USRobotics NETServer/16, NETServer/8 specification

Implementing Security with Host Device Dial Out

To authenticate a host device dial out user, configure a host device port with a device service of Telnet and a TCP port number between 10,000 and 10,100. These ports can only be connected to by the NETServer itself, forcing the user to telnet to port 23, the default telnet port, and have the NETServer forward him to the modem. When the user connects to port 23, he or she will be prompted for a user name and password just like a login user. The port setup would look something like this:

set s1 device \dev\network

set s1 service_device telnet 10000 set s1 modem off

save all reset s1

Since such a user will be authenticated, he or she will require a user table entry. Example:

add user Dialer password dialoutpw

set user Dialer host <NETServer IP address> (user’s host is NETServer)

set user Dialer service telnet 10000

To use the modem, the user telnets to the NETServer

telnet <NETServer IP address>

The user will then be prompted for a user name and password. If he or she responds correctly, the user will be connected directly to the modem’s command line.

Note: RADIUS servers have a user type called Outbound User which is defined as a dial out user on the local network. How- ever, because the NETServer defines these users as login users whose host is the NETServer itself, in RADIUS you would configure these users with the user type Login-User.

Talking to the Modems 7-3

Image 107

USRobotics NETServer/16, NETServer/8 manual Implementing Security with Host Device Dial Out

