New user group User Group Memo tab User Group General tab User Group Actions tab Configuring a user groupTo configure a user group Move to the Configuration Console window Configuring user groups Skip VPNs Types of VPN objects VPN packet processing modes IKE VPNs Default VPN policy To create a new VPN object Creating a default VPNTo create a default VPN within a selected domain Creating a new VPN object Create a new VPN Object, see Creating a new VPN object on Creating a designated VPN General tab with IKE Using the VPN tabs General tab with Skip Members-IP Groups tab Members-Users tab VPN, Members IP Groups Tab Security IKE tab SHA1 Field Description Pre-Shared Secret Security IPSec IPSec Proposals Add IPSec proposal AuthenticationField Description Encryption Field Description Lifetime Export VPN configuration Rekey site-to-site VPN Advanced VPN tabRekey To configure a new Skip VPN object Configuring a Skip VPN Configuring a Skip VPN To configure a new IKE VPN Object Configuring an IKE VPN Configuring an IKE VPN Configuring VPN objects Configuring an IKE VPN Enabling CRL checking Enabling CRL checking Exporting a VPN object to an extranet Click Update DevicesTo remove the CRL from the VSU VPN Object Export Checklist Task VPN Object export checklist To export a VPN Object Export procedure Importing a VPN object from an extranet Open the Configuration Console windowTo import a VPN Object data file To rekey a Skip VPN Object Rekeying a VPN object Levels of firewall policy management Firewall rules set up Domain level firewall rules Firewall rules To create domain level firewall rules To create device level firewall rules Device level firewall rules Priority of Firewall rules versus NAT rules Security Gateways and FTP To add a new firewall rule for FTP-control or passive FTP Firewall templatesTo add a new firewall rule for active FTP User defined templates Predefined templatesTo create a user-defined firewall template Select Template, Device, or None Parameter Description Services property Services Device Group Denial of ServiceTo create a device group object Denial of Service Voice Over IP Using the IP Trunking Call ModelTo select or deselect DOS categories To enable VoIP and add IP Trunking Voice Over IP Voice over IP tab Using the Gatekeeper Routed Call Model To enable VoIP and add gatekeeper settings Add gatekeeper settings QoS Policy QoS policy and QoS mapping QoS policy and QoS mapping QoS policy To add a QoS policy Modify QoS bandwidth. burst and Dscp value screen QoS mapping Packet FilteringMapping QoS policies Packet Filtering and NAT What can be filteredTraffic types that can be filtered Policy Manager, Packet Filtering/QoS Permit/Deny non-VPN traffic Radio Buttons Add Packet Filtering Policy From/Where Running the packet filtering policy wizard To WhereFiltering Policy in progress Locating this filtering policy Managing the ACL Starting and stopping filtering servicesTo start or stop filtering services Running the Policy Manager for packet filtering To edit, change the sequence, or delete a filtering policy Configuring advanced filtering optionsTo configure advanced filtering options ACL commands Command Description Packet Filter rule-advanced options Option Description Marking packets for differentiated services QoS How a VSU marks packets About Differentiated Services IP packet marking information Description How to create a packet marking ruleTypes of marking rules To create a packet marking rule Parameters used in a Packet Marking Rule Description Policy Manager for firewalls Packet filtering firewall Parameter Description Add firewall policyTo use the firewall policy management To add a firewall policy Establishing security Device Advanced Using advanced features ARP You would then want to Path MTU Discovery Enter the Path MTU Timeout value To configure the Path MTU Discovery NAT Traversal To change the port number Port for Secure AuthenticationPort for dyna-policy download Private IP Address VPNos To select a VSU name distribution method Select the Enable Private IP Address check boxSend Device Names To add a private IP address SuperUser Password VPNos Tunnel Persistence VSU Tunnel Persistence TEP Policy Add servers Servers Managing the server list To create a backup serverTo edit, change the sequence, or delete a backup server Add Directory Server Commands Description Resilient Tunnel Servers list commands Command Description Primary and Resilient Tunnels Tunnel Switching Resilient Tunnel tab for a security gateway Object Creating a resilient tunnel Prerequisites Add resilient tunnelTo create a resilient tunnel Managing the resilient tunnel list Move to the Configuration Console window. Select Devices Stopping and starting resilient tunnel servicesPrimary end-point service Secondary end-point service Failover TEP tab for a security gateway object Failover TEP To configure failover TEP Configuring failover TEPAdvanced Action Reset password Switch FlashDisable Fips High Availability High Availability Advanced parameters Virtual addressesSelect the Deny all non VPN traffic radio button Members Creating a High Availability Group Configuring high availability To