Users must take full responsibility for their applications of any products specified in this document. The information in this document is proprietary to Nortel Networks. Nortel, Nortel (Logo), the Globemark, SL-1, Meridian 1, and Succession are trademarks of Nortel Networks.
Revision history

May 2006, Standard 1.00. This document is a new NTP. It was created to support the Secure Multimedia Controller 2450.
List of procedures

Procedure 10 Starting the Web UI: page 91
Procedure 11 Creating a configuration: page 94
Procedure 12 Viewing pending changes
Viewing the security keys: page 137
Procedure 37 Verifying the IP phone connection: page 137
Procedure 38 Configuring the IP Phone 2001, IP Phone 2002, or IP Phone 2004 for security: page 141
Procedure 39 Configuring the IP Phone 1140e and IP Phone 1120e for security
Enabling SSH using the CLI: page 187
Procedure 52 Configuring the SMC for RADIUS support: page 194
About this document

This document is a global document. Contact your system supplier or your Nortel representative to verify that the hardware and software described are supported in your area.

Subject

This document describes Secure Multimedia Controller (SMC) 2450 system architecture, software and hardware requirements, components, and network connections.
• Communication Server 1000E: Upgrade Procedures (553-3041-258)

Intended audience

This document is intended for individuals responsible for installation, configuration, administration, and maintenance of the SMC 2450.

Conventions

Terminology

In this document, the following systems are referred to generically as “system”:
• Secure Multimedia Controller: Command reference (NN10300-091)

Online

To access Nortel documentation online, click the Technical Documentation link under Support & Training on the Nortel home page: www.nortel.com

CD-ROM

To obtain Nortel documentation on CD-ROM, contact your Nortel customer representative.
How to get help

This chapter explains how to get help for Nortel products and services.

Getting help from the Nortel web site

The best way to get technical support for Nortel products is from the Nortel Technical Support web site: www.nortel.com/support. This site provides quick access to software, documentation, bulletins, and tools to address issues with Nortel products.
To access some Nortel Technical Solutions Centers, you can use an Express Routing Code (ERC) to quickly route your call to a specialist in your Nortel product or service. To locate the ERC for your product or service, go to: www.nortel.com/erc...
Introduction

Multimedia infrastructure components are currently deployed in enterprise networks with desktop access to data and Voice over IP (VoIP)/Multimedia Virtual LANs (VLAN). Desktop accessibility increases the vulnerability of
To provide adequate service availability, VoIP and other multimedia systems must be protected from internal threats. The SMC 2450 is a security system that consists of a PC-based hardware platform with SMC software. As shown in Figure 3 on page 34, the SMC establishes a Secure Multimedia Zone (SMZ) between the enterprise Local Area Network (LAN)/Wide Area Network (WAN) and the call servers.
All traffic into and out of the zones flows through the multimedia controller. The SMC has six ports and supports up to four secure multimedia zones. The two remaining ports are used for management and intranet/untrusted traffic.
• SLAN subnet: The Server LAN (SLAN), which serves the CS 1000, is the location of Call Pilot, Symposium, and Optivity Telephony Manager.
• MCS LAN subnet: The Multimedia Communication Server LAN (MCS LAN) subnet is the location of the MCS suite of servers.

Note: You can substitute the optional networks with user-defined networks.
Management subnet

The management subnet is required on all SMC installations. It is a separate protected network that handles management, cluster, and synchronization traffic. Management subnet configuration requires the following items:
• dedicated ethernet port on the SMC
Automatic rule generation

The SMC can automatically generate rules to protect traffic flowing into the SMZs from the intranet. Rule sets are supported for the following subnets:
See the release notes for recommendations on how to allocate the subnets to specific Nortel products. For release notes, click the Technical Documentation link under Support & Training on the Nortel home page: www.nortel.com

External routing updates

The SMC, a Layer-3 device, must be installed within the path of all traffic between the intranet and the SMZs for both the CS 1000 and MCS configurations.
In VLAN networks, multiple devices are connected across routes but are part of the same subnet. Update these networks to identify the switch as the primary interface through the SMC.
In a standard CS 1000 installation, the SMC is in the path of traffic between the intranet and the protected subnets so that all traffic flows through the SMC.

IP connectivity

LAN ports

The SMC supports six 10/100/1000 Base-TX (copper) ports. Each port must be on a separate subnet, and the management and intranet networks must always be present.
Each of the SMZ networks requires a unique port on the SMC device and an IP address. Figure 3 on page 34 illustrates a typical CS 1000 topology.
Figure 3 Stand-alone configuration

The management network needs two IP addresses in the stand-alone configuration. The first address is the host IP address, which is the IP address for the SMC. The second IP address is the cluster Management IP (MIP) address.
IP addressing so that the existing SMC interface IP addresses are used as the Virtual IP addresses when the HA configuration is implemented. Figure 4 on page 36 illustrates a High Availability configuration.
Figure 4 High Availability configuration

VRRP IP addressing

A high availability cluster consists of two SMC devices: one SMC acts as the active device and the other acts as the backup device. In this scenario, only one SMC processes traffic.
In all routing tables on external devices, use the floating IP address to route packets. The floating IP address is always available even when one SMC in the cluster fails. VRRP requires three IP addresses for each...
State synchronization

To allow for faster connection re-establishment during a failover, the Secure UNIStim proxy master key is synchronized across both SMCs in the HA configuration. Master keys are also persistently stored on disk.

Traffic protection

The SMZ provides stateful filtering and Denial of Service (DoS) attack protection on all packets that flow through it.
UNIStim servers in a protected fashion, with encryption terminated at the SMC before the unencrypted traffic is passed to the back-end server. Nortel recommends that you install the SMC in close proximity to the server to minimize the exposure of insecure traffic.
Figure 6 Secure UNIStim proxy

UNIStim security enhances the basic UNIStim protocol by providing Advanced Encryption Standard (AES) 128-bit encryption for confidentiality and an AES-based Message Authentication Code for authentication and integrity.

Transparent proxy support

Because the SMC is a transparent proxy, the clients communicate directly to the UNIStim signaling servers.
Secure UNIStim handshake, the key fingerprint stored on the IP phone is compared against the public key to ensure a match. The table on page 42 identifies the three RSA key types. The key fingerprint is unique to the public key, and the match between the public key and the key fingerprint authenticates the SMC to the IP phone. Public key fingerprints are currently exported as both 16- and 32-character hexadecimal strings; however, only the 16-character string is currently employed to configure the IP phones.
Because session keys are used for every packet sent, Nortel recommends that you regenerate the session keys periodically.

Dynamic Host Configuration Protocol

The IP phones can use a static IP address or use full or partial Dynamic Host Configuration Protocol (DHCP) to acquire their own IP address and the IP address of the Terminal Proxy Server (TPS) in CS 1000 setups.
Web UI is the preferred administration tool.

Web User Interface (UI)

SMC 2450 supports Web UI, a web-based graphical user interface (GUI) that offers an alternative to the command line interface (CLI).
Traditional command line interface (CLI)

SMC 2450 supports traditional CLIs. See “The Command Line Interface (CLI)” on page 183.

Other supported administrative tools and features

SMC 2450 supports the following administrative tools and features:
Port bypass

H.225 sessions can take many minutes to re-establish when an SMC failover occurs. Due to the stateful firewall and the long timeout of the clients, Nortel recommends that you create a port bypass for H.225 traffic. The Port Bypass feature allows all traffic destined to, or originating from, a particular port to flow through the SMC but bypass the stateful firewall.
In an intranet phone to intranet phone call, the media does not cross the SMC. The phone attempts to re-establish signaling communication with the signaling server. During this time, the call is dropped. The phone creates a new secure signaling channel.
The existing media channel between the IP phones continues. The IP phone reboots and re-registers with the signaling server.

Intranet phone to TDM phone or phone in the SMZ

During a call from an intranet phone to a TDM phone or a phone in the SMZ, media traverses the SMC.
The SMC is a Layer-3 device. The failure of a single SMC that is not part of a high availability configuration drops all packets directed to it, thereby effectively blocking connectivity. Nortel recommends that you install a high-availability cluster in all critical SMC installations.
Campus redundancy

The Nortel Communications Server (CS) 1000E system is a highly scalable and robust IP PBX that offers support of IP-based applications using industry-standard interfaces, while providing an industry-leading set of telephony features and applications.
Requirements and recommendations

No special configuration is required on the SMC to support campus redundancy; however, additional system-wide configuration changes are required to deploy the SMC system into the campus redundant environment:
• To avoid potential routing problems, IP addresses from the same subnet must be assigned to the SMCs connected to the two different TLAN switches.
SMC clusters must be defined appropriately. If the IP phones support two fingerprints, the two SMCs can have different private fingerprints; however, automatically generating two private
Note: Nortel recommends that both SMC clusters share the same private key, and hence fingerprint, in a geographically redundant configuration.

Engineering impact and limitations
Port recommendations

Nortel recommends that port 1 be used for the management subnet, port 2 for the intranet subnet, and ports 3 through 6 for the secure multimedia zones.

Product compliance

For a complete list of supported products, Nortel recommends that you refer to the release notes posted on the Nortel Web site.
This chapter contains the high-level information required to deploy a new system or a system upgrade.

Deploying a new system

Nortel recommends that you install a new SMC deployment through the following primary steps:
Install the SMC hardware. See “Hardware installation”.
Install and configure the SMC software.
Incorporate the SMC into the network with the firewall unhooked (disabled) and UNIStim security turned off. All traffic passes through the box unhindered so that you can verify network connectivity. See “Firewall deployment”.
• Console cable
• Bezel adapter kit with (2) brackets and (4) rubber feet
• Set of (4) mounting screws
• Secure Multimedia Controller: Implementation Guide (553-3001-225)

SMC physical features

The SMC front panel has buttons and indicators for normal operation. The front panel bezel is removable for access to the CD drive. The SMC rear panel has port and power supply access.
CPU, or device temperature problems
Hard disk LED: blinks during hard disk drive activity
Reset button: reboots the SMC
Power switch: turns SMC power on or off
System power LED: shows green when power is on
Remove the bezel from the faceplate.

Figure 10 Bezel removal

Figure 11 shows the front panel without the bezel.

Figure 11 Front panel view without bezel

End of Procedure
With the release flap open, engage the bezel onto the track and slide it to the left until it locks into place (Figure 12). Close the release flap.

Figure 12 Bezel attachment

End of Procedure
LAN ports

All ports are Gigabit 10/100/1000 LAN ports. Ports 1 and 2 are on-board ports. Ports 3 through 6 are NIC (Network Interface Controller) ports. Nortel recommends that port 1 be used for the management subnet, port 2 for the intranet subnet, and ports 3 through 6 for the secure multimedia zones.
When the LEDs are flashing, the port is sending or receiving network data. One or more of the above conditions is not met.
Table 6 explains the LED status indicators for ports 3 through 6.

Table 6 Ports 3 through 6 LED status indicators (columns: Port speed, Left LED, Right LED; rows: 10 Mb/s, 100 Mb/s, 1000 Mb/s, All speeds)
CAUTION — Service Interruption

This device is a Class A product. In a domestic environment, this device can cause radio interference, in which case the user may be required to take appropriate measures.
ambient temperature of the room. Take appropriate steps to ensure that the device does not overheat. For proper air circulation, the vents on the front and back of the device must not be blocked or obstructed by cables, panels, rack frames, or other materials.
Installing the SMC in a rack

Install the SMC in a rack using the four supplied rack mount screws. For rack installation, Nortel ships the SMC with the mounting brackets attached to the front of the unit.

Procedure 2 Installing the SMC in a rack

Follow these steps to install the unit in a rack:
Identify a rack location and hole spacing alignment.
Result: You can now connect the power supply. See “Connecting the power supply” on page 71.

Supplying power to the SMC

Supply power after installing the unit in a rack or on a flat surface. Use of both the rear and front power switches is required for full SMC operation.
For instructions on viewing and configuring system settings using either a console connection or a network connection (via Telnet or SSH), see “Installation and configuration” on page 77.

End of Procedure
Console configuration parameters

Baud rate: 9600
Data bits: 8
Parity: None
Stop bits: 1
Flow control: None

• A console cable, male to female, with DB-9 connectors and a straight cable, as shipped with the SMC 2450.
Using the supplied console cable, connect the terminal to the console port. Power on the terminal and the SMC.

Console port signals: Shell, Data carrier detect, Received data, Transmitted data, Data terminal ready
See “Hardware and power supply specifications”.

WARNING

If you change the default password, Nortel strongly recommends that you record the new password. Passwords are not recoverable; if a password is lost, you must reinstall the SMC.

End of Procedure
• Make sure you connected the console cable supplied with the SMC system.

If the system display does not function after checking these items, contact Nortel Technical Support at www.nortel.com/support.
The management network needs two IP addresses in the stand-alone configuration. The first address is the host IP address, which is the IP address for the SMC. The second IP address is the cluster Management IP (MIP) address. The host IP address and the cluster MIP address must reside in the same subnet. In a stand-alone configuration, the equipment residing on the SMZs uses the SMC interface IP addresses as their gateway address. For example, a CSE-1000 Signaling Server TLAN gateway address is the SMC TLAN IP address.

High Availability (HA) configuration
Intranet Virtual IP address.

Table 10 on page 80 provides the SMC network engineering worksheet for the second SMC in an HA configuration (columns: IP Address, Mask, High Availability VRRP Virtual Router Gateway Virtual IP; see note).
Table 10 SMC network engineering worksheet for second SMC in a HA configuration (columns: Port, Zone, Management, Management address, Intranet)

Table 11 provides a worksheet to identify other important IP addresses.

Table 11 Other important addresses and networks (columns: Item, IP Address; first item: SMC Admin PC/Subnet)
SMC port mappings: Port 1, Port 2, Port 3, Port 4

Port recommendations

Nortel recommends that port 1 be used for the management subnet, port 2 for the intranet subnet, and ports 3 through 6 for the secure multimedia zones.
Connect the console cable to the SMC. Connect the console cable from the serial port on the SMC to the serial port of a computer that runs terminal emulation software. Nortel recommends that you use VT100 for emulation and 9600-8-N-1 for the communication port speed on the terminal connection.
Enter no to indicate you do not want to enable Web administration.
11 Initialize the intranet subnet. Enter the port number for the intranet subnet. Enter the IP address for the intranet subnet.
12 Configure the cluster settings.

Note: Nortel recommends that you generate a new SSH key to maintain a high level of security when connecting to the SMC using an SSH client. For more information about SSH, see “Using Secure Shell (SSH)”.
18 Choose one of the following:
• Enter yes to indicate you have an MCS setup. Enter the port number for the intranet subnet. Enter the IP address for the intranet subnet.
• CS 1000 Result: The system initializes and rules generate for the ELAN subnet, TLAN subnet, and Server LAN subnet. The system logs you out and you must log on again to continue management on the SMC.
• MCS Result: The MCS filters are configured.
SMC. For example, if the SMC intranet interface address was 10.1.1.2, you would browse to http://10.1.1.2. On an HA system, browse to the VRRP address shared on the intranet interfaces.

End of Procedure
For a list of country codes, refer to the International Standards Organization (ISO) website for the ISO 3166 standard for two-letter country codes. For example:

    >> SSL configuration# certs/serv/gen Nortel US 1024

Enter Y to verify that you want to generate a self-signed certificate with the generated key.
By default, the access list is empty, meaning that all remote management access is initially blocked. Nortel recommends that you add trusted management clients to the access list when initially enabling any remote management feature. It is also vital that you review the access list regularly and keep it up to date.
Adding items to the access list

Procedure 9 Adding items to the access list

Start a console terminal. Press <Enter> on the console terminal to establish the connection. The SMC login prompt appears. Enter admin for the login name.
IP address as a name, provided that the IP address is assigned a name on the local domain name server
• cluster MIP address
• virtual IP address

The SMC login window appears.
Figure 15 SMC Web UI login page

To log on, enter the account name and password for the system administrator or operator account. For more login and password information, see “Users and passwords”.

Note: Expect a delay of a few seconds while the default page collects data from all of the cluster components.
• logging out

Figure 16 identifies the location of the global command buttons.

Figure 16 SMC Web UI components
Web UI task summary

In general, you would perform Web UI tasks in the following order:
Create a configuration. See Procedure 11.
View pending changes. See Procedure 12.
(Optional) Clear pending changes. See Procedure 13.

Submitting changes
Click Submit.

Saving and restoring the SMC configuration

Periodically, it is necessary to upgrade or reinstall the SMC software. Before doing so, Nortel recommends that you save the existing configuration using either the Web UI or the CLI.

Procedure 15 Saving the current configuration using the Web UI

Using a Web browser, enter the URL of the Web management interface.
Enter a password to be used to encrypt sensitive data in the configuration file. You will need this password to be able to restore the configuration later. Note: Nortel recommends that you record the password used to encrypt sections of the configuration file. Click Export.
Click Ok. The Web session is logged off and you are returned to the logon page.
10 Log on to the SMC again.

End of Procedure
Result: The restored/imported configuration is now active.

Procedure 19 Restoring the current configuration using the CLI

In the CLI, enter /cfg/gtcfg to start the restore (get) configuration wizard. Select the protocol when prompted. The default is TFTP. The protocol options are TFTP, FTP, SCP, or SFTP.
SMC prior to adding the second to the cluster. Preconfiguration allows the second SMC to immediately set the IP addresses after the two SMCs join and limits the number of error messages generated when the device starts up.
In an HA configuration, three IP addresses are used for each cluster interface. One IP address per interface is defined for each SMC device in the cluster, and the third is a floating Virtual IP used by the routers for directing traffic. You can specify these values and apply them prior to actually joining the second device to the cluster.
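The addressing rules above can be checked mechanically before the second SMC joins the cluster. The following Python validator is an added example (not Nortel code or tooling); the worksheet field names (port, zone, smc1, smc2, vip, mask) and the sample addresses are assumptions, and it goes slightly beyond the HA case by also enforcing the one-subnet-per-port, mandatory-subnet and four-SMZ rules from the Description chapter.

```python
"""Check an HA addressing worksheet against the SMC addressing rules.

Rules encoded (from this guide): every port sits on its own subnet; the
management and intranet subnets are mandatory and at most four SMZ subnets
exist on a six-port unit; in an HA cluster each interface carries three
addresses (one host address per SMC plus a floating Virtual IP), and all
three must be distinct and reside in that interface's subnet.
Field names and sample addresses below are assumptions for this example.
"""
import ipaddress

MANDATORY_ZONES = {"management", "intranet"}
MAX_PORTS = 6
MAX_SMZ = 4

# Constructed worksheet: one row per SMC interface.
GOOD_WORKSHEET = [
    {"port": 1, "zone": "management", "smc1": "10.0.1.11", "smc2": "10.0.1.12",
     "vip": "10.0.1.10", "mask": "255.255.255.0"},
    {"port": 2, "zone": "intranet", "smc1": "10.1.1.2", "smc2": "10.1.1.3",
     "vip": "10.1.1.1", "mask": "255.255.255.0"},
    {"port": 3, "zone": "TLAN", "smc1": "10.2.1.2", "smc2": "10.2.1.3",
     "vip": "10.2.1.1", "mask": "255.255.255.0"},
    {"port": 4, "zone": "ELAN", "smc1": "10.3.1.2", "smc2": "10.3.1.3",
     "vip": "10.3.1.1", "mask": "255.255.255.0"},
]

# Constructed worksheet with three typical mistakes: the second SMC's ELAN
# address is on the wrong subnet, port 5 reuses the TLAN subnet, and the
# management subnet was left out entirely.
BAD_WORKSHEET = [
    {"port": 2, "zone": "intranet", "smc1": "10.1.1.2", "smc2": "10.1.1.3",
     "vip": "10.1.1.1", "mask": "255.255.255.0"},
    {"port": 3, "zone": "TLAN", "smc1": "10.2.1.2", "smc2": "10.2.1.3",
     "vip": "10.2.1.1", "mask": "255.255.255.0"},
    {"port": 4, "zone": "ELAN", "smc1": "10.3.1.2", "smc2": "10.4.1.3",
     "vip": "10.3.1.1", "mask": "255.255.255.0"},
    {"port": 5, "zone": "SLAN", "smc1": "10.2.1.20", "smc2": "10.2.1.21",
     "vip": "10.2.1.19", "mask": "255.255.255.0"},
]


def interface_subnet(row):
    """Subnet of an interface, derived from the first SMC's host address."""
    return ipaddress.ip_network(f"{row['smc1']}/{row['mask']}", strict=False)


def check_interface(row):
    """Return the problems found on one interface row (empty list if clean)."""
    problems = []
    net = interface_subnet(row)
    addrs = {name: ipaddress.ip_address(row[name]) for name in ("smc1", "smc2", "vip")}
    for name, addr in addrs.items():
        if addr not in net:
            problems.append(f"port {row['port']}: {name} {addr} is outside {net}")
    if len(set(addrs.values())) != len(addrs):
        problems.append(f"port {row['port']}: SMC host addresses and VIP must be distinct")
    return problems


def validate_worksheet(rows):
    """Return all problems in the worksheet; an empty list means it is consistent."""
    problems = []
    zones = {row["zone"].lower() for row in rows}
    for zone in sorted(MANDATORY_ZONES - zones):
        problems.append(f"mandatory subnet missing: {zone}")
    if len(zones - MANDATORY_ZONES) > MAX_SMZ:
        problems.append(f"more than {MAX_SMZ} SMZ subnets defined")
    ports = [row["port"] for row in rows]
    if len(ports) != len(set(ports)):
        problems.append("a port number is used more than once")
    for port in ports:
        if not 1 <= port <= MAX_PORTS:
            problems.append(f"port {port} does not exist on a {MAX_PORTS}-port SMC")
    seen = {}  # subnet -> port that first claimed it
    for row in rows:
        net = interface_subnet(row)
        if net in seen:
            problems.append(f"port {row['port']} shares subnet {net} with port {seen[net]}")
        else:
            seen[net] = row["port"]
        problems.extend(check_interface(row))
    return problems


if __name__ == "__main__":
    for name, sheet in (("good", GOOD_WORKSHEET), ("bad", BAD_WORKSHEET)):
        found = validate_worksheet(sheet)
        print(f"{name}: {'OK' if not found else ''}")
        for problem in found:
            print("  -", problem)
```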
Turn on High Availability.
• CLI: /cfg/net/vrrp/ha y
• Web UI: Network > VRRP > High Availability
Apply the changes:
• CLI: Enter apply
• Web UI: Click Apply.

End of Procedure
Validate that the cluster is running VRRP.

Result: The SMC cluster is now in High Availability mode. All packets are now directed to the Virtual IP addresses. To continue the deployment process, continue to “Firewall deployment” on page 103.
1000 and MCS multimedia equipment resides. The SMC supports six subnets: two mandatory subnets (management and intranet) and up to four optional subnets used for the SMZs.
Figure 17 on page 104 illustrates the devices that require routing updates.

Figure 17 Routing updates

Unhooking the firewall

Prior to placing the SMC into full service, disable (or unhook) the firewall and allow all traffic to flow through the SMC. Nortel recommends that the
IP phones are communicating through a proxied server, current UNIStim sessions are disrupted. UNIStim communication re-establishes and all existing calls drop. Insecure sessions—sessions that are not currently running through the Secure UNIStim proxy—are not affected.

End of Procedure
SMC as they did prior to SMC integration.

Procedure 25 Hooking the firewall

Nortel strongly recommends that you hook the firewall during a maintenance window. Log on to the Web UI.

Note: This procedure cannot be performed using the CLI.
After you hook the firewall, any problems, such as services no longer working, are generally caused by the firewall blocking traffic that should be allowed through. These problems are likely due to missing firewall policies.

End of Procedure
You can troubleshoot the firewall policies by first determining what traffic is denied and then adding an appropriate policy for the relevant SMZ. Figure 18 shows HTTPS and UNIStim traffic flowing correctly through the SMC.
Result: You can ping the server through the SMC. If you allowed pinging, and the SMC is still blocking the traffic, verify connectivity between the client and the SMC, and the SMC and the server. Nortel recommends that you disable the ICMP rule when not in use.
Firewall logs

Using the Web UI, you can view firewall logs by stepping through the logs in chronological order, or view a specific log by specifying an appropriate search string, such as the IP address of the problem machine. Viewing the firewall logs is the best method to troubleshoot packets that are not traversing the SMC.
    Mar 1 13:01:37 127.0.0.1 id=firewall time="2006-03-01 13:01:37" fw=a10-10-10-10 pri=4 proto=6(tcp) src=2.2.2.100 : 32802 dst=3.3.3.200 : 22 mid=2076 mtp=10 msg="Access Policy not found, dropping packet from ext n/ w" agent=Firewall

End of Procedure
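A parser for the log format shown above, as an added example that is not part of the guide and not Nortel tooling: it splits the key=value fields, normalises the space-padded "address : port" endpoints and the "number(name)" protocol field, and counts dropped flows so the missing policy can be identified. Only the first sample line is the one quoted in the guide; the remaining lines and the dictionary keys are assumptions constructed for the example.

```python
"""Parse SMC-style firewall log lines and summarise dropped flows.

Added example for this guide; not Nortel code. Field names in the returned
dicts are assumptions. Only the first sample line is the one quoted in the
guide; the remaining lines are constructed to exercise the parser.
"""
import re
from collections import Counter

# key=value pairs: either a double-quoted value, or a bare token optionally
# followed by the space-padded " : port" suffix the SMC uses for endpoints.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+(?: : \S+)?)')
ENDPOINT_RE = re.compile(r'^(\S+) : (\d+)$')   # "2.2.2.100 : 32802"
PROTO_RE = re.compile(r'^(\d+)\((\w+)\)$')     # "6(tcp)"

SAMPLE_LOG = """\
Mar 1 13:01:37 127.0.0.1 id=firewall time="2006-03-01 13:01:37" fw=a10-10-10-10 pri=4 proto=6(tcp) src=2.2.2.100 : 32802 dst=3.3.3.200 : 22 mid=2076 mtp=10 msg="Access Policy not found, dropping packet from ext n/ w" agent=Firewall
Mar 1 13:01:39 127.0.0.1 id=firewall time="2006-03-01 13:01:39" fw=a10-10-10-10 pri=4 proto=6(tcp) src=2.2.2.100 : 32803 dst=3.3.3.200 : 22 mid=2076 mtp=10 msg="Access Policy not found, dropping packet from ext n/ w" agent=Firewall
Mar 1 13:02:05 127.0.0.1 id=firewall time="2006-03-01 13:02:05" fw=a10-10-10-10 pri=4 proto=17(udp) src=2.2.2.57 : 5000 dst=3.3.3.10 : 5000 mid=2076 mtp=10 msg="Access Policy not found, dropping packet from ext n/ w" agent=Firewall
Mar 1 13:02:06 127.0.0.1 id=system time="2006-03-01 13:02:06" msg="constructed non-firewall line" agent=System
"""


def parse_line(line):
    """Return a record for one firewall log line, or None for other lines."""
    fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    if fields.get("id") != "firewall":
        return None
    rec = {
        "time": fields.get("time"),
        "fw": fields.get("fw"),
        "pri": int(fields["pri"]) if "pri" in fields else None,
        "msg": fields.get("msg", ""),
        "mid": fields.get("mid"),
    }
    m = PROTO_RE.match(fields.get("proto", ""))
    rec["proto"] = m.group(2) if m else fields.get("proto")
    for key in ("src", "dst"):
        m = ENDPOINT_RE.match(fields.get(key, ""))
        if m:   # "address : port"
            rec[f"{key}_ip"], rec[f"{key}_port"] = m.group(1), int(m.group(2))
        else:   # protocols without ports (e.g. ICMP) carry a bare address
            rec[f"{key}_ip"], rec[f"{key}_port"] = fields.get(key), None
    return rec


def parse_log(text):
    """Parse every line of a log excerpt, skipping non-firewall lines."""
    records = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is not None:
            records.append(rec)
    return records


def denied_flows(records):
    """Count dropped packets per (protocol, source, destination, dest port)."""
    counts = Counter()
    for rec in records:
        if "dropping" in rec["msg"].lower():
            counts[(rec["proto"], rec["src_ip"], rec["dst_ip"], rec["dst_port"])] += 1
    return counts


def report(records):
    """Human-readable summary of the flows the firewall is denying."""
    lines = []
    for (proto, src, dst, dport), n in denied_flows(records).most_common():
        lines.append(f"{n:>4} drop(s): {proto} {src} -> {dst}:{dport}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(parse_log(SAMPLE_LOG)))
```

Each reported flow corresponds to one candidate policy to add for the relevant SMZ; an unexpectedly high drop count for a source that should never reach the zone is worth investigating before any rule is written.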
Mapping rule IDs in the firewall log

Log messages are assigned a rule ID, which represents the dynamic identifier of this rule entry within the running firewall. You can use rule IDs to determine the exact rule that mapped the dropped packet. To generate log messages for specific firewall rules, you must enable logging for each rule, and Allow/Deny log messages must be enabled in the Multimedia Security >...
Additional rules are listed for secure UNIStim server traffic and self traffic, which is traffic to and from the SMC device. The basic firewall rules do not map to the configuration rules perfectly (for example, duplicate rules are removed).
Search for the appropriate rule ID. Determine the details of the rule.

System log

To determine why particular traffic is not traversing an SMC, you can explore the current system logs to make sure there are no system-level failures affecting connectivity.
Designate Service as Custom with the appropriate protocol. Select the Source and Destination for the client and server networks. Set Action to allow. Click Update. Click Apply to save the current configuration.

End of Procedure
Result: The rule is added to the end of the current list. Turn on logging for new rules, at least until you are sure they are working appropriately. Firewall rules are evaluated in top-down fashion. The rules with lower IDs have precedence over rules with higher IDs.
SWC Server. These components of Symposium can be in the same network or across multiple networks. If these components are across multiple networks, all the routers in between these individual components
need to support multicast routing. The SMC is one of the routers that can be deployed in between these Symposium components. The ports and multicast addresses used by Symposium components are:
• A configurable multicast address on SWC Servers (SWC Server to Web Clients for RTD)
You must update this network with specific management IP addresses or subnets before any auto-generated rules containing the network will be accessible.

End of Procedure
Introduction

UNIStim is a Nortel-proprietary signaling protocol used within the MCS and CS 1000 product lines. Using UNIStim, a UNIStim IP phone communicates with a UNIStim server (TPS) using the User Datagram Protocol (UDP).
Note: The SMC currently supports Secure UNIStim for the CS 1000 but not for the MCS 5100.

The SMC acts as a Secure UNIStim proxy; it terminates the Secure UNIStim handshake from the UNIStim client and then communicates with the back-end server using insecure UNIStim.
Firmware check: Enables the SMC to consult the IP Client Firmware table to confirm that the IP phones support UNIStim security for new connections. Nortel recommends firmware checking if you have a heterogeneous mix of IP phones, including IP phones that do not support security.
By default, the SMC keeps all IP clients in insecure mode. This allows the administrator to control the Secure UNIStim roll-out so that licences are not exceeded. To add enhanced security for all IP phones protected by a given policy, client security is required.
Web UI, how the IP client network is tied to the policy, and Figure 23 on page 127 shows a group of IP clients that does not support Secure UNIStim.
Figure 21 Security policy diagram
Figure 22 Sample policy
When an IP phone is redirected to a server that is not located in an SMZ protected by the current SMC, the Security in External Redirections feature determines how the action byte is set. If the action byte is 1 (insecure), the IP phone is redirected insecurely. If the action byte is 6 (secure), the phone is redirected securely. Table 12 identifies the default Security in External Redirection settings for a new SMC installation.
Table 12 Default Security in External Redirection settings
Policy nonsecure...
Note: Even if both servers are protected by SMCs, the redirection may still fail if the IP phone does not have a fingerprint that matches the second server.
In a Virtual Office configuration in which not all Signaling Servers are protected by an SMC, Nortel recommends that you disable the Security in External Redirections feature so that the IP phones are redirected insecurely to CS 1000 Remote and can establish connectivity;...
First-time deployment Nortel recommends that Secure UNIStim be enabled on a small group of target users first to ensure the process is understood. After operation has been confirmed for a couple of days, the Policies or Network definitions can be changed to include additional IP clients.
Procedure 35 Configuring Secure UNIStim
Log in to the Web UI. Navigate to the following page: Wizards > Configure > Secure UNIStim. The Secure UNIStim Wizard page is displayed. Read the Wizard instructions on the page. Select Yes to enable Secure UNIStim.
IMPORTANT! Cut and paste the key into a file for storage. Maintain the private key in a safe location; it may be needed for another SMC install.
15 Click Apply.
Now the SMC is ready to transparently proxy connections from a UNIStim IP phone to the primary servers entered in the wizard. It may take one minute for the SMC to start handling connections in an HA environment. If any phones on secure subnets do not explicitly support Secure UNIStim, enable Firmware Checking in the policy.
IMPORTANT! This reset forces them to start from the initial primary servers, and all redirection pathways are captured by the SMC. You can monitor the server additions through the UNIStim Servers page.
19 Examine the IP Clients after priming the Secondary Servers.
Each host in an HA cluster has a different MAC address. The MAC address internally maps to port 1. Obtain the license from Nortel. Paste the license into the New License window and save it. Repeat this step for each SMC host in an HA cluster. It takes approximately 30 seconds before the license goes into effect.
Administration > Monitor > UNIStim Security > Client page in the Web UI.
Private Key, Public key, Public key fingerprint
End of Procedure
The following section explains why Secure UNIStim reregistration can be delayed and how to speed up the process. When an insecure IP Client is rebooted, it goes through the following process: The phone communicates with the CSE Node IP address on port 4100. The Node TPS redirects the IP Client to either:
•...
IP phone. This is not practical when there are many IP phones in the enterprise. In large installations, Nortel recommends the server auto-update. The following section describes the manual configuration of security.
If the IP client can register to an alternate server (S2 IP), change the action byte and key fingerprint as required for S2. Press the Apply and Reset button.
End of Procedure
For Phase 2 IP Phone 2001/IP Phone 2002/IP Phone 2004 phones, you can set the RSA public key fingerprint after the action byte is set to 6 for either the S1 or S2 server. The key fingerprints, however, are not tied to either the S1 or S2 server even though it may appear this way during the configuration.
End of Procedure
Automatic fingerprint update
For IP phones running in insecure mode with default security settings, the SMC can automatically update/populate the public key fingerprint on the...
Nortel recommends that you export the current SMC private key to a secure location. Encrypt the key when you export it from the SMC. This private key is required for fingerprint updating of the current IP phones when the primary key changes.
IP phones and therefore is limited in flexibility.
DHCP recommendations
Nortel recommends that you:
• initially keep the action byte at 1 in DHCP and on the IP phones so that the automatic fingerprint update can work correctly and push the correct fingerprint to new IP phones.
Managing the keys
If you have already enabled Secure UNIStim and generated keys using the wizard in Procedure 6 on page 70, the keys are already generated and you do not need to perform Procedure 25 and Procedure 26.
5100. In this context, a server is a combination of IP address and port. Figure 25 illustrates a standard redirection in a CS 1000 system.
End of Procedure
Figure 25 CS 1000 standard redirection
Configure primary server
Only the initial primary server is configured in the SMC. The two secondary servers are automatically discovered and stored persistently in the configuration as dynamic servers. This discovery occurs during the server redirection;...
IMPORTANT! Secondary servers are displayed in the Web UI. You can delete secondary servers but you cannot add them. Deleting these servers is discouraged unless the server is no longer in use.
If the IP phones have not been registered with the SMC, Nortel recommends that you reset the IP phones directly through the Signaling Server using its management interfaces. The reset redirects the IP client back through a primary server and the SMC captures any missed redirections and adds them to its database.
The SMC operates in a heterogeneous environment with many different phone types. Some versions of the phone images either support UNIStim security in a limited fashion or do not support UNIStim security at all. Nortel highly recommends that all phones in the SMC-protected network have appropriate Secure UNIStim images.
Without firmware checking, older firmware images that support security in a limited fashion are upgraded along with phones running the officially supported phone firmware. Nortel recommends you disable firmware checking only if no legacy Secure UNIStim phones exist on the network.
Using the firmware checking feature, the SMC validates that the IP client firmware accurately supports the Secure UNIStim protocol. The SMC handles new IP client requests as before the firmware check; however, before upgrading the client to Secure UNIStim or turning on session caching, the SMC checks the client firmware to make sure the firmware is supported. If not, the client request proceeds without intervention by the SMC. See Figure 28.
Because of the possibility of delayed private key updating, Nortel recommends that the primary and secondary keys co-exist for the length of time equal to the maximum session timeout plus the master key timeout.
• In the CLI, type /cfg/sys/cluster/host <n>/license, where <n> is the host number.
Troubleshooting
Current servers
View the number of primary and secondary servers on the System page or at the Administration > Monitor > UNIStim Security > Servers page in the Web UI.
This section provides specific examples to clarify how to apply these policies to serve your specific needs.
Example 1
In this example, use the default policy to control access so that IP phones with secure capability connect in secure mode and IP phones without secure capability connect in insecure mode. Policy setting: upgrade = y Security = n...
UNIStim are present in the firmware database. The SMC assumes that if the firmware is not in the database, it does not have Secure UNIStim capabilities.
You can access the CLI locally at the SMC or remotely through Telnet or Secure Shell (SSH) after access is granted. See “Defining the remote access list” on page...
SMC. The default usernames and passwords for each access level are listed in Table 14. Usernames and passwords are case sensitive. Note: Nortel recommends that you change all the default passwords after initial configuration and as regularly as required under your network security policies.
The root login is available only through a local console terminal. The root user has complete internal access to the operating system and software. Root access is NOT RECOMMENDED unless under the direction of Nortel support personnel. CAUTION — Service Interruption The root login on this system is only intended for debugging and emergency repair, typically under the direction of support personnel.
This process is used to restore the SMC to the factory default state. The upgrade files are provided on the Nortel web site. The package files have a .PKG extension, and the ISO Install CD has an .ISO extension.
Click Browse to locate the package you wish to upload to the SMC. Note: The package file has already been downloaded from the Nortel Web site and saved onto the PC. Package files end with the extension .PKG.
A confirmation dialog appears and displays the following message: Are you sure you want to activate this image? Click Ok. The page refreshes and the package is marked as old.
10 Click Activate again. The SMC installs the package and then reboots. The reboot can take up to 5 minutes to complete.
Enter cur to verify the current versions of the software. Then enter /boot/software/download. Choose one of the following:
• FTP or TFTP download
• CD-ROM download
Verify that the version you downloaded has a status of unpacked. The software versions are marked with one of four possible status values. The meaning of each status value is described in Table 15.
Table 15 Software status values
Status...
Telnet/SSH. Enter /cfg/sys/accesslist/list to verify that an access list exists that includes all addresses on the management interface. If this entry does not exist, add it.
End of Procedure
A reinstallation erases all configuration data, which includes installed keys, network settings, and certificates. Nortel recommends that you save all configuration data to a file on a TFTP/FTP/SCP/SFTP server using the ptcfg command.
.IMG image of the software. See Procedure 47.
Procedure 46 Reinstalling the software using the .ISO image
Nortel recommends this method: copy the .ISO version of the software to a CD-ROM and boot from it. This reinstall removes the current configuration and reimages the SMC.
Procedure 47 Reinstalling the software using the .IMG image
This method installs the .IMG version of the software using TFTP or FTP. This reinstall overwrites the current configuration. In this procedure, you instruct the SMC to use a specific network interface and a specific IP address to pull the image file from the TFTP or FTP server.
Enter f to select FTP.
End of Procedure
WARNING Resetting the SMC to factory defaults halts all current operations on the SMC.
Reset a standalone SMC installation to factory default:
— CLI: /cfg/sys/cluster/host 1/delete
— Web UI: Operation > SMC Host(s). Select the host you want to delete and then click Delete.
WARNING Deleting the host to which the Web UI is connected causes the browser to lose connectivity.
• Restart the SMCs.
A single port pair behaving as previously described invokes the master election process. Note 2: In VRRP election, the only relevant IP address is the cluster MIP address.
End of Procedure
The SMC that assumes the virtual router IP addresses is called the active master, and it forwards packets intended for these IP addresses. If the active master becomes unavailable, VRRP provides dynamic failover of the forwarding responsibility to a redundant VRRP router.
ARP requests (one per second) to the active master virtual router IP addresses. This gives the active master ample opportunity to respond, enabling the backup virtual routers to confirm that it is down before going on to the next step:
• If ARP replies from the active master are not received, failover occurs.
• If ARP replies from the active master are received, no failover occurs.
Note: If VRRP multicast advertisement packets are not received on any backup router, the reason might be that the traffic on the active master is too heavy for it to send advertisement packets within the advertisement...
Increasing the advertisement interval lowers the chance of unnecessary disruption of packet forwarding, but increases the length of service disruption in the event that the active master fails. If the backup does...
Gratuitous ARP (GARP)
After the backup detects a failure in the active master, the backup immediately sends a Gratuitous ARP (GARP) message to the end-hosts on the virtual router interface. The GARP, an unsolicited ARP response, forces end-hosts to update their ARP caches with the new MAC address and IP address mapping.
IP addresses must belong to the same subnet.
Advanced failover check
If Advanced Failover Check (AFC) is enabled, the system sends an ARP message before initiating a failover caused by missed VRRP advertisements.
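The AFC sequence described here and in the failover steps above (missed advertisements, ARP probes to the active master, failover only when no reply arrives, then a Gratuitous ARP), as an added example that is not code from the Nortel guide or the SMC. The missed-advertisement threshold, the number of ARP probes, the addresses and MACs, and the callable standing in for the network are all constructed.

```python
"""Backup-router failover decision with and without Advanced Failover Check.

Added example, not code from the Nortel guide or the SMC. After missing VRRP
advertisements, a backup with AFC enabled first sends ARP requests (one per
second) to the active master's virtual router IP addresses and fails over only
when no reply comes back; a backup without AFC fails over at once. After taking
over it sends a Gratuitous ARP per virtual IP so end-hosts remap the address to
its MAC. Thresholds, probe counts, addresses and MACs are constructed.
"""
from dataclasses import dataclass, field
from typing import Callable, List

# Constructed network stand-in: returns True when the active master answers an ARP request.
ArpResponder = Callable[[str], bool]


@dataclass
class GratuitousArp:
    """Unsolicited ARP reply binding a virtual router IP to the new master's MAC."""
    ip: str
    mac: str


@dataclass
class FailoverDecision:
    failover: bool
    reason: str
    arp_requests_sent: int = 0
    garp_sent: List[GratuitousArp] = field(default_factory=list)


@dataclass
class BackupRouter:
    own_mac: str
    virtual_ips: List[str]
    afc_enabled: bool
    missed_threshold: int = 3  # constructed: advertisements missed before acting
    afc_probes: int = 3        # constructed: ARP requests per virtual IP, one per second

    def on_missed_advertisements(self, missed: int, arp: ArpResponder) -> FailoverDecision:
        """Decide whether the missed advertisements justify taking over the virtual IPs."""
        if missed < self.missed_threshold:
            return FailoverDecision(False, "missed advertisements below threshold")
        if not self.afc_enabled:
            # Without AFC a busy master that still forwards traffic is displaced anyway.
            return self._take_over("advertisements missed, AFC disabled", 0)
        sent = 0
        for _ in range(self.afc_probes):
            for ip in self.virtual_ips:
                sent += 1
                if arp(ip):
                    # The master is reachable: it is too busy to advertise, not down.
                    return FailoverDecision(False, "master answered ARP; no failover", sent)
        return self._take_over("no ARP reply from master", sent)

    def _take_over(self, reason: str, sent: int) -> FailoverDecision:
        garps = [GratuitousArp(ip, self.own_mac) for ip in self.virtual_ips]
        return FailoverDecision(True, reason, sent, garps)


def busy_master(ip: str) -> bool:
    """Constructed: master still forwards and answers ARP but skipped advertisements."""
    return True


def dead_master(ip: str) -> bool:
    """Constructed: master is down; nothing answers ARP for the virtual IPs."""
    return False


def worst_case_failover_seconds(advert_interval: int, missed_threshold: int,
                                afc_probes: int, afc_enabled: bool) -> int:
    """Simplified model of the trade-off in the text: a longer advertisement interval
    means more time before a dead master is replaced; AFC adds one second per probe."""
    return advert_interval * missed_threshold + (afc_probes if afc_enabled else 0)


if __name__ == "__main__":
    backup = BackupRouter("00:00:5e:00:01:01", ["192.0.2.1"], afc_enabled=True)
    print(backup.on_missed_advertisements(3, busy_master))
    print(backup.on_missed_advertisements(3, dead_master))
```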
Introduction The Command Line Interface (CLI) is the most direct method for viewing information about the Secure Multimedia Controller (SMC). In addition, you can use the CLI for performing all levels of system configuration. You can view the text-based CLI using a basic terminal. The CLI commands are grouped into a series of menus and submenus.
Accessing the CLI
Using the local serial port
Any SMC serial port provides direct local access for managing the SMC. For details on attaching a console terminal to the serial port and establishing a connection, see “Hardware installation”...
Using Secure Shell (SSH)
Using an SSH connection, you can manage the SMC from any workstation connected to the network. SSH access provides the same management options as those available through the local serial port.
SSH access provides the following security benefits:
• server host authentication
• encryption of management messages
• encryption of passwords for user authentication
By default, SSH access is disabled and all remote access is restricted. Depending on the severity of the security policy, you may enable SSH and permit remote access to one or more trusted client stations.
Generate new SSH keys. During the initial setup of the SMC, Nortel recommends that you select the option to generate new SSH host keys. This is required to maintain a high level of security when connecting to the SMC using an SSH client. If you suspect that the SSH host keys have been compromised, or at any time the security policy dictates, you can create new host keys.
Use the global revert command to clear all pending changes and then continue the configuration session. Use the global exit command to log out from the system. Closing the remote session also discards pending changes, though Nortel...
However, if multiple CLI or Web UI administrators apply changes to the same set of parameters concurrently, the latest applied changes take precedence.
Global commands
Some basic commands are recognized throughout the entire menu hierarchy. These commands are useful for obtaining online help, navigating through menus, and applying and saving configuration changes.
Table 16 Global CLI commands
Command Description...
0 = Quiet: Nothing appears except errors—not even prompts.
1 = Normal: Prompts and requested output are shown, but no menus.
2 = Verbose: Everything is shown.
Command Line history and editing
Using the CLI history and editing commands, you can retrieve and modify previously entered commands with just a few keystrokes.
Table 17 Command Line history and editing options
Command history !<n>...
<Enter>. If the <Tab> key is pressed without any input on the command line, the currently active menu appears.
RADIUS authentication
SMC 2450 enables you to log on using RADIUS authentication. The RADIUS client on the SMC forwards the RADIUS message to one or more RADIUS servers configured for authentication. RADIUS authentication applies to both stand-alone and cluster configurations.
Web UI. If failover occurs, the web session may log off and you must authenticate again.
End of Procedure
• provides configuration and monitoring functions similar to those available through the Command Line Interface (CLI)
• supports up to ten simultaneous Web UI sessions
Getting started
Following are the requirements to enable the Web UI:
• installed SMC
• PC or workstation with network access to the SMC host IP address
• frame-capable web browser software, such as the following:
•...
The Warning display area provides important warnings for the user, such as information about CLI users logged on or the status of the GUI lock. Any user logged on as an administrator can activate the GUI lock before changing or creating a configuration. Lock the GUI before making changes.
Forms display area
The Forms display area contains fields that display information or allow you to specify information for configuring the system.
Click the global Revert button to cancel all pending changes. Click the global Apply button.
WARNING To prevent conflicts, any user logged on as administrator can take control of the GUI lock before changing or creating a configuration.
Lost changes
Changes are lost if a new form is selected or the session is ended without submitting the information to the pending configuration. Click the Update or Submit button on the form to submit changes to the pending configuration. Pending changes are also discarded if they are not submitted before the inactivity timeout value on Web UI sessions elapses.
The pending configuration changes are examined to ensure that they are complete and consistent. If problems are found, the following types of messages are displayed:
— Run a Security Audit: When selected, this command lists security...
• Submit button: Click to perform the action selected in the Apply Changes pull-down list.
• Back button: Click to return to the previously viewed form without applying changes.
Select any sub-menu item to display Help for that form.
• Load: Click Load to display the form referenced on the bar.
• Forms area: This area displays detailed information about the selected topic.
• Close button: Click Close to close the context-sensitive Help window.
Task-based Help
Task-based Help directs the administrator through the steps of various common procedures.
System Log
The System Log contains general device-level status information and errors. You can view the contents of the System Log in the Web UI at the Logs > System Log page.
Note: Many System Log messages have Log IDs, such as LIBADMIN_32 or USECPD_16. In the Web UI log display page, you can search on these IDs to show additional information about the log message (and possible resolutions).
Security Log
The Security Log displays attack and packet-level information, including potential exploits and problem packets, logged from the SMC firewall.
IMPORTANT! Limiting by count prevents the CPU from becoming over-used in managing log resources; however, it also provides an inaccurate report of the state of the current system because log messages beyond the limit are dropped.
Limit by sampling
The SMC supports logging every n’th message (for example, storing 1 out of every 10 messages). Limiting by sampling has the same problem as the previous option (not all messages are logged); however, because it uses sampling, large blocks of messages are not discarded.
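The two limiters compared on one burst of messages, as an added example that is not code from the Nortel guide or the SMC: the count limit loses the whole tail of the burst, sampling loses a fixed fraction spread through it. The firewall drop messages, their log ID and the addresses are constructed.

```python
"""Limit-by-count versus limit-by-sampling on a burst of Security Log messages.

Added example, not code from the Nortel guide or the SMC. It applies the two
limiting strategies described above to a constructed burst of firewall drop
messages so the trade-off is visible: the count limit discards everything past
the limit as one block, so a sender that only appears late in the burst never
reaches the log, while sampling keeps 1 of every n messages spread across the
whole burst. The log ID, addresses and message format are all constructed.
"""
from typing import Iterable, List, Set


def limit_by_count(messages: Iterable[str], max_count: int) -> List[str]:
    """Keep the first max_count messages; everything after them is dropped."""
    kept: List[str] = []
    for msg in messages:
        if len(kept) >= max_count:
            break  # the rest of the burst is discarded as one block
        kept.append(msg)
    return kept


def limit_by_sampling(messages: Iterable[str], every_nth: int) -> List[str]:
    """Keep every n'th message (1 out of every_nth), starting with the first."""
    if every_nth < 1:
        raise ValueError("every_nth must be at least 1")
    return [msg for i, msg in enumerate(messages) if i % every_nth == 0]


def source_addresses(messages: Iterable[str]) -> Set[str]:
    """Distinct src= values: which senders the retained log still shows."""
    sources: Set[str] = set()
    for msg in messages:
        for token in msg.split():
            if token.startswith("src="):
                sources.add(token[len("src="):])
    return sources


def make_burst(first_src: str, second_src: str,
               first_count: int, second_count: int) -> List[str]:
    """Constructed burst: first_count drops from one host, then second_count from another."""
    lines: List[str] = []
    for seq in range(first_count + second_count):
        src = first_src if seq < first_count else second_src
        lines.append(f"EXAMPLE_FW_01 drop src={src} dst=192.0.2.10 dport=5000 seq={seq}")
    return lines


if __name__ == "__main__":
    burst = make_burst("198.51.100.7", "198.51.100.9", 70, 30)
    by_count = limit_by_count(burst, 50)
    by_sample = limit_by_sampling(burst, 10)
    print(f"count limit kept {len(by_count)} messages from {sorted(source_addresses(by_count))}")
    print(f"sampling kept {len(by_sample)} messages from {sorted(source_addresses(by_sample))}")
```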
Note: Adding a UNIStim server adds rules to the database as well. These rules are called autogenerated rules and are displayed in green on the rule mappings page.
Limits and Scaling
Configuration limits
Parameters listed: Secure Multimedia Zones, Networks, Services, Flows, Keys, UNIStim Policies, UNIStim Rules, UNIStim Servers, Firewall Rules
Firewall limits
Parameter listed: Connections
Engineering limitations
Because the hardware is a PC platform, small packet performance can be a limitation for high-end systems.
(attacked) if packets are forged and sent at very high rates (several Mbps). Note that these rates far exceed the rates that the UNIStim proxy is required to handle in a typical deployment. To “protect” the UNIStim proxy, a full variety of rate limiting settings are available under the /maint/unistim/adv/flow menu. The UNIStim proxy is not designed to accommodate tens of Mbps of UNIStim control traffic. Although not supported, the Secure UNIStim proxy has been tested at steady state capacities of over 12000 simultaneous Secure UNIStim clients.
From the initial SMC, ping the gateway IP address on the intranet. From the initial SMC, ping the interface IP addresses on the second SMC. This assumes that the networks are connected through the Layer 2 device.
Appendix A: Troubleshooting
Security error and fingerprint update issues
During the initial Secure UNIStim deployment, a common error message is seen on the client phone screen. The cause of this error is typically a mismatch of the fingerprints: the currently configured client fingerprint does not match either the primary or the secondary fingerprint.
This ensures that clients with the old fingerprint can still register securely. Generate a new RSA key and attach it as the Primary RSA key. The SMC automatically writes the new fingerprint to all the registered IP clients.
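The mismatch described here, the rotation that keeps the old primary key as the secondary so existing clients still register, the firmware check and the co-existence period (maximum session timeout plus master key timeout) recommended earlier in the Secure UNIStim chapter, traced in one model; this is an added example, not code from the Nortel guide or the SMC. It assumes opaque random byte strings in place of RSA keys, a SHA-1 hex digest as the fingerprint (the guide does not state the algorithm), and a constructed firmware table and result strings.

```python
"""Secure UNIStim registration decision and primary/secondary key rotation.

Added example, not code from the Nortel guide or the SMC. It models what the
text describes: the action byte (1 = insecure, 6 = secure), acceptance of a
phone whose configured fingerprint matches either the primary or the secondary
RSA key, the firmware check that leaves unknown images alone, automatic
fingerprint update for insecure phones with default settings, and a rotation
in which the old primary becomes the secondary so phones holding the old
fingerprint keep registering. Assumptions: keys are random byte strings rather
than real RSA keys, the fingerprint is a SHA-1 hex digest (the guide does not
state the algorithm), and the firmware table and result strings are constructed.
"""
import hashlib
import secrets
from dataclasses import dataclass
from typing import Optional, Set

ACTION_INSECURE = 1  # action byte 1: phone registers and is redirected insecurely
ACTION_SECURE = 6    # action byte 6: phone expects the Secure UNIStim handshake
DEFAULT_FINGERPRINT = ""  # constructed: a phone with default settings holds no fingerprint

# Constructed stand-in for the IP Client Firmware table of images that support Secure UNIStim.
SECURE_CAPABLE_FIRMWARE: Set[str] = {"fw-secure-A", "fw-secure-B"}


def fingerprint(public_key: bytes) -> str:
    """Stand-in public key fingerprint (assumption: SHA-1 hex digest of the key bytes)."""
    return hashlib.sha1(public_key).hexdigest()


@dataclass
class KeyPair:
    """Opaque stand-in for an RSA key pair; only its fingerprint matters here."""
    private_key: bytes
    public_key: bytes

    @classmethod
    def generate(cls) -> "KeyPair":
        return cls(secrets.token_bytes(32), secrets.token_bytes(32))


@dataclass
class SmcKeyStore:
    """Primary key in use plus an optional secondary kept during a rotation."""
    primary: KeyPair
    secondary: Optional[KeyPair] = None

    def accepted_fingerprints(self) -> Set[str]:
        keys = [self.primary] + ([self.secondary] if self.secondary else [])
        return {fingerprint(k.public_key) for k in keys}

    def rotate(self) -> None:
        """Old primary becomes the secondary; a fresh key becomes the primary."""
        self.secondary = self.primary
        self.primary = KeyPair.generate()

    def retire_secondary(self) -> None:
        """Drop the old key once every client has had the new fingerprint pushed."""
        self.secondary = None


def overlap_seconds(max_session_timeout: int, master_key_timeout: int) -> int:
    """How long both keys should co-exist after a rotation, as the text recommends."""
    return max_session_timeout + master_key_timeout


@dataclass
class IpPhone:
    action_byte: int
    fingerprint: str
    firmware: str


def auto_update_fingerprint(phone: IpPhone, store: SmcKeyStore) -> bool:
    """Push the current primary fingerprint to an insecure phone with default settings."""
    if phone.action_byte == ACTION_INSECURE and phone.fingerprint == DEFAULT_FINGERPRINT:
        phone.fingerprint = fingerprint(store.primary.public_key)
        return True
    return False


def register(phone: IpPhone, store: SmcKeyStore, firmware_check: bool) -> str:
    """Outcome of one registration attempt passing through the SMC proxy."""
    if phone.action_byte == ACTION_INSECURE:
        if firmware_check and phone.firmware not in SECURE_CAPABLE_FIRMWARE:
            # Firmware not in the database is assumed not to support Secure UNIStim.
            return "insecure (left alone: firmware not in database)"
        return "insecure (eligible for upgrade)"
    if phone.action_byte != ACTION_SECURE:
        return "rejected (unknown action byte)"
    if phone.fingerprint in store.accepted_fingerprints():
        return "secure"
    # Neither the primary nor the secondary fingerprint matches what the phone holds.
    return "security error (fingerprint mismatch)"


if __name__ == "__main__":
    store = SmcKeyStore(KeyPair.generate())
    phone = IpPhone(ACTION_SECURE, fingerprint(store.primary.public_key), "fw-secure-A")
    store.rotate()
    print(register(phone, store, firmware_check=True))  # still secure via the secondary key
```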
Server Unreachable error
Unsecure clients that reside in the same subnet as Secure UNIStim clients can fail if the SMC policy requires clients from this subnet to run Secure UNIStim. The failed clients receive a message.
(559 millimeters); approximately 12 kg; rack-mount hardware to allow mounting in a 19-inch standard rack; plastic front bezel with Nortel name/logo and SMC 2450 model name and number; Intel Pentium-4, 2.8 Gigahertz (GHz); 512 Megabyte (MB) DDR 200.266 MHz...
Appendix B: Specifications
Table 20 Hardware specifications (Continued)
Characteristics listed: Drives, LAN ports, I/O expansion slot, PCI Card, Console port, System management, Light-emitting diodes (LED)
LAN connection speeds
Table 21 lists LAN connection speeds accommodated by the SMC.
Table 21 LAN connection speeds
LAN connection speed...
Canada: ICES-003 Class A
Australia & New Zealand: AS/NZ 3548 (standard replaced by EN55022)
Europe: EN55022 (emissions) & EN55024 (immunity)
Europe: CISPR-22
Japan: VCCI
Table 24 Certification marks
Compliance marks listed: cULus, Gost, S-Mark, TUV-GS
Countries listed: USA & Canada, Europe, Russia, Mexico, Argentina, Germany/Europe, Korea
System approval
The Secure Multimedia Controller (SMC) has approvals to be sold in many global markets. The regulatory labels on the back of system equipment contain national and international regulatory information.
Appendix C: Regulatory information
Table 25 describes the EMC specifications for Class A devices:
Table 25 EMC specification for Class A devices
Jurisdiction: Standard
United States: FCC CFR 47 Part 15
Canada: ICES-003
Europe: EN 55022/CISPR 22, EN 55024, EN 6100-3-2...
Note 4: The user should not make changes or modifications not expressly approved by Nortel. Any such changes can void the user’s authority to operate the equipment. Note 5: EN 55022/CISPR 22 Statement: “Warning...
Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
Appendix D: Software licenses
The end-user documentation included with the redistribution, if any, must include the following acknowledgment: “This product includes software developed by the Apache Software Foundation (http://www.apache.org/).” Alternately, this acknowledgment may appear in the software itself, if and wherever such third-party acknowledgments normally appear.
Redistributions of any form whatsoever must retain the following acknowledgment: “This product includes software developed by Ralf S. Engelschall <rse@engelschall.com> for use in the mod_ssl project (http://www.modssl.org/).”
THIS SOFTWARE IS PROVIDED BY RALF S. ENGELSCHALL “AS IS” AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. This product includes cryptographic software written by Eric Young (eay@cryptsoft.com). This product includes software written by Tim Hudson (tjh@cryptsoft.com).
Original SSLeay License
Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) All rights reserved. This package is an SSL implementation written by Eric Young (eay@cryptsoft.com). The implementation was written so as to conform with Netscape’s SSL. This library is free for commercial and non-commercial use as long as the following conditions are adhered to.
The licence and distribution terms for any publicly available version or derivative of this code cannot be changed. i.e. this code cannot simply be copied and put under another distribution licence [including the GNU Public Licence.]
Brian Gladman’s License
---------------------------------------------------------------------------
Copyright (c) 2002, Dr Brian Gladman <brg@gladman.me.uk>, Worcester, UK. All rights reserved.
LICENSE TERMS
The free distribution and use of this software in both source and binary form is allowed (with or without changes) provided that: 1.
PHP License
The PHP License, version 2.02
Copyright (c) 1999, 2000 The PHP Group. All rights reserved.
Redistribution and use in source and binary forms, with or without modification, is permitted provided that the following conditions are met: Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License in the file COPYING along with this program; if not, write to: Free Software Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
To prevent this, we have made it clear that any patent must be licensed for everyone's free use or not licensed at all.
The precise terms and conditions for copying, distribution and modification follow.
TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
This License applies to any program or other work which contains a notice placed by the copyright holder saying it may be distributed under the terms of this General Public License.
Program (or with a work based on the Program) on a volume of a storage or distribution medium does not bring the other work under the scope of this License.
You may copy and distribute the Program (or a work based on it, under Section 2) in object code or executable form under the terms of Sections 1 and 2 above provided that you also do one of the following: The source code for a work means the preferred form of the work for making modifications to it.
It is not the purpose of this section to induce you to infringe any patents or other property right claims or to contest validity of any such claims; this section has the sole purpose of protecting the integrity of the free software distribution system, which is implemented by public license practices. Many people have made generous contributions to the wide range of software distributed through that system in reliance on consistent application of that system;...
To do so, attach the following notices to the program. It is safest to attach them to the start of each source file to most effectively convey the exclusion of warranty; and each file should have at least the “copyright” line and a pointer to where the full notice is found. <one line to give the program's name and a brief idea of what it does.> Copyright (C) 19yy <name of author>...
If this is what you want to do, use the GNU Library General Public License instead of this License.
Appendix E: SMC packet filter log messages
(WELF) for logging network activity. A sample of a log message in WELF generated by syslog is shown here.

Apr 18 04:25:52 172.16.1.247 id=firewall time="2002-04-18 16:15:34" fw=DEVICE1 pri=6 proto=6(tcp) src=172.16.7.246 dst=66.218.70.149 msg=Service access request successful Src 3171 Dst 80 from EXT n/w agent=Firewall

Various fields in the above sample syslog message are explained in Table 26:

Table 26 Syslog message fields
Field: Syslog header, time, proto, agent
Description: Contains the time stamp of the event. Identifies the type of record.
This log message indicates that the maximum packet rate is reached and no extra packets are allowed.

Apr 29 19:53:28 172.16.7.225 id=firewall time="2004-04-29 14:36:28" fw= a10-10-10-10 pri=1 mid=2102 mtp=2048 msg="Rate-Limiting: Maximum Packet Rate reached, dropping the packet from ext n/w" ruleid=23 agent=Firewall

Table 27 Log messages
Maximum Connection Rate Reached: This log message indicates that the maximum connection rate is reached and new connections within that rate limiting time are not formed.
Maximum Bandwidth Reached
Deny Policies: Deny Policy Matched
80 percent of its limit, and SMC activates TCP SYN Flooding protection.

Apr 29 20:30:04 172.16.7.225 id=firewall time="2004-04-29 15:13:03" fw= a10-10-10-10 pri=1 proto=6(tcp) src=172.16.7.224 dst=172.16.8.226 mid=2066 mtp=1 msg="Crossed 80% of resource. Possible flooding(TCP) Src 1048 Dst 23 from corp n/w" agent=Firewall
Table 27 Log messages (continued)
General attacks: LAND, Unable to Determine Route, IP-Reassembly, IP-Source Route Options
LAND: This log message is generated when the SMC detects a land attack.
This log message is generated when the SMC detects an invalid TCP connection.

Apr 29 21:27:55 172.16.7.225 id=firewall time="2004-04-29 16:10:55" fw= a10-10-10-10 pri=1 proto=6(tcp) src=172.16.7.224 dst=172.16.8.226 count=9 mid=2002 mtp=2048 msg="Invalid TCP Connection request Src 23 Dst 2058 from corp n/w" agent=Firewall
Table 27 Log messages (continued)
IP Spoof: IP Spoof. This log message is generated when the SMC detects an IP-Spoof attack.
Ping of Death: Ping of Death
IP Option Attacks: IP Option Attack
This log message is generated when a connection times out.

Apr 29 20:44:40 172.16.7.225 id=firewall time="2004-04-29 15:27:40" fw= a10-10-10-10 pri=6 proto=17(udp) src=172.16.7.225 dst=172.16.7.224 mid=2088 mtp=32768 msg="Connection timed out.Bytes transferred : 6554 Src 32777 Dst 514 from self n/w" ruleid=12 agent=Firewall
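To make the WELF layout of these messages concrete, the following is an added example, not code from the SMC 2450 or from Nortel. It parses the five sample messages shown in this appendix into their syslog header and WELF key=value pairs, pulls the Src/Dst ports and the network name out of the free-text msg= value, and triages records by pri. Two quirks of the samples drive the parser design: the first message's msg= value is unquoted yet contains spaces, so an unquoted value must run until the next key= token, and fw= is followed by a space. The example assumes that pri follows syslog severity numbering (lower is more urgent), which matches the samples (pri=1 on rate-limiting and attack messages, pri=6 on informational ones); the message-family labels returned by classify() and the alert threshold are the example's own choices, not names from the SMC.

```python
"""Parse SMC packet-filter syslog messages in WELF and triage them by severity.

Added example for this appendix; not code from the SMC 2450 or from Nortel.
"""
import re
from dataclasses import dataclass, field
from typing import Optional

# The five sample messages are copied from the WELF examples in this appendix.
SAMPLE_LOG = """\
Apr 18 04:25:52 172.16.1.247 id=firewall time="2002-04-18 16:15:34" fw=DEVICE1 pri=6 proto=6(tcp) src=172.16.7.246 dst=66.218.70.149 msg=Service access request successful Src 3171 Dst 80 from EXT n/w agent=Firewall
Apr 29 19:53:28 172.16.7.225 id=firewall time="2004-04-29 14:36:28" fw= a10-10-10-10 pri=1 mid=2102 mtp=2048 msg="Rate-Limiting: Maximum Packet Rate reached, dropping the packet from ext n/w" ruleid=23 agent=Firewall
Apr 29 20:30:04 172.16.7.225 id=firewall time="2004-04-29 15:13:03" fw= a10-10-10-10 pri=1 proto=6(tcp) src=172.16.7.224 dst=172.16.8.226 mid=2066 mtp=1 msg="Crossed 80% of resource. Possible flooding(TCP) Src 1048 Dst 23 from corp n/w" agent=Firewall
Apr 29 21:27:55 172.16.7.225 id=firewall time="2004-04-29 16:10:55" fw= a10-10-10-10 pri=1 proto=6(tcp) src=172.16.7.224 dst=172.16.8.226 count=9 mid=2002 mtp=2048 msg="Invalid TCP Connection request Src 23 Dst 2058 from corp n/w" agent=Firewall
Apr 29 20:44:40 172.16.7.225 id=firewall time="2004-04-29 15:27:40" fw= a10-10-10-10 pri=6 proto=17(udp) src=172.16.7.225 dst=172.16.7.224 mid=2088 mtp=32768 msg="Connection timed out.Bytes transferred : 6554 Src 32777 Dst 514 from self n/w" ruleid=12 agent=Firewall
"""

# Syslog header "Mon DD HH:MM:SS <sender>" followed by the WELF body, which
# always starts with id=.
SYSLOG_HDR = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+(?P<sender>\S+)\s+(?P<body>id=.*)$"
)
# One key=value pair. A value is either a double-quoted string (spaces allowed)
# or an unquoted run that extends up to the next "key=" token. Whitespace after
# "=" is tolerated because the SMC emits "fw= a10-10-10-10".
KV = re.compile(r'(?P<key>\w+)=\s*(?P<val>"(?:[^"\\]|\\.)*"|.*?)(?=\s+\w+=|\s*$)')
# Port numbers and the network name are free text inside msg=.
PORTS = re.compile(r"\bSrc (\d+) Dst (\d+)\b")
NET = re.compile(r"\bfrom (\S+) n/w")


@dataclass
class WelfRecord:
    timestamp: str            # syslog header time (clock of the syslog path)
    sender: str               # address the message was received from
    fields: dict = field(default_factory=dict)
    sport: Optional[int] = None
    dport: Optional[int] = None
    network: Optional[str] = None

    @property
    def pri(self) -> int:
        # Assumption: pri uses syslog severity numbering, 0 = most severe.
        # The appendix shows pri=1 on attack messages and pri=6 on
        # informational ones, consistent with that reading.
        return int(self.fields.get("pri", 7))


def parse_welf_line(line: str) -> WelfRecord:
    """Split one syslog line into header fields and WELF key=value pairs."""
    m = SYSLOG_HDR.match(line.strip())
    if not m:
        raise ValueError(f"not an SMC WELF line: {line!r}")
    rec = WelfRecord(m["ts"], m["sender"])
    for kv in KV.finditer(m["body"]):
        val = kv["val"].strip()
        if len(val) >= 2 and val[0] == val[-1] == '"':
            val = val[1:-1]
        rec.fields[kv["key"]] = val
    msg = rec.fields.get("msg", "")
    if (p := PORTS.search(msg)):
        rec.sport, rec.dport = int(p[1]), int(p[2])
    if (n := NET.search(msg)):
        rec.network = n[1]
    return rec


def parse_welf(text: str) -> list:
    return [parse_welf_line(ln) for ln in text.splitlines() if ln.strip()]


def classify(rec: WelfRecord) -> str:
    """Map a record to a message family; labels are this example's own."""
    msg = rec.fields.get("msg", "")
    if "Rate-Limiting" in msg:
        return "rate-limit"
    if "Possible flooding" in msg:
        return "flood"
    if "Invalid TCP Connection" in msg:
        return "invalid-tcp"
    if "Connection timed out" in msg:
        return "timeout"
    if "access request successful" in msg:
        return "allowed"
    return "other"


def alerts(records: list, max_pri: int = 3) -> list:
    """Records at or above the chosen severity (syslog: lower pri = more urgent)."""
    return [r for r in records if r.pri <= max_pri]


def summary(records: list) -> dict:
    counts: dict = {}
    for r in records:
        kind = classify(r)
        counts[kind] = counts.get(kind, 0) + 1
    return counts


if __name__ == "__main__":
    recs = parse_welf(SAMPLE_LOG)
    for r in recs:
        print(f"{r.timestamp} pri={r.pri} {classify(r):12} "
              f"{r.fields.get('src', '-')}:{r.sport} -> "
              f"{r.fields.get('dst', '-')}:{r.dport} "
              f"net={r.network} mid={r.fields.get('mid', '-')}")
    print("alerts:", len(alerts(recs)), "summary:", summary(recs))
```

Run the file directly to print one triaged line per sample message plus the alert count. To use it against a live feed, point parse_welf() at the text your syslog collector writes for the SMC; the id=firewall prefix is what SYSLOG_HDR keys on, so other syslog sources on the same collector are rejected by parse_welf_line() rather than mis-parsed.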