WebRamp M3 Perceived Bug

From: Robert Ward (rwardat_private)
Date: Wed Feb 03 1999 - 09:19:50 PST


    In response to John Stanley's posting on January 21, 1999.
    
    1)  The perceived problem is that upon manually disabling the diversion of
    incoming telnet requests to the WebRamp, and not setting up a Visible
    Computer, or telnet Local Server, telnet traffic continues to divert to the
    WebRamp.
    
    This is largely due to the WebRamp's logic.  Upon receiving incoming traffic
    on port 23 the WebRamp checks its divert port options, notices that telnet
    diversion is off, then looks for a visible computer or local server to pass
    the traffic to.  Failing this the WebRamp then defaults back to diverting
    the port 23 traffic to itself.
    
    We designed this box with being able to access the CLI or HTTP interface
    from the WAN in mind.  This feature allows for remote management and
    troubleshooting of the WebRamp, and has proved to be an essential tool to our
    support department.  If security is a concern, change the Administrative
    password on your WebRamp, and do so frequently.
    
    The Divert Port options were never intended to be a security feature, rather
    they are there so that you can bypass the WebRamp's built-in telnetd and
    httpd and pass packets to your in-house server.
    
    2)  This is true for every M3/M3t/M3i/300 user who is not using Visible
    Computers or telnet Local Servers.  I would approximate this number to be in
    the 90% or higher range.  The number of customers who have actively tried to
    disable incoming telnet sessions that we are aware of is much lower than 1%.
    
    3)  There are workarounds readily available.
    
    The easiest way to prevent unwanted access to your WebRamp is to change the
    Admin Password, and as with all things security related, change it often.
    
    To completely block telnet access (so that the session can't even be
    initiated) from the WAN you have two options.
    
    Method 1:  Enable a Visible Computer for each active modem port, pointing
    to IP addresses that are not being used in your LAN (e.g. 192.168.1.254 is a
    good place to start as DHCP is not likely to ever pass it out), and uncheck
    both of the divert incoming boxes.
    
    Method 2:  Enable a Local Server of the Telnet and Web type and point them
    to an IP address that is not in use on your network.  Then telnet into the
    WebRamp and use the divertport to disable all incoming diversions.  This
    will only work for modem 1.  If you are using 2 or more modems use method
    one.
    
    4)  Last but not least, engineering has agreed to incorporate a change in
    the M3 family's code to mimic the 310.  This would allow the user to simply
    check one box to disallow WAN access to the httpd and telnetd processes.
    Since there are workarounds available, and usability/functionality is not
    impaired, this is considered to be a priority 4 and may be incorporated in
    the next point release.
    
    Robert Ward
    Senior Customer Support Engineer
    Ramp Networks
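
Added example, not part of the original message and not Ramp Networks code: a small model of the port 23 decision described in item 1, used to audit a configuration and show why pointing a forward at an unused address closes the fallback. The names (Config, route_port23, audit), the precedence of Local Server over Visible Computer, and the sample addresses other than 192.168.1.254 are assumptions.

```python
"""Model of the inbound telnet handling described in the message above.
Constructed for illustration; this is not WebRamp firmware."""
from dataclasses import dataclass
from typing import Optional, Set

SELF = "webramp-telnetd"  # traffic answered by the device's own telnetd


@dataclass
class Config:
    divert_telnet: bool = True                 # the "divert incoming" option
    visible_computer: Optional[str] = None     # LAN IP, if one is configured
    telnet_local_server: Optional[str] = None  # LAN IP, if one is configured


def route_port23(cfg: Config) -> str:
    """Return the destination of WAN traffic arriving on port 23."""
    if cfg.divert_telnet:
        return SELF
    # Diversion is off: look for a forwarding target.
    # Assumption: a Local Server is consulted before a Visible Computer.
    target = cfg.telnet_local_server or cfg.visible_computer
    if target:
        return target
    # No target configured: the device defaults back to itself (fails open).
    return SELF


def audit(cfg: Config, live_hosts: Set[str]) -> str:
    """Classify the WAN exposure of telnet for a configuration."""
    dest = route_port23(cfg)
    if dest == SELF:
        return "exposed: device telnetd reachable from WAN"
    if dest in live_hosts:
        return f"forwarded: {dest} answers telnet"
    return f"blocked: forwarded to unused address {dest}"


if __name__ == "__main__":
    live = {"192.168.1.10"}  # constructed sample LAN inventory
    cases = {
        "diversion unchecked only": Config(divert_telnet=False),
        "method 1 workaround": Config(divert_telnet=False,
                                      visible_computer="192.168.1.254"),
        "real in-house server": Config(divert_telnet=False,
                                       telnet_local_server="192.168.1.10"),
    }
    for name, cfg in cases.items():
        print(f"{name:26} -> {audit(cfg, live)}")
```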
    