update HA VSUs Updating a high availability group using Update DeviceDeleting a high availability group Failover Tab Failover To configure failover Configuration is as followsFailover connectivity checks in 10-second intervals Set consecutive no responses Failover reconnect To set up failover reconnect Converged Network Analyzer Test Plug Enter the test request port value Select the CNA Test Plug Services interface Keep Alive Keep alive tab To configure keep alive About VSU certificates Policy Manager My Certificates Installing a Signed Certificate into a VSU Creating and Installing a Signed Certificate Policy Manager for My Certificates To install a signed certificate into a VSU To switch certificates Switching certificates used by VPNmanager Console About Issuer Certificates Issuer certificates To install an Issuer Certificate into a VSU target Installing an issuer certificate IKE Certificate Usage An Example of an Issuer Certificate Assigning a Target for a Certificate About Certificate Usage Exchange Click Add to open the Add IKE Certificate Policy To assign a target for a certificate Policy Manager My Certificates Page Monitoring your network Using Snmp to monitor the device Snmp Tab for a security gateway Object To add Snmp trap targets To delete Snmp trap targets Adding Admin Users for SNMPv3Configuring Snmp for a security gateway VPN active sessions Policy Manager for Syslog Services Syslog Services Add Syslog Policy To run Syslog services Enterprise MIB Using MonitorMonitoring wizard Using Monitor System Group Parameters Log Group Parameters Description ActiveSessions Parameters Description IpRouteTable Parameters Address Table Parameters Description IpRouteTable Parameters Description IpRouteTable Parameters Description FilterStats Parameters FilterStats Parameters Description FilterStats Parameters Description FilterStats Parameters Description FilterStats Parameters Description FilterStats Parameters Description Filter Rules Parameters Traffic Rate Table Parameters Active Ports Parameters Description Group Overview Statistics Table Parameters Traffic Rate Table Parameters Description Ethernet Statistics Table Parameters Overview Statistics Table Parameters Description Ethernet Statistics Table Parameters Description Define Custom Monitoring wizard Presentation Monitoring alarmsPresentation Alarm Descriptions Alarm Type Alarm Types Report Wizard To create a report using the report wizard Report Sample Generating the report Diagnostic Reports Report Type Description Device diagnostics Diagnostic Reports Report Type Description Setting Up SSH and Telnet Using the Management tab To set up SSH or Telnet Changing device administrator’s passwords To reset the passwords Using the Connectivity tab Connectivity tab for a security gateway Object Check connectivity by ping To proxy ping a specific security gateway Using the Device Actions tabCheck Connectivity by Proxy Ping To directly ping a specific security gateway Reset Device Time Update ConfigurationReboot Device Import Device Configuration Re-setup Device Ethernet Speed To import configuration data for a device Network Interface Status Redundancy Switching Importing and exporting VPN configurations to a deviceExport VPN Exporting Radius Device management Centralized firmware management Upgrading firmware and licenses Device Upgrade tab Upgrading a security gateway’s firmware To upgrade a security gateway’s firmwareSelect Save this file to disk. Click OK License Encryption Strength Remote Access VSU-100 OnlyOpen Page Installing Certificates for Running SSL When to Configure your VPNmanager for SSL Windows NT and Windows 2000 Computers To install a certificate in VPNmanager ConsoleTo view all the installed issuer’s certificates To delete an installed issuer’s certificates To install the issuer’s certificate into a security gateway Installing the Issuer’s Certificate into a security gatewaySolaris OS Computers Using SSL with Directory Server General Appendix B Firewall rules template Public zone firewall templates Public high and medium security firewall rules Telnet Ikein Public VPN-only firewall rules Public low security firewall rules Private zone firewall templates Private medium security firewall rules Private high security firewall rules Private low security firewall rules Semi-private zone firewall templates Ping Semi-private high security firewall rules Semi-private medium security firewall rules Semi-private VPN-only security firewall rules Semi-private low security firewall rules DMZ high and medium security firewall rules DMZ zone firewall templates DMZ low security firewall rules Converged Network Anaylyzer template Management zone securityManagement high, medium, and low security firewall rules CNA-RT Converged network analyzer firewall rules Alarms Aggressive mode Certificate Service DNSCertificate Authority Certificates Extranet security Dynamic VPNsDyna Policy Encapsulation Non-Enterprise Lifetime, KeyMask Pairs MIB Enterprise Secrecy OakleyPacket Filter Perfect Forward User Groups Smart CardSplit Tunneling Triple DES Index DOS 254 55, 97, 115, 129 PAP Radius ToS, marking 193 Zone, public zone, public-backup