Avaya 1000 Manual page 5

Port matrix
Data flow 1 has two different port numbers and two different IP addresses and is a valid and typical socket pair.
Data flow 2 has the same IP addresses and the same port number on the second IP address as data flow 1, but since the port
number on the first socket differs, the data flow is unique.
Therefore, if one IP address octet changes, or one port number changes, the data flow is unique.
Below is an example showing ingress and egress data flows from a PC to a web server.
Socket Example Diagram:
Client egress (HTTP-Get): Source 192.168.1.10:1369 -> Destination 10.10.10.47:80 (Web Server)
Client ingress (TCP-info): Source 10.10.10.47:80 -> Destination 192.168.1.10:1369 (Client)
Notice that the client egress stream includes the client's source IP and socket (1369) and the destination IP and socket (80). The
ingress stream has the source and destination information reversed because the ingress traffic comes from the server.
Avaya Server and Sockets
Data flows and their sockets may be directed by a server, but for the purposes of firewall configuration these sockets are NOT
sourced from the server. The source will be another network element, such as a CLAN circuit pack, a gateway VoIP engine or
another element. Therefore, the following port matrix lists these Avaya elements, not the server, as the source.
Keep Alive Timer
When a socket/TCP port is considered critical and the expected traffic on it could be limited, a keep alive
mechanism is necessary to ensure the socket/TCP port is not closed within the system-wide value of 120 minutes. If
there is no message exchange over the particular socket/TCP port for the set time of 120 minutes, the keep alive mechanism
triggers, ensuring traffic over the socket/TCP port. However, if firewalls are used and their port timeout value is
set to less than 120 minutes, the firewall will close the socket before the keep alive mechanism can trigger. It is therefore advised that
firewall timeout values be set higher than 120 minutes so that the existing keep alive mechanism is triggered for those
critical sockets/TCP ports.
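The socket-pair uniqueness rule and the keep alive versus firewall timeout interaction described above, as an added example that is not part of the Avaya document: a minimal stateful flow table keyed on the full socket pair, which admits ingress traffic only when the reversed pair matches a live egress entry and expires entries after a configurable idle timeout. The addresses are the ones from the diagram; the idle timeouts, the second client port and the minute-based clock are constructed values.

```python
from dataclasses import dataclass

KEEP_ALIVE_MINUTES = 120  # system-wide keep alive value stated in the document


@dataclass(frozen=True)
class Flow:
    """One data flow: a socket pair plus protocol. Changing any field makes a new flow."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"

    def reverse(self) -> "Flow":
        """The ingress view of this flow: source and destination swapped."""
        return Flow(self.dst_ip, self.dst_port, self.src_ip, self.src_port, self.proto)


class FlowTable:
    """Toy stateful-inspection table; time is in whole minutes (constructed clock)."""

    def __init__(self, idle_timeout_minutes: int):
        self.idle_timeout = idle_timeout_minutes
        self._last_seen: dict[Flow, int] = {}

    def egress(self, flow: Flow, now: int) -> None:
        """Record a flow opened from the inside (e.g. the client's HTTP-Get)."""
        self._last_seen[flow] = now

    def ingress_allowed(self, flow: Flow, now: int) -> bool:
        """A reply is allowed only if its reversed socket pair is a live, non-expired flow."""
        original = flow.reverse()
        last = self._last_seen.get(original)
        if last is None:
            return False
        if now - last > self.idle_timeout:
            del self._last_seen[original]  # firewall closed the port before keep alive fired
            return False
        self._last_seen[original] = now
        return True


def keep_alive_survives(firewall_idle_timeout_minutes: int) -> bool:
    """True when the firewall timeout is higher than the 120-minute keep alive, as advised."""
    return firewall_idle_timeout_minutes > KEEP_ALIVE_MINUTES
```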
Understanding Firewall Types and Policy Creation
Firewall Types
There are three basic firewall types:
Packet Filtering
Application Level Gateways (Proxy Servers)
Hybrid (Stateful Inspection)
Packet Filtering is the most basic form of firewall. Each packet that arrives at or leaves the network has its header fields
examined against a set of criteria to either drop the packet or let it through. Routers configured with Access Control Lists (ACLs) use
packet filtering. An example of packet filtering is preventing any source device on the Engineering subnet from telnetting into any
device in the Accounting subnet.
Application level gateways (ALG) act as a proxy, preventing a direct connection between the foreign device and the internal
destination device. ALGs filter each individual packet rather than blindly copying bytes. ALGs can also send alerts via email,
alarms or other methods and keep log files to track significant events.
Use pursuant to the terms of your signed agreement or Avaya policy.
Avaya Communication Server 1000 Port Utilization – Issue 4.04
Avaya – Proprietary.