Chapter 14. System Services

Table of Contents

14.1. Protecting the FB2700
14.2. Common settings
14.3. HTTP Server configuration
14.3.1. Access control
14.3.1.1. Trusted addresses
14.3.2. HTTPS access
14.4. Telnet Server configuration
14.4.1. Access control
14.5. DNS configuration
14.5.1. Blocking DNS names
14.5.2. Local DNS responses
14.5.3. Auto DHCP DNS
14.6. NTP configuration
14.7. SNMP configuration
14.8. RADIUS configuration
14.8.1. RADIUS server (platform RADIUS)
14.8.2. RADIUS client
14.8.2.1. RADIUS client settings
14.8.2.2. Server blacklisting

A system service provides general functionality, and runs as a separate concurrent process alongside normal traffic handling.

Table 14.1 lists the services that the FB2700 can provide :-

Table 14.1. List of system services

ServiceFunction
SNMP serverprovides clients with access to management information using the Simple Network Management Protocol
NTP clientautomatically synchronises the FB2700's clock with an NTP time server (usually using an Internet public NTP server)
Telnet serverprovides an administration command-line interface accessed over a network connection
HTTP serverserves the web user-interface files to a user's browser on a client machine
DNSrelays DNS requests from either the FB2700 itself, or client machines to one or more DNS resolvers
RADIUS Configuration of RADIUS service for platform RADIUS for L2TP. Configuration of RADIUS client accessing external RADIUS servers.

Services are configured under the "Setup" category, under the heading "General system services", where there is a single services object (XML element : <services>). The services object doesn't have any attributes itself, all configuration is done via child objects, one per service. If a service object is not present, the service is disabled. Clicking on the Edit link next to the services object will take you to the lists of child objects. Where a service object is not present, the table in that section will contain an "Add" link. A maximum of one instance of each service object type can be present.

14.1. Protecting the FB2700

Whilst the FB2700 does have a comprehensive firewall, the design of the FB2700 is that it should be able to protect itself sensibly without the need for a separate firewall. You can, of course, configure the fireall settings to control access to system services as well, if you want.

Each service has specific access control settings, and these default to not allowing external access (i.e. traffic not from locally Ethernet connected devices. You can also lock down access to a specific routing table, and restrict the source IP addresses from which connections are accepted.

In the case of the web interface, you can also define trusted IP addresses which are given priority access to the login page even. When using the FB2700 as an LNS you may be allowing access to CQM graphs linked from control systems as an ISP and so have to have the web interface open to the world. You should make use of the trusted IP settings to ensure you still have access even if there is a denial of service attack against the web interface. You should also set up access restrictions for users (see Section 4.1.4 for details.