Firewall Lockdown Settings in Z/IPStream R/2

Updated by Bryan Jones

Scope

This document applies only to the Telos Z/IPStream R/2.


Description

Telos is aware of the security concerns of our users. With more and more devices connected to networks, Telos is taking steps to help you mitigate your risks.

As part of this effort, we are offering this Firewall Lockdown Patch for the Z/IPStream R/2 free to all users. Specifics are listed at the end of this document.

Please note this version also fixes some additional SSL/TLS vulnerabilities and updates a self-signed SSL certificate.

If your Z/IPStream R/2 is running a version higher than 1.08.17, you already have these features. If not, click below to download this update.


Checking Your Version

  1. Using a web browser navigate to the main Control Panel of your Z/IPStream R/2
  2. Observe the version at the bottom-right corner of this page


Upgrading your Z/IPStream R/2

If you are using the integrated Triton encoder you must coordinate this update with Triton. Please contact them directly and ask them to make sure your system is set for AT LEAST version 1.06.00.

THIS IS A GOOD TIME TO TAKE A BACKUP OF YOUR SYSTEM

  1. Using a web browser navigate to the main Control Panel of your Z/IPStream R/2
  2. Click Options on the top menu
  3. Click Software Update on the top menu

You will be presented with two software banks. One of them will show Running... with a Reboot button. The other will show Inactive with a button that says Update software.

  1. Click the Update software button
  2. Browse for and locate the update file you downloaded above.
  3. Click Open or Okay on the upload window and the update is loaded to the Inactive bank.
  4. When you are ready, click the Run this version button for the updated software bank.

Your Z/IPStream will reboot and the browser will reconnect automatically after 180 seconds.

  5. When the browser reconnects, verify that the new version shows Running...

Adjusting the Firewall settings

The only place to change firewall settings is from the Startup Console. The Startup Console is accessed using either a local monitor and keyboard or via the IPMI management port.

The Startup Console has an additional menu item labeled [L] Lock down firewall inbound rules. Access this by pressing the letter L on your keyboard.

Each firewall rule group is explained below. Select a group by pressing the number next to it, then choose Allow to allow it, Block to block it, or Cancel to make no change. The current status of each group is shown on the firewall options page.

Livewire Routing Protocol

The following Livewire traffic is blocked

  • Advertisement
  • Advertisement and Source Allocation
  • Audio
  • Clock
  • Communication Protocol
  • GPIO Commands
  • GPIO Events

Miscellaneous

The following are blocked

  • Core Networking - Destination Unreachable (ICMPv6-In)
  • Core Networking - Destination Unreachable Fragmentation Needed (ICMPv4-In)
  • Core Networking - Dynamic Host Configuration Protocol (DHCP-In)
  • Core Networking - Dynamic Host Configuration Protocol for IPv6 (DHCPV6-In)
  • Core Networking - IPv6 (IPv6-In)
  • Core Networking - Internet Group Management Protocol (IGMP-In)
  • Core Networking - Multicast Listener Done (ICMPv6-In)
  • Core Networking - Multicast Listener Query (ICMPv6-In)
  • Core Networking - Multicast Listener Report (ICMPv6-In)
  • Core Networking - Multicast Listener Report v2 (ICMPv6-In)
  • Core Networking - Neighbor Discovery Advertisement (ICMPv6-In)
  • Core Networking - Neighbor Discovery Solicitation (ICMPv6-In)
  • Core Networking - Packet Too Big (ICMPv6-In)
  • Core Networking - Parameter Problem (ICMPv6-In)
  • Core Networking - Router Advertisement (ICMPv6-In)
  • Core Networking - Router Solicitation (ICMPv6-In)
  • Core Networking - Teredo (UDP-In)
  • Core Networking - Time Exceeded (ICMPv6-In)
  • Message Queuing Multicast Inbound
  • Message Queuing TCP Inbound
  • Message Queuing UDP Inbound
  • Proximity sharing over TCP (TCP sharing-In)

Ping Response

Allows or disallows ping response

Remote Desktop and VNC

  • Remote Desktop Server on TCP port 43389
  • Remote Desktop Server on UDP port 43389
  • vncviewer.exe
  • winvnc.exe

SNMP

  • SNMP Service (UDP In)

Triton Digital

Can be disabled if Triton's streaming service is not used

  • StationManager Server - Bank 1
  • StationManager Server - Bank 2
  • StationManager WCF
  • Windows Communication Foundation Net.TCP Listener Adapter (TCP-In)

Z/IPStream R/2 Encoder and Metadata

Required if streaming servers other than Triton's are used.

Z/IPStream R/2 Web Interface

Access to the web interface is BLOCKED. Users must return to this Startup Console and enable this option to allow ANY configuration.
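Once the rules above are set to Block, it is worth confirming from another host on the network that the blocked services really no longer answer. The following Python script is an added example, not code from Telos or from this document. It probes the TCP services the lockdown is meant to block and reports any that still accept a connection. The Remote Desktop port 43389 is the one named above; the web interface ports 80 and 443 are assumptions, since the document does not say which port the Control Panel listens on. SNMP, Livewire and Ping Response are UDP or ICMP and cannot be tested with a TCP connect, so they are left out. Run it as `python3 audit.py <device-ip>`; with no argument it runs an offline demonstration against a constructed local listener.

```python
"""Post-lockdown reachability audit for a Z/IPStream R/2 (added example).

Only TCP services are probed: a firewall Block drops the SYN and the connect
times out, while a closed port is refused; both count as "not reachable".
"""
import socket
import sys

# Services the lockdown should block. RDP port 43389 comes from the document;
# the web interface ports are an ASSUMPTION for illustration only.
EXPECTED_BLOCKED_TCP = {
    "Remote Desktop Server (TCP 43389)": 43389,
    "Web interface HTTP (assumed port 80)": 80,
    "Web interface HTTPS (assumed port 443)": 443,
}


def tcp_reachable(host, port, timeout=2.0):
    """Return True if a TCP handshake to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:          # timed out (dropped) or refused (closed)
        return False


def audit(host, expected_blocked=None, probe=tcp_reachable):
    """Probe every expected-blocked service; return {name: reachable?}."""
    if expected_blocked is None:
        expected_blocked = EXPECTED_BLOCKED_TCP
    return {name: probe(host, port) for name, port in expected_blocked.items()}


def violations(findings):
    """Names of services that still answered although their rule should block them."""
    return sorted(name for name, reachable in findings.items() if reachable)


def _local_fixture():
    """Constructed fixture for offline runs: one listening port and one free port."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    spare = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    spare.bind(("127.0.0.1", 0))
    free_port = spare.getsockname()[1]
    spare.close()            # nothing listens here any more
    return listener, listener.getsockname()[1], free_port


def demo():
    """Offline demonstration against the local fixture; returns (findings, violations)."""
    listener, open_port, free_port = _local_fixture()
    try:
        findings = audit("127.0.0.1", {"listening service": open_port,
                                       "nothing listening": free_port})
        return findings, violations(findings)
    finally:
        listener.close()


if __name__ == "__main__":
    if len(sys.argv) > 1:                      # python3 audit.py <device-ip>
        result = audit(sys.argv[1])
        for name, reachable in result.items():
            print(f"{'REACHABLE' if reachable else 'blocked  '}  {name}")
        sys.exit(1 if violations(result) else 0)
    else:
        print(demo())
```

A non-zero exit status means at least one service that should be blocked still answered, which usually indicates the rule was left on Allow in the Startup Console or the lockdown has not yet been applied on the running software bank. Remember that the web interface rule also blocks your own browser, so run this check from the same network segment you will administer from, and re-enable the web interface from the Startup Console when you need to configure the unit.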


Let us know how we can help

If you have further questions on this topic or have ideas about improving this document, please contact us.
