
OpenScape 4000 V7 and Affiliated Products

Security Checklist
Planning Guide

A31001-H3170-P100-3-7620
Our Quality and Environmental Management Systems are
implemented according to the requirements of the ISO9001 and
ISO14001 standards and are certified by an external certification
company.

Copyright © Unify GmbH & Co. KG. 06-2014


Hofmannstr. 51, 81379 Munich/Germany
All rights reserved.
Reference No.: A31001-H3170-P100-3-7620
The information provided in this document contains merely general descriptions or
characteristics of performance which in case of actual use do not always apply as
described or which may change as a result of further development of the products.
An obligation to provide the respective characteristics shall only exist if expressly agreed in
the terms of contract.
Availability and technical specifications are subject to change without notice.
Unify, OpenScape, OpenStage and HiPath are registered trademarks of Unify GmbH & Co. KG.
All other company, brand, product and service names are trademarks or registered trademarks
of their respective holders.

unify.com
Contents

1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
1.1 Validity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
1.2 General Remarks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
1.3 Security Strategy for Unify Products . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
1.4 History of Change . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
1.5 Customer Deployment - Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
2 Hardening Measures. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
2.1 Hardening Procedures in General . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
3 Server Hardening . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
3.1 BIOS Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
3.1.1 Using iRMC for the Remote Hardware Monitoring in COTS Servers . . . . . . . . . . . . . . . . . . . . . . . . . . 14
3.2 Operating System Hardening. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
3.2.1 Operating System Hardening according to the STIGS/DoD guidelines . . . . . . . . . . . . . . . . . . . . . . . . 15
3.3 Clean Customer Deployment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
3.4 Access Protection System . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
4 OpenScape 4000 V7 Platform . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
4.1 Communication Access and Protection against Toll Fraud . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
4.1.1 Class of Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
4.1.2 Accessing the Terminals. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
4.2 Data Protection for Digital (TDM) or IP (HFA or SIP) Phones . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
4.3 Secure HFA Interface to Phone . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
4.4 Securing HFA Terminals on the HG3500 Common IP Gateway . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
4.5 OpenScape 4000 V7 CSTA Interface with VPN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
4.6 Secure Remote Subscriber . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
4.7 Gateway/Portal Web/Admin Access Hardening. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
5 OpenScape Cordless Enterprise V7 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
6 Terminals . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
7 OpenScape 4000 Assistant V7. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
7.1 PKI Based Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
7.2 Configure Password Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29
7.3 Change Predefined Passwords . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29
7.4 Change Predefined Passwords for Network Single Logon . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30
7.5 Emergency Password Reset (EPR) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
7.6 Create Administrator Accounts and Assign Privileges . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32
7.7 Security Mode Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
7.8 Turn off Unused Applications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
8 Extending and 3rd Party Components . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36
8.1 OpenScape Fault Management V7 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36
8.2 OpenScape Accounting Management and DS-Win . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36
8.3 Informix Database . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
8.3.1 Informix Accounts Necessary for Local OpenScape FM V7. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
8.3.2 Informix Accounts Necessary for External Management Application . . . . . . . . . . . . . . . . . . . . . . . . . 38

A31001-H3170-P100-3-7620, 06-2014
OpenScape 4000 V7 and Affiliated Products Security Checklist, Planning Guide 3

9 Administration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40
9.1 Remote Administration via HTTPS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40
9.2 Monitoring via SNMP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41
9.2.1 SNMP v1/v2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41
9.2.2 SNMP v3 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42
10 Infrastructure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44
10.1 Protection of Internal LAN Communications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44
10.2 Atlantic LAN (A-LAN) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44
10.3 Backup and Restore - HBR . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45
10.4 VPN Connection (IPSec based) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46
10.5 DMZ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47
11 Addendum . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48
11.1 Password Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48
11.1.1 Supported PW Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48
11.1.2 PW Policy Agreed for Customers Deployment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49
11.2 Default Accounts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49
11.2.1 Machine Accounts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50
11.2.2 User Accounts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50
11.3 Certificate Handling. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51
11.4 Port Table Generation via IFMDB . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52
12 References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53


1 Introduction

1.1 Validity

This Security Checklist is valid for the following product versions:


• OpenScape 4000 V7 Communication Platform
• OpenScape 4000 Assistant V7
• OpenScape 4000 SoftGate V7
• OpenScape Cordless Enterprise V7
• OpenScape Access 500
• OpenScape RG8350 V7

1.2 General Remarks

Information and communication and their seamless integration in “Unified
Communications and Collaboration” (UCC) are important, valuable assets
forming the core parts of an enterprise business. These assets require every
enterprise to provide specific levels of protection, depending on its individual
requirements for availability, confidentiality, integrity and compliance of the
communication system and the IT infrastructure it utilizes.
Unify attempts to provide a common standard of features and settings of security
parameters within delivered products. Beyond this, we generally recommend
• adapting these default settings to the needs of the individual customer and the
specific characteristics of the solution to be deployed
• weighing the costs of implementing security measures against the risks of
omitting a security measure, and “hardening” the systems appropriately.
Product Security Checklists are published as a basis to support the customer and
the service department in both direct and indirect channels, as well as self-
maintainers, in documenting security setting agreements and discussions.
The Security Checklists can be used for two purposes:
• In the planning and design phase of a particular customer project:
Use the Product Security Checklists of every relevant product to evaluate whether
all products that are part of the solution can be aligned with the customer’s
security requirements, and document in the Checklist how they can be
aligned. The Product Security Checklist containing the customer alignments is
referred to as the Customer specific Product Security Checklist.
This ensures that security measures are appropriately considered and
included in the Statement of Work, which builds the basis for the agreement
between Unify and the customer on who will be responsible for the individual
security measures:
– During installation/setup of the solution
– During operation


• During installation and during major enhancements or software
upgrade activities:
The Customer specific Product Security Checklists are used by a technician
to apply and/or control the security settings of every individual product.

Figure: Usage of Security Checklists (SCL)


Update and Feedback
• By their nature, security-relevant topics are subject to continuous changes and
updates. New findings, corrections and enhancements of this checklist are
included as soon as possible.
Therefore, we recommend always using the latest version of the Security
Checklists of the products that are part of your solution.
They can be retrieved from the Unify partner portal
http://www.unify.com/us/partners/partner-portal.aspx for the entire product.
• We encourage you to provide feedback in any case of unclarity or problems
with the application of this checklist.
Please contact the OpenScape Baseline Security Office (obso@unify.com).

1.3 Security Strategy for Unify Products

Reliability and security are key requirements for all products, services and
solutions delivered by Unify. This requirement is supported by a comprehensive
security software development lifecycle that applies to all new products or product
versions being developed, from the design phase until the end of life of the product.
Products of Unify are developed according to the Baseline Security Policy, which
contains the technical guidelines for the secure development, release and
sustaining of the company’s products. It defines the fundamental measures for
software security that are taken throughout the whole lifecycle of a product, from
design phase until end of life:
• Product planning and design:
Threat and Risk analysis (Theoretical Security Assessment) to determine the
essential security requirements for the product.
• Product development and test:
Penetration Tests (Practical Security Assessment) to discover implementation
vulnerabilities and to verify the hardening of the default system configuration.
• Installation and start of operation:
Hardening Guides (Security Checklist) to support the secure configuration of the
product according to the individual customer's security policy.
• Operation and maintenance:
Proactive Vulnerability Management to identify, analyse and resolve security
vulnerabilities that emerge after products have been released, and to deliver
guidance to customers on how to mitigate or close these vulnerabilities.
Figure: Unify Baseline Security Policy - from Design to EOL

According to Unify’s definition of a secure product, it is imperative that any product
can be installed, operated and maintained in a secure way. The level of the
product's security should also be defined by the customer.
The necessary information for that is drawn up in the Product Security Checklist.


1.4 History of Change

Date        Version  What
2013-11-13  1        Initial release
2014-01-27  1.1      OBSO’s feedback incorporation
2014-02-14  2        Document format changes to PDF form
2014-06-30  3        Updates for OpenScape V7R1, inclusion of several affiliated products.

1.5 Customer Deployment - Overview

This Security Checklist covers the products and lists their security-relevant topics
and settings in a comprehensive form.

                                        Customer        Supplier
Company
Name
Address
Telephone
E-mail
Covered Systems (e.g. System, SW version,
devices, MAC/IP-addresses)
Referenced Master Security Checklist    Version:
                                        Date:
General Remark
Open issues to be resolved until        Date:


2 Hardening Measures
The information in this document is intended to support service technicians,
resellers, customers and consultants in examining and setting the
required security measures in the software and hardware of OpenScape
4000 V7 and the affiliated products listed below.
The current security settings are to be confirmed by the customer by
signature on delivery of OpenScape 4000 V7 and the affiliated products.
Deviations from the security settings at customer request are to be documented.
This manual addresses the hardening issues related mainly to the following
components within OpenScape 4000 V7 and the affiliated products:
• OpenScape 4000 V7 Communication Platform
• OpenScape 4000 Assistant V7
• OpenScape 4000 SoftGate V7
• OpenScape Cordless Enterprise V7
• OpenScape Access 500
• OpenScape RG8350 V7

2.1 Hardening Procedures in General

The new OpenScape 4000 V7 brings a software-based abstraction of the
OpenScape 4000 converged-IP system, running within a Linux operating system
on an industry standard server. This enables new and existing customers to migrate
to a more data-center-like, IT-centric approach to telephony system
deployment while still maintaining support for traditional TDM and analog
resources and devices.
OpenScape 4000 V7 now offers three different deployment options:
• The compact PCI (cPCI) OpenScape 4000 Communication Server option
supports converged-IP requirements involving many analog, DECT or
specialized vertical applications and is designed for centralized deployment.
The compact hardware takes up less rack space, can be deployed in the data
center, and is highly scalable and secure.
• Deploying OpenScape 4000 on industry standard Linux servers is suited
for converged-IP telephony requirements following an ‘IT approach’ and is
well suited for highly distributed deployments. In this deployment an
OpenScape 4000 SoftGate (Simplex only) can also be added to run on the same
server hardware.
• OpenScape 4000 can also run on a VMware infrastructure with Linux as host
operating system and is qualified for use in data centers. This
virtual solution offers the same high scalability as the cPCI hardware.
High availability requirements are covered by VMware features (such as
vMotion, High Availability). This feature is available for simplex architecture
on PSR basis only.


Figure: Architectural view of the OpenScape 4000 V7 Platform

Figure: Architectural view of the OpenScape 4000 V7 Software

INFO: The OpenScape 4000 V7 software comprises the Linux
distribution, OpenScape 4000 Assistant, OpenScape 4000 CSTA
and the RMX Operating System.

All associated components will be looked at in the framework of protecting a
communication solution based on OpenScape 4000 V7.
• System (OpenScape 4000 V7) and infrastructure (LAN, WAN):
Physical and logical protection of access to the system and architecture to
prevent manipulation of functions and sabotage.
• OpenScape 4000 V7 corresponding software, applications and other components:
Protection of access and confidentiality through individual passwords,
protection of interfaces.
• Workstation and server PCs:
Access protection based on passwords, installation of current security updates,
possibly virus protection.
• Terminals (e.g. OpenStage telephones, soft clients):
Access protection in case of absence, restriction of accessible phone
numbers to protect against misuse and toll fraud.


The recommended measures are listed in the next sections.

The latest released software version should generally be installed for all components.
Table: SW Status of Components

CL-SW Status / All components: Up-to-date SW. Software that is delivered by Unify as well as additionally necessary software.
Measures: The following up-to-date software is installed for the components listed below:
• BIOS update should be done according to the HW vendor description.
• Software delivered by Unify can be downloaded from the SW Server.
• Latest Fix Release (FR) / Hotfix installed.
References: OpenScape 4000 Assistant/Manager V7, Webmin Base Administration, Administrator Documentation, Issue 1;
OpenScape 4000 Manager V7, Installation and Service Manual, Issue 1;
SWS Server

OpenScape 4000 system
  OpenScape 4000 SWU                         Yes: No: Version:
  OpenScape 4000 Assistant                   Yes: No: Version:
  HG35xx Gateways                            Yes: No: Version:
  CSTA                                       Yes: No: Version:
  OpenScape Cordless Enterprise              Yes: No: Version:
  Comwin (OpenScape 4000 Expert Access)      Yes: No: Version:
Clients and Terminal Devices
  Web Browser                                Yes: No: Version:
  OpenStage phones                           Yes: No: Version:
Extending / 3rd party components (associated to the OpenScape 4000 Assistant)
  OpenScape FM                               Yes: No: Version:
  OpenScape Accounting Management            Yes: No: Version:
  DS-Win                                     Yes: No: Version:
Customer Comments / Reasons:

NOTICE: Based on the installed software, the necessary Patch
Management for the customer shall be defined. Patch
Management is out of scope of the Product Security Checklist.


3 Server Hardening
Each server the OpenScape 4000 V7 runs on is delivered hardened
from the factory, as it is a software appliance. Thus, no special hardware security
settings are necessary.
However, the general requirements for all PCs/servers which run communication
clients and applications are:
• The operating system version is released for the communication software
(see Sales Information guide).
• Current security updates are installed (see CL-SW Status, All components).
• Access to the system is protected by passwords according to the
password rules defined in chapter Password Policies.
• After installation, all software that was only needed as an installation aid
(diagnostic tools like Wireshark, PuTTY, old software versions, ...) shall be
removed from the server.

3.1 BIOS Settings

Access to the BIOS allows changing the boot order of the server. Once the boot
order is changed, an intruder may boot tools from CD-ROM or a USB device that
allow changing the administrator password or installing files.
To prevent this, the BIOS needs to be password protected.

INFO: BIOS passwords should be set in accordance with
company security policies. This security policy can be found in the
addendum chapter Password Policies.

3.1.1 Using iRMC for the Remote Hardware Monitoring in COTS Servers

OpenScape 4000 V7 does not rely on the iRMC interface or on any of the
remote monitoring/control functions that are available by default in a COTS
server when OpenScape 4000 V7 runs on it. These remote management
interfaces are disabled by default (BIOS).
Consequently, the OpenScape 4000 V7 software will not offer or deliver any BIOS/
iRMC firmware updates for the COTS servers in the future.


Table: Usage of iRMC for remote hardware monitoring in COTS

CL-iRMC_COTS: Usage of iRMC for remote hardware monitoring in COTS
Measures: The service technician has to take care of the COTS hardening
measures in accordance with the documentation of the server supplier, as no
monitoring of any kind is provided by the OpenScape 4000 V7 software.
From the OpenScape 4000 V7 software perspective, usage of iRMC for remote
hardware monitoring is disabled. The service technician should therefore disable
the iRMC feature in the COTS server, if available.
References: N/A
Needed Access Rights: Administrator
Executed: Yes: No:
Customer Comments and Reasons:

3.2 Operating System Hardening

The solution concept of OpenScape 4000 V7 is based on porting the entire
software that ran on the previous architecture to a virtual environment. The Switching
Unit (Call Control), Administration and Data Processor (ADP), OpenScape 4000
V7 Assistant and ACL/CSTA-based services were split for this purpose and now
run as separate virtual machines on common x86 hardware.
At the same time, the OpenScape 4000 V7 software supports the High Availability
Framework of Linux (Linux HA) and provides a high-availability (clustered) Linux
solution on this basis, which extends the operational security, availability and
serviceability of OpenScape 4000 V7.
The OpenScape 4000 V7 software therefore runs on DSCXL2+ boards (i.e.
central control boards) or alternatively on regular server PC hardware (so-called
COTS, 'Commercial off the Shelf', standard servers), on OpenScape Access 500,
or even on a VMware platform.

3.2.1 Operating System Hardening according to the STIGS/DoD guidelines

OpenScape 4000 V7 is provided as a so-called appliance, following the
hardening measures recommended in the Security Technical Implementation
Guides (STIGs) and the National Security Agency (NSA) guidelines, which are
the configuration standards for Department of Defense (DoD) Information
Assurance (IA) and IA-enabled devices/systems. The OpenScape 4000 V7
operating system is therefore hardened already on delivery. For further details
see [19] at References.
All relevant SLES OS updates are part of Fix Releases (FR), which are released
regularly. In special cases a Hotfix can be provided for a security-relevant SLES
update. In both of these SW packages the OS dependencies are already resolved,
thus no manual or separate SLES OS maintenance is necessary, possible or
allowed. The transfer and activation of software updates takes place directly via
Assistant SWT/SWA2 or remotely from HiSPA/SIRA.

3.3 Clean Customer Deployment

Table: Clean Customer Deployment

CL-CleanDeployment / OpenScape 4000 V7 Server: All software coming from Unify
that is not necessary for the customer deployment has to be removed from the
OpenScape 4000 V7 installation.
Measures: After installation, all software that was only needed as an installation aid
(diagnostic tools like Wireshark, PuTTY, old software versions, ...) shall be removed
from the server.
References: N/A
Needed Access Rights: Administrator
Executed: Yes: No:
Customer Comments and Reasons:

3.4 Access Protection System

Administration of the system and the other components involved must be
protected against unauthorized access. That means:
• Authentication of every user (user name, password, digital certificate)
• Authorization (administration roles and rights)
• Audit (activity log)
Fixed or easily guessed passwords represent a considerable security risk.
Individual, complex passwords should be assigned to all users in every case.
Every user should only be assigned the rights and roles s/he needs. For details
of the role concept see chapter Default Accounts, and for details of the password
policies see chapter Password Policies in the addendum.
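The three requirements above (authentication, role-based authorization, audit log) are easiest to reason about when seen together in code. The following is an added example written for this page, not code from the Unify guide or from the product; the account names, roles and rights in it are constructed for illustration and are not the product's own accounts or role concept. It shows salted password hashing for authentication, a least-privilege check of each action against the rights of the user's role, and an audit entry for every login attempt and every action, whether it succeeded or was denied.

```python
"""Added example (not from the Unify guide): authentication, role-based
authorization and an audit trail, the three access-protection elements
listed in section 3.4. Roles, rights and accounts are constructed."""
import hashlib
import hmac
import os
from datetime import datetime, timezone
from typing import Dict, List, Optional, Set

# Constructed role concept: each role carries only the rights it needs.
ROLE_RIGHTS: Dict[str, Set[str]] = {
    "administrator": {"read_config", "write_config", "manage_users"},
    "operator": {"read_config"},
}

PBKDF2_ROUNDS = 200_000
SALT_LEN = 16


def hash_password(password: str, salt: Optional[bytes] = None) -> bytes:
    """PBKDF2-HMAC-SHA256 with a random per-account salt; stored as salt || digest."""
    salt = salt if salt is not None else os.urandom(SALT_LEN)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt + digest


def verify_password(stored: bytes, password: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    salt, digest = stored[:SALT_LEN], stored[SALT_LEN:]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


class AccessControl:
    """Accounts with an individual password hash and exactly one role,
    plus an append-only audit log of all login attempts and actions."""

    def __init__(self) -> None:
        self.accounts: Dict[str, dict] = {}
        self.audit: List[str] = []

    def add_account(self, name: str, password: str, role: str) -> None:
        if role not in ROLE_RIGHTS:
            raise ValueError(f"unknown role {role!r}")
        self.accounts[name] = {"pw": hash_password(password), "role": role}

    def login(self, name: str, password: str) -> bool:
        """Authentication: unknown users and wrong passwords both fail and are logged."""
        acct = self.accounts.get(name)
        ok = acct is not None and verify_password(acct["pw"], password)
        self._log(name, "login", "ok" if ok else "failed")
        return ok

    def perform(self, name: str, action: str) -> bool:
        """Authorization: the action must be among the rights of the user's role."""
        acct = self.accounts.get(name)
        allowed = acct is not None and action in ROLE_RIGHTS[acct["role"]]
        self._log(name, action, "ok" if allowed else "denied")
        return allowed

    def _log(self, user: str, action: str, result: str) -> None:
        ts = datetime.now(timezone.utc).isoformat(timespec="seconds")
        self.audit.append(f"{ts} user={user} action={action} result={result}")


if __name__ == "__main__":
    ac = AccessControl()
    ac.add_account("admin1", "correct horse", "administrator")  # constructed
    ac.add_account("op1", "battery staple", "operator")          # constructed
    ac.login("admin1", "correct horse")
    ac.perform("op1", "write_config")   # denied: operator has no write right
    print("\n".join(ac.audit))
```

Denied actions and failed logins are deliberately written to the same audit list as successful ones; an activity log that only records successes cannot show an attempted misuse of an account.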


Table: Access Protection

CL-SrvPwd / Desktop and other Server PCs: Access to the servers / PCs is protected by passwords.
Measures:
• A customer-specific PW policy is defined, see chapter Supported PW Policy.
• The default passwords are replaced by individual passwords, see chapter PW
Policy Agreed for Customers Deployment.
• Access right settings for user accounts are done (read/write access to the file
system). For the protection of the data stored locally (e.g. in file systems) the
user accounts shall only have limited access rights.
References: Assistant PW policies, see chapter Password Policies;
Assistant default accounts, see chapter Default Accounts;
OpenScape 4000 V7, Installation, Configuration and Migration, Installation Guide,
Chapter 1.3 “Default settings for Logins and Network Configuration”
Needed Access Rights: Administrator
Executed: Yes: No:
Customer Comments and Reasons:

Access to central components such as OpenScape 4000 V7, but also to LAN
switches and routers, must only be possible for technicians and administrators.
The user role recommended for such actions is Administrator level (user account
“engr”, see chapter 11.2.2 User Accounts).

INFO: Personal data, communication data and communication
contents, such as voice messages, are also stored in OpenScape
4000 V7. Confidentiality and privacy shall be assured by
protecting administration access, that is, by assigning appropriate
administrative access rights to the system database where this
data is stored. The user roles recommended for such actions are
the user accounts “engr”, “rsta” and “rsca” (see chapter 11.2.2
User Accounts).


4 OpenScape 4000 V7 Platform

4.1 Communication Access and Protection against Toll Fraud

Toll fraud can cause considerable financial losses. The measures listed below
shall be taken to protect against unauthorized calls via OpenScape 4000 V7.

4.1.1 Class of Service

OpenScape 4000 V7 offers the possibility of reaching external destinations via
direct calls from a terminal, by diverting incoming calls, or on the basis of CTI
commands. This also includes numbers abroad or other phone numbers that
attract heavy charges. To protect against misuse, the reachable destinations
should be restricted to the necessary phone numbers.
Table: Class of Service

CL-ClassServ: Restricting rights to required destinations
Measures:
• PSTN (Public Switched Telephone Network) call privileges with suitable
permitted/denied lists are set up for all terminals.
• Terminals that do not require external destinations have internal or restricted
trunk access (emergency calls are still possible).
• Allowed lists enable the external calls required for business purposes, while
other destinations remain blocked.
• Denied lists are used for toll numbers or specific countries (can alternatively be
set up in Least Cost Routing), for example for fully authorized stations.
• External call forwarding is disabled for all telephones that do not require it,
primarily for telephones within reach of external persons.
References: OpenScape 4000 V7 Feature Usage Examples, Service Documentation
Needed Access Rights: Administrator
Executed: Yes: No:
Customer Comments and Reasons:


INFO: The available authorizations can also be restricted time-wise on the basis of the automatic class-of-service changeover / night service. Calls that have been made can be monitored with the aid of Call Data Recording (accounting tool).
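The class-of-service rules above (allowed and denied lists, restricted trunk access, the emergency exception, and the time-based changeover from the INFO note) as a runnable model. This is an added example written for this edit, not code from Unify or from the OpenScape 4000 documentation; the real switch evaluates its AMO configuration, not this model. The trunk seizure digit "0", the prefixes, the emergency numbers and the business hours are constructed assumptions. What the model shows is the order in which the checks must be applied so that a denied list still wins over full trunk access and emergency numbers are never blocked.

```python
"""Added example (not part of the Unify checklist): a model of the
class-of-service rules from CL-ClassServ and the time-based changeover
from the INFO note. All numbers, prefixes and hours are constructed."""
from dataclasses import dataclass
from datetime import time
from typing import Tuple

# Constructed emergency numbers; they must stay dialable from every terminal.
EMERGENCY = {"110", "112", "911"}
TRUNK_SEIZE = "0"          # constructed convention: a leading "0" seizes a trunk
BUSINESS_HOURS = time(10, 0)
AFTER_HOURS = time(23, 0)

@dataclass
class ClassOfService:
    name: str
    trunk_access: str       # "none", "restricted" or "full"
    allowed: tuple = ()     # prefixes permitted when trunk_access == "restricted"
    denied: tuple = ()      # prefixes blocked even with "full" trunk access

@dataclass
class Terminal:
    extension: str
    day_cos: ClassOfService
    night_cos: ClassOfService
    external_forwarding: bool = False

def is_external(number: str) -> bool:
    return number.startswith(TRUNK_SEIZE)

def active_cos(term: Terminal, now: time,
               night_from: time = time(18, 0), night_to: time = time(7, 0)) -> ClassOfService:
    """Automatic class-of-service changeover: outside business hours the lower class applies."""
    in_night = now >= night_from or now < night_to
    return term.night_cos if in_night else term.day_cos

def call_permitted(term: Terminal, dialed: str, now: time) -> Tuple[bool, str]:
    """Decide whether a dialed number may be connected, and say why.
    Order matters: emergency first, then denied list, then allowed list."""
    if dialed in EMERGENCY:
        return True, "emergency number, always permitted"
    if not is_external(dialed):
        return True, "internal destination"
    cos = active_cos(term, now)
    if cos.trunk_access == "none":
        return False, f"{cos.name}: no trunk access"
    if any(dialed.startswith(p) for p in cos.denied):
        return False, f"{cos.name}: destination on denied list"
    if cos.trunk_access == "restricted":
        if any(dialed.startswith(p) for p in cos.allowed):
            return True, f"{cos.name}: destination on allowed list"
        return False, f"{cos.name}: restricted trunk access, destination not on allowed list"
    return True, f"{cos.name}: full trunk access"

def forwarding_permitted(term: Terminal, target: str) -> bool:
    """External call forwarding is honoured only where it is enabled for the terminal;
    internal forwarding targets are always fine."""
    return (not is_external(target)) or term.external_forwarding

# Constructed classes: "business" may only reach two country prefixes; premium-rate
# prefixes stay blocked even for the fully authorized class.
INTERNAL_ONLY = ClassOfService("internal", "none")
BUSINESS = ClassOfService("business", "restricted", allowed=("0030", "0049"), denied=("00900", "0190"))
FULL = ClassOfService("full", "full", denied=("00900", "0190"))

LOBBY_PHONE = Terminal("100", day_cos=BUSINESS, night_cos=INTERNAL_ONLY)
MANAGER_PHONE = Terminal("200", day_cos=FULL, night_cos=BUSINESS, external_forwarding=True)

if __name__ == "__main__":
    for term, number, when in ((LOBBY_PHONE, "004989123", BUSINESS_HOURS),
                               (LOBBY_PHONE, "004989123", AFTER_HOURS),
                               (MANAGER_PHONE, "00900123", BUSINESS_HOURS)):
        ok, why = call_permitted(term, number, when)
        print(term.extension, number, when, "permitted" if ok else "blocked", "-", why)
```

The lookup is prefix-based on purpose: a denied-list entry such as "00900" has to cover every number below it, which a list of exact numbers cannot do.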

4.1.2 Accessing the Terminals

Access to the telephone should be protected by means of the PIN (Personal Identification Number) function for workplaces that can also be accessed by external persons or that have special privileges.
The manual/mobile station PIN feature is used for personal identification purposes:
• For identifying the owner of a physical telephone (station) at his/her own extension. The owner of the station thereby gets access to those features that are blocked for all other users by the class-of-service changeover to a lower class of service.
• For identifying mobile subscribers (e.g. guest users of a phone). If such an external user identifies him/herself on a station, the same privileges and options apply as on his/her own (home) station on the basis of his/her normal class of service.
• For all PIN types (e.g. mobile users), refer to the Service documentation listed in the References row below.
Table: Accessing the terminals
Checklist item: CL-PIN terminals, PIN (the PIN policy can be configured by the customer; there are no special requirements apart from PIN length, as only digits can be entered at the phone)
Measures:
• The PIN is used for telephones that pose a risk of misuse, by setting up an individual password consisting of a combination of up to 12 digits that cannot be guessed easily. It is stored in the OpenScape 4000 V7 system database.
• Authentication is enabled in the expert settings of the WBM for mobile subscribers.
• Users have been informed of their individual PIN and familiarized with its usage.
References: OpenScape 4000 V7 Feature Usage Examples, Service Documentation (see References)
Needed Access Rights: Administrator
Executed: [ ] Yes [ ] No
Customer Comments and Reasons:

4.2 Data Protection for Digital (TDM) or IP (HFA or SIP) Phones

This feature allows the information stored in digital (TDM) or IP phones (HFA or SIP), e.g. phone numbers saved on speed dialing keys, to be protected against unauthorized access and manipulation.
The following functions are offered:
• Blocking of individual dialing aids
• Blocking of service functions
Blocking of system-activated dialing aids and check functions is supported. The function (key/menu) for switching forwarding to a saved destination, mailbox or any phone number on and off is not restricted, because these functions do not affect the terminal currently used. The required blocking is enabled and disabled by means of the class-of-service changeover.
Table: Data Protection for Phones
Checklist item: CL-DataProtTerminals, Data protection for digital or IP phones
Measures: Activate the individual security features on the basis of the corresponding entries in the subscriber's AMO SDAT (OpenScape 4000 V7 Expert Mode).
References: OpenScape 4000 V7 AMO Descriptions, Service Documentation (see References)
Needed Access Rights: Administrator
Executed: [ ] Yes [ ] No
Customer Comments and Reasons:


4.3 Secure HFA Interface to Phone

Activation of "Signaling and Payload Encryption" (SPE) should also be considered with regard to the confidentiality and integrity of VoIP communication. This covers point-to-point connections between SPE-enabled terminals such as OpenStage HFA telephones. It also applies to all SIP connections (to devices and providers), regardless of whether they are implemented with OpenScape Access modules or with IPDA and the Common Gateway (HG 3500).
Table: HFA Interface to Phone
Checklist item: CL-SPE, Signaling and Payload Encryption
Measures:
• SPE support is activated in the OpenScape 4000 V7 database (either through the WBM or through Expert Mode).
• A certificate for OpenScape 4000 V7 is implemented (integrated or customer certificate). A customer-specific certificate is strongly recommended; for details see Addendum, chapter 11.3 Certificate Handling.
• Payload security is activated for all relevant subscribers.
• It has been specified whether calls with TDM subscribers or trunk lines (gateway calls) are regarded and displayed as secure (solution: see comments).
References: OpenScape 4000 V7 IP Solutions, Service Documentation (see References)
Needed Access Rights: Administrator
Executed: [ ] Yes [ ] No
Customer Comments and Reasons:

4.4 Securing HFA Terminals on the HG3500 Common IP Gateway

Security mechanisms are provided for HFA both on the HFA terminal (OpenStage and OpenScape Desktop Client) and on the associated HG3500 Common IP Gateway.
Unauthorized login from an OpenStage or OpenScape Desktop Client is prevented by requiring a password when the terminal logs in to the IP network (the gateway). This password can be administered via OpenScape 4000 Assistant in CM (Configuration Management) or via AMO SBCSU. Please adhere to the password policy in chapter 11.1 Password Policies.
Access to the administration menu of an OpenStage HFA via display and keyboard is protected by means of an admin password. This password is assigned by means of administration procedures in OpenScape 4000 V7.


Unauthorized administration of an OpenStage HFA via a web browser is prevented by requiring both the correct port number appended to the IP address and an admin password. Access authorization via the password is checked by the HG 3500 IP gateway. Note that the port number is not a secret (it can be found by a port scan), so the admin password is the effective control. It is recommended to follow the default password policy in chapter 11.1 Password Policies or to define a customer-specific password policy that the technician configures when installing the system.
Table: HFA Terminals on the HG3500 Common IP Gateway
Checklist item: CL-SecTerminalCGW, Security of HFA IP telephones on the HG3500
Measures:
• The access password for the login of OpenStage HFA or OpenScape Desktop Client to the IP network has been set up according to Addendum, chapter 11.1 Password Policies.
• Access to the administration menu of OpenStage via display and keyboard has been protected by means of an admin password.
• Administration of an OpenStage HFA terminal via a web browser has been protected accordingly (IP address, correct port number and admin password).
References: OpenScape 4000 V7 IP Solutions, Service Documentation (see References); OpenStage Telephone User Manual
Needed Access Rights: Administrator
Executed: [ ] Yes [ ] No
Customer Comments and Reasons:

INFO: Be aware that the above mechanism applies only to HFA phones. SIP phones are configured automatically via DLS.
4.5 OpenScape 4000 V7 CSTA Interface with VPN

The CSTA interface of the OpenScape 4000 V7 is not natively encrypted. Therefore, if the CSTA interface is used, it is strongly recommended to protect the connection externally, for example with a VPN (IPSec), so that the traffic is encrypted.
An externally supplied trusted network connection is needed because neither the CSTA interface nor the CSTA protocol provides any encryption by definition. Hence a VPN has to be built, for example, between the CTI application and the OpenScape 4000 V7 CSTA interface.

Please refer to Infrastructure, chapter 10.4 VPN Connection (IPSec based) for the recommendations.
4.6 Secure Remote Subscriber

The "Secure Remote Subscriber" feature provides HFA features for a remote subscriber connected over the Internet. Signaling and payload encryption is supported for the remote subscriber as well as for the route through the Internet.
OpenScape 4000 V7 offers IP-based connectivity between the OpenScape 4000 SoftGate (communication service signaling/media control unit) and the endpoints. These endpoints offer the full OpenScape 4000 feature set. A secure IP (TLS/SSL-based) operating mode, called SPE (Signaling and Payload Encryption), is supported, which means that for the remote subscriber the signaling and payload connections are always encrypted, even if SPE is not activated system-wide (the remote phone must register with TLS, see the measures below).
The HFA features can also be used on the phones in the user's remote office. HFA connectivity via the public Internet to the OpenScape 4000 SoftGate is therefore included.
The OpenScape 4000 SoftGate has one interface in the public network (WAN interface) and the other interface in the corporate network (IPDA interface).
Table: Remote Subscriber
Checklist item: CL-SRS, Secure Remote Subscriber
Measures:
• [Mandatory] An IP password must be assigned to the relevant phones in AMO SBCSU, Expert Mode in the OpenScape 4000 V7 database, and
• [Mandatory] the phone in the remote office has to operate in secure mode; it has to be registered with TLS (to be configured in the OpenScape 4000 V7 database), and
• [Mandatory] the WAN interface of the OpenScape 4000 SoftGate requires a certificate (see chapter 11.3 Certificate Handling).
• [Optional] For higher security requirements set up a DMZ (see Infrastructure, chapter 10.5 DMZ, Usage of DMZ).
References: OpenScape 4000 V7 IP Solutions, Service Documentation (see References)
Needed Access Rights: Administrator
Executed: [ ] Yes [ ] No
Customer Comments and Reasons:


4.7 Gateway/Portal Web/Admin Access Hardening

The OpenScape 4000 Gateways (HG3500/HG3575/SoftGates) as well as the platform portal shall be hardened via the Secure Mode function within the OpenScape 4000 Assistant. See chapter 7.7 Security Mode Configuration.

5 OpenScape Cordless Enterprise V7


The OpenScape Cordless Enterprise V7 solution is already equipped ex-works
with a variety of technical security features that are designed to meet the most
important national and international legal requirements as well as other quality,
privacy and information security standards.
The main security aspects that are implemented in OpenScape Cordless
Enterprise V7 are summarized in the following. Thanks to these security features,
OpenScape Cordless Enterprise V7 can be safely deployed even in customer
networks with high security requirements:
• Compliance with relevant security standards in the DECT environment.
• Security for device logins, authentication and the transmission of radio
signals.
• Administration Security.
• Protection against eavesdropping for OpenScape Cordless Enterprise V7
multi-cell systems
In order to make the operation of the OpenScape Cordless Enterprise V7 even
more secure, the following measures are strongly recommended:
Table: OpenScape Cordless Enterprise V7
Checklist item: CL-SecOSCEV7, Hardening the OpenScape Cordless Enterprise V7
Measures:
• Activate voice channel encryption: in the Cordless Administration Tool (CATool), go to Global Settings and set the Encryption parameter to YES. This encrypts the radio transmission between base stations and cordless phones.
• Activate the new Re-Keying Enhanced Security feature: in Global Settings (again in the CATool), set the Enhanced DECT Security flag to YES. This ensures that an established connection is re-keyed every minute, so that a compromised key is only useful for at most a minute of the call.
References: OpenScape Cordless Enterprise V7, Service Documentation (see References)
Needed Access Rights: Administrator
Executed: [ ] Yes [ ] No
Customer Comments and Reasons:


6 Terminals
Please refer to the individual product security checklists / administration and
service documents for the terminals (e.g. OpenStage T / OpenStage HFA IP /
OpenStage SIP) and clients (e.g. OpenScape Personal Edition) that can be
connected to OpenScape 4000 V7 and used across systems.
Only released terminals as per the current sales information should be used.

7 OpenScape 4000 Assistant V7


7.1 PKI Based Authentication

With OpenScape 4000 Assistant V7 the password authentication method has been extended with certificate-based authentication. A user can now log in to the Assistant web GUI with a smartcard holding a PKI certificate. No PKI certificates are delivered with the Assistant product; the customer must provide their own PKI certificates and import them into the product.
PKI usage principles are described in the PKI Manual (see References). Please read it before using the PKI authentication mode. The PKI authentication mode can be selected in Access Management > Security Mode Configuration. The customer's certification authorities and revocation lists can be configured in Access Management > Configuration of PKI Authentication. Personal certificates can be assigned to user accounts in Access Management > Account Management > User Account Administration.


Table: PKI Based Authentication
Checklist item: CL-PKI, PKI based authentication (remote admin authenticates at the Assistant)
Measures:
• Prior to configuring PKI, make sure the mode "Password and PKI authentication" is enabled in the OpenScape 4000 Assistant V7 Administration window.
  WARNING: Enable both authentication modes during system setup. Access to the system can be blocked if the configuration is not done properly and only PKI authentication is enabled.
• If your company already uses PKI-based employee authentication, e.g. via smartcards, these certificates can be reused for the Assistant authentication. If not, choose an appropriate certification authority and order the personal certificates to be used with OpenScape 4000 Assistant V7.
• Import your Root CA (the origin of the chain of trust) in "Configuration of PKI Authentication".
• Import your Intermediate Certificate Authorities in the same place.
• Choose your preferred type of certificate validation control. Either Certificate Revocation List (CRL) or Online Certificate Status Protocol (OCSP) is supported.
• Assign the personal certificate to the user account in Access Management > Account Management > User Account Administration. The list of certificate common names is maintained by your certification authority.
• When finished with the user certificate assignment, first test the PKI authentication: log out and try to log in again with your smartcard's certificate.
• Only if the test succeeded is it safe to disable password authentication completely and enable the "Only PKI" mode.
References: PKI Manual (see References); http://en.wikipedia.org/wiki/Public-key_infrastructure
Needed Access Rights: Administrator
Executed: [ ] Yes [ ] No
Customer Comments and Reasons:
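The WARNING in CL-PKI (configure both modes first, otherwise a misconfiguration can lock every administrator out) expressed as a check. This is an added example written for this edit and not part of the Assistant. It models the data the procedure deals with: imported root and intermediate CAs, the revocation list, personal certificates assigned to accounts and the result of the test login, and it refuses the switch to "Only PKI" unless at least one unlocked administrator account passes all of them. The CA names, serials and the chain walk are constructed; signature verification, validity periods and OCSP are left to the product and are not shown.

```python
"""Added example (not part of the Unify checklist): the lock-out guard from
CL-PKI. Certificates are modelled as subject/issuer/serial records only;
all names and serials are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

@dataclass
class Cert:
    subject: str
    issuer: str
    serial: str
    is_ca: bool = False

@dataclass
class Account:
    name: str
    admin: bool
    locked: bool = False
    cert_cn: Optional[str] = None      # common name assigned in User Account Administration
    login_tested: bool = False         # re-login with the smartcard succeeded

@dataclass
class PkiConfig:
    roots: Dict[str, Cert] = field(default_factory=dict)          # imported Root CAs, by subject
    intermediates: Dict[str, Cert] = field(default_factory=dict)  # imported intermediate CAs, by subject
    revoked_serials: Set[str] = field(default_factory=set)        # serials from the configured CRL
    personal: Dict[str, Cert] = field(default_factory=dict)       # personal certificates, by common name

def chain_to_trusted_root(cert: Cert, cfg: PkiConfig, max_depth: int = 8) -> List[str]:
    """Walk issuer links up to an imported root. Returns the chain of subjects,
    or [] when any link is missing, not a CA, or revoked."""
    chain, current = [cert.subject], cert
    for _ in range(max_depth):
        if current.serial in cfg.revoked_serials:
            return []
        if current.issuer in cfg.roots:
            return chain + [current.issuer]
        nxt = cfg.intermediates.get(current.issuer)
        if nxt is None or not nxt.is_ca:
            return []
        chain.append(nxt.subject)
        current = nxt
    return []

def usable_admins(accounts: List[Account], cfg: PkiConfig) -> List[str]:
    """Administrators who could still log in after password authentication is switched off."""
    ok = []
    for a in accounts:
        if not a.admin or a.locked or a.cert_cn is None or not a.login_tested:
            continue
        cert = cfg.personal.get(a.cert_cn)
        if cert is not None and chain_to_trusted_root(cert, cfg):
            ok.append(a.name)
    return ok

def may_enable_pki_only(accounts: List[Account], cfg: PkiConfig) -> bool:
    """Refuse the "Only PKI" switch unless at least one administrator can still log in."""
    return bool(usable_admins(accounts, cfg))

# Constructed PKI and accounts: one valid chain, one revoked certificate,
# one certificate from a CA that was never imported, and a password-only account.
CFG = PkiConfig(
    roots={"Example Root CA": Cert("Example Root CA", "Example Root CA", "01", is_ca=True)},
    intermediates={"Example Issuing CA": Cert("Example Issuing CA", "Example Root CA", "02", is_ca=True)},
    revoked_serials={"1003"},
    personal={
        "alice": Cert("alice", "Example Issuing CA", "1001"),
        "bob": Cert("bob", "Example Issuing CA", "1003"),        # on the CRL
        "mallory": Cert("mallory", "Unknown CA", "1004"),        # no trusted chain
    },
)
ACCOUNTS = [
    Account("alice", admin=True, cert_cn="alice", login_tested=True),
    Account("bob", admin=True, cert_cn="bob", login_tested=True),
    Account("mallory", admin=True, cert_cn="mallory", login_tested=True),
    Account("engr", admin=True),                                  # password only
]

if __name__ == "__main__":
    print("admins usable with PKI only:", usable_admins(ACCOUNTS, CFG))
    print("safe to enable Only PKI:", may_enable_pki_only(ACCOUNTS, CFG))
```

The `login_tested` flag is deliberately part of the condition: a certificate that chains correctly on paper but has never been used for a real login still leaves the procedure's last step unverified.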


7.2 Configure Password Policy

Passwords must have a certain quality in order to prevent unauthorized access. Password quality is enforced using the configurable password policy. The password policy rules are described in chapter 11.1 Password Policies.
Table: Password Policy
Checklist item: CL-Password policy, Configure the Password Policy in accordance with the customer's Password Policy
Measures: Configure a customer-specific password policy according to the recommendation described in chapter 11.1 Password Policies.
References: Access Management References, Chapter 2.7
Needed Access Rights: Administrator
Executed: [ ] Yes [ ] No
Customer Comments and Reasons:
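A policy check for the station PIN of chapter 4.1.2 (digits only, up to 12 positions, not easily guessable) and for administrator passwords as required by this chapter. This is an added example written for this edit; it is not the Assistant's own policy engine. The PIN rules follow only what the checklist states; the password rules (minimum length, three character classes, no user name inside the password, no empty password) are an assumption standing in for chapter 11.1, which is not reproduced on this page. The list of common PINs is constructed.

```python
"""Added example (not part of the Unify checklist): policy checks for station
PINs (CL-PIN terminals) and administrator passwords (CL-Password policy).
The password rules are an assumption; chapter 11.1 defines the real ones."""
import re
from typing import List

# Constructed list of PINs that are guessed first in practice.
COMMON_PINS = {"0000", "1234", "1111", "123456", "000000", "654321"}

def _monotone_run(digits: str, step: int) -> bool:
    """True when every digit differs from the previous one by `step` (e.g. 1234 or 9876)."""
    return all(int(b) - int(a) == step for a, b in zip(digits, digits[1:]))

def check_pin(pin: str, extension: str = "", min_len: int = 6, max_len: int = 12) -> List[str]:
    """Return the list of policy violations; an empty list means the PIN is acceptable.
    Only digits can be entered at the phone, so every other rule is about guessability."""
    problems = []
    if not pin.isdigit():
        problems.append("only digits can be entered at the phone")
        return problems
    if not min_len <= len(pin) <= max_len:
        problems.append(f"length must be between {min_len} and {max_len} digits")
    if pin in COMMON_PINS:
        problems.append("PIN is on the common-PIN list")
    if len(set(pin)) == 1:
        problems.append("all digits identical")
    if len(pin) >= 4 and (_monotone_run(pin, 1) or _monotone_run(pin, -1)):
        problems.append("ascending or descending digit sequence")
    if extension and (extension in pin or pin in extension):
        problems.append("PIN derived from the extension number")
    return problems

def check_password(pw: str, username: str = "", min_len: int = 8, classes_required: int = 3) -> List[str]:
    """Assumed password rules: minimum length, three of four character classes,
    no user name inside the password, never empty (the NSL default)."""
    problems = []
    if len(pw) < min_len:
        problems.append(f"shorter than {min_len} characters")
    classes = sum(bool(re.search(p, pw)) for p in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"))
    if classes < classes_required:
        problems.append(f"uses {classes} character classes, {classes_required} required")
    if username and username.lower() in pw.lower():
        problems.append("contains the user name")
    if pw.strip() == "":
        problems.append("empty password (the NSL default) is not allowed")
    return problems

if __name__ == "__main__":
    for candidate in ("1234", "777777", "2005551", "4829173"):
        print("PIN", candidate, check_pin(candidate, extension="5551") or "ok")
    for candidate, user in (("engr2014", "engr"), ("", "nsl-engr"), ("Tr0ub4dor&3", "engr")):
        print("password", repr(candidate), check_password(candidate, username=user) or "ok")
```

Running the check against the extension number matters on a PBX: the extension is printed on the phone and in the directory, so a PIN containing it is the first thing a visitor will try.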

7.3 Change Predefined Passwords

During the installation all OpenScape 4000 Assistant V7 accounts are created
with default passwords which are generally known. Thus, all passwords need to
be changed upon first usage of the corresponding account.


Table: Change Predefined Passwords
Checklist item: CL-Predef pass, Change default passwords for the engr, rsta, rsca and cusa accounts
Measures: The user is asked to change the password during the first login with the engr account. For each of the three other accounts:
• On the Start Page of Access Management navigate to Account Management > System Account Administration.
• Select an account.
• Enter a new password in the "New password" and "Retype Password" fields.
• Evaluate whether all the available accounts are necessary for administration. If not, lock the unused accounts. For information on these accounts see Access Management References, chapter 1.2.1 and Addendum, chapter 11.2 Default Accounts.
References: Access Management References, Chapter 2.7 and chapter 3.3
Needed Access Rights: Administrator
Executed: [ ] Yes [ ] No
Customer Comments and Reasons:

7.4 Change Predefined Passwords for Network Single Logon

Network Single Logon (NSL) accounts are used for secure, user-independent access, e.g. for some types of communication between Manager and Assistant. During installation all NSL accounts are created with an empty default password. Thus, all of these passwords need to be changed to prevent unauthorized access to the system.
NSL accounts are not used for interactive login to the system. They are used for some data connections from the Manager to the assigned Assistant. When you change NSL passwords on the Assistant, do not forget to change the corresponding passwords in System Management on the OpenScape 4000 V7 Manager; see the Security Checklist of the OpenScape 4000 Manager V7 (see References) for further details.


Table: Predefined Passwords for Network Single Logon
Checklist item: CL-NSL pass, Change default passwords for the NSL accounts nsl-syst, nsl-engr, nsl-rsta, nsl-rsca, nsl-cusa and nsl-cust
Measures: For each of these accounts, separately:
• On the Start Page of Access Management navigate to Account Management > System Account Administration.
• Select an account.
• Enter a new password in the "New password" and "Retype Password" fields.
• If the Assistant is assigned to the Manager, fill in the same passwords in System Management > OpenScape 4000 Administration for the corresponding Assistant: enable the Access Management checkbox and select the Access Management tab sheet "Set Passwords for Network Single Logon".
See Addendum, chapter 11.2 Default Accounts.
References: Access Management References, chapter 2.9.1; chapter 3.5
Needed Access Rights: Administrator
Executed: [ ] Yes [ ] No
Customer Comments and Reasons:

7.5 Emergency Password Reset (EPR)

Emergency Password Reset (EPR) provides a means to reset the administrator (user "engr") password in case the password was lost or the system was corrupted.
Prior to using that feature, the system must be configured appropriately, and the feature must be enabled by the system administrator.
For the feature to be functional, the configuration must include the import of a certificate from a Trusted Authority of the system. The certificate is expected in X.509 PEM format.


Table: Emergency Password Reset (EPR)
Checklist item: CL-EPR, Emergency Password Reset for the admin account engr
Measures: Configure OpenScape 4000 Assistant V7 appropriately:
• Import the certificate from the Trusted Authority
• Enable the feature
References: Access Management References, chapter 2.6
Needed Access Rights: Administrator
Executed: [ ] Yes [ ] No
Customer Comments and Reasons:

INFO: These steps do not necessarily have to be followed at installation, but only if needed.
7.6 Create Administrator Accounts and Assign Privileges

You can create individual administrator accounts and assign them appropriate access rights. This allows user access to be managed and gives each user only the rights required. While this is not a hardening procedure as such but a normal administrative action, it is mentioned here for completeness because creating individual admin accounts and assigning privileges is very important: it keeps the shared default accounts out of daily use and makes the administration access log (see chapter 9.1) attributable to a person.


Table: Administrator Accounts and Privileges
Checklist item: CL-Account_admin, Administrator Accounts
Measures: Create administrator accounts for customer administrators if needed and assign appropriate access rights:
• On the Start Page of Access Management navigate to Account Management > User Account Administration.
• For each new user account:
  – Select User > Add … in the menu.
  – Enter user name, description and the desired security profile.
  – Set the password and/or password properties.
• On the Start Page of Access Management navigate to Account Management > Access Right Configuration.
• For each new user account:
  – Select the user in the Users list.
  – Select the access rights in the Access Rights Groups list to be assigned to the selected user.
  – Select Assign in the context menu.
  – Check in the Users list that the access rights were assigned.
• See Addendum, chapter 11.2 Default Accounts; customer-specific accounts can be added in that chapter.
References: Access Management References, chapter 2.8; chapter 3.5
Needed Access Rights: Administrator
Executed: [ ] Yes [ ] No
Customer Comments and Reasons:

7.7 Security Mode Configuration

For enhanced security, it is recommended to enable the following options on the Access Management > Security Mode > Configuration page.
These mechanisms harden the system by closing all interfaces and protocols that are not relevant for the operation of the system, e.g. web access to the gateways and portal. Please refer to the References to see how Security Mode features affect the communication between the Manager and the Assistant.


Table: Security Mode Configuration
Checklist item: CL-Security Mode, Security Mode configuration
Measures: For enhanced security, it is recommended to enable the following options on the Access Management > Security Mode > Configuration page.
References: Access Management References, chapter 2.14; chapter 3.5
Needed Access Rights: Administrator
Options (record the setting chosen for each):
• Restricted access to Platform Portal: [ ] Enabled [ ] Disabled
• Maintenance Mode: Enable SSH and web access from Assistant: [ ] Enabled [ ] Disabled
• Restricted access of Comwin to ADP: [ ] Enabled [ ] Disabled
• Restricted access to system shell from customer network: [ ] Enabled [ ] Disabled
• Restricted access to system and HG3550M shell from web via "SSH connection to Assistant" application and via "Gateway Dashboard" application: [ ] Enabled [ ] Disabled
• Restricted access to Security Management API from customer network: [ ] Enabled [ ] Disabled
• Disable unencrypted remote ODBC access: [ ] Enabled [ ] Disabled
• Disable unencrypted remote JDBC access: [ ] Enabled [ ] Disabled
• Enable Gateway Secure Mode: [ ] Enabled [ ] Disabled
• Enable FIPS 140-2 Mode: [ ] Enabled [ ] Disabled
Customer Comments and Reasons:


7.8 Turn off Unused Applications

Table: Unused Applications
Checklist item: CL-ApplicationControl, Application control
Measures: Disable applications that are not used by the customer or by service:
• On the Start Page of Base Administration navigate to Application Control.
• Uncheck the applications that are definitely not used.
• Click Submit when you are finished with the selection.
The unchecked applications will be disabled. You can enable them again later if necessary.
References: OpenScape 4000 Assistant/Manager V7, Webmin Base Administration, Administrator Documentation (see References)
Needed Access Rights: Administrator
Executed: [ ] Yes [ ] No
Customer Comments and Reasons:


8 Extending and 3rd Party Components


For an overview of the Unify OpenScape extending software and 3rd party components please refer to the table CL-SWstatus All Components in chapter 2.1 Hardening Procedures in General.
For these components the security settings must be adapted at Assistant installation time. In the security checklist table it has to be stated whether the component is installed or not.
8.1 OpenScape Fault Management V7

Hardening measures for OpenScape Fault Management V7 are mainly handled in the OpenScape Fault Management V7 Security Checklist [14] (see References).
As OpenScape Fault Management V7 and OpenScape 4000 Assistant V7 are located on the same server, no additional hardening measures are necessary.
8.2 OpenScape Accounting Management and DS-Win

Older versions of OpenScape Accounting Management (OS AM) and DS-Win communicate with OpenScape 4000 Assistant V7 using the insecure FTP protocol. SFTP support on OS AM exists since OS AM V2 R6 Patch 27; therefore FTP is not activated by default on the Assistant and has to be activated manually. All data, including authentication passwords, is transferred in plaintext via FTP and can thus be intercepted. FTP should be used only if the customer accepts the security risk involved.
Table: OpenScape Accounting Management and DS-Win
Checklist item: CL-Accounting Management, Accounting Management and DS-Win
Measures: If OpenScape Accounting Management and/or DS-Win are used, install the applications preferably on the same LAN segment as the OpenScape 4000 Assistant server:
• Use OpenScape AM V2.0 R6 Patch 27 or newer, which supports SSH/SFTP
• Use DS-Win V4 R6.10 or newer, which supports SSH/SFTP
References: OpenScape Accounting Management Security Checklist Documentation [13]; HiPath DS-Win Administrator Documentation [17]; for securing the FTP connection please refer to OpenScape 4000 V7, Section 4 - IP Solutions, Service Documentation (see References)
Needed Access Rights: Administrator
Executed: [ ] Yes [ ] No
Customer Comments and Reasons:

8.3 Informix Database


8.3.1 Informix Accounts Necessary for Local OpenScape FM V7

The hp_dbr account is created on the Informix database to establish JDBC access from OpenScape Fault Management. By default the hp_dbr account is locked. Unlock and use this account only if OpenScape Fault Management is used. The password of the hp_dbr account must be distributed manually to OpenScape Fault Management.
OpenScape Fault Management is by default installed on the OpenScape 4000 Assistant machine itself. In this case all Informix data, including user authentication, is transferred only locally and cannot be intercepted on the network, and JDBC remote access can be disabled (see chapter 7.7 Security Mode Configuration).
If a remote OpenScape FM is used, e.g. running on the Manager, JDBC remote access must be enabled. It must be taken into account that this JDBC connection is an unencrypted plaintext protocol and the communication between OpenScape FM and the Assistant cannot be secured by the product. To minimize the risk of interception, OpenScape Fault Management should be installed on the same LAN segment as the Assistant (see also the firewall measure in chapter 8.3.2).


Table: Informix Accounts for Local OpenScape FM V7
Checklist item: CL-OpenScapeFM, OpenScape FM JDBC account
Measures: Evaluate whether OpenScape Fault Management is used:
• If YES, change the default password for the account hp_dbr:
  – On the Start Page of OpenScape 4000 Assistant navigate to Access Management > Account Management > System Account Administration.
  – Select the hp_dbr account.
  – Enter a new password in the New password and Retype Password fields.
  – Distribute the password of the hp_dbr account to OpenScape Fault Management according to the valid OpenScape Fault Management documentation.
• If NOT, nothing has to be done, because the hp_dbr account is locked by default.
References: Access Management References, chapter 2.9.1; chapter 3.5; Addendum, chapter 11 Addendum
Needed Access Rights: Administrator
Executed: [ ] Yes [ ] No
Customer Comments and Reasons:

8.3.2 Informix Accounts Necessary for External Management Application

The same deployment as with OpenScape FM (see 8.1 OpenScape Fault Management V7) can exist with a 3rd party component using ODBC/JDBC access to the Informix DB. The uas_read and uas_rdwr accounts are created on the Informix database to establish ODBC/JDBC access from 3rd party components.
3rd party components connect to the Informix DB via ODBC/JDBC. This brings a risk because both authentication and data are transferred in plaintext. By default the uas_read and uas_rdwr accounts are locked. Unlock and use these accounts only if 3rd party components are used:
• On the Start Page of OpenScape 4000 Assistant navigate to Access Management > Account Management > System Account Administration.
• Select the uas_read and/or uas_rdwr accounts.
• Enter a new password in the New password and Retype Password fields.
If 3rd party components are not used, lock the uas_read and/or uas_rdwr accounts with the "Lock user account" checkbox.
Distribute the passwords of the uas_read and/or uas_rdwr accounts to the 3rd party components according to the documentation obtained from the components' suppliers.
Table: Informix Accounts for External Management Application

CL-Informix clients    Informix DB / 3rd party components connecting to the Informix DB
Measures               • Change the default passwords for the accounts uas_read and uas_rdwr.
                         – If no 3rd party component connecting to the Informix DB is used,
                           ensure that the accounts uas_read and/or uas_rdwr are locked.
                         – Else install the 3rd party component on the same LAN segment as the
                           OpenScape 4000 Assistant machine. Allow the unencrypted remote
                           ODBC/JDBC access in Security Mode Configuration. Evaluate whether the
                           3rd party component needs read-only or read-write access to the data
                           stored on the Informix DB and distribute the password of either the
                           uas_read or the uas_rdwr account to the component supplier.
                       • Evaluate at which positions in the LAN the 3rd party components are
                         deployed. Configure the external firewall according to the deployment.
References             Access Management (References), chapter 2.9.1; chapter 3.5
Needed Access Rights   Administrator
Executed
  Default passwords for uas_read and uas_rdwr changed    Yes / No:
  Protective firewall configured                         Yes / No:
Customer Comments and Reasons

9 Administration
9.1 Remote Administration via HTTPS

Access to the OpenScape 4000 Assistant V7 GUI is always encrypted via HTTPS. Each administration access is logged.
Server side authentication is performed with TLS. Client side authentication is performed by username/password. For the related security settings see chapters 7.2 Configure Password Policy and 7.3 Change Predefined Passwords as well as chapters 11.1 Password Policies and 11.2 Default Accounts.
The security strength of HTTPS depends heavily on which TLS cipher suite is negotiated, which kind of authentication is established (none, server only, client and server) and the strength of the certificates used for authentication.
A self-signed server certificate for HTTPS encryption is delivered by default. (This has to be accepted as trusted by the user in the browser.) Since the web server certificate and its private key are part of the general installation package, each customer gets the same key material.
For server authentication and as protection against man-in-the-middle attacks, an individual certificate is necessary, which relies on a root certificate authority. This enables the browser used for administration to set up a secure end-to-end connection with OpenScape 4000 Assistant V7. It is recommended that the customer uses an individual certificate. Please refer to Addendum, chapter 11.3 Certificate Handling.
Table: Remote Administration via HTTPS

CL-IndivServerkey      Provide customer specific key material for TLS if possible.
Measures               Generate and activate the TLS certificate as described in the documents
                       referred to below.
References             OpenScape 4000 Manager V7, Installation and Service Manual, Issue 1 (References),
                       chapter 3.14.4 Generating and Activating an Individual Certificate (this
                       description is also valid for the OpenScape 4000 Assistant V7 but it does not
                       appear yet in its own guide)
                       Access Management (References), chapter 2.11.1; chapter 3.8
Needed Access Rights   Administrator
Executed               Yes / No:
Customer Comments and Reasons

9.2 Monitoring via SNMP

The OpenScape 4000 Assistant V7 offers an SNMP V3 interface through the SNMP Proxy Agent. For its configuration see the OpenScape 4000 Manager V7, Installation and Service Manual (References), chapter 6, as well as the OpenScape 4000 Manager V7 Security Checklist (References).
This step is an administrative task, which should not be performed only once after installation but continuously during the operation of the Assistant whenever new network elements are added for monitoring. It also involves the network elements themselves (see the security checklists of the monitored devices).
The Simple Network Management Protocol (SNMP) can be used for sending error messages from the monitored device to the SNMP server/host by trap. From the standard security point of view this is unproblematic.
If the SNMP server/host sends "get" or "set" requests to the monitored devices there is a risk for them. In this case the SNMP interface should therefore be configured more securely. See the details below.

9.2.1 SNMP v1/v2

In practice the SNMP v2c version from 1996 is used as the equivalent of SNMP v2. From the security point of view this version provides the same as SNMP v1. SNMP v3 is supported by OpenScape 4000 Assistant V7 and its usage is recommended. See chapter 9.2.2 SNMP v3 for details.

Communities:
A community string is available in SNMP v1 and SNMP v2. It is comparable with a user ID or a password that allows access to statistical data of a device. The standard community string names "public" (read only; get) and "private" (read and write access; get, set) should be changed into individual names. By default trap managers make use of the community string "public".

Allowed Hosts:
As the community string is transmitted in clear text it can be eavesdropped easily. Therefore the IP addresses of the systems that may contact the monitored system via SNMP shall also be defined.

Table: SNMP v1/v2

CL-SNMPv1/v2           SNMP (v1/v2) security settings
Measures               • Check if SNMP v3 can be used. If yes, deactivate SNMP v1/v2.
                       • Set individual community string names; delete the default community
                         string names.
                       • Restrict the hosts that may contact the monitored system by giving the
                         hosts' IP addresses.
References             OpenScape 4000 Manager V7, Installation and Service Manual (References),
                       Issue 1, chapter 6.5 (this description is also valid for the OpenScape 4000
                       Assistant V7 but it does not appear yet in its own guide)
                       OpenScape 4000 Assistant V7, Simple Network Management Protocol OpenScape
                       SNMP, Administrator Documentation (References)
Needed Access Rights   Administrator
Executed               Yes / No / Deactivated:
Customer Comments and Reasons

9.2.2 SNMP v3

Since HiPath 4000 V6 R2, the Assistant supports SNMP v3 and it is recommended to be used for the communication with all