HiPath v.5 on LAN - security concerns


ccmjgb

Vendor
Feb 1, 2011
317
US
Greetings,

Are there any serious security concerns with placing a HiPath 4000 v5 on LAN/WAN for remote access? Ideally, it would sit behind FW, but I understand that it has a built-in FW that can be used in lieu of hardware based FW. Currently there is no HiPath Manager, only a standalone HiPath 4000 v.5 w/Assistant.

The idea is to patch the customer port off the HiPath onto the LAN in order to reach the 192.0.2.5 Assistant via 2 dedicated admin laptops at a different office. Would having a new VLAN be necessary? Can a small 4 port router be used between HiPath customer port and site LAN core switch - would this be even necessary?

Please provide any and all best practice scenarios.

Thank you!

ccmjgb
- Psalm 144:3
 
The route should be the default router on that customer LAN.
Add in entries into the Firewall of the IP addresses or use the NET for ranges.
Example: 10.2.14.0 would give the 10.2.14.xxx range access to the system over the customer LAN.
If you change IP addresses in the Route or LAN IP address you will have to do a reboot of the UW7.
This is done on the same page - ensure you click on reboot and not shutdown.
 
thank you very much sbcsu! will the Unix re-boot cause service disruption? any reloads?

1 quick note: when I entered the IP, the broadcast auto-corrected to reflect 255.255.0.0 instead of what was provided to me as the mask 255.255.255.0 - should I allow the values to remain as the broadcast address or overwrite to make sure the mask is 255.255.255.0?
 
another question... in the metric field... can the hop count from a traceroute from 1 net (admin building) to the other net (physical HiPath site) be used for a value?
 
Yes, that is the value I would use but I have found it to be of no concern really.
 
Thank you sbcsu & donb01. The HiPath was added without much issue. I did notice that opening more than 1 http session into the Configuration Management menu options kinda freezes on the 2nd window and the resize of the window is a little temperamental - have either of you experienced this?

Also, do either of you have experience getting a HiPath 3800 on LAN?

Thank you again!

ccmjgb
- Psalm 38:36
 
It depends. I use both Firefox and IE to do configuration, but prefer Firefox. IE opens up another complete browser session for every choice I make from the menu, and Firefox opens each thing in a new tab. I suppose I could change the preferences in IE, but I don't use it much and I'm too lazy. I try to keep the screen as big as I can so I don't have to scroll much. On my ProCenter server that conveniently also is used as an admin console I run a lower res screen and have to always stay maximized. In my office I have much higher resolution and don't have to use the whole screen to fit everything in, but I've never had any problems with the window resizing other than if you make it smaller than 1024x768 with a maximized browser you end up having to scroll both horizontal AND vertical, which is really annoying....

How many apps do you have minimized to the taskbar? Maybe one of them is slowing things down a bit?
 
The firewall is an "ALLOW" table. A client PC's IP Address is automatically added to the firewall table if valid authentication was provided during login.
The firewall table CAN become full. Therefore one reason to manually configure the firewall is if the administrator logs in to Assistant from various client PCs all over the infrastructure. Each time a unique IP address is used for login, it is added to the firewall. To prevent the table from becoming "full", you can manually add the entire subnet.

Regarding the Configuration Management slow down: are you using the approved version of the browser? Many people do not realize that their Internet Explorer browser has been automatically upgraded via Microsoft "updates".
Go thru the "Client Preparation" on the HiPath 4000 Assistant public page.
Hint: use "http" rather than "https".

Also, the Java Runtime Environment is a HUGE factor in how these Config Management windows function. The recommended JRE varies depending upon the release of HiPath 4000 V5. I use a non-approved 1.6.0_38, which I use between V5 and V6 systems. DO NOT USE 1.6.0_39 or higher, as these higher versions of JRE are extremely problematic for the 4K!
The 1.6.0_38 JRE version is not explicitly approved in V5, but it works fine on MY system. You may need to experiment with JRE to see which version runs best on YOUR system.

 
thank you both for the detail.

I noticed that the browser takes a little longer to load certain windows... waiting a bit helps out. I did have to remove all Java runtimes and had to download an older version and install it for the Configuration Management windows to work.

The Firewall tips are helpful as I've noticed that a WAN IP was automatically added and the entire subnet from a different site was added after I successfully logged in from there. The subnet being added was explained by the above comment, however the addition of what appears to be a WAN IP was not expected... ?? is this normal??

Thank you!

ccmjgb
- Job 38:36
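
An added example, not from the thread or from the vendor: a Python audit of an allow table like the one discussed above, sorting entries into those already covered by an approved admin subnet (freeing table slots), those wider than it, and those outside it, such as an unexpected WAN-side address. The entry list, its CIDR notation (a bare address meaning one host) and the approved subnet are constructed assumptions, not the Assistant's own export format.

```python
import ipaddress

# RFC 1918 private ranges; anything outside them is treated as WAN-side.
RFC1918 = [ipaddress.IPv4Network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample of allow-table entries (hypothetical, CIDR notation).
SAMPLE_ENTRIES = ["10.2.14.21", "10.2.14.57", "10.2.14.0/24",
                  "10.2.0.0/16", "10.7.3.9", "198.51.100.23"]

# Assumption: the only network approved for Assistant administration.
SAMPLE_APPROVED = ["10.2.14.0/24"]


def classify(entry, approved):
    """Return (category, normalized entry) for one allow-table entry."""
    net = ipaddress.IPv4Network(entry.strip(), strict=False)
    if net in approved:
        return "keep", str(net)
    if any(net.subnet_of(a) for a in approved):
        return "redundant", str(net)        # subnet entry already covers it
    if any(a.subnet_of(net) for a in approved):
        return "too_broad", str(net)        # wider than what was approved
    if not any(net.subnet_of(r) for r in RFC1918):
        return "review_external", str(net)  # non-private source address
    return "review_internal", str(net)      # private, but not an admin net


def audit(entries, approved_cidrs):
    """Group every entry by category so the table can be cleaned up."""
    approved = [ipaddress.IPv4Network(c) for c in approved_cidrs]
    report = {}
    for entry in entries:
        category, normalized = classify(entry, approved)
        report.setdefault(category, []).append(normalized)
    return report


if __name__ == "__main__":
    for category, nets in audit(SAMPLE_ENTRIES, SAMPLE_APPROVED).items():
        print(f"{category:16} {', '.join(nets)}")
```
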

 