Security Checklist
Planning Guide
A31001-H3170-P100-3-7620
Our Quality and Environmental Management Systems are
implemented according to the requirements of the ISO9001 and
ISO14001 standards and are certified by an external certification
company.
unify.com
Contents
1 Introduction ..... 5
1.1 Validity ..... 5
1.2 General Remarks ..... 5
1.3 Security Strategy for Unify Products ..... 6
1.4 History of Change ..... 8
1.5 Customer Deployment - Overview ..... 8
2 Hardening Measures ..... 10
2.1 Hardening Procedures in General ..... 10
3 Server Hardening ..... 14
3.1 BIOS Settings ..... 14
3.1.1 Using iRMC for the Remote Hardware Monitoring in COTS Servers ..... 14
3.2 Operating System Hardening ..... 15
3.2.1 Operating System Hardening according to the STIGS/DoD guidelines ..... 15
3.3 Clean Customer Deployment ..... 16
3.4 Access Protection System ..... 16
4 OpenScape 4000 V7 Platform ..... 18
4.1 Communication Access and Protection against Toll Fraud ..... 18
4.1.1 Class of Service ..... 18
4.1.2 Accessing the Terminals ..... 19
4.2 Data Protection for Digital (TDM) or IP (HFA or SIP) Phones ..... 20
4.3 Secure HFA Interface to Phone ..... 21
4.4 Securing HFA Terminals on the HG3500 Common IP Gateway ..... 21
4.5 OpenScape 4000 V7 CSTA Interface with VPN ..... 22
4.6 Secure Remote Subscriber ..... 23
4.7 Gateway/Portal Web/Admin Access Hardening ..... 24
5 OpenScape Cordless Enterprise V7 ..... 25
6 Terminals ..... 26
7 OpenScape 4000 Assistant V7 ..... 27
7.1 PKI Based Authentication ..... 27
7.2 Configure Password Policy ..... 29
7.3 Change Predefined Passwords ..... 29
7.4 Change Predefined Passwords for Network Single Logon ..... 30
7.5 Emergency Password Reset (EPR) ..... 31
7.6 Create Administrator Accounts and Assign Privileges ..... 32
7.7 Security Mode Configuration ..... 33
7.8 Turn off Unused Applications ..... 35
8 Extending and 3rd Party Components ..... 36
8.1 OpenScape Fault Management V7 ..... 36
8.2 OpenScape Accounting Management and DS-Win ..... 36
8.3 Informix Database ..... 37
8.3.1 Informix Accounts Necessary for Local OpenScape FM V7 ..... 37
8.3.2 Informix Accounts Necessary for External Management Application ..... 38
A31001-H3170-P100-3-7620, 06-2014
OpenScape 4000 V7 and Affiliated Products Security Checklist, Planning Guide 3
9 Administration ..... 40
9.1 Remote Administration via HTTPS ..... 40
9.2 Monitoring via SNMP ..... 41
9.2.1 SNMP v1/v2 ..... 41
9.2.2 SNMP v3 ..... 42
10 Infrastructure ..... 44
10.1 Protection of Internal LAN Communications ..... 44
10.2 Atlantic LAN (A-LAN) ..... 44
10.3 Backup and Restore - HBR ..... 45
10.4 VPN Connection (IPSec based) ..... 46
10.5 DMZ ..... 47
11 Addendum ..... 48
11.1 Password Policies ..... 48
11.1.1 Supported PW Policy ..... 48
11.1.2 PW Policy Agreed for Customers Deployment ..... 49
11.2 Default Accounts ..... 49
11.2.1 Machine Accounts ..... 50
11.2.2 User Accounts ..... 50
11.3 Certificate Handling ..... 51
11.4 Port Table Generation via IFMDB ..... 52
12 References ..... 53
1 Introduction
1.1 Validity
1.3 Security Strategy for Unify Products
Reliability and security is a key requirement for all products, services and
solutions delivered by Unify. This requirement is supported by a comprehensive
security software development lifecycle that applies to all new products or product
versions being developed from design phase until end of life of the product.
Products of Unify are developed according to the Baseline Security Policy, which
contains the technical guidelines for the secure development, release and
sustaining of the company’s products. It defines the fundamental measures for
software security that are taken throughout the whole lifecycle of a product, from
design phase until end of life:
• Product planning and design: Threat and Risk Analysis (Theoretical Security
Assessment) to determine the essential security requirements for the product.
• Product development and test: Penetration Tests (Practical Security
Assessment) to discover implementation vulnerabilities and to verify the
hardening of the default system configuration.
• Installation and start of operation: Hardening Guides (Security Checklist) to
support the secure configuration of the product according to the individual
customer's security policy.
• Operation and maintenance: Proactive Vulnerability Management to identify,
analyse and resolve security vulnerabilities that emerge after products have
been released, and to deliver guidance to customers on how to mitigate or
close these vulnerabilities.
Figure: Unify Baseline Security Policy - from Design to EOL
This Security Checklist covers the product and lists its security-relevant topics
and settings in a comprehensive form.
1.5 Customer Deployment - Overview
Form with one column each for Customer and Supplier:
Company
Name
Address
Telephone
General Remark
Date
2 Hardening Measures
The information in this document is intended to support service technicians,
resellers, customers and consultants in examining and setting the required
security measures in the software and hardware of OpenScape 4000 V7 and the
affiliated products listed below.
The current security settings are to be confirmed by the customer by signature on
delivery of OpenScape 4000 V7 and the affiliated products. Deviations from the
security settings at the customer's request are to be documented.
This manual addresses the hardening issues related mainly to the following
complexes within the OpenScape 4000 V7 and affiliated products:
• OpenScape 4000 V7 Communication Platform
• OpenScape 4000 Assistant V7
• OpenScape 4000 SoftGate V7
• OpenScape Cordless Enterprise V7
• OpenScape Access 500
• OpenScape RG8350 V7
2.1 Hardening Procedures in General
CL-SW Status (All components): Up-to-date SW. Software that is delivered by Unify as well as additionally necessary software.
Measures: The following up-to-date software is installed for the components listed below:
• BIOS update should be done according to the HW vendor description.
• Software delivered by Unify can be downloaded from the SW Server.
• Latest Fix Release (FR) / Hotfix installed.
References: OpenScape 4000 Assistant/Manager V7, Webmin Base Administration, Administrator Documentation, Issue 1; OpenScape 4000 Manager V7, Installation and Service Manual, Issue 1; SWS Server
OpenScape 4000 system:
• OpenScape 4000 SWU: Yes / No / Version:
• OpenScape Accounting Management: Yes / No / Version:
3 Server Hardening
Each server the OpenScape 4000 V7 runs on is conveniently delivered hardened
from the factory, as it is a software appliance. Thus, no special hardware security
settings are necessary.
However, the general requirements for all PCs/Servers which run communication
clients and applications are:
• The operating system version is released for the communication software
(see Sales Information guide).
• Current security updates are installed (see CL-SW Status, All components).
• Access to the system is protected by passwords according to the password
rules defined in chapter 11.1 Password Policies.
• After installation all software that was necessary as installation help
(diagnostic tools like Wireshark, PuTTY, old software versions ...) shall be
removed from the server.
3.1 BIOS Settings
Access to the BIOS allows changing the boot order of the server. Once it has been
changed, an intruder may boot tools from CD-ROM or a USB device that allow
changing the administrator password or installing files.
To prevent this, the BIOS needs to be password protected.
3.1.1 Using iRMC for the Remote Hardware Monitoring in COTS Servers
OpenScape 4000 V7 does not rely on the iRMC interface or on any of the remote
monitor/control functions that are available by default in a COTS server on which
OpenScape 4000 V7 runs. These remote management interfaces are disabled per
default (BIOS).
Consequently, the OpenScape 4000 V7 SW will not offer or deliver any BIOS/iRMC
FW updates for the COTS servers in the future.
3.2 Operating System Hardening
The solution concept of OpenScape 4000 V7 is based on the porting of the entire
software running on previous architecture to a virtual environment. The Switching
Unit (Call Control), Administration and Data Processor (ADP), OpenScape 4000
V7 Assistant and ACL/CSTA-based services were split for this purpose and now
run as separate, virtual machines on common X86-enabled hardware.
The OpenScape 4000 V7 software at the same time supports the High Availability
Framework of Linux (LINUX HA) and provides a high-availability (clustered) Linux
solution on this basis, which extends the operational security, availability and
serviceability of OpenScape 4000 V7.
The OpenScape 4000 V7 software therefore runs on DSCXL2+ boards (i.e.
central control boards) or alternatively on regular server PC hardware (so-called
COTS – 'Commercial off the Shelf' – Standard Server) or OpenScape Access 500
or even on a VMware platform.
3.3 Clean Customer Deployment
CL-CleanDeployment (OpenScape 4000 V7 Server): All software coming from Unify that is not necessary for the customer deployment has to be removed from the OpenScape 4000 V7 installation.
Measures: After installation all software that was necessary as installation help (diagnostic tools like Wireshark, PuTTY, old software versions ...) shall be removed from the server.
References: N/A
Needed Access Rights: Administrator
4 OpenScape 4000 V7 Platform
4.1 Communication Access and Protection against Toll Fraud
Toll fraud can cause considerable financial losses. The measures listed below
shall be taken to protect against unauthorized calls via OpenScape 4000 V7.
INFO: The available authorizations can also be restricted time-wise on the basis
of automatic class of service changeover / night service. Conducted calls can be
monitored with the aid of Call Data Recording (accounting tool).
CL-PIN terminals: PIN (PIN policy can be configured by the customer; there are no special requirements apart from PIN length, as only numbers can be entered at the phone set)
Measures:
• The PIN is used for telephones that pose a risk of misuse, with the setting up of an individual password comprising a combination of digits up to 12 positions in length that cannot be guessed easily. It is set up in the OpenScape 4000 V7 system database.
• Authentication is enabled in the expert settings of the WBM for mobile subscribers.
• Users have been informed of their individual PIN and familiarized with its usage.
References: OpenScape 4000 V7 Feature Usage Examples, Service Documentation
Needed Access Rights: Administrator
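The PIN rule above leaves the policy to the customer apart from the 12-digit maximum. The following Go program is an added example, not code from Unify or the OpenScape product: it shows a PIN check a customer could apply before a PIN is entered into the system database. It enforces an assumed minimum length of 6 and the 12-digit maximum from the checklist, and rejects numeric PINs that are easily guessed (all digits identical, ascending or descending sequences including wrap-arounds, and short repeated patterns). The policy values and all function names are assumptions.

```go
package main

import (
	"errors"
	"fmt"
)

// PINPolicy holds the customer-configurable length bounds. The 12-digit maximum
// comes from the checklist; the minimum of 6 is an assumed customer choice.
type PINPolicy struct {
	MinLen, MaxLen int
}

var DefaultPolicy = PINPolicy{MinLen: 6, MaxLen: 12}

// CheckPIN returns nil when pin satisfies the policy, otherwise an error naming
// the first rule it violates.
func CheckPIN(p PINPolicy, pin string) error {
	if len(pin) < p.MinLen || len(pin) > p.MaxLen {
		return fmt.Errorf("length %d outside %d..%d digits", len(pin), p.MinLen, p.MaxLen)
	}
	for i := 0; i < len(pin); i++ {
		if pin[i] < '0' || pin[i] > '9' {
			return errors.New("only digits can be entered at the phone set")
		}
	}
	if isRun(pin, 1) || isRun(pin, -1) {
		return errors.New("ascending or descending digit sequence")
	}
	if hasShortPeriod(pin) {
		return errors.New("repeated digit pattern")
	}
	return nil
}

// isRun reports whether each digit follows the previous one by step modulo 10,
// so 123456, 654321 and the wrap-around 890123 all count as runs.
func isRun(pin string, step int) bool {
	for i := 1; i < len(pin); i++ {
		diff := (int(pin[i]) - int(pin[i-1]) + 10) % 10
		if diff != (step+10)%10 {
			return false
		}
	}
	return true
}

// hasShortPeriod reports whether pin is a block of at most half its length
// repeated to fill it, which covers 111111, 121212 and 123123.
func hasShortPeriod(pin string) bool {
	for period := 1; period <= len(pin)/2; period++ {
		if len(pin)%period != 0 {
			continue
		}
		repeated := true
		for i := period; i < len(pin); i++ {
			if pin[i] != pin[i-period] {
				repeated = false
				break
			}
		}
		if repeated {
			return true
		}
	}
	return false
}

func main() {
	// Constructed sample PINs, not values from any deployment.
	for _, pin := range []string{"123456", "111111", "121212", "890123", "12a456", "482913"} {
		fmt.Printf("%-8s -> %v\n", pin, CheckPIN(DefaultPolicy, pin))
	}
}
```

The check is deliberately a blocklist of structural patterns rather than a dictionary, because with digits only there is nothing else to test; the length bound is what actually determines the guessing effort, so MinLen is the value to agree with the customer.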
4.2 Data Protection for Digital (TDM) or IP (HFA or SIP) Phones
This feature allows the information stored in digital (TDM) or IP phones (HFA or
SIP), such as phone numbers saved on speed dialing keys, to be protected against
unauthorized access and manipulation.
The following functions are offered:
• Blocking of individual dialing aids
• Blocking of service functions
Blocking of system-activated dialing aids and check functions is supported.
The function (key/menu) for switching forwarding to a saved destination, mailbox
or any phone number on and off is not restricted, because these functions do not
impact the terminal currently used. The required blocking is enabled and disabled
by using the class-of-service changeover.
Table: Data Protection for Phones
4.3 Secure HFA Interface to Phone
Security mechanisms are provided in HFA both on the HFA terminal (OpenStage
and OpenScape Desktop Client) and on the associated HG3500 Common IP
Gateway.
Unauthorized login from an OpenStage or OpenScape Desktop Client can be
prevented by requiring a password when logging in to the IP network. This
password can be administered via OpenScape 4000 Assistant in CM (Configuration
Management) or via AMO SBCSU. Please adhere to the password policy in
chapter 11.1 Password Policies.
Access to the administration menu in OpenStage HFA via the display and
keyboard is protected by means of an admin password. This password is
assigned by means of administration procedures in OpenScape 4000 V7.
INFO: Be aware that the above mechanism is only valid for HFA phones. SIP phones
are configured automatically via DLS.
4.6 Secure Remote Subscriber
The "Secure Remote Subscriber" feature provides HFA features for a remote
subscriber connected over the Internet. Signaling and payload encryption is
supported for the remote subscriber as well as the route through the Internet.
The OpenScape 4000 V7 offers an IP-based connectivity between the
OpenScape 4000 SoftGate (communication service signaling/media control unit)
and the endpoints. These endpoints offer the full OpenScape 4000 feature set.
A secure IP (TLS/SSL-based) operating mode, called SPE (Signaling and
Payload Encryption), is supported, which means that the signaling and payload
connections are always encrypted even if SPE is not activated.
The HFA features can also be used on the phones in the user's remote office. The
HFA connectivity via the public internet to OpenScape 4000 SoftGate is therefore
incorporated.
The OpenScape 4000 SoftGate is located with one interface in the public network
(WAN interface) and the other interface in a corporate network (IPDA interface).
Table: Remote Subscriber
6 Terminals
Please refer to the individual product security checklists / administration and
service documents for the terminals (e.g. OpenStage T / OpenStage HFA IP /
OpenStage SIP) and clients (e.g. OpenScape Personal Edition) that can be
connected to OpenScape 4000 V7 and used across systems.
Only released terminals as per the current sales information should be used.
7 OpenScape 4000 Assistant V7
7.1 PKI Based Authentication
With the OpenScape 4000 Assistant V7 the password authentication method has
been extended with certificate based authentication. The user can now use a
smartcard with a stored PKI certificate to log in to the Assistant web GUI. No PKI
certificates are delivered with the Assistant product. The customer must provide
his own PKI certificates and import them into the product.
PKI usage principles are described in the PKI Manual. Please get to know them
before using PKI authentication mode. The PKI authentication mode can be
selected in Access Management > Security Mode Configuration. Customer's
certification authorities and revocation lists can be configured in Access
Management > Configuration of PKI Authentication. Personal certificates can
be assigned to user accounts in Access Management > Account Management >
User Account Administration.
7.3 Change Predefined Passwords
During the installation all OpenScape 4000 Assistant V7 accounts are created
with default passwords which are generally known. Thus, all passwords need to
be changed upon first usage of the corresponding account.
CL-Predef pass: Change default passwords for engr, rsta, rsca and cusa accounts
Measures: The user is asked to change the password during the first login with the engr account. For each of the three other accounts please execute:
• On the Start Page of Access Management navigate to Account Management > System Account Administration.
• Select an account.
• Enter a new password in the "New password" and "Retype Password" fields.
• Evaluate if all the available accounts are necessary for administration. If not, lock unused accounts. For information on these accounts see Access Management, chapter 1.2.1 and Addendum, chapter 11.2 Default Accounts.
References: Access Management, Chapter 2.7 and chapter 3.3
Needed Access Rights: Administrator
7.4 Change Predefined Passwords for Network Single Logon
Network Single Logon (NSL) accounts are used for secure user-independent
access e.g. for some types of communication between Manager and Assistant.
During the installation all NSL accounts are created with default empty password.
Thus, all passwords need to be changed to prevent unauthorized access to
system.
NSL accounts are not used for interactive login to system. They are used for some
data connections from the Manager to assigned Assistant. When you change
NSL passwords on the Assistant don't forget to change the corresponding
passwords in System Management on the OpenScape 4000 V7 Manager -
please see the Security Checklist of the OpenScape 4000 Manager V7 Refer-
ences for further details.
7.6 Create Administrator Accounts and Assign Privileges
You can create individual administrator accounts and assign them appropriate
access rights. This enables you to manage user access and to provide users with
sufficient rights. While this is not a hardening procedure in the strict sense but
rather a normal administrator action, it is mentioned here for completeness, since
creating admin accounts and assigning privileges is very important.
8 Extending and 3rd Party Components
8.3 Informix Database
If 3rd party components are not used, lock the uas_read and/or uas_rdwr accounts
with the "Lock user account" checkbox.
9 Administration
9.1 Remote Administration via HTTPS
Access to the OpenScape 4000 Assistant V7 GUI is always encrypted via HTTPS.
Each administration access is logged.
Server side authentication is performed with TLS. Client side authentication is
performed by username/password. For the related security settings see chapters
7.2 Configure Password Policy and 7.3 Change Predefined Passwords as well as
chapters 11.1 Password Policies and 11.2 Default Accounts.
The security strength of HTTPS depends heavily on which TLS cipher suite is
negotiated, which kind of authentication is established (none, server only, client
and server) and the strength of the certificates used for authentication.
A self-signed server certificate for HTTPS encryption is delivered by default. (This
has to be accepted as trusted by the user in the browser.) Since the web-server
certificate and its private key are part of the general installation package, each
customer gets the same key material.
For server authentication and protection against man-in-the-middle attacks, an
individual certificate is necessary, which relies on a root certificate authority. This
enables the browser used for administration to set up a secure end-to-end
connection with OpenScape 4000 Assistant V7. It is recommended that the
customer uses his/her individual certificate. Please refer to Addendum, chapter
11.3 Certificate Handling.
Table: Remote Administration via HTTPS
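Both the PKI login in chapter 7.1 (certification authorities and revocation lists configured, personal certificates assigned to accounts) and the HTTPS note above (a self-signed default certificate versus an individual certificate chained to a root CA) come down to the same X.509 checks. The following Go program is an added example and not code from Unify or the Assistant: it builds a throwaway customer CA, a certificate issued by it and a self-signed certificate in memory (constructed data), flags the self-signed one the way a browser would, and performs the chain, revocation and account-assignment checks a certificate login needs. The CN-to-account mapping and the use of a serial-number map in place of an imported CRL are assumptions.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Fixture is constructed test material: a customer root CA, a client certificate
// issued by it, and a self-signed certificate that no configured CA vouches for.
type Fixture struct {
	CA, Client, SelfSigned *x509.Certificate
	Roots                  *x509.CertPool
	Accounts               map[string]string // certificate CN -> account name (assumed mapping)
}

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// certTemplate builds a minimal certificate; ca selects CA constraints and key usage.
func certTemplate(cn string, serial int64, ca bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	if ca {
		t.IsCA, t.BasicConstraintsValid = true, true
		t.KeyUsage, t.ExtKeyUsage = x509.KeyUsageCertSign|x509.KeyUsageCRLSign, nil
	}
	return t
}

// issue signs tmpl with signerKey; a nil parent yields a self-signed certificate.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signerKey *ecdsa.PrivateKey) *x509.Certificate {
	if parent == nil {
		parent = tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signerKey)
	must(err)
	c, err := x509.ParseCertificate(der)
	must(err)
	return c
}

// BuildFixture creates the in-memory PKI (constructed data, not product material).
func BuildFixture() Fixture {
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	clientKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	ca := issue(certTemplate("Example Customer Root CA", 1, true), nil, &caKey.PublicKey, caKey)
	client := issue(certTemplate("admin1", 2, false), ca, &clientKey.PublicKey, caKey)
	rogue := issue(certTemplate("admin1", 3, false), nil, &clientKey.PublicKey, clientKey)
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	return Fixture{CA: ca, Client: client, SelfSigned: rogue, Roots: roots,
		Accounts: map[string]string{"admin1": "admin1"}}
}

// IsSelfSigned reports whether a certificate is signed with its own key, which is
// what the default web-server certificate from the installation package looks like.
func IsSelfSigned(c *x509.Certificate) bool {
	return bytes.Equal(c.RawIssuer, c.RawSubject) &&
		c.CheckSignature(c.SignatureAlgorithm, c.RawTBSCertificate, c.Signature) == nil
}

// AuthenticateClient performs the three checks a certificate login needs: the chain
// ends in a configured CA, the serial is not revoked (a map stands in for the
// imported CRL here), and the certificate is assigned to an account.
func AuthenticateClient(cert *x509.Certificate, roots *x509.CertPool,
	revokedSerials map[string]bool, accounts map[string]string) (string, error) {
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := cert.Verify(opts); err != nil {
		return "", fmt.Errorf("chain validation failed: %w", err)
	}
	if revokedSerials[cert.SerialNumber.String()] {
		return "", errors.New("certificate is revoked")
	}
	account, ok := accounts[cert.Subject.CommonName]
	if !ok {
		return "", errors.New("certificate is not assigned to any account")
	}
	return account, nil
}

func main() {
	f := BuildFixture()
	fmt.Println("self-signed (default-style) certificate:", IsSelfSigned(f.SelfSigned))
	fmt.Println(AuthenticateClient(f.Client, f.Roots, nil, f.Accounts))
	fmt.Println(AuthenticateClient(f.SelfSigned, f.Roots, nil, f.Accounts))
}
```

The order of the checks matters: a certificate that does not chain to a configured CA is rejected before its subject is even looked at, so an attacker-minted certificate carrying a legitimate CN never reaches the account mapping. The same IsSelfSigned test, applied to the web-server certificate presented on port 443, tells you whether the default key material from the installation package is still in use.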
9.2 Monitoring via SNMP
9.2.1 SNMP v1/v2
In practical experience the SNMP v2c version from 1996 is used equivalent to
SNMP v2.From the security point of view this version provides the same as SNMP
v1. The SNMP v3 is supported by OpenScape 4000 Assistant V7 and its usage
is recommended. See cahpter SNMP v3for details.
Communities:
A community string is available in SNMP v1 and SNMP v2. It is comparable with
a user ID or a password that allows access to statistical data of a device. The
standard community string names "public" (read only; get) and "private" (read and
write access; get, set) should be changed into individual names. By default, trap
managers make use of the community string "public".
Allowed Hosts:
As the community string is transmitted in clear text, it can be eavesdropped easily.
Therefore the IP addresses of the systems that may contact the monitored system
via SNMP shall also be defined.
9.2.2 SNMP v3
Since HiPath 4000 V6 R2, the Assistant supports SNMP v3 and it is recommended
to be used for the communication with all remote SNMP servers, as it supports
secure authentication and data encryption.
In small scenarios, where OpenScape Fault Management is located on the same
server as OpenScape 4000 Assistant, this connection need not be secured with
SNMP v3 authentication and encryption for normal security requirements.
For all scenarios with a separate Fault Management (e.g. with OpenScape Fault
Management) the SNMP v3 communication should be secured.
This step is an administrative task which should not be performed only once after
installation but continuously during operation of e.g. OpenScape FM, whenever
new network elements are added for monitoring. It also involves the network
elements themselves: they have to be configured to use SNMPv3, and other SNMP
versions should be deactivated.
Table: SNMP v3
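As an added example (not from the guide), a checker for the three rules of this section over a monitoring host's SNMP configuration: no default community names, allowed hosts defined, SNMP v3 in use and older versions deactivated. It assumes net-snmp snmpd.conf syntax, since the Assistant's own configuration format is not shown here, and the sample configuration is constructed.

```python
import ipaddress

# Constructed sample in net-snmp snmpd.conf syntax (assumed format; the
# Assistant's own SNMP configuration is not shown in the guide). Lines 1-2
# show the weak defaults the checklist warns about, lines 3-4 the hardened form.
SAMPLE_SNMPD_CONF = """\
rocommunity public
rwcommunity private 10.10.5.0/24
rocommunity n0c-r3ad0nly 10.10.5.20
rouser nmsmon priv
"""

DEFAULT_COMMUNITIES = {"public", "private"}
COMMUNITY_DIRECTIVES = {"rocommunity", "rwcommunity", "rocommunity6", "rwcommunity6"}
V3_USER_DIRECTIVES = {"rouser", "rwuser"}

def _restricted(source):
    """True if the allowed-host source is narrower than 'any address'."""
    if source.lower() in ("default", "0.0.0.0/0", "::/0"):
        return False
    try:
        return ipaddress.ip_network(source, strict=False).prefixlen > 0
    except ValueError:
        return True  # a host name, which net-snmp also accepts

def audit_snmp_config(text):
    """Return (line_no, finding) pairs; line 0 marks configuration-wide findings."""
    findings, v1v2_seen, v3_seen = [], False, False
    for no, raw in enumerate(text.splitlines(), 1):
        parts = raw.split("#", 1)[0].split()
        if not parts:
            continue
        directive = parts[0].lower()
        if directive in COMMUNITY_DIRECTIVES:
            v1v2_seen = True
            name = parts[1] if len(parts) > 1 else ""
            source = parts[2] if len(parts) > 2 else "default"
            if name.lower() in DEFAULT_COMMUNITIES:
                findings.append((no, f"default community string {name!r} must be renamed"))
            if not _restricted(source):
                findings.append((no, "community accepted from any host; define allowed hosts"))
        elif directive in V3_USER_DIRECTIVES:
            v3_seen = True
            level = parts[2].lower() if len(parts) > 2 else "auth"
            if level == "noauth":
                findings.append((no, f"v3 user {parts[1]!r} permits unauthenticated access"))
    if not v3_seen:
        findings.append((0, "no SNMP v3 users configured; SNMP v3 is recommended"))
    if v3_seen and v1v2_seen:
        findings.append((0, "SNMP v1/v2c communities still active; deactivate other versions"))
    return findings
```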
10 Infrastructure
Protection of Internal LAN Communications
For some Internet (C-LAN) applications, specific ports have to be enabled and
forwarded to the Atlantic (internal) LAN (A-LAN) by Network Address Translation
(NAT). This port forwarding is protected by an IP-address-based firewall,
configurable from the Webmin Base Administration component.
However, the Assistant's A-LAN itself is not firewall protected. The boxes
connected to the A-LAN shall meet extended security standards, e.g. encryption,
effective access control, and robustness against denial-of-service attacks and
message floods.
Backup and Restore - HBR
In the Backup and Restore (HBR) component the backup can be made to a remote
NFS or SFTP server. SFTP stands for Secure FTP, based on SSH. The following
Windows-based SFTP servers were successfully tested with HBR:
• Free edition of SilverSHielD SSH/SFTP server - Free SSH (SSH2) and SFTP server for Windows
• CopSSH
• KpyM
• SSHWindows
• CYGWIN OpenSSH
On Linux, the most common implementation, OpenSSH, is supported. Nevertheless,
others should generally work as well.
We recommend enforcing the use of SFTP per default instead of NFS.
Table: Backup and Restore
VPN Connection (IPSec based)
10.5 DMZ
11 Addendum
11.1 Password Policies
OpenScape 4000 with extended password handling rules activated supports the
Unify Password and Login Policies. These are as follows:
In order to switch on the Extended Password Policy, follow the steps given in the
Access Management documentation; see the References chapter.
In the following table please insert the values that have been agreed with the
customer for the password policy.
Password policy parameter (agreed value):
• Minimal length
• Minimal number of upper case letters
• Minimal number of numerals
• Minimal number of special characters
• Maximal number of repeated characters
• Maximal number of sequential characters
• Change interval
• Maximum number of erroneous login attempts
• Password history
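As an added example (not part of the guide), a validator for the composition rules in the table above (length, upper-case letters, numerals, special characters, repeated and sequential characters) plus the password-history rule. The limit values are constructed placeholders standing in for the values agreed with the customer, and history entries are compared as unsalted SHA-256 hashes, which is a simplification of a real credential store.

```python
import hashlib
import string

# Constructed placeholder limits: the real values are those agreed with the
# customer and entered in the policy table above.
POLICY = {
    "min_length": 12,
    "min_upper": 1,
    "min_digits": 1,
    "min_special": 1,
    "max_repeated": 2,    # longest run of one identical character, e.g. "aa"
    "max_sequential": 3,  # longest ascending/descending run, e.g. "abc", "321"
    "history": 5,         # number of previous passwords that may not be reused
}

def _longest_run(pw, step):
    """Longest run in which each code point differs from the previous by step."""
    best = run = 1
    for a, b in zip(pw, pw[1:]):
        run = run + 1 if ord(b) - ord(a) == step else 1
        best = max(best, run)
    return best

def _digest(pw):
    """Simplified history entry: unsalted SHA-256 (a real store uses a salted, slow hash)."""
    return hashlib.sha256(pw.encode()).hexdigest()

def check_password(pw, history=(), policy=POLICY):
    """Return the names of the policy rules a candidate password violates
    (an empty list means the password is acceptable)."""
    violations = []
    if len(pw) < policy["min_length"]:
        violations.append("min_length")
    if sum(c.isupper() for c in pw) < policy["min_upper"]:
        violations.append("min_upper")
    if sum(c.isdigit() for c in pw) < policy["min_digits"]:
        violations.append("min_digits")
    if sum(c in string.punctuation for c in pw) < policy["min_special"]:
        violations.append("min_special")
    if _longest_run(pw, 0) > policy["max_repeated"]:
        violations.append("max_repeated")
    if max(_longest_run(pw, 1), _longest_run(pw, -1)) > policy["max_sequential"]:
        violations.append("max_sequential")
    if _digest(pw) in list(history)[-policy["history"]:]:
        violations.append("history")
    return violations
```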
11.2 Default Accounts
Here are the Assistant default accounts, including accounts of other systems that
can access the OpenScape 4000 Assistant V7. Each system listed in the Security
Checklist should be represented here as well. User accounts are listed here as
well as machine accounts that are used for authentication between software
applications.
Each account is either locked after the installation or has a default password available.
IMPORTANT: BEWARE:
Be aware that most successful attacks on Unify systems are based on unchanged
default passwords. Since the default passwords are publicly available, it is
absolutely necessary to change them into customer-specific passwords immediately
after the installation process.
• nsl-rsca
• nsl-cusa
• nsl-cust
11.3 Certificate Handling
Table: Certificate Handling
Columns: # | Type/Interface | Customer requirement for OpenScape 4000 Assistant V7 | Expiration date for customer-specific key material | Unify default credentials | Usage/Comment

1 PKI
  Customer requirement: none
  Usage/Comment: Application: client authentication for login into the web based GUI. PKI is used when the authentication mode is "Only PKI" or "Password and PKI". Customer delivered PKI is supported. See chapter 7.1 PKI Based Authentication.

2 SSL on server
  Unify default credentials: delivered, issued by Unify I&C Security CA
  Usage/Comment: Application: used over HTTPS for encryption and server authentication, e.g. Apache web server authentication and traffic encryption, i.e. web based management, Tomcat Servlets, etc., authentication and encryption of various application daemons to Java Applet clients. Since the web-server certificate and its private key are part of the general installation CD, each customer gets the same key material. This key material is not used for client authentication, but for web server authentication only. It must be replaced after installation.
Port Table Generation via IFMDB
To get all information that is necessary for the Security Checklist Port Table,
proceed as follows in IFMDB:
Step by Step
1) Choose, for example, "Firewall Scenario Report".
2) In "Select Generic Scenarios list", select "OSC Management".
3) Select Entities: for example, select "OpenScape 4000 Assistant".
4) Select SW Version: for example, select the latest released version of
"OpenScape 4000 Assistant client V7 <XX>" and "OpenScape 4000 Assistant V7 <XX>".
5) Select Interfaces: select all.
6) Select left and right side of firewall: put, for example, "OpenScape 4000
Assistant client V7 <XX>" on one side of the firewall and "OpenScape 4000
Assistant V7 <XX>" on the other side.
7) Select information to be shown in the report: keep as it is for the port table view.
12 References
[1] OpenScape 4000 V7, Installation, Configuration and Migration, Installation Guide, Issue 1
[2] Interface Management Database (IFMDB), available via Unify Partner Portal: https://www.unify.com/us/partners/partner-portal.aspx
[3] OpenScape 4000 V7, Section 4 - IP Solutions, Service Documentation, Issue 1
[4] Access Management: OpenScape 4000 Assistant V7 Access Management (Assistant/Manager) online help, available from the GUI
[5] OpenScape 4000 Manager V7, Installation and Service Manual, Service Documentation, Issue 1
[6] The configuration of PKI authentication, service manual appendix
[7] OpenScape 4000 Assistant/Manager V7, Webmin Base Administration, Administrator Documentation, Issue 1
[8] OpenScape 4000 V7, Section 3 - Feature Usage Examples, Service Documentation, Issue 1
[9] OpenScape Cordless Enterprise V7, Service Documentation, Issue 1
[10] OpenScape 4000 Assistant/Manager V7, Security Mode configuration
[11] OpenScape 4000 Assistant V7, Simple Network Management Protocol OpenScape SNMP, Administrator Documentation
[12] Software Supply Server: http://sw-download.unify.com:8080/en/p_nav1.htmll
[13] OpenScape Accounting Management, Security Checklist
[14] OpenScape Fault Management V7, Security Checklist
[15] OpenScape 4000 Manager V7, Security Checklist
[16] OpenScape 4000 V7 AMO Descriptions, Service Documentation
[17] HiPath DS-Win Administrator Documentation
[18] OpenScape 4000 Assistant/Manager V7, Backup and Restore, Administrator Documentation
[19] DoD Security Technical Information Guides (STIGs): http://iase.disa.mil/stigs/index.html