Download Siemens C10 User guide

Controller, Access Points and Convergence Software configuration
Filtering at the interface level
In addition to these built-in filters, the administrator can define specific exception filters at the
interface-level to customize network access. These filters do not depend on a VNS definition.
Port-based exception filters: built-in
On the HiPath Wireless Controller, various port-based exception filters are built in and invoked
automatically. These filters protect the HiPath Wireless Controller from unauthorized access to
system management functions and services via the ports.
For example, on the HiPath Wireless Controller’s data interfaces (both physical interfaces and
VNS virtual interfaces), the built-in exception filter prohibits invoking SSH, HTTPS, or SNMP.
However, such traffic is allowed, by default, on the Management port.
To enable SSH, HTTPS, or SNMP access through a data interface, select the interface in the
IP Addresses screen and click the "Management" checkbox on. You can also enable such
management traffic in the VNS definition.
If management traffic is explicitly enabled for any interface (physical port or VNS), access is
implicitly extended to that interface through any of the other interface. (VNS).
Only traffic specifically allowed by the interface’s exception filter is allowed to reach the HiPath
Wireless Controller itself. All other traffic is dropped. Exception filters are dynamically
configured, and are regenerated whenever the system's interface topology changes (a change
of IP address for any interface).
Enabling management traffic on an interface adds additional rules to the exception filter to open
up the well-known IP(TCP/UDP) ports corresponding to the HTTPS, SSH and SNMP
The port-based built-in exception filtering rules, in the case of traffic from VNS users, operate
only on traffic that is targeted directly to one of the VNS's interfaces. For example, a VNS filter
may be generic enough to allow traffic access to the HiPath Wireless Controller's management
(Allow All [*.*.*.*]). The traffic will initially be allowed according to the VNS user’s policy, but may
then be denied by the exception filter of the VNS interface.
Port-based exception filters: user defined
You can add specific filtering rules at the port level in addition to the built-in rules. Such rules
give you the capability of restricting access to a port, for specific reasons, such as a Denial of
Service (DoS) attack.
To define filtering rules that are associated with one of the physical data ports on the HiPath
Wireless Controller rather than with a VNS, use the Port Exception Filter screen.
The filtering rules are set up in the same manner as filtering rules defined for a VNS — specify
an IP address and then either “Allow” or “Deny” traffic to that address. See Section 7.5,
“Filtering rules for a VNS”, on page 90.
A31003-W1010-A100-1-7619, July 2005
HiPath Wireless Controller, Access Points and Convergence Software V3.0: User Guide