Asentria Product Security – Part II
This is the second in the three-part series of articles concerning the security of Asentria products. Last month, we highlighted fundamental physical security and safety steps you should take to ensure that your Asentria product is safe and secure in its physical location. This month we’ll review the basic internal security features available in Asentria products to limit unauthorized remote access to the units and connected devices. Next month we’ll go into more detail on how to configure some of the advanced security features discussed this month. As always, if you have any questions concerning any information presented here, please contact Asentria Tech Support at 206-344-8800 or support@asentria.com and we’ll be glad to explain anything you need to know!
Basic Internal Security Features
In addition to the external steps you can take to physically protect and safeguard your Asentria product, there are a number of internal features that you can use to prevent unauthorized remote access to the unit, any data it has stored, and to any connected devices. It’s also possible to limit what authorized users can do when they are connected to the product by way of User Profiles.
Unauthorized Remote Access
The Network and Modem Settings menus in your Asentria product provide several options for preventing access via either of these remote access routes.
Network Access:
- IP Address Restrictions - is the primary defense against unauthorized access via a network or PPP connection. An administrator can restrict access by configuring one or more IP addresses that will be the only ones allowed to access the unit. Restrictions can also be configured to allow or deny access to larger groups of IP addresses using .0 and .255 wildcards. IP Address Restrictions do not replace or override any restrictions set by User Profiles, but they do provide an extra level of protection by causing the unit to ignore all network traffic except from the addresses allowed.
- No network proxy - while some Asentria products can be configured to allow access to other devices on the same network, ALL Asentria products can either be configured to not perform any sort of network proxy action or do not feature the ability to do so. In either case, at no time would a user connected to the unit by any means be able to directly interact with any devices on the same network. The only outbound network access that would be allowed would be PING and FTP Push.
- Disabling other network features - provides further remote access protection. If your Asentria product provides these options, turn them OFF unless you specifically need them:
- PPP Hosting
- IP Routing
- Web Interface
- Allow FTP bump by new user
- Allow Telnet bump by new user
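To make the IP Address Restrictions behaviour above concrete, here is an added illustration (not Asentria code) of an allow-list check that ignores every source address except the configured ones. The page names .0 and .255 as wildcards without spelling out the rule, so the wildcard semantics, the sample addresses and all function names here are assumptions made for this example.

```python
import ipaddress

# Constructed sample of source addresses seen by the unit (not real traffic).
SAMPLE_SOURCES = ["192.168.1.77", "192.168.2.5", "10.5.5.5", "203.0.113.9"]

def _octets(dotted: str) -> list:
    """Reject anything that is not a dotted-quad IPv4 address, then split it."""
    ipaddress.IPv4Address(dotted)          # raises ValueError on bad input
    return dotted.split(".")

def entry_matches(entry: str, addr: str) -> bool:
    """True if one restriction-list entry covers the address.

    Assumed wildcard semantics: the first octet in the entry that is 0 or 255
    makes that octet and every octet after it unconstrained, so 192.168.1.0
    covers 192.168.1.x and 10.0.0.0 covers all of 10.x.y.z.
    Consequence worth checking on a real unit: an entry whose own address
    contains a 0 or 255 octet is read as a range, not as a single host.
    """
    for e, a in zip(_octets(entry), _octets(addr)):
        if e in ("0", "255"):
            return True                    # wildcard: rest is unconstrained
        if e != a:
            return False
    return True                            # exact match on all four octets

def is_allowed(restrictions: list, addr: str) -> bool:
    """Empty list means no restrictions configured: the unit accepts anyone."""
    if not restrictions:
        return True
    return any(entry_matches(r, addr) for r in restrictions)

def filter_sources(restrictions: list, sources: list) -> list:
    """Model the unit ignoring all traffic except from allowed addresses."""
    return [s for s in sources if is_allowed(restrictions, s)]
```

Note that with an empty restriction list every address passes, which is why the list should be populated before the unit is exposed to a network.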
Modem Access:
- Caller ID Security - provides a means of restricting inbound modem calls to a specific list of telephone numbers. Any number not on the list will be denied modem access. If no numbers are configured, then all inbound calls will be granted access. Note: Caller ID must be available on the phone line connected to the unit for this feature to work.
User Profiles
The User Profiles menu in most Asentria products provides the next layer of protection in preventing unauthorized remote access, and for users who are authorized access it allows a means of fine-tuning what they can do while they are connected.
More features to prevent unauthorized access:
- Usernames and Passwords - are the primary method of allowing connected users access to the unit. Login options are to accept the Username/Password, the Password/Username, or only the Password. Giving incorrect login credentials three times will terminate the user's connection.
- Single Use Password – is a higher level of security in which, when a user attempts to connect, the unit sends a single-use password to preconfigured pager numbers and/or email addresses. An expiry period can also be set, after which an unused password is no longer accepted.
- Shared Secret Challenge/Response – is a means of allowing remote access only to users who have been given a “secret” code that is used with the Response Code Generator (RCG), a program supplied by Asentria. When a user makes a network or modem connection, they are issued a “challenge” code. They must open the RCG program and enter both the challenge code and the secret code. The RCG then gives them a response code, which they enter on their connection screen to gain access to the unit. If the response code is incorrect, no access is granted.
- Secure Callbacks – are another higher level of security for users attempting remote access via modem. The unit can be configured to call back from one to three phone numbers whenever an incoming modem connection is attempted. The user at that number must issue the correct login credentials to be given access to the unit.
- User Connections – can be limited to one or all of the different types of access available (local, modem, Telnet, Real-Time Sockets, FTP and, if available, Secure FTP).
- Global Password/Security Settings – can be configured to enable the login options for each method of access (serial, modem, Telnet, passthrough, Real-Time Sockets) for all users of the unit.
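The Shared Secret Challenge/Response exchange described above, modelled end to end as an added example (not Asentria's RCG or firmware). The real RCG algorithm is not published on this page, so HMAC-SHA256 of the challenge under the shared secret, truncated to eight hex digits, is a stand-in chosen for illustration; the class, function names and the secret value are all assumptions.

```python
import hashlib
import hmac
import secrets

def rcg_response(shared_secret: str, challenge: str) -> str:
    """Stand-in for the Response Code Generator: derive a response code
    from the challenge and the secret (HMAC-SHA256, assumed here)."""
    mac = hmac.new(shared_secret.encode(), challenge.encode(), hashlib.sha256)
    return mac.hexdigest()[:8].upper()

class ChallengeResponseUnit:
    """Hypothetical model of the unit side of the exchange."""

    def __init__(self, shared_secret: str):
        self._secret = shared_secret
        self._pending = set()      # challenges issued but not yet answered

    def issue_challenge(self) -> str:
        """Hand the connecting user an unpredictable challenge code."""
        challenge = secrets.token_hex(4).upper()   # 8 hex digits
        self._pending.add(challenge)
        return challenge

    def verify(self, challenge: str, response: str) -> bool:
        """Grant access only for a correct answer to an outstanding challenge.
        The challenge is consumed whether or not the answer is right, so a
        wrong guess cannot be retried against the same challenge."""
        if challenge not in self._pending:
            return False
        self._pending.discard(challenge)
        expected = rcg_response(self._secret, challenge)
        return hmac.compare_digest(expected, response.upper())

def demo():
    """Walk through a correct login, a wrong secret, and a replayed challenge."""
    unit = ChallengeResponseUnit("example-secret")   # constructed value
    ch = unit.issue_challenge()
    ok = unit.verify(ch, rcg_response("example-secret", ch))
    ch2 = unit.issue_challenge()
    wrong = unit.verify(ch2, rcg_response("wrong-secret", ch2))
    replay = unit.verify(ch2, rcg_response("example-secret", ch2))
    return ok, wrong, replay
```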
Fine-tuning what a connected user can do:
- User Profile Expiration Date/Time – is a means of limiting the time that a user can be allowed access. For example, you might give a PBX technician a specific window of time that he could connect to the unit and make a passthrough connection to the maintenance port of the connected PBX.
- Setup/Status Rights – are a means of setting a category of rights that determines what commands a user can execute and what Setup and Status menu information the user can see and/or change. Categories are None, View, Admin1, Admin2, Admin3 and Master.
- Additional functions that can be configured for each user individually are:
- Where they are taken when they log in: Menu, Command line or a passthrough connection to one of the serial ports
- Which of the ports a user who has only passthrough access will be able to access.
- Where a user can go after terminating a passthrough connection: Menu, Command line or Disconnected.
- What type of PPP connection a user can initiate, if any: Local, Routing or None.
- Individual file permissions for each user to allow or deny access to data stored in specific data files, and either release it for viewing, or delete it.
As you can see, there are a wide variety of options available when it comes to locking down security on an Asentria product. Not all of the above options are available on all Asentria products, so consult your User Manual for further details, or contact Asentria Technical Support.
Next month we will go into further detail on how to configure some of the more advanced security features, such as IP Address Restrictions, Shared Secret Challenge/Response and Setup/Status Rights.