❑ The Annex Communications Server Operational Code Version R10.0
❑ The Annex Host Tools Version R14.2.24
❑ Quick2Config Annex R2.3
❑ Annex Manager R2.3
The release notes for Quick2Config Annex can be found by selecting
the Readme notepad icon in the Bay Networks Program Group.
Included in these release notes are the following topics:
❑ New Features
❑ Special Considerations
❑ Supported Platforms
❑ Known Problems/Limitations
❑ Problems Resolved with this Release
These release notes supersede the notes provided on the distribution
media.
Ease of Use Installation
The installation process has been significantly improved and more
binaries have been added to the distribution media. The new
installation script will give users the following options:
❑ Installing the Annex Host Tools and/or Annex Manager 2.3
❑ Extracting only the necessary files from the medium
❑ Editing the necessary system files
302565-A Rev. 00
Annex Communications Server R10.0B and Annex Host Tools R14.2 Release Notes
Blacklisting and Password History
Two new security features, user blacklisting and password history,
have been added to the ACP security functionality. The blacklisting
enhancement logs and monitors the number of failed login attempts for
users. The administrator may configure erpcd to disallow a user from
logging into the system based on the number of consecutive failed
login attempts, or the total number of failures over a period of time.
An acp_dbm utility was added to access the database used to store
the user's login history. This feature is not enabled by default.
ch_passwd
The ch_passwd utility has been enhanced to keep a history of a user's
passwords and can be configured to prevent a user from setting a
previously used password. This feature is not enabled by default
unless the system uses shadow passwords.
One-to-Many Dynamic Dial-up Routing
The Annex now provides for dynamic dialout to multiple destinations
via a single modem or modem pool.
Chap Security for PPP
This feature allows for the use of encrypted passwords for PPP.
Enigma Security
The Annex can now authenticate a user via the Enigma SafeWord
Authentication Server.
CIDR
The Annex now supports Classless Interdomain Routing (CIDR),
which provides for supernetting of Class C addresses. Supernetting
allows you to use a subnet mask that is shorter than the intrinsic mask
derived from the class of the Internet address.
IP Basic Security Option (IPSO)
The Annex partially implements this security option by adding the
IPSO classification level to packets generated by telnet or rlogin
running on an Annex dedicated, adaptive, or CLI port.
ACP Port Statistics Logging
This feature tracks the number of packets sent and received and the
total number of bytes sent and received for each session.
TAP Identification Protocol
The Annex now supports this feature as defined in RFC 1413. TAP
Identification Protocol can determine the identity of a user of a
particular TCP connection. Given a TCP port number pair, TAP
returns a character string that identifies the owner of that connection
on the server's system.
Filtering Improvements
Changes have been made to the filter-action algorithm. There are four
filter lists for any interface:
❑ global filter list for input (interface set to the * symbol)
❑ global filter list for output (interface set to the * symbol)
❑ local filter list for input (interface set to other than *)
❑ local filter list for output (interface set to other than *)
When a packet is sent by the Annex, the local output filter is scanned
first, followed by the global output filter list. When a packet is
received by the Annex, the local input filter list is scanned first,
followed by the global input filter list. For the purposes of the algorithm,
local and global are combined into one large list, and input and output
are considered separately.
The algorithm scans each filter, and if the filter conditions match the
packet under consideration, the associated actions are appended to
one of two lists. If the filter is an include, the actions are placed on the
to-do list. If the filter is an exclude, the actions are placed on the inhibit
list.
Once the complete list (both local and global) has been scanned, one
more check is done. If at least one include filter with the netact action
was seen (not necessarily matched, just scanned) and there were no
exclude filters with netact, the default action is none, that is, not netact.
If there were no include netact filters scanned or if any exclude netact
filters were seen, the default action is netact. This default is added to
the to-do list. Finally, the inhibit values are subtracted from the
to-do list.
The following are examples of this process:
Example 1
No filters at all; all traffic is activity.
Example 2
in include proto tcp dst_port telnet netact
in include proto icmp discard
out include proto icmp discard
Packets received that are destined for the standard telnet port (23) are
considered activity and may trigger a dial if the interface is a dial-out
type. No other IP packets are considered activity, and icmp packets
(such as ping) going either way are discarded. (This shows how
include netact works by itself.)
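The filter-action algorithm described above, modelled in Python as an added example (not Annex code and not part of the original release notes). The packet dictionaries, the way the filter syntax is parsed, and the UDP exclude filter are assumptions made for illustration; only the netact and discard actions and the telnet port that appear on this page are modelled.

```python
# Model of the filter-action algorithm as worded in these release notes.
# Added example, not Annex code; packet dicts and parse rules are assumptions.
PORTS = {"telnet": 23}            # only the service name used on this page
ACTIONS = {"netact", "discard"}   # only the actions that appear on this page

def parse_filter(line):
    """Parse e.g. 'in include proto tcp dst_port telnet netact'."""
    tok = line.split()
    flt = {"dir": tok[0], "kind": tok[1], "match": {}, "actions": set()}
    i = 2
    while i < len(tok):
        if tok[i] in ACTIONS:
            flt["actions"].add(tok[i])
            i += 1
        else:                      # criterion keyword followed by its value
            value = tok[i + 1]
            flt["match"][tok[i]] = PORTS.get(value, value)
            i += 2
    return flt

def matches(flt, pkt):
    return all(str(pkt.get(k)) == str(v) for k, v in flt["match"].items())

def actions_for(direction, pkt, local=(), global_=()):
    """Return the set of actions applied to pkt travelling in `direction`."""
    # Local list is scanned first, then global; input and output are separate.
    scanned = [f for f in map(parse_filter, [*local, *global_])
               if f["dir"] == direction]
    todo, inhibit = set(), set()
    for f in scanned:
        if matches(f, pkt):
            (todo if f["kind"] == "include" else inhibit).update(f["actions"])
    # The default depends on filters *scanned*, whether or not they matched.
    inc_netact = any(f["kind"] == "include" and "netact" in f["actions"] for f in scanned)
    exc_netact = any(f["kind"] == "exclude" and "netact" in f["actions"] for f in scanned)
    if not inc_netact or exc_netact:
        todo.add("netact")         # default action is netact
    return todo - inhibit          # inhibit values are subtracted last

EXAMPLE_2 = [  # the three filters from Example 2 on this page
    "in include proto tcp dst_port telnet netact",
    "in include proto icmp discard",
    "out include proto icmp discard",
]
UDP_EXCLUDE = ["in exclude proto udp netact"]  # constructed, not from the page
# Constructed packets (field names are assumptions of this model).
TELNET, WEB = {"proto": "tcp", "dst_port": 23}, {"proto": "tcp", "dst_port": 80}
PING, UDP = {"proto": "icmp"}, {"proto": "udp"}
```

With Example 2 loaded, a received telnet packet yields {"netact"}, a received packet for port 80 yields the empty set, and a received ping yields {"discard"}. With only the constructed exclude filter, received UDP packets lose netact while all other received traffic keeps the default.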