Engineering guidelines 41

Hosts that need to be accessed from the World Wide Web must be placed in a special sub-network called the Green and Red LAN. The firewall isolates the Green and Red LAN from the C-LAN. Devices that can be accessed from the World Wide Web are put into this segregated LAN segment. Nortel Networks recommends that the Green and Red LAN be the location of the ICB connection.

On the other hand, C-LAN hosts require open access to the ICB for administration and maintenance.

Table 3 summarizes the recommended access permissions allowed by the firewall. All other paths not in the table should be denied.

Table 3
Firewall access permissions

Source   Destination   Protocol
-------  ------------  -------------------------------------------
WWW      ICB           HTTP
C-LAN    ICB           HTTP, FTP, TELNET
ICB      WWW           FTP (optional; allows upgrade from the web)
ICB      C-LAN         FTP
ICB      Mail Server   SMTP

Notes

Take the following notes into consideration:

Technically, a firewall can be configured to enforce these access restrictions even when the ICB is in the C-LAN. However, a Green and Red LAN is usually used, because it is safer.

Cards of a dual-ICB set must be in the same LAN segment, with no restrictions between them.
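The following nftables ruleset is an added example, not part of the Nortel guide, showing one way to enforce Table 3 and the default-deny rule on a three-legged firewall (WWW, Green and Red LAN, C-LAN). Interface names, addresses, the placement of the mail server on the C-LAN, and the standard TCP ports for HTTP, FTP, TELNET and SMTP are assumptions for illustration.

```nftables
#!/usr/sbin/nft -f
# Added example: enforces Table 3 of the guide. All names and addresses are assumed.
flush ruleset

define wan_if  = "eth0"                       # World Wide Web side
define dmz_if  = "eth1"                       # Green and Red LAN (ICB connection)
define clan_if = "eth2"                       # C-LAN (administration hosts)
define icb     = { 192.0.2.10, 192.0.2.11 }   # dual-ICB set; both cards share the DMZ segment,
                                              # so card-to-card traffic never crosses this firewall
define clan    = 10.0.0.0/24                  # C-LAN address range (assumed)
define mail    = 10.0.0.25                    # mail server, assumed to sit on the C-LAN

table inet icb_fw {
    chain forward {
        # "All other paths not in the table should be denied"
        type filter hook forward priority 0; policy drop;

        ct state established,related accept   # return traffic of permitted sessions only
        ct state invalid drop

        # WWW -> ICB : HTTP
        iifname $wan_if oifname $dmz_if ip daddr $icb tcp dport 80 accept

        # C-LAN -> ICB : HTTP, FTP, TELNET (administration and maintenance)
        iifname $clan_if oifname $dmz_if ip saddr $clan ip daddr $icb \
            tcp dport { 80, 21, 23 } accept

        # ICB -> WWW : FTP (optional; allows upgrade from the web)
        # Remove this rule if web-based upgrades are not used.
        iifname $dmz_if oifname $wan_if ip saddr $icb tcp dport 21 accept

        # ICB -> C-LAN : FTP
        iifname $dmz_if oifname $clan_if ip saddr $icb ip daddr $clan tcp dport 21 accept

        # ICB -> Mail Server : SMTP
        iifname $dmz_if ip saddr $icb ip daddr $mail tcp dport 25 accept

        # Anything else falls through to the chain policy (drop).
        counter log prefix "icb_fw denied: " drop
    }
}
```

The FTP rows only open the control channel (port 21); the data channel is accepted through `ct state related` only if the kernel's FTP connection-tracking helper is enabled for these flows, so verify FTP transfers from both the C-LAN and the ICB after loading the ruleset.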

LAN/intranet access only

In this configuration, the ICB is not accessible from anywhere in the World Wide Web (assuming this policy is enforced by the firewall). There are two options for this type of configuration: C-LAN connection and E-LAN connection.

Figure 7 on page 42 shows an example of the C-LAN connection.

Nortel Integrated Conference Bridge Service Implementation Guide
Nortel Networks 555-4001-135
Page 41