Users must take full responsibility for their applications of any products specified in this document. The information in this document is proprietary to Nortel Networks. Nortel, Nortel (Logo), the Globemark, SL-1, Meridian 1, and Succession are trademarks of Nortel Networks.
Revision history: May 2006, Standard 1.00. This document is a new NTP (Nortel Technical Publication), created to support the Secure Multimedia Controller 2450. Document number NN10300-091 (Secure Multimedia Controller Command Reference, 126 pages).
About this document This document is a global document. Contact your system supplier or your Nortel representative to verify that the hardware and software described are supported in your area. Subject This document describes Secure Multimedia Controller (SMC) 2450 system architecture, software and hardware requirements, components, and network connections.
• Communication Server 1000E: Upgrade Procedures (553-3041-258)
Intended audience
This document is intended for individuals responsible for installation, configuration, administration, and maintenance of the SMC 2450.
Conventions and terminology
In this document, the following systems are referred to generically as system: •...
• Secure Multimedia Controller: Implementation guide (553-3001-225)
• Secure Multimedia Controller: Planning and engineering guide (NN42320-200)
Online
To access Nortel documentation online, click the Technical Documentation link under Support & Training on the Nortel home page: www.nortel.com
CD-ROM
To obtain Nortel documentation on CD-ROM, contact your Nortel customer representative.
How to get help This chapter explains how to get help for Nortel products and services. Getting help from the Nortel web site The best way to get technical support for Nortel products is from the Nortel Technical Support web site: www.nortel.com/support This site provides quick access to software, documentation, bulletins, and tools to address issues with Nortel products.
To access some Nortel Technical Solutions Centers, you can use an Express Routing Code (ERC) to quickly route your call to a specialist in your Nortel product or service. To locate the ERC for your product or service, go to: www.nortel.com/erc...
Main menu
After you complete the initial Secure Multimedia Controller (SMC) system setup and perform a successful connection and logon, the Main menu of the command line interface (CLI) appears. For more information about the CLI and how to use it, see Secure Multimedia Controller: Implementation guide (553-3001-225).
Table 1 Main menu commands
diff: Displays the pending configuration changes. Only pending changes made during your current administrator session are included; pending changes made by other CLI or browser-based interface (BBI) administrator sessions are not.
validate: Validates pending configuration changes made during your current administration session.
revert: Cancels all pending configuration changes made during your current administration session. The revert command does not affect applied changes, or pending changes made by other CLI or BBI sessions.
paste [<global key import password>]: Restores a saved configuration dump file that includes encrypted private keys. When you create a configuration dump with the dump command, you set a password that is used to decrypt the private keys; when you enter the paste command, you are prompted for that password.
Displays runtime information for all SMCs in the cluster. The runtime information includes:
• CPU usage
• hard disk usage
• status of important applications such as the Web server, SNMP, and the Internet server
• secure UNIStim proxy and firewall information
Table 2 Information menu (/info)
host: Displays runtime information for the specified SMC host. The runtime information includes:
• CPU usage
• hard disk usage
• status of important applications such as the Web server, SNMP, and the Internet server
•...
about: Displays system information such as the product type and version of the running build.
alarms: Lists the alarms generated in the system.
dump: Displays the current configuration information available in the Information menu.
Info_host menu
The Info_host menu (/info/host) provides configuration, status, and statistics information about the host runtime, link, Ethernet, and syslog parameters. Table 3 identifies and describes the Info_host menu commands.
Table 3 Info_host menu (/info/host)
status <Host number>...: Displays the runtime and application status for the specified host.
Route Information menu
The Route Information menu (/info/net/route) provides access to information about static routes. Table 5 identifies and describes the Route Information menu commands.
Table 5 Route Information menu (/info/net/route)
static: Displays all static routes configured on the system.
VRRP Information menu
The VRRP Information menu (/info/net/vrrp) provides access to information about the status and configuration of VRRP. Table 6 identifies and describes the VRRP Information menu commands.
Table 6 VRRP Information menu (/info/net/vrrp)
status: Displays the status for the VRRP Virtual Router ID (vrid).
Displays the VRRP settings, such as high availability (HA), VRRP advertisement interval, gratuitous ARP (GARP) delay interval, GARP broadcast interval, Advanced Failover Check (AFC), and Preferred Master...
Displays the current SSH configuration setting: enabled or disabled.
Displays the current BBI configuration settings, such as status (enabled or disabled), service port numbers for HTTP and HTTPS, and certificate information for Secure Sockets Layer (SSL).
Statistics Information menu
The Statistics Information menu (/info/stats) provides access to SMC statistics. Table 8 identifies and describes the Statistics Information menu commands.
Table 8 Statistics Information menu (/info/stats)
fwattack: Displays historical counters for the approximately 130 firewall attack types that the SMC protects against.
UsecProxy:
• number of clients that connect as secure but present an invalid fingerprint of the SMC public key
• number of clients that are deleted as a result of too many server retransmissions
...SMC. For menu items, see “Network Configuration menu”.
Displays the Multimedia Security menu, which you can use to configure multimedia security on the SMC. For menu items, see “Multimedia Security menu”.
Table 9 Configuration menu (/cfg)
ptcfg <SCP/SFTP/TFTP/FTP server> <server host name/IP address> <file name>: Saves the current configuration, including private keys and certificates, to a file on the selected server. The information is saved as a plain-text file, and you can later restore the configuration with the gtcfg command. Because the file contains the private keys unencrypted, transfer it with SCP or SFTP rather than TFTP or FTP (which send it in cleartext), and restrict access to the file on the server.
The password phrase enables encryption of the private keys in the dump. When restoring a configuration that includes secret information, use the global paste command; before pasting the configuration, you are prompted to reenter the password phrase.
System menu
Using the System menu (/cfg/sys), you can configure system-wide parameters. Table 10 identifies and describes the System menu commands.
Table 10 System menu (/cfg/sys)
time: Configures the date, time, time zone, and Network Time Protocol (NTP). For menu items, see “Date and Time menu”.
Changes Domain Name System (DNS) parameters.
time <HH:MM:SS>: Sets the system time using a 24-hour clock format. Nortel recommends that you reboot the SMC after entering a time change greater than 1 minute.
tzone: Sets the system time zone. When entered without a parameter, you are prompted to select your time zone from a list of continents/oceans, countries, and regions.
NTP menu
Using the NTP menu (/cfg/sys/time/ntp), you can add or delete Network Time Protocol (NTP) servers that synchronize system time. Table 12 identifies and describes the NTP menu commands.
Table 12 NTP menu (/cfg/sys/time/ntp)
list
del <index number>
<NTP server IP address>...
Adds a new DNS server to the list at the specified index position. All existing items at the specified index number and higher are moved down by one position.
Moves the DNS server at the specified index number to another specified index number.
Cluster menu
Using the Cluster menu (/cfg/sys/cluster), you can configure the SMC host IP address and the cluster Management IP (MIP) address. Table 14 identifies and describes the Cluster menu commands.
Table 14 Cluster menu (/cfg/sys/cluster)
<Management IP address>
host <cluster host number>...
...SMC in the cluster.
Note 1: The license restriction applies only to secure UNIStim users.
Note 2: Type cur within the Cluster Host screen to see the current license for the SMC.
To increase the number of secure UNIStim users in an SMC cluster, use this command to obtain the MAC address of each SMC device and send the MAC addresses to Nortel for license generation.
hwplatform: Displays the hardware platform model number.
There is only one access list, and it applies to all remote management features. By default, the management network is added to the access list.
Requests for remote management access from any client whose IP address is not on the access list are dropped; only ICMP echo (ping) to the SMC host is still answered from an unlisted address. When you add a client IP address to the access list, that client can access all enabled remote management features, because the list is not per service.
For menu items, see “SSH Administration menu”. You must add an entry to the access list for the client before it can administer the SMC through SSH. See “Access List menu”.
Table 17 Administrative Application menu (/cfg/sys/adm)
snmp
audit
auth
Telnet Administration menu
Using the Telnet Administration menu (/cfg/sys/adm/telnet), you can enable or disable remote Telnet access to the SMC CLI. By default, Telnet access is disabled.
Note: Telnet is not a secure protocol. All data (including the password) between a Telnet client and the SMC is sent in cleartext, without encryption or integrity protection, so anyone on the path can read the credentials or tamper with the session. Leave Telnet disabled and use SSH for remote CLI access.
The SMC uses iptables to implement access control for its management interfaces (SSH, Telnet, HTTP, and HTTPS). Packets are filtered in the TCP/IP stack before they reach the management daemons, so the SMC can limit external access to the internal system management software that communicates over sockets.
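The following is an added example, not code from the SMC or from this manual. It models the single remote-management access list described above (ping answered from any address; SSH, Telnet, HTTP and HTTPS reachable only from listed networks, and only when that service is enabled; everything else dropped) and emits an iptables ruleset with the same policy, since the page says iptables is the enforcement mechanism. The TCP port numbers, the chain name and the exact rule layout are this example's assumptions about an equivalent filter, not the SMC's own rules.

```python
"""Added example (not SMC code): model of the SMC remote-management access
list and an equivalent iptables ruleset.  Port numbers, chain name and rule
layout are assumptions, not the SMC's actual implementation."""
import ipaddress
from typing import Dict, Iterable, List, Optional

# Assumed TCP ports for the management services the page names.
MGMT_PORTS: Dict[str, int] = {"ssh": 22, "telnet": 23, "http": 80, "https": 443}


def management_allowed(src_ip: str, proto: str, dport: Optional[int],
                       access_list: Iterable[str],
                       enabled_services: Iterable[str]) -> bool:
    """Return True if a packet from src_ip reaches the SMC management software."""
    src = ipaddress.ip_address(src_ip)
    if proto == "icmp":
        return True  # ping is answered even from an address that is not listed
    listed = any(src in ipaddress.ip_network(net, strict=False) for net in access_list)
    if not listed or proto != "tcp" or dport is None:
        return False
    enabled_ports = {MGMT_PORTS[s] for s in enabled_services}
    # One list for all features: a listed client gets every enabled service.
    return dport in enabled_ports


def iptables_rules(access_list: Iterable[str], enabled_services: Iterable[str],
                   chain: str = "SMC-MGMT") -> List[str]:
    """Emit an iptables rule list (as strings) implementing the same policy."""
    rules = [f"-N {chain}",
             f"-A {chain} -p icmp --icmp-type echo-request -j ACCEPT"]
    for svc in enabled_services:
        for net in access_list:
            rules.append(f"-A {chain} -p tcp -s {net} --dport {MGMT_PORTS[svc]} -j ACCEPT")
    rules.append(f"-A {chain} -j DROP")  # default: unlisted clients are dropped
    return rules


if __name__ == "__main__":
    acl = ["10.20.30.0/24"]  # constructed management network
    for rule in iptables_rules(acl, ["ssh", "https"]):
        print(rule)
```

Note that adding a network to the list opens every enabled service to it at once; the only way to give a client SSH but not the BBI is to leave HTTP/HTTPS disabled.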
Table 19 identifies and describes the SSH Administration menu commands.
Table 19 SSH Administration menu (/cfg/sys/adm/ssh)
sshkeys
SSH Host Keys menu
Using the SSH Host Keys menu (/cfg/sys/adm/ssh/sshkeys), you can generate and manage SSH host keys. Table 20 identifies and describes the SSH Host Keys menu commands.
Table 20 SSH Host Keys menu (/cfg/sys/adm/ssh/sshkeys)
Configures BBI access using HTTP (non-secure). For menu items, see “HTTP Configuration menu”.
Configures BBI access using HTTPS with Secure Sockets Layer (SSL). For security reasons, Nortel recommends that you use SSL with the BBI. For menu items, see “SSL Configuration menu”.
...BBI access using HTTPS. HTTPS uses Secure Sockets Layer (SSL) to provide server host authentication, encryption of management messages, and encryption of the passwords used for user authentication. For security reasons, Nortel recommends that you use SSL with the BBI. By default, SSL is disabled.
sslv2 y | n: Enables or disables SSL version 2. SSL version 2 has well-known protocol weaknesses (its handshake is not integrity-protected, so an attacker on the path can force the weakest cipher both sides support); leave it disabled unless a legacy client cannot connect without it.
sslv3 y | n: Enables or disables SSL version 3.
certs: Configures server certificates and external Certificate Authority certificates required for SSL. See “Certificate Management menu” on page 48 for menu items.
Certificate Management menu
Using the Certificate Management menu (/cfg/sys/adm/web/ssl/certs), you can add or remove server certificates and external Certificate Authority (CA) certificates required for SSL. Table 25 identifies and describes the Certificate Management menu commands.
Table 25 Certificate Management menu (/cfg/sys/adm/web/ssl/certs)
serv
Adds a signed server certificate. After you enter this command, the system expects you to paste the PEM certificate into the CLI. When you finish pasting the certificate, type three periods (...) on a line and press <Enter> to return to the CLI.
CA Certificate Management menu
Using the CA Certificate Management menu (/cfg/sys/adm/web/ssl/certs/ca), you can administer external SSL CA certificates. Table 27 identifies and describes the CA Certificate Management menu commands.
Table 27 CA Certificate Management menu (/cfg/sys/adm/web/ssl/certs/ca)
list: Lists all configured CA certificates.
Removes a CA certificate from the configuration.
y | n: Enables or disables the automatic delivery of alarm messages to the SNMP trap hosts. Alarm messages indicate serious conditions that can require administrative action.
Table 28 SNMP Administration menu (/cfg/sys/adm/snmp)
rcomm: Displays the current read community value, which you can change. There is no restriction on the input string. The default read community value is Public. Change the default before enabling SNMP: a community string travels in cleartext in every SNMPv1/v2c request, so anyone who can sniff management traffic or guess the default can read the SMC's MIB. Prefer USM (SNMPv3) users with authentication and encryption where the management station supports them.
users: Displays the SNMP Users menu, which you can use to list, add, and remove USM users.
...SNMP get requests, receive enabled trap event and alarm messages, or both.
...the user must enter for access.
...selected on the SNMP Administration menu (/cfg/sys/adm/snmp), you can encrypt SNMP traffic between the user and the SMC using the encryption string.
Trap Hosts menu
Using the Trap Hosts menu (/cfg/sys/adm/snmp/hosts), you can add, remove, or list hosts that receive SNMP event or alarm messages from the SMC cluster. Table 30 identifies and describes the Trap Hosts menu commands.
Table 30 Trap Hosts menu (/cfg/sys/adm/snmp/hosts)
list
del <index number>...
...64 characters.
Configures the name for the system. The name can have a maximum of 64 characters.
Configures the name of the system location. The location can have a maximum of 64 characters.
Advanced SNMP Settings menu
Using the Advanced SNMP Settings menu (/cfg/sys/adm/snmp/adv), you can configure advanced SNMP options. Table 32 identifies and describes the Advanced SNMP Settings menu commands.
Table 32 Advanced SNMP Settings menu
trapsrcip auto | unique | mip: Configures the source IP address for SNMP traps generated from the SMC: •...
Note 3: To find audit entries in the RADIUS server log, define a suitable string in the RADIUS server dictionary (for example, Nortel-SMC-Audit-Trail) and map this string to the vendor type value. Note 4: If your RADIUS system uses another number for vendor...
Table 33 Audit menu (/cfg/sys/adm/audit)
RADIUS Audit Servers menu
Using the RADIUS Audit Servers menu (/cfg/sys/adm/audit/servers), you can add, modify, and delete information about RADIUS audit servers. Table 34 identifies and describes the RADIUS Audit Servers menu commands.
Table 34 RADIUS Audit Servers menu (/cfg/sys/adm/audit/servers)
list...
...RADIUS server password.
Moves a RADIUS audit server up or down in the list of configured servers. To view all servers currently added to the configuration, use the list command.
Table 36 identifies and describes the RADIUS Authentication Servers menu commands.
Table 36 RADIUS Authentication Servers menu (/cfg/sys/adm/auth/servers)
list
add <IP address> <port number> <shared secret> (RADIUS runs over UDP, not TCP; authentication servers typically listen on port 1812, or 1645 on older servers)
insert <index number to insert at> <IP address of RADIUS authentication server to add>
move <index number to move>...
Too many firewall logs can affect SMC performance. Nortel recommends you update the firewall log configuration to prevent this degradation in performance. For more information, see Secure Multimedia Controller: Planning and engineering (NN42320-200).
debug y | n: Enables or disables specialized debugging log messages. By default, this setting is disabled. Enable it only as directed by Nortel technical support.
sourceip: Specifies the source IP address for logs generated from the SMC.
Adds a new firewall log entry to the list at the specified index position. All existing items at the specified index number and higher are moved down by one position.
Moves the firewall log entry at the specified index number to another specified index number.
Firewall Log menu
Using the Firewall Log menu (/cfg/sys/log/firewall), you can send firewall logs to an external system log server using the standard remote syslog port (UDP 514). Syslog over UDP is neither encrypted nor authenticated, so the log server should sit on a protected management network. Table 39 identifies and describes the Firewall Log menu commands.
Table 39 Firewall Log menu
addr
Log Archiving menu...
For menu items, see “Firewall Log menu”.
Displays the UNIStim Log menu, which you can use to configure UNIStim log parameters. For menu items, see “UNIStim Log menu”.
System Log menu
Using the System Log menu (/cfg/sys/log/arch/syslog), you can configure system log parameters. The system logs contain information and errors generated during standard system operation. Table 41 identifies and describes the System Log menu commands.
Table 41 System Log menu
email <e-mail address>...
Specifies the time interval for log rotation, in days and hours.
Specifies the maximum size, in kilobytes, that a log file can reach before rotation is triggered.
Table 43 identifies and describes the UNIStim Log menu commands.
Table 43 UNIStim Log menu
email <e-mail address>
smtp <SMTP server IP address>
int <days> <hours>
size <max size (kb)>
User menu
Using the User menu (/cfg/sys/user), you can add, modify, delete, or list SMC user accounts, and change passwords.
For menu items, see “User Edit menu”.
Displays the SSH User menu, which provides options for administering SSH user access. For menu items, see “SSH User Admin menu”.
User Edit menu
Using the User Edit menu (/cfg/sys/user/edit <user name>), you can change passwords and assign group privileges for the user account specified by the user name. Table 45 identifies and describes the User Edit menu commands.
Table 45 User Edit menu (/cfg/sys/user/edit)
password <admin password>...
Enables the SSH account for the specified user name.
Disables the SSH account for the specified user name.
Deletes the SSH account.
Groups menu
Using the Groups menu (/cfg/sys/user/edit <user name>/groups), you can list, delete, or add groups.
Table 47 identifies and describes the Groups menu commands.
Table 47 Groups menu (/cfg/sys/user/edit/groups)
list
del <Index number of entry to delete>
add <Index number of entry to add>
Network Configuration menu
Using the Network Configuration menu (/cfg/net), you can configure ports, gateways, ... and Proxy ARP (PARP). Table 48 identifies and describes the Network Configuration menu...
...ARP (PARP) list or enable PARP support in the SMC. For menu items, see “Proxy ARP menu”.
Note: Use this command only for testing the SMC in a lab environment, not in production.
Port menu
Using the Port menu (/cfg/net/port <port_name>), you can configure the port characteristics for a specified port. Table 49 identifies and describes the Port menu commands.
Table 49 Port menu (/cfg/net/port)
autoneg on | off
speed <port speed>
mode full | half
Interface menu
Using the Interface menu (/cfg/net/if), you can configure IP address interfaces...
...HA. VRRP ensures that if the active SMC host fails, the redundant SMC host takes over. In an HA configuration, configure each participating IP address interface separately for VRRP. For menu items, see “VRRP Interface menu”.
Table 50 Interface menu (/cfg/net/if)
mgmt
VRRP Interface menu
Using the VRRP Interface menu (/cfg/net/if <interface number>/vrrp), you can configure redundant interfaces when two SMCs are present in a cluster. VRRP ensures that if the active host fails, the backup host takes over. The SMC interfaces (ip1 and ip2) form a virtual router.
...IP address and mask.
Adds a new static route at a specific position (index number) in the list.
Moves a static route from one position in the list to another.
...parameter values. Both SMC hosts in the cluster must have the same configuration. Table 53 identifies and describes the VRRP Settings menu commands.
Table 53 VRRP Settings menu (/cfg/net/vrrp)
ha y | n: Enables or disables HA. Two hosts must be installed and configured before you can enable HA.
IMPORTANT! Use Proxy ARP only for testing the SMC in lab environments when IP address allocation is an issue. Do not use Proxy ARP in production; instead, place each interface on its own subnet.
Table 54 identifies and describes the Proxy ARP menu commands.
Table 54 Proxy ARP menu (/cfg/net/parp)
enable y | n: Enables or disables Proxy ARP for the cluster. Proxy ARP is disabled by default.
iface: Specifies the interface on which the SMC proxies ARP for a subnet that is configured on a different interface.
You can consolidate frequently used services into a single service specification and then use it repeatedly in firewall rules. For menu items, see “Service menu” on page 100.
Table 55 Multimedia Security menu (/cfg/smc)
flow: Displays the Flow Control menu, which you can use to specify the flow parameters for SMC firewall rules. For menu items, see “Flow Control menu”.
addzone: Initiates the Addzone Wizard, which guides you through the steps to add a new security zone to the system.
Rules are evaluated in rule-number order and the first match decides. For example, if a packet matches two rules, and the rule with the lower number allows the packet while the rule with the higher number denies it, the packet is allowed. Give specific deny rules lower numbers than the broad allow rules they are meant to override.
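The following is an added example, not code from the SMC or this manual. It evaluates a numbered rule set the way the paragraph above describes (lowest matching rule number wins), with the rule fields this page uses for inbound and outbound access rules: source network, destination network, a service that is a protocol plus port ranges (or an asterisk for all traffic), and an allow/deny action. The default of denying a packet that matches no rule, the sample rules and the UNIStim port are this example's own assumptions.

```python
"""Added example (not SMC code): first-match evaluation of numbered firewall
rules.  'No matching rule -> deny' and the sample rules are assumptions."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple


@dataclass(frozen=True)
class Service:
    """Protocol plus inclusive port ranges; proto '*' matches all traffic."""
    proto: str                                # "tcp", "udp", "icmp" or "*"
    ports: Tuple[Tuple[int, int], ...] = ()   # empty tuple = any port

    def matches(self, proto: str, dport: Optional[int]) -> bool:
        if self.proto == "*":
            return True
        if self.proto != proto:
            return False
        if not self.ports:
            return True
        return dport is not None and any(lo <= dport <= hi for lo, hi in self.ports)


@dataclass(frozen=True)
class Rule:
    number: int
    src: str          # CIDR network; "0.0.0.0/0" = any
    dst: str
    service: Service
    action: str       # "allow" or "deny"


def first_match(rules: Sequence[Rule], src_ip: str, dst_ip: str,
                proto: str, dport: Optional[int]) -> Optional[Rule]:
    """Return the lowest-numbered rule matching the packet, or None."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in sorted(rules, key=lambda r: r.number):
        if (s in ipaddress.ip_network(r.src, strict=False)
                and d in ipaddress.ip_network(r.dst, strict=False)
                and r.service.matches(proto, dport)):
            return r
    return None


def decide(rules: Sequence[Rule], src_ip: str, dst_ip: str,
           proto: str, dport: Optional[int]) -> str:
    """Allow/deny decision; no matching rule is treated as deny (assumption)."""
    r = first_match(rules, src_ip, dst_ip, proto, dport)
    return r.action if r else "deny"


# Constructed rule set: a host-specific deny at the lowest number, a broad
# allow for UNIStim signalling (assumed UDP 5000), and a catch-all deny for
# the same source network at the highest number.
UNISTIM = Service("udp", ((5000, 5000),))
RULES: List[Rule] = [
    Rule(10, "10.1.0.0/16", "192.0.2.10/32", UNISTIM, "allow"),
    Rule(5, "10.1.9.9/32", "0.0.0.0/0", Service("*"), "deny"),
    Rule(20, "10.1.0.0/16", "0.0.0.0/0", Service("*"), "deny"),
]

if __name__ == "__main__":
    print(decide(RULES, "10.1.2.3", "192.0.2.10", "udp", 5000))  # rule 10 wins over 20
    print(decide(RULES, "10.1.9.9", "192.0.2.10", "udp", 5000))  # rule 5 wins over 10
```

Because ordering is by number rather than by position in the list, renumbering a rule can silently change which rule wins; re-check with a few representative packets after every renumbering.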
Table 56 identifies and describes the Security Zone menu commands.
Table 56 Security Zone menu (/cfg/smc/)
irule [rule_number]: Displays the Inbound Access menu for the specified rule. For menu items, see “Inbound Access menu”.
orule [rule_number]: Displays the Outbound Access menu for the specified rule. For menu items, see “Outbound Access”...
Displays the Flow Control menu, which you can use to specify flow control for the specified rule. The flow control applies only to this individual rule and the traffic that maps to it. For menu items, see “Flow Control menu”.
...CLI or BBI. The SMC firewall logs follow WebTrends Extended Log Format (WELF). The log file is /logs/firewall.log.
Note: Too many firewall logs can affect SMC performance. Nortel recommends that you adjust the firewall log configuration to prevent this degradation.
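The following is an added example, not code from the SMC or this manual. It parses firewall log records in WebTrends Extended Log Format (WELF), the format the text above names: each record is a sequence of space-separated key=value pairs, with values that contain spaces enclosed in double quotes. The sample lines are constructed for this example, and the field names used in them (src, dst, sport, dport, proto, rule, msg) are an assumption to check against a real /logs/firewall.log.

```python
"""Added example (not SMC code): WELF firewall-log parser plus a per-source
denial count.  The sample records and their field names are constructed."""
import shlex
from collections import Counter
from typing import Dict, Iterable, List, Tuple

# Constructed sample records (not captured from an SMC).
SAMPLE_LOG = """\
id=firewall time="2006-05-10 14:03:11" fw=smc1 pri=6 proto=udp src=10.1.2.3 dst=192.0.2.10 sport=5000 dport=5000 rule=10 msg="accept"
id=firewall time="2006-05-10 14:03:12" fw=smc1 pri=4 proto=tcp src=10.1.9.9 dst=192.0.2.10 sport=40001 dport=22 rule=5 msg="deny"
id=firewall time="2006-05-10 14:03:12" fw=smc1 pri=4 proto=tcp src=10.1.9.9 dst=192.0.2.10 sport=40002 dport=23 rule=5 msg="deny"
id=firewall time="2006-05-10 14:03:13" fw=smc1 pri=4 proto=tcp src=10.1.7.7 dst=192.0.2.10 sport=40003 dport=80 rule=20 msg="deny"
"""


def parse_welf(line: str) -> Dict[str, str]:
    """Split one WELF record into a dict; quoted values keep their spaces."""
    record: Dict[str, str] = {}
    for token in shlex.split(line):          # shlex honours the double quotes
        if "=" not in token:
            raise ValueError(f"malformed WELF token: {token!r}")
        key, value = token.split("=", 1)     # split on the first '=' only
        record[key] = value
    return record


def parse_log(text: str) -> List[Dict[str, str]]:
    """Parse every non-blank line of a log file body."""
    return [parse_welf(line) for line in text.splitlines() if line.strip()]


def denied_by_source(records: Iterable[Dict[str, str]]) -> List[Tuple[str, int]]:
    """Count denied records per source IP, most frequent first."""
    counts = Counter(r["src"] for r in records if r.get("msg") == "deny")
    return counts.most_common()


if __name__ == "__main__":
    for src, n in denied_by_source(parse_log(SAMPLE_LOG)):
        print(f"{src}: {n} denied")
```

A parser like this is the first step toward the alerting that the page's own thresholds cannot provide: the threshold only suppresses repeats, it does not tell you which source is generating them.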
Specifies the destination network for the traffic.
service: Details the protocol (TCP, UDP, ICMP) and ports for the traffic that matches this rule. If the service value is an asterisk (*), all traffic matches this rule.
Enables rule logging. The log file is /logs/firewall.log.
Note: Too many firewall logs can affect SMC performance. Nortel recommends that you adjust the firewall log configuration to prevent this degradation. For more information, see Secure Multimedia Controller: Planning and engineering (NN42320-200).
.../logs/firewall.log. For menu items, see “Message Logging menu”.
Note: Too many firewall logs can affect SMC performance; see Secure Multimedia Controller: Planning and engineering (NN42320-200).
...across all zones on the SMC is 700 000. Traffic flowing between zones is counted as a concurrent connection within the intranet zone, so Nortel recommends that the intranet zone have the highest maxconn value. The default value is 100 000.
Firewall logs can become quite large in high-traffic environments, slowing down the SMC and filling up disk space. Nortel recommends that you modify the firewall logging configuration appropriately if the log files are filling up too quickly.
Enables verbose generation of log messages. By default, this parameter is disabled.
Note: Too many firewall logs can affect SMC performance; see Secure Multimedia Controller: Planning and engineering (NN42320-200).
...IP packets.
ipopt: Enables or disables logging of messages generated when attacks based on IP options occur.
access: Enables or disables logging of messages generated when a policy is accessed.
Thresholds menu
Using the Thresholds menu (/cfg/smc/settings/log/threshold), you can set a message threshold to limit the number of repetitive messages sent to the remote firewall log server (/cfg/sys/log/firewall). Messages are repetitive if more than one message has the same message ID, protocol, source IP address, destination IP address, source port, and destination port.
Specifies the total number of messages allowed over the time period set with the period command. Note: Messages are counted; packets and bytes are not.
period: Specifies the time period over which messages are counted.
ALG menu
Using the ALG menu (/cfg/smc/settings/alg), you can enable or disable application layer gateway support for a variety of protocols. Without ALG support, some of these protocols cannot traverse the SMC. Table 65 identifies and describes the ALG menu commands.
Table 65 ALG menu...
Custom Timeout menu
name: Specifies a custom timeout name.
proto: Specifies the allowed protocol.
port: Specifies the service port number.
timeout: Specifies the service timeout in seconds.
delete: Removes the custom timeout.
Port Bypass menu
Using the Port Bypass menu (/cfg/smc/settings/portbypass), you can identify a specific set of TCP ports for which the SMC bypasses stateful processing. You can add, modify, and delete the IP addresses for the TCP ports you want to bypass. Traffic on bypassed ports is not tracked by the stateful firewall, so keep the list to the ports and addresses that actually need it.
You can configure up to a maximum of eight multicast groups along with their source and destination networks. Table 70 identifies and describes the Multicast Bypass menu commands.
Table 70 Multicast Bypass menu
enable: Enables the Multicast Bypass feature.
disable: Disables the Multicast Bypass feature.
mcastlist: Displays the Multicast List menu, which you can use to add, modify, or delete the multicast groups that bypass the SMC. For menu commands, see “Multicast List menu”.
Multicast List menu
Using the Multicast List menu (/cfg/smc/settings/multicast/mcastlist), you can add, modify, and delete multicast groups and their source and destination...
For menu items, see “Keys menu”.
Displays the Advanced menu, which you can use to apply advanced UNIStim features. See “Advanced menu”.
Enables secure UNIStim.
Disables secure UNIStim.
Client menu
Using the Client menu (/cfg/smc/unistim/client), you can segment clients by subnet and apply different policies to different client groups. Table 73 identifies and describes the Client menu commands.
Table 73 Client menu
policy: Displays the Policy menu. For menu items, see “Policy menu”.
rule: Displays the Rules menu.
...UNIStim server using a non-secure session, this parameter determines whether the SMC can upgrade the session to secure UNIStim. In some cases a non-secure connection is acceptable; however, Nortel strongly recommends that you set the policy to upgrade to a secure session.
Specifies the server type used for matching IP phone firmware. Currently, the choices are cs1k and mcs. For SMC 1.0, Nortel recommends that you use the default of cs1k because mcs does not officially support Secure UNIStim phone images.
You can define how often the master and session keys are renewed during communication. Because UNIStim sessions can last days or weeks, Nortel recommends that the session keys change every day for each connection and that the master keys be updated every few days.
Table 77 identifies and describes the Rules menu commands.
Table 77 Rules menu
network: Specifies the network to which this rule applies.
policy: Specifies the policy for these clients.
Removes the client rule.
Keys menu
Using the Keys menu (/cfg/smc/unistim/keys), you can configure key handling and manipulation.
...UNIStim phone if the primary keys on the SMC change. The current fingerprint on the IP phones must match the secondary key for the auto command to work; otherwise, you must manually enter the fingerprint on each IP phone.
Apply the new key before you save it to disk and activate it.
Displays the public key associated with the stored private key.
priv: Displays the private key so you can save it to disk. Nortel highly recommends that you encrypt the private key.
Displays the public key fingerprint.
Table 81 identifies and describes the RSA Throttling menu commands.
Table 81 RSA Throttling menu
ena | dis: Enables or disables throttling. RSA throttling is enabled by default.
sessions: Specifies the maximum number of new sessions from a single client that can be created in a given period of time.
interval: Sets the period over which new session creation is measured.
SMC Network menu
Using the SMC Network menu (/cfg/smc/network), you can display the different networks used in configuring the SMC.
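The following is an added example, not code from the SMC or this manual. One fixed-window counter models the two per-key limits described on this page: the Thresholds menu (at most a given count of repeated firewall log messages per period, where messages are repeats when they share message ID, protocol, source and destination IP, and source and destination port, and only messages are counted, never packets or bytes) and RSA throttling (at most a given number of new sessions from a single client per interval, which bounds the expensive RSA work an attacker can force with bogus session setups). The fixed-window semantics, the event field names and the constructed events are this example's assumptions; the SMC's internal algorithm is not documented here.

```python
"""Added example (not SMC code): a fixed-window limiter serving both the
log-message threshold and RSA session throttling.  Window semantics and the
constructed events are assumptions."""
from typing import Dict, Hashable, List, Tuple

# Fields that make two log messages "repetitive" according to the page.
EVENT_KEY = ("msgid", "proto", "src", "dst", "sport", "dport")


class FixedWindowLimiter:
    """Allow at most `limit` events per key within each window of `period` seconds."""

    def __init__(self, limit: int, period: float) -> None:
        self.limit, self.period = limit, period
        self._windows: Dict[Hashable, Tuple[float, int]] = {}  # key -> (start, count)

    def allow(self, key: Hashable, now: float) -> bool:
        start, count = self._windows.get(key, (now, 0))
        if now - start >= self.period:      # window expired: open a fresh one
            start, count = now, 0
        count += 1                          # events are counted, not bytes
        self._windows[key] = (start, count)
        return count <= self.limit


def forward_log_messages(events: List[dict], count: int, period: float) -> List[dict]:
    """Return the messages that pass the repetitive-message threshold."""
    limiter = FixedWindowLimiter(count, period)
    return [e for e in events
            if limiter.allow(tuple(e[k] for k in EVENT_KEY), e["t"])]


def rsa_session_decisions(attempts: List[Tuple[float, str]], sessions: int,
                          interval: float) -> List[bool]:
    """For each (time, client_ip) new-session attempt, True if it is accepted."""
    limiter = FixedWindowLimiter(sessions, interval)
    return [limiter.allow(ip, t) for t, ip in attempts]


# Constructed events: five identical drop messages one second apart, plus one
# that differs only in destination port and therefore has its own counter.
_base = dict(msgid="DROP", proto="udp", src="10.1.9.9", dst="192.0.2.10",
             sport=40001, dport=5000)
LOG_EVENTS = [dict(_base, t=float(i)) for i in range(5)] + [dict(_base, dport=5100, t=3.0)]

if __name__ == "__main__":
    print(len(forward_log_messages(LOG_EVENTS, count=3, period=60)), "messages forwarded")
    print(rsa_session_decisions([(0, "10.1.1.5"), (1, "10.1.1.5"), (2, "10.1.1.5"),
                                 (3, "10.1.1.5"), (12, "10.1.1.5")], sessions=3, interval=10))
```

Because the threshold key includes the source port, a scanner that varies its source port for every probe is never "repetitive" and is not suppressed at all; size the period and count with that in mind, and lean on rule-level logging choices rather than the threshold to keep the log volume manageable.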
           Displays a listing of subnets that comprise this network. An IP address of 0.0.0.0 defaults to all subnets. Subnets are defined by a network address and a mask.
comment    Specifies a comment for the network.
Service menu
Using the Service menu (/cfg/smc/service), you can display the different services used in configuring the SMC firewall rules. Services map to a protocol and a series of port ranges. You can consolidate frequently used services into a single service specification, and then use it repeatedly in firewall rules.
After you reset the SMC to factory defaults, you can access the device only through a console terminal attached directly to the local serial port. You can then log on using the administration account (admin) and the default password (admin) to access the initial Setup utility.
Software Management menu
Using the Software Management menu (/boot/software), you can load, activate, or remove SMC software upgrade packages. Table 85 identifies and describes the Software Management menu commands.

Table 85 Software Management menu
Command                                          Description
activate <software version>
download <host name or IP address> <file name>   Downloads an SMC software patch (.RPM files) from an FTP server. When prompted, enter the host name or IP address of the FTP server, and then enter the file name of the software patch.
                                                 Removes an installed software upgrade package.
Use the Maintenance menu (/maint) to administer technical support dumps, back up and restore system configuration, and check the applied configuration. Generate diagnostics logs or statistics only at the request of Nortel technical support. Table 87 identifies and describes the Maintenance menu commands.
Tech Support Dump menu
Using the Tech Support Dump menu (/maint/tsdump), you can create tech support dumps that you can copy to a disk or upload to an FTP server. Table 88 identifies and describes the Tech Support Dump menu commands. Table 88 Tech Support Dump menu Command...
“UNIStim Bandwidth Rate menu”
Command    Description
maxconn    Specifies the number of connections allowed per specified interval. If maxconn is set to 0, there is no limit.
interval   Specifies the interval in seconds.
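The RSA Throttling menu (sessions per interval from a single client) and the UNIStim rate menus (maxconn per interval, with 0 meaning no limit) describe the same control: a per-client sliding-window limit on how many new sessions or connections are admitted in an interval. The following is an added example of that logic in Python, not code from the SMC or from Nortel; the client addresses, timestamps and limit values are constructed, and the limiter's counting of admitted attempts only is an assumption about how the SMC behaves.

```python
from collections import defaultdict, deque


class PerClientRateLimiter:
    """Sliding-window limiter: at most `limit` admitted sessions per
    `interval` seconds from each client address.

    limit == 0 means "no limit" (the maxconn=0 convention on the page);
    enabled=False corresponds to the `dis` command, so everything passes.
    """

    def __init__(self, limit: int, interval: float, enabled: bool = True):
        if limit < 0 or interval <= 0:
            raise ValueError("limit must be >= 0 and interval > 0")
        self.limit = limit
        self.interval = interval
        self.enabled = enabled
        # per-client timestamps of the attempts that were admitted (assumption:
        # only admitted sessions count toward the limit, not rejected ones)
        self._admitted = defaultdict(deque)

    def allow(self, client: str, now: float) -> bool:
        """Decide one new-session attempt from `client` at time `now`."""
        if not self.enabled or self.limit == 0:
            return True
        window = self._admitted[client]
        # drop admitted attempts that have aged out of the window
        while window and now - window[0] >= self.interval:
            window.popleft()
        if len(window) >= self.limit:
            return False  # throttled
        window.append(now)
        return True


# Constructed sample: (timestamp in seconds, client address) of session attempts.
SAMPLE_EVENTS = [
    (0.0, "192.0.2.10"), (1.0, "192.0.2.10"), (2.0, "192.0.2.10"),
    (3.0, "192.0.2.10"), (4.0, "192.0.2.20"), (5.0, "192.0.2.10"),
    (10.5, "192.0.2.10"), (12.0, "192.0.2.10"),
]


def simulate(events, limit, interval, enabled=True):
    """Run the events through one limiter; returns [(t, client, allowed), ...]."""
    lim = PerClientRateLimiter(limit, interval, enabled)
    return [(t, c, lim.allow(c, t)) for t, c in events]


def throttled_clients(events, limit, interval):
    """Clients that hit the limit at least once: what an operator would alert on."""
    return sorted({c for _, c, ok in simulate(events, limit, interval) if not ok})


if __name__ == "__main__":
    for t, c, ok in simulate(SAMPLE_EVENTS, 3, 10):
        print(f"t={t:5.1f} {c:12} {'allowed' if ok else 'THROTTLED'}")
    print("throttled clients:", throttled_clients(SAMPLE_EVENTS, 3, 10))
```

With a limit of 3 sessions per 10 seconds, the first client's fourth and sixth attempts are throttled, and its attempts at 10.5 s and 12 s are admitted again once the earliest entries have aged out of the window; the second client is unaffected because the window is kept per client.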
UNIStim Packet Rate menu
Using the UNIStim Packet Rate menu, you can specify the number of packets allowed over a specified interval. Table 89 identifies and describes the UNIStim Packet Rate menu commands. Table 91 UNIStim Packet Rate menu Command number interval UNIStim Bandwidth Rate menu...
Certain Web servers place no limit on the MIME headers that a client can include in an HTTP request. Because of this, an intruder can consume a large amount of server memory by sending very large or very many headers.
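The mitigation for the header problem is to bound the request head while it is being read, rather than buffering it and checking afterwards. The following is an added example in Python, not code from the SMC or from Nortel: a request-head parser that enforces a maximum header count, a maximum single-line size and a maximum total size line by line. The limit values and the sample requests are constructed for the example.

```python
class HeaderLimitExceeded(Exception):
    """Raised as soon as a request head crosses one of the configured limits."""


# Assumed limits for this example; they are not values from the SMC documentation.
MAX_HEADER_COUNT = 100
MAX_HEADER_BYTES = 8192   # whole header block, request line included
MAX_LINE_BYTES = 4096     # any single line


def parse_request_head(raw: bytes, max_headers=MAX_HEADER_COUNT,
                       max_total=MAX_HEADER_BYTES, max_line=MAX_LINE_BYTES):
    """Parse the request line and headers from `raw`, enforcing the limits as
    each line is consumed so that no more than max_total bytes are ever
    accepted.  Returns (method, target, version, headers) with header names
    lower-cased; raises HeaderLimitExceeded or ValueError on rejection."""
    consumed = 0
    pos = 0
    request_line = None
    headers = {}
    n_headers = 0
    while True:
        nl = raw.find(b"\r\n", pos)
        if nl < 0:
            raise ValueError("incomplete request head")
        line = raw[pos:nl]
        pos = nl + 2
        consumed += len(line) + 2
        if len(line) > max_line:
            raise HeaderLimitExceeded(f"line of {len(line)} bytes exceeds {max_line}")
        if consumed > max_total:
            raise HeaderLimitExceeded(f"header block exceeds {max_total} bytes")
        if request_line is None:
            parts = line.decode("ascii").split(" ")
            if len(parts) != 3:
                raise ValueError("bad request line")
            request_line = tuple(parts)
            continue
        if line == b"":
            break  # empty line terminates the header block
        name, sep, value = line.partition(b":")
        if not sep or not name.strip():
            raise ValueError("bad header line")
        n_headers += 1
        if n_headers > max_headers:
            raise HeaderLimitExceeded(f"more than {max_headers} headers")
        headers[name.strip().decode("ascii").lower()] = value.strip().decode("latin-1")
    method, target, version = request_line
    return method, target, version, headers


def classify(raw: bytes) -> str:
    """Front-end decision for one request head: 'accept' or 'reject: <reason>'."""
    try:
        parse_request_head(raw)
        return "accept"
    except (HeaderLimitExceeded, ValueError) as exc:
        return f"reject: {exc}"


# Constructed sample requests (not captured traffic).
NORMAL_REQUEST = (b"GET /index.html HTTP/1.1\r\nHost: pbx.example.test\r\n"
                  b"User-Agent: example-client/1.0\r\n\r\n")
MANY_HEADERS = (b"GET / HTTP/1.1\r\nHost: pbx.example.test\r\n"
                + b"".join(b"X-Pad-%d: x\r\n" % i for i in range(150)) + b"\r\n")
ONE_HUGE_HEADER = (b"GET / HTTP/1.1\r\nHost: pbx.example.test\r\nX-Big: "
                   + b"a" * 10000 + b"\r\n\r\n")

if __name__ == "__main__":
    for label, req in [("normal", NORMAL_REQUEST), ("many headers", MANY_HEADERS),
                       ("huge header", ONE_HUGE_HEADER)]:
        print(f"{label:13} -> {classify(req)}")
```

Because the total-size and line-size checks run before a line is interpreted, a request that never sends the terminating empty line cannot make the parser hold more than the configured number of bytes; the count check rejects the 101st header even though the block is still small.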
FTP bounce When an attacker sends a Port command with an IP address and port number of another system, the server sends the data to that system. When you enable this check, the SMC checks if the data connection is to the same system as that of the control connection.
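The bounce check described above compares the address in the client's PORT command with the address of the client on the control connection. The following is an added example in Python of that comparison, not code from the SMC or from Nortel: it parses the RFC 959 PORT syntax (four address octets, then the port as a high and a low byte) and blocks a command whose data address differs from the control peer. The control-channel transcript and addresses are constructed.

```python
import ipaddress
import re

# "PORT h1,h2,h3,h4,p1,p2": four address octets, then port high byte and low byte.
_PORT_RE = re.compile(r"^PORT\s+(\d{1,3}(?:,\d{1,3}){5})\s*$", re.IGNORECASE)


def parse_port_command(line: str):
    """Return (IPv4Address, port) for a well-formed PORT command, else None."""
    m = _PORT_RE.match(line.strip())
    if not m:
        return None
    fields = [int(x) for x in m.group(1).split(",")]
    if any(f > 255 for f in fields):
        return None
    port = (fields[4] << 8) | fields[5]
    if port == 0:
        return None
    return ipaddress.IPv4Address(".".join(str(f) for f in fields[:4])), port


def check_ftp_bounce(control_peer: str, line: str):
    """Apply the bounce check to one client command on a control connection
    whose remote address is control_peer.  Returns (verdict, detail) where
    verdict is 'ignore' (not a PORT command), 'allow' or 'block'."""
    words = line.strip().split(None, 1)
    if not words or words[0].upper() != "PORT":
        return "ignore", "not a PORT command"
    parsed = parse_port_command(line)
    if parsed is None:
        return "block", "malformed PORT command"
    addr, port = parsed
    if addr != ipaddress.IPv4Address(control_peer):
        return "block", f"data connection to {addr}:{port} but control peer is {control_peer}"
    return "allow", f"data connection to {addr}:{port} matches control peer"


def audit_session(control_peer, commands):
    """Return the commands the check would block, each with its reason."""
    blocked = []
    for cmd in commands:
        verdict, detail = check_ftp_bounce(control_peer, cmd)
        if verdict == "block":
            blocked.append((cmd, detail))
    return blocked


# Constructed control-channel transcript from one client (not a real capture).
CONTROL_PEER = "192.0.2.10"
SAMPLE_COMMANDS = [
    "USER anonymous",
    "PORT 192,0,2,10,4,1",      # 192.0.2.10:1025, the same host as the control peer
    "PORT 198,51,100,7,4,1",    # a different host than the control peer
    "PORT 192,0,2,300,4,1",     # octet out of range
    "RETR file.txt",
]

if __name__ == "__main__":
    for cmd in SAMPLE_COMMANDS:
        print(f"{cmd:24} -> {check_ftp_bounce(CONTROL_PEER, cmd)}")
```

A malformed PORT command is blocked rather than ignored, since a firewall that let it through would be relying on the server to reject it; commands other than PORT are outside this check and are returned as 'ignore' so that other rules can handle them.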
Certain popular TCP/IP implementations cannot properly handle all datagram reassembly cases. If an attacker sends datagram fragments in a certain sequence to such hosts, the hosts behave unpredictably.
Output rules. Each zone input/output has a maximum of 1024 rules.
700,000 total connections, which you can distribute among the six primary zones: management, intranet, and the four multimedia security zones.