Configuring ALSMS Remote Navigation
Alcatel-Lucent Security Products Configuration Example Series
Remote Administration of the ALSMS
The ALSMS solution allows for remote navigation, either through a secure tunnel or in the clear, so that administrators can check the status and health of the network remotely and make any configuration changes that are needed. This feature comes in handy if an administrator is traveling or working from home. It also gives an administrator flexibility if he or she gets a page while away from the office; remember that the ALSMS allows direct paging as a trigger for events. Another common use of this feature is for network operations centers to set up status monitors for remote networks, and to have multiple administrators working on the system at the same time. The ALSMS has “Concurrency Controls” that prevent administrators from getting into an object if another administrator is already in that object. The ALSMS also allows administrators to IM each other through the system.
Before we load the ALSMS Remote Navigator, we need to do a couple of things on the ALSMS. We need to add a couple of rules to our Administrative Zone, which is the zone that we are using to protect the ALSMS server. These rules will allow for remote administration. The next few slides will walk you through this setup. The last section of this configuration assistant will show you a few optional ways to further secure the remote navigation application.
Next we need to add two rules to the Administrative Zone that will allow the remote administrators to make a connection with the ALSMS. From the main menu, double-click on Brick Zone Rulesets, then double-click on AdministrativeZone. This is the ruleset that is protecting the ALSMS.
In the Brick Zone Ruleset Editor, click the + button on the lower left to add a rule. This rule will allow traffic to pass into the administrative zone. Set Active to Yes and Direction to In to Zone. Set Source to * and Destination to ALSMS (host group) or the actual IP address of the ALSMS. Set Service to Secure_Remote_Admin_to_SMS and Action to Pass.
Next click on the Advanced tab. Here we are going to change the Session Time out (sec) from 300 seconds to 3600 seconds. This will allow an idle time of one hour rather than 5 minutes. Uncheck Strict TCP State Enforcement. This is optional. If you leave strict TCP enforcement turned on and the session times out, you will need to initiate a new session and log in again. When you are done, click OK. Now we will create a rule allowing traffic from the ALSMS out to the remote administrator.
In the Brick Zone Ruleset Editor, click the + button on the lower left to add a rule. This rule will allow traffic to pass out of the administrative zone. Set Active to Yes and Direction to Out of Zone. For Source, click Host, then enter the IP address of the ALSMS or choose the ALSMS host group. For Destination, keep *. Service should be Secure_Remote_admin_from_SMS. Action should be Pass.
Next click on the Advanced tab. Here we are going to change the Session Time out (sec) from 300 seconds to 3600 seconds. This will allow an idle time of one hour rather than 5 minutes. Uncheck Strict TCP State Enforcement. This is optional. If you leave strict TCP enforcement turned on and the session times out, you will need to initiate a new session and log in again. When you are done, click OK.
In the Brick Zone Ruleset Editor, take a look at the rules that you just created. They should be rules 1000 and 1001. When you are done, be sure to click File>Save and Apply to apply the new rules to the Brick. Close the Brick Zone Ruleset Editor.
We now have our rules established to allow remote administrators. If you need to create new administrators, proceed with the following steps. If your administrators are already set up, proceed to slide 13. From the navigator window, click on Administrators. Right-click and select “New Administrator”.
Click on Enable Administrator. Click ALSMS Administrator. Fill in the administrator's information. Click on Authentication.
Select Local Password. Fill in your password and verify it. Note that for SOX compliance we added “password complexity” features: each password must have one capital letter and one numeric character. Select File>Save and Close.
The ALSMS CD includes software for remote administration called the ALSMS Remote Navigator. This software allows administrators to use the ALSMS from a remote location. Go to the PC that is designated for remote administration and load the software. Loading the software is a simple process of installing from the ALSMS CD. Click on NT or Solaris depending on which operating system you are using. Click on the Remote Navigator folder and then click on ALSMSremotenav-9.xxxx. Another way to load the software is to download it from the ALSMS. To do this, open a browser and point it to the IP address of the ALSMS in this format: http://<IP-Address>:<port>/ALSMS. Example: http://192.168.1.30:80/ALSMS. Accept all defaults during the installation. This is covered in more detail in the ALSMS Admin. Guide.
Next go to Start>Programs>Lucent Security Management Server>ALSMS Remote Navigator 9.1. Log in using the user name and password that you set up earlier. For ALSMS URL use http://<ip-address>:<Port>/ALSMS. Example: http://192.168.1.30:80/ALSMS. Click Connect. Once you are connected, you can manage the network just the same as if you were logged directly into the ALSMS server.
NOTES: If you are already logged in with the same user name and password on the ALSMS host, the Remote Navigator will log you off before logging you on remotely. If your login doesn’t work, go back to your Brick and look at Policy Assignments on the Brick. Make sure either that no policy is assigned on the port that your Remote Navigator is connected to, or that there are rules in that port's firewall allowing remote navigation. Next go back and look at the rules that you created in the Administrative Zone to make sure that they are all done correctly, with the right direction and an action of Pass.
NOTES: At this point you have the Remote Navigator application working. There are a few ways to further secure this application. These steps are optional and may not be necessary given your use of the Remote Navigator. If you are running the application locally, behind a firewall and using administrator password authentication, you are probably secure enough. If you are running the Remote Navigator from remote sites, you may want to consider one or more of the following ways to keep the ALSMS secure: running the Remote Navigator through an IPsec tunnel; certificate authentication for the administrators; running the Remote Navigator through HTTPS (secure); creating a host group to restrict who can navigate remotely. See the section on Remote Administration in the Administration Guide for further details on configuring these options.
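An added example, not part of the original slides or of the ALSMS product: a short Python check that encodes the troubleshooting points from the notes above (direction, active, action of Pass) and two of the optional hardening steps (host group, HTTPS). The rule records and their field names are constructed for illustration and are not an ALSMS export format.

```python
from urllib.parse import urlparse

# Service names as written on this page, keyed by the direction each rule needs.
EXPECTED = {"in": "Secure_Remote_Admin_to_SMS", "out": "Secure_Remote_admin_from_SMS"}

# Constructed records for rules 1000 and 1001 as configured above. The field
# names are hypothetical; this is not an ALSMS export format.
PAGE_RULES = [
    {"number": 1000, "active": True, "direction": "in", "source": "*",
     "destination": "ALSMS", "service": "Secure_Remote_Admin_to_SMS", "action": "Pass"},
    {"number": 1001, "active": True, "direction": "out", "source": "ALSMS",
     "destination": "*", "service": "Secure_Remote_admin_from_SMS", "action": "Pass"},
]

def audit(rules, alsms_url):
    """Return (severity, message) findings for the remote-navigation rule pair."""
    findings = []
    for direction, service in EXPECTED.items():
        matches = [r for r in rules if r["service"].lower() == service.lower()]
        if not matches:
            findings.append(("error", f"no rule uses service {service}"))
        for r in matches:
            n = r["number"]
            if r["direction"] != direction:
                findings.append(("error", f"rule {n}: direction must be '{direction}'"))
            if not r["active"]:
                findings.append(("error", f"rule {n}: rule is not active"))
            if r["action"] != "Pass":
                findings.append(("error", f"rule {n}: action is {r['action']}, not Pass"))
            # The remote administrator is the source inbound, the destination outbound.
            peer = r["source"] if direction == "in" else r["destination"]
            if peer == "*":
                findings.append(("harden", f"rule {n}: any host may connect; use a host group"))
    if urlparse(alsms_url).scheme.lower() != "https":
        findings.append(("harden", "ALSMS URL is not HTTPS; use HTTPS or an IPsec tunnel"))
    return findings

if __name__ == "__main__":
    for severity, message in audit(PAGE_RULES, "http://192.168.1.30:80/ALSMS"):
        print(f"{severity}: {message}")
```

With the rules exactly as configured in this walkthrough, the check reports no errors and three hardening findings: the wildcard on each rule and the plain HTTP URL.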
For more detailed information on configuring this feature, click Help>On Line Product Manuals>Administration Guide. See the section on Remote Administration. The Product Manuals can also be found on your ALSMS CD.