
HiPath v.5 on LAN - security concerns

Status
Not open for further replies.

ccmjgb

Vendor
Feb 1, 2011
317
US
Greetings,

Are there any serious security concerns with placing a HiPath 4000 v5 on LAN/WAN for remote access? Ideally, it would sit behind a FW, but I understand that it has a built-in FW that can be used in lieu of a hardware-based FW. Currently there is no HiPath Manager, only a stand-alone HiPath 4000 v.5 w/Assistant.

The idea is to patch the customer port off the HiPath onto the LAN in order to reach the 192.0.2.5 Assistant via 2 dedicated admin laptops at a different office. Would having a new VLAN be necessary? Can a small 4-port router be used between the HiPath customer port and the site LAN core switch? Would this even be necessary?

Please provide any and all best practice scenarios.

Thank you!

ccmjgb
- Psalm 144:3
 
Forgot 1 thing... there is no intent to re-IP the HiPath & Xpressions, in order to keep them as intact as possible... they are on the 192.0.2.x subnet...
 
Normally you would give the Customer LAN a Customer IP address, subnet mask, broadcast address. Then a default route.
Also you add in the individual IP addresses or ranges in the Firewall to allow access.
If an IP address outside of the range tries to connect, you will get an error showing up in the HISTA.

If your Customer LAN is good with no security concerns then adding in another device with a fixed IP address should not be an issue.

Normally you do not put the Atlantic LAN 192.0.2.0 on the Customer equipment as it is only used for internal purposes on the HiPath.
 
I have mine on the network as stated above. Each of my sites has different VLANs and IP ranges, but as long as the routing is set up for them to access each other I can get into the switch from anywhere on the LAN. If I want to get in from outside I either need to VPN into the LAN or remote into a PC that is already on the LAN with something like LogMeIn or pcAnywhere. Outside people have no access, and I suppose if some inside person was a hacker type they could be messing around with the switch, but there's not a lot they could do without credentials.
 
Thank you both for the input!! Of course, a few more questions...

-----------------
| 1 | 2 | 3 | 4 |
-----------------

1 = customer 192.0.2.10 = customer port (will patch into LAN core switch)
2 = service 192.0.2.xx = service port (admin laptop w/ 192.0.2.73 connects to service port when on-site)
3 = ipda = not used
4 = atlantic 192.0.2.xx = Xpressions server 192.0.2.59 (on the atlantic port)

192.0.2.5 = assistant portal

When the firewall is mentioned above, do you mean the HiPath Unix FW?
If so, is it manageable via Assistant?
Do either of you have a sample rule set that I can use to configure the FW? This would be cool.

How can I find the IP assignment on ports 2 & 4? I.e., is there an equivalent command to the MS-DOS ipconfig/all that will query all LAN ports? Can I use AMO DISPLAY-CPTP to display all IP addressing on the HiPath Ethernet ports? How about SIPCO? All advice is appreciated...

Once the HiPath is on the LAN, would I be able to navigate to the Xpressions web admin portal via http://192.0.2.59? Does the HiPath provide routing that would redirect HTTP requests to the Xpressions?

Thank you!

ccmjgb
- Psalm 116:5

 
Is your in-house LAN really set up on 192.0.2.x?? Normally you would not connect the customer LAN to the Atlantic LAN because excessive traffic and broadcast packets, etc on the customer LAN could slow things down for the system. I haven't seen one yet where the Atlantic LAN was not "private" between just the switch and things like Procenter or other switch related services.

Normally you would go into the system and give the customer network port a static IP on your existing LAN, like 10.1.6.55 (unless your LAN is on 192.168.x.x type of numbering). Then when you need to administer the switch you just hit that LAN port and the assistant comes right up (or you access it with Comwin, etc). If you are running an STMI card for IP telephony you would come up with a second static IP on your own LAN for the STMI card, and that would be your gateway address that you give to the phones.

 
donb01, no... the detail in the note above is the understanding I have of how the HiPath LAN is currently set up - still under discovery. It has never been networked to the site's LAN. That is 1 of the reasons I was asking about an 'ipconfig/all' type of command/AMO... I need to find out exactly how it is configured now in order to re-assign the necessary IPs. I tried DISPLAY-CPTP and it pulled much detail, but I could not make the correlations - was hoping to find Customer / Service / IPDA / Atlantic but of course it did not come out that clear.

So I gather from your comment that the Customer LAN port on the HiPath should have a 10.x.x.x IP assigned to it, depending on the site's DATA VLAN subnet, and it should not have 192.0.2.x assigned to it - correct? If this is correct, and the Customer port IP becomes 10.10.10.10 (for example) with matching subnet mask - how will I reach the Assistant portal? Will it be by typing 192.0.2.5 in the browser or via 10.10.10.10?

Can you please provide the AMO to change the Customer port from 192.0.2.x over to 10.x.x.x?

Does the HiPath use a Unix-based firewall? If so, can it be accessed via Assistant?

Thank you!

 
Update:

-----------------
| 1 | 2 | 3 | 4 |
-----------------

1 = customer x.x.x.x ? = customer port (will patch into LAN core switch)
2 = service 192.0.2.xx = service port (admin laptop w/ 192.0.2.73 connects to service port when on-site)
3 = ipda = not used
4 = atlantic 192.0.2.3 = Xpressions server 192.0.2.59 (patched on the atlantic port)

By opening an expert mode session on the Xpressions server via the Atlantic port into the HiPath server, I noticed that the heading listed the Atlantic port IP - 192.0.2.3 - which answers 1 question... now I'd like to find out the IP addressing on the Customer & Service ports... and how to change the Customer port to an IP from the site's LAN.
 
I don't know how to change the customer LAN characteristics without the Assistant, sorry.

What you said though is right: if you change the customer LAN port to 10.10.10.10 with the appropriate subnet and gateway, then if you hit 10.10.10.10 with your browser it will come up in the public area of the server. From there you choose workstation configuration and it will check to make sure you have a supported version of Java (it won't work with higher than V6 and will whine but still work with higher than V5), and it loads some certificates and the applet cache and checks some other settings. After that you will either go right to the login screen when you hit the IP or you will just choose administer the system (I don't know because I have had the actual link as my homepage on that PC for 4 years now).

You might have to set up the customer LAN address in UnixWare.

Looking at /etc/hosts I can see: 10.3.8.XXX server
as one of the entries.

127.0.0.1 localhost
192.0.2.3 ADP-RMX
192.0.2.4 WAML
192.0.2.5 ADP-UNIX
10.3.8.XXX server

I'm sure you can't just edit the hosts table - there are proper procedures to go through for that. That also doesn't set the netmask and other goodies.

It's in there somewhere, but I don't have time to go snooping around!

 
OK, will changes made to the customer LAN port IP in the Assistant update all components of the HiPath, including Unix?

Also, if the Customer port changes to 10.10.10.10 and I type 10.10.10.10 in the browser - will the Assistant page list 10.10.10.10 instead of 192.0.2.5 as the hyperlink to the Launchpad? I use the Assistant on 1 HiPath and RMX on another due to a corrupt Assistant (which will be resolved soon), so if the Assistant can be used to configure the Customer port - this is good news... Can the Assistant be used to configure the Firewall?

 
I don't use a firewall on mine, but if you can get into assistant then go to:

Base Administration -> Unix Base Administration

That is where you can configure the customer LAN and the Firewall, but be careful with the firewall so you don't block yourself!

 
I see the LAN card with 1 IP and under firewall there are several hosts... but I don't see the Customer port, Service port or the Atlantic port defined... Is the LAN card equivalent to the Customer LAN port???
 
Yes, the LAN card setup is for the Customer Port.
The Service and Atlantic ports are fixed on the 192.0.2.0 range.
The IPDA port is for remote shelves only.
 
The firewall table must get updated at least in part automatically by some process, because when I looked at mine yesterday I also saw the address of my STMI IP gateway and the addresses of all the IP phones on the system in the table. Probably when something authenticates against the host it gets added in there.

I have a lot to learn about the 4000 stuff, and with any luck it will be getting migrated to V6 soon, and from what I hear I will have to start learning all over again, so I'm glad I didn't soak up too much yet!
 
Thank you again for the input! So the firewall lists all the registered hosts and there are 3 columns, but I didn't see any area to select or de-select specific ports, neither did I notice any spot where subnets can be allowed or blocked - did I miss a tab?

Also donb01, per your note above:

127.0.0.1 localhost
192.0.2.3 ADP-RMX
192.0.2.4 WAML
192.0.2.5 ADP-UNIX
10.3.8.XXX server <--- is this the IP of your customer LAN port?

Thank you!
 
Yes, the last one is the IP of my customer LAN port. The system calls it "server" for whatever purpose it uses. If you go through Configuration -> System Config -> Network to set the customer LAN port it will get entered into the hosts table the way it is supposed to be.

I have poked through a lot of these menus over the years in look-don't-touch mode, and I think this particular firewall is just IPs that are known to the system. There are other places in other config menus where there are different settings for different functions and ports. AMO BFDAT will let you do the configuration of your STMI card for things like how many SIP ports vs HFA ports and things like that, and once you configure the gateway address for an STMI card you can hit that IP in a browser and there is a web-based config tool for that too. There are default ports that the phones communicate on, and SIP uses, and CDR uses, and they are all set up in different places. Look around in there - just never hit save on any window if you are not sure whether you touched it - use the X to close the window....

 
sbcsu, donb01,

Finally got the customer LAN IP... navigated to UNIX Base Admin --> LAN Cards --> and inputted the IP address. As soon as I saved it, a message displayed that the server needed to be re-booted in order for the changes to take - I don't remember this message on previous IP changes ??? (the system recently got upgraded so maybe this is new - ??)

With regard to the route: there are no routes in the table and this has never prevented access to the Assistant on previous IP changes to the Customer port... does a route 'need' to be added to this table?

Thank you!

ccmjgb
- Job 38:36
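Two points from this thread lend themselves to a small model: sbcsu's description of the built-in firewall as an allow-list of individual admin IPs or ranges that logs anything else in the HISTA, and the question just above about whether a route is needed once the customer port moves to a site-LAN address. The block below is an added example written for this page; it is not HiPath code and does not reproduce the Assistant's firewall format. The port address, gateway, allow-list entries and admin hosts are all constructed sample values, and the `reachable()` logic is plain IP routing reasoning (a host off the port's own subnet can only get a reply if the port has a route, here modelled as a default gateway), not a statement about how the HiPath implements it.

```python
# Added example (not from the thread): model the allow-list firewall and the
# "do I need a route?" question for a PBX management port placed on the site LAN.
# All addresses are constructed sample values, not taken from any real site.
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class CustomerPort:
    """Customer LAN port config as the thread describes it: IP, mask, optional default route."""
    address: str                     # e.g. "10.10.10.10"
    prefix_len: int                  # e.g. 24 for a 255.255.255.0 mask
    gateway: Optional[str] = None    # default route; None means no route configured

    def interface(self) -> ipaddress.IPv4Interface:
        return ipaddress.ip_interface(f"{self.address}/{self.prefix_len}")


@dataclass
class AllowList:
    """Allow-list firewall: entries may be single hosts or CIDR ranges.
    Anything not matched is denied and logged, standing in for the HISTA error entry."""
    entries: List[str] = field(default_factory=list)
    denied_log: List[str] = field(default_factory=list)

    def permits(self, src: str) -> bool:
        ip = ipaddress.ip_address(src)
        for entry in self.entries:
            # ip_network() accepts a bare address ("10.20.30.73") as a /32 as well as CIDR
            if ip in ipaddress.ip_network(entry, strict=False):
                return True
        self.denied_log.append(f"denied management access from {src}")
        return False


def reachable(port: CustomerPort, src: str) -> str:
    """How the port can answer src: 'on-link' (same subnet), 'via-gateway'
    (off-subnet but a default route exists) or 'unreachable' (off-subnet, no route)."""
    iface = port.interface()
    ip = ipaddress.ip_address(src)
    if ip in iface.network:
        return "on-link"
    if port.gateway is not None:
        return "via-gateway"
    return "unreachable"


def plan(port: CustomerPort, allow: AllowList, admin_hosts: List[str]) -> Dict[str, str]:
    """Per admin host: 'blocked' (firewall), 'no-route' (allowed but unreachable) or 'ok'."""
    verdicts: Dict[str, str] = {}
    for host in admin_hosts:
        if not allow.permits(host):
            verdicts[host] = "blocked"
        elif reachable(port, host) == "unreachable":
            verdicts[host] = "no-route"
        else:
            verdicts[host] = "ok"
    return verdicts


if __name__ == "__main__":
    # Constructed scenario: customer port on the site LAN, two dedicated admin
    # laptops at another office (different subnet), one stray host.
    port = CustomerPort("10.10.10.10", 24)                       # no route yet
    allow = AllowList(entries=["10.10.10.0/24", "10.20.30.73", "10.20.30.74"])
    hosts = ["10.10.10.50", "10.20.30.73", "10.20.30.99"]
    print("without default route:", plan(port, allow, hosts))
    port.gateway = "10.10.10.1"                                   # add the default route
    print("with default route:   ", plan(port, allow, hosts))
    print("log:", allow.denied_log)
```

Running it shows the two failure modes separately: the stray host is blocked by the allow-list and leaves a log entry, while the remote admin laptop is permitted by the firewall yet still cannot be answered until the default route is set, which is why the thread's advice lists a default route alongside the IP, mask and broadcast.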
 
Forgot to ask: what type of restart needs to take place in order for the IP changes to take? If it is only a UNIX restart, I'm assuming there will be 'no service' interruption <-- correct?

If it is only a Unix re-boot, this can be performed by using the 're-boot server' option under UNIX Base Admin --> Shutdown... correct?

thank you again,

ccmjgb
- Psalm 116:5
 