Ascend Communications Pipeline 75 With Secure Access Firewall
Pipeline 75 shines as a versatile ISDN router. Add SAF (Secure Access Firewall), Ascend's security package, and Pipeline 75 is transformed into a secure ISDN router. With SAF, Ascend's security architecture behaves much like an active firewall that dynamically opens and closes connections crossing it. Moreover, the Pipeline management applications, Java Configurator for PipeLine and SAM (Secure Access Manager), are an administrator's dream. In less than an hour we configured the Pipeline 75, firewall and all, and were making connections. Its security, router and device event reports were some of the best we've seen, not only on the console, but also in the events sent to syslog.
Configuring Pipeline 75 for ISDN connections with the Java Configurator was straightforward and an enormous improvement over a simple VT100 terminal interface. We configured Pipeline 75 to call the lab's Cisco Systems AS5300 central-site router, using both B channels of its BRI. Once set up, we were able to make subsequent changes to the configuration without rebooting.
Unlike ADC Kentrox's PACESETTER SOHO, Ascend's SAF is more than a static packet-filter firewall. Traditional packet filters defined on the firewall permit or deny traffic between the LAN and the WAN. They are always in place, regardless of the traffic passing through. More important, they must leave open the ports above 1,024, because protocols like FTP require the server to establish a connection back to the client on a randomly selected port above 1,024. That leaves your servers open to attack, especially when they run services that listen above 1,024, such as NFS (Network File System, Port 2049) and PPTP (Point-to-Point Tunneling Protocol, Port 1723). In active-mode FTP the server opens the data connection from its own Port 20 to the high port the client named in its PORT command, so a static filter must admit inbound connections from source Port 20 to any high port on the client side. PASV (passive FTP) lets the client make the second connection to the server instead, but not all servers or clients understand PASV, so the Port 20 rule may need to stay in place as well.
Ascend's approach, on the other hand, provides robust security that adapts to network traffic, opening and closing ports as needed. It accomplishes this by monitoring traffic passing over the firewall and maintaining a table of authorized connections. For example, when a user telnets to a server, SAF examines the packet header and opens the appropriate port numbers on the firewall so that the session's traffic can pass through. SAF also records the connection information in memory and ensures that traffic passing through those ports belongs to a valid connection. Once the session is complete, the firewall closes the ports again. Likewise, SAF handles FTP by examining the control channel and obtaining the port numbers that will be used for the second (data) connection, so only that connection is admitted. Because UDP has no connection setup, SAF also maintains a list of active, authorized UDP flows, so that inbound datagrams are accepted only as replies to outbound requests.
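To make the contrast between the two preceding paragraphs concrete, here is an added example, written for this page and not Ascend's code or the SAF implementation, of a toy stateful filter in Python. It models the behaviour the text describes: a table of authorized connections created by outbound traffic, reply packets matched against that table, the FTP control channel inspected for the PORT command so that exactly one inbound data connection is admitted, UDP flows aged out on a timeout, and entries removed when a session closes. Beside it is the static policy the earlier paragraph criticizes, which has to admit every inbound packet to a port above 1,024. Packets are plain dicts rather than real frames, the inside prefix 192.168.1.0/24, the two permitted Internet hosts and the packet trace in run_sample are all constructed for the example, and the filter additionally refuses a PORT command that names a host other than the client that sent it, a check a practitioner would want so that a third party cannot have a pinhole opened on its behalf.

```python
"""Toy stateful packet filter (constructed example, not Ascend's SAF code)."""
import re
from dataclasses import dataclass, field

LAN_PREFIX = "192.168.1."                        # hypothetical inside network (assumption)
ALLOWED_DST = {"203.0.113.10", "203.0.113.20"}  # hypothetical permitted Internet hosts
PORT_RE = re.compile(r"PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")


def inside(ip):
    return ip.startswith(LAN_PREFIX)


def static_filter_allows(p):
    """Static policy: outbound to permitted hosts, plus every inbound packet to a
    port above 1024 so that active-mode FTP data connections can come back in.
    That same rule admits unsolicited traffic to NFS (2049) or PPTP (1723)."""
    if inside(p["src"]) and p["dst"] in ALLOWED_DST:
        return True
    return inside(p["dst"]) and p["dport"] > 1024


@dataclass
class StatefulFilter:
    udp_timeout: float = 60.0
    table: dict = field(default_factory=dict)   # (proto, a, aport, b, bport) -> last seen
    pinholes: set = field(default_factory=set)  # expected inbound (proto, src, sport, dst, dport)
    log: list = field(default_factory=list)

    def process(self, p):
        """Return True if packet p is forwarded, False if dropped (tables are updated)."""
        t = p["t"]
        key = (p["proto"], p["src"], p["sport"], p["dst"], p["dport"])
        rev = (p["proto"], p["dst"], p["dport"], p["src"], p["sport"])
        entry = key if key in self.table else rev if rev in self.table else None
        if entry is not None:                                # known connection or flow
            if p["proto"] == "udp" and t - self.table[entry] > self.udp_timeout:
                del self.table[entry]                        # stale UDP flow: start over
                return self.process(p)
            self.table[entry] = t
            self._inspect_ftp(p)
            if p.get("flags") in ("FIN", "RST"):             # session over: forget it
                del self.table[entry]
            return True
        if inside(p["src"]) and not inside(p["dst"]):        # new outbound connection
            if p["dst"] not in ALLOWED_DST or (p["proto"] == "tcp" and p.get("flags") != "SYN"):
                return self._deny(p, "outbound not permitted")
            self.table[key] = t
            self.log.append(f"open {key}")
            return True
        if key in self.pinholes:                             # the data connection FTP announced
            self.pinholes.discard(key)
            self.table[key] = t
            self.log.append(f"pinhole {key}")
            return True
        return self._deny(p, "no matching connection")

    def _inspect_ftp(self, p):
        """Active-mode FTP: the client's PORT command names the address and port the
        server will connect to from its port 20. Open exactly that one pinhole, and
        only if the address named is the client itself."""
        if p["proto"] != "tcp" or p["dport"] != 21:
            return
        m = PORT_RE.search(p.get("payload", ""))
        if not m:
            return
        h1, h2, h3, h4, p1, p2 = map(int, m.groups())
        client = f"{h1}.{h2}.{h3}.{h4}"
        if client != p["src"]:
            self.log.append(f"ignore PORT naming {client} from {p['src']}")
            return
        self.pinholes.add(("tcp", p["dst"], 20, client, p1 * 256 + p2))

    def _deny(self, p, why):
        self.log.append(f"deny {p['proto']} {p['src']}:{p['sport']} -> {p['dst']}:{p['dport']} ({why})")
        return False


def run_sample():
    """Constructed trace: telnet, active FTP, a DNS exchange, and unsolicited probes."""
    C, S, X = "192.168.1.5", "203.0.113.10", "198.51.100.7"
    trace = [
        dict(t=0, proto="tcp", src=C, sport=40000, dst=S, dport=23, flags="SYN"),
        dict(t=1, proto="tcp", src=S, sport=23, dst=C, dport=40000, flags="SYN-ACK"),
        dict(t=2, proto="tcp", src=X, sport=4444, dst=C, dport=2049, flags="SYN"),   # NFS probe
        dict(t=3, proto="tcp", src=C, sport=40001, dst=S, dport=21, flags="SYN"),
        dict(t=4, proto="tcp", src=S, sport=21, dst=C, dport=40001, flags="ACK"),
        dict(t=5, proto="tcp", src=S, sport=20, dst=C, dport=40002, flags="SYN"),    # before PORT
        dict(t=6, proto="tcp", src=C, sport=40001, dst=S, dport=21, flags="ACK",
             payload="PORT 192,168,1,5,156,66\r\n"),                                 # 156*256+66 = 40002
        dict(t=7, proto="tcp", src=S, sport=20, dst=C, dport=40002, flags="SYN"),    # now expected
        dict(t=8, proto="udp", src=C, sport=5353, dst=S, dport=53),
        dict(t=9, proto="udp", src=S, sport=53, dst=C, dport=5353),
        dict(t=100, proto="udp", src=S, sport=53, dst=C, dport=5353),               # flow expired
        dict(t=101, proto="tcp", src=C, sport=40000, dst=S, dport=23, flags="FIN"),
        dict(t=102, proto="tcp", src=S, sport=23, dst=C, dport=40000, flags="ACK"),  # after close
    ]
    fw = StatefulFilter()
    return [fw.process(p) for p in trace], [static_filter_allows(p) for p in trace], fw.log


if __name__ == "__main__":
    stateful, static, log = run_sample()
    print("stateful:", stateful)
    print("static:  ", static)
    print("\n".join(log))
```

Running it shows the static policy forwarding all thirteen packets, including the probe to NFS, the data connection attempted before any PORT command, the DNS reply that arrives long after the query, and the packet sent after the telnet session has closed, while the stateful filter drops each of those four and logs why, which is the logging behaviour the review goes on to praise.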
Although Ascend's firewall functionality is fairly complicated, configuring it is not. In fact, SAF ships with the most commonly used IP ports already preconfigured. All you need to do is plug in the addresses to grant inbound or outbound access, and you're on your way. We configured the firewall to allow access from our internal network to four specific hosts on the Internet, logging all sessions as well. With the firewall active, we were able to make our connections with little degradation in performance.
We also ran ISS' (Internet Security Systems) Firewall Scanner against Pipeline 75 and found that it stood strong. More important, it logged the connection attempts made by the scanner to our syslog, including the source IP address. You can configure SAF with a high degree of granularity and add custom protocols as well.
Livingston Enterprises PortMaster ISDN Office Router
Although easy to configure and manage, the PortMaster ISDN Office Router lacks Ascend's sophisticated firewall features. Additionally, its management interface lacks the overall utility of Ascend's Java Configurator, and its firewall rules must be edited by hand. Overall, however, PortMaster's reporting and management functions stand above the crowd.
Configuring PortMaster for dial-out was relatively clear-cut. As with the other units we tested, you set up the router to make connections based on where user traffic needs to go; we configured it to dial on demand. In this configuration, all required information, such as user names and passwords, link parameters and IP addressing, is kept in a destination profile. Like the other devices we tested, PortMaster can be configured with multiple destination profiles. Attaching IP routes to the destination profiles is much like setting static routes in a router.
But configuring PortMaster with its included GUI was a challenge. We found that a number of options, including destination and routing entries, are not explained well. We opted to configure the unit from its command line instead. Command-line configuration is a simple process, and we were soon up and running. PortMaster offers excellent debugging and tracing facilities in its command-line interface. Although we encountered some PPP problems during installation, we used the supplied ptrace command to quickly identify and resolve the problem. The utility can also trace ISDN calls, which is helpful when you're debugging connection problems.