Contents

NETServer/8 NETServer/16 Page Table of Contents Network Dial-in Access Reference Section Administrative Tools Limited Warranty Warranty and Service Vii Service and SupportTechnical Support Viii We welcome your suggestions for better documentation Overview Chapter OverviewWhat’s New with Release 3.1? Additional Software Enhancements Accounting Server Support Netmask TableIP Address Spoofing Accounting Servers Icmp Message Logging Multiple Name ServersRandomized Hosts Radius Accounting and ANI/DNIS New Modem Port Features NETServer Overview IP Modem Sharing How do I get there from here? Security Administrative Utilities Basic Installation Chapter Basic InstallationSystem Administrator Requirements TCP/IP Reference Material Accessing the Command Line Getting Started First step for IPX or IP/IPX networks Getting the LAN port up and running Basic Installation IP Configuration You must also set the Broadcast Address. Type the following Ethernet802.3 ethernet802.2 ethernet802.2II ethernetII IPX Configuration Final Steps IP and IPX Default Gateways Recommended Global ConfigurationPassword To set the IP gateway, type the following Save your work Name Service Basic Installation Configuration Overview Chapter Configuration OverviewHow to Setup Applications Application Section Where do I go from here? Separate a parameter and its value by a space Command LineCommands are not case sensitive You can abbreviate commands Save your changes Reset any ports you have changedReboot when necessary How to log out of the command line Quick Command Overview Hosts Table Overview of configurable tablesGlobal Configuration Netmasks Table Initialization Script ConfigurationNet0 LAN Port Configuration Location Table Packet Filter Table Port Type Port Configuration Routes Table Snmp Configuration User Table Configuration Overview IP Terminal Server Setup Chapter IP Terminal Server SetupTerminal or Workstation Setup NETServer Terminal Server Setup Overview User Table Port DefaultGlobal Default Set the port’s security Pass-Thru Login Terminal Server Detailed SetupConfiguring a Port Set the port type to User Login Create default user settings for the port Port Default Login Service Optional Friendly Stuff Save sport # Add the user to the User Table Configure the userAdding a Remote User to the User Table Login Service Configure for dialback use? Example IP Terminal Server Case Studies NETServer will use ports 6, 7, and 8 for this application Save your work and reset all the ports Example IP Terminal Server Setup Network Dial In Access Chapter Network Dial In AccessDial-in User Setup Prework NETServer Setup for Network Dial-In Overview Configuration NETServer Dial-In Detailed Setup Dialback Users on this Port? Save the changes to flash memory Normal or dialback user? Create a new user Add configuration information for the user This is the user’s IP subnet mask. Use the following command Option can be any one of the following Configure the ports IP Remote Access Case Study Create a user table entry for the dialback user Create user table entries for the dial in users Save your work and reset the ports Connecting to the NETServer IPX Remote Access Create User Table entries for the dial in users LAN-to-LAN Routing Setup for NETServer Routing OverviewChapter LAN-to-LAN Routing IPX routing LAN-to-LAN Routing NETServer Routing An Introduction to NETServer Routing LAN-to-LAN Routing How RIP Dynamically Builds the Routing Table Static vs. Dynamic Routes Establishing Connections to Remote Gateways How Packets are Routed Routing Procedure PAP Password Authentication Protocol PAP/CHAP Authentication Chap Setup for the NETServer Chap Challenge Example Configuring the Port LAN-to-LAN Routing Detailed Setup Creating a Dial-Out Group Set Required Location Parameters Adding a Remote Device to the Location TableCreate a new location table entry This is the remote device’s IP address Set location location name netmask netmask Dial Group Number Multiple lines for a single connection Maximum Ports Create a Dial Script Set location Chicago script 1 atds slot#\r Connect Tell the NETServer about the Remote Device Adding the Remote Device to the User TableCreate a User Table Entry Set user user name protocol ppp slip Set netuser user name compression on off LAN-to-LAN Routing Case Study Add netuser nsb password xyzabc Setting Up NETServer a Setting Up NETServer B Now, save your work and reset the ports Testing the Connection What If I Don’t Want to Use Chap Authentication? Connecting to NETServer a from NETServer B Assign the modem a TCP port number Configure the port as a host deviceChapter Talking to the Modems TCP/IP Modem Sharing Turn modem control carrier detect off Save your work and reset the port Implementing Security with Host Device Dial Out Configuring modems as Unix pseudo TTYs Talking to the Modems Assign Text to an Initialization Script Modem Initialization ScriptsHow To Add a New Initialization Script Displaying an Initialization Script Use an Existing Initialization ScriptDelete an Initialization Script Initialization Script Example Default initialization string Sending AT commands to the modems Talking to the Modems Packet Filters Chapter Packet FiltersPacket Filters Packet Filters and the NETServer Types of Filters Information Sources Input filters vs. Output filters Adding Packet Filters Input filters vs. Output filters Name Filter Rule FormatRule Type Options Rule NumberPermit or Deny TCP/IP packet filtering Destination Address TCP and UDP parameters TCP UDP Standard Port Numbers FTP Packet Filtering Filtering RIP messages Client opens a control channel FTP Example Type Description Filtering Icmp packets IPX Rules IPX packet filtering Dsthost SAP Rule Options Delete a Packet Filter Editing Packet FiltersEdit a Packet Filter Delete a Packet Filter Rule View the Packet Filter Table View a Packet Filter Root Access Chapter Administrative ToolsConfiguring the !root account Changing the command prompt Telnet Access Port Nslogin, Rlogin and Telnet Commands Manually Connecting to a Remote SiteDial Command Viewing Debug messages Troubleshooting Commands Turn off the output console by typing the following Ifconfig MTU Ping Ptrace Version Traceroute Show Show command Show flash Show arp Show netconns Show memory Show netstat Show sessions Show sap Administrative Tools Command Reference Chapter Command ReferenceGlobal Configuration Save Changes View the Global Configuration TableGet help Connect Message Default HostGlobal user parameters Assigned Address Randomize Hosts Global routing parameters Default Gateways IP Address Spoofing Default Route System Name NetBIOS Packet PropagationPAP Authentication Proxy ARP Server name Name ServiceService Domain name DNS Cache Reset Time-out Radius Secret Radius securityPrimary Radius Server Alternate Radius Server Syslog Accounting Radius Accounting Icmp Logging View the Hosts Table Hosts TableAdd a Host Delete a Host Change a Location’s Parameters Bring Up the List of CommandsLocation Table Add a Location to the Location Table View a Particular Location Save Location Table ChangesView the Location Table Connection Type Location Table Parameters IPX Network IP AddressNetmask Compression ProtocolRouting Maximum Ports Dial Group High Water Mark Idle Time-out PPP Async Map MTU Dial Script Output FilterInput Filter Send Reply Reset the Network Interface Card LAN Port Net0 Configuration Ethernet Status View LAN Port ConfigurationLAN Port Parameters Interface Address Configured Ethernet Media Broadcast Address IPX Frame Type Set net0 ifilter filter name View the netmask table Netmask TableAdd a netmask Delete a netmask Change a Port’s Parameters Save Port Configuration View the Ports Table To view all of the S-ports, use the following command Idle Port is idle View an Individual Port Host Device User LoginDetermining a Port’s Type Device Service Network Line Hangup Login MessageDial In Port Parameters Security Pass-Thru Login Login Prompt Autolog Name User Login Port ParametersDialback Delay Host Login Service Terminal Type IPX Network Number Hardwired Port Parameters Set s0 netmask netmask NETServer sends RIP information across Stopbits Serial Communications ParametersPort Speed Databits Modem Control ParityFlow Control Host Override Change a Route’s Information Routes Table ConfigurationAdd a Route to the Routes Table View the IP Routes Table Delete a Routes Table EntrySave Routes Table Changes Flag Parameter Viewing the IPX Routes Table IP Parameters IPX Parameters Enabling/Disabling Snmp Snmp TableDelete Snmp Hosts Save the Snmp Table Changes Write Community Name Snmp Table ParametersView Snmp Table Read Community Name Write Hosts Read Hosts Add a User to the User Table User Table View the User Table Change a User’s ParametersDelete a User Save User Table Changes Dialback Number Login User ParametersAccess Filter Set user name service rlogin telnet netdata portmux Command Reference Dialback Network User Parameters IPX connections require the PPP protocol NETServer sends RIP information to the dial Set user filter name ofilter filter name Command Reference 16 port NETServer Hardware Appendix a Technical Specifications Typical Input Power Power RequirementsMaximum Output Power Maximum Input Power External Serial Port Console Technical Specifications A-3 10Base-T Ethernet Network Interface Card Isolated GND SignalTechnical Specifications A-5 10Base-2 BNC Technical Specifications Token Ring Network Interface Card Token Ring⎯STP ConnectorTechnical Specifications A-7 Token Ring⎯UTP Connector Routing Support NETServer Firmware SpecificationsAdministration Technical Specifications A-9 Client Dial-up Support PPP Specific FeaturesIndustry Standards Support Slip and PPP Client Software Support Technical Specifications A-11 Technical Specifications Addressing Schemes B-1 Appendix B Addressing SchemesIPX Addressing Basics IP Addressing Basics Addressing Schemes Address ClassesSubnetting Addressing Schemes B-3 Mask Binary Subnets Hosts Reserved Addresses Addressing Schemes B-5 Supernetting Advanced TCP/IP Cidr Each Supernet is treated as a single entity Addressing Schemes B-7 Step two Select a range of addresses for each supernet Addressing Schemes B-9 Supernetting and the NETServer Software Download C-1 SDL Using a Direct Connection to a PCWhy Perform an SDL Software Download? Appendix C Software Download Starting SDL Make Backup Copies of the NETServer FirmwareSoftware Installation Loading the Software Download SDL Program Software Download C-3 SDL Command Syntax Filename Prefixes Optional -d Parameter Software Download C-5 Entering SDL Mode Upgrading NETServer Firmware From the Windows Management Software Software Download C-7 Upgrading the Modem Firmware For the Isdn NETServer, the file names are Software Download C-9 Error Messages PC SDL program detected unknown command line argu- ments Software Download C-11 Invalid Control Word Software Download C-13 File you are trying to download is not a NETServer file Boot Process D-1 Appendix D Boot Process Boot Process Syslog Accounting E-1 Using SyslogAppendix E Syslog Accounting Syslog Accounting Syslog System MessagesSpotting Unused Ports Syslog System Message Format Syslog Accounting E-3 Syslog System Message Examples Someone has logged in as !root on port S16 Syslog Accounting E-5 Syslog Accounting Obtaining Radius Appendix F Security a Centrally Managed User Table Authentication Items Setting Up Radius User Table Entries Response Items Radius F-5 Framed-Netmask Radius F-7 User Types Radius F-9 Making NETServer talk to a Radius security server Chap authentication using Radius Acct-Status-Type Acct-Delay-TimeRadius Accounting Radius accounting fields Acct-Session-Time Accounting ExamplesAcct-Authentic Radius Index Alphabetical Index Index Icmp MTU NIC PPP SAP Slip Index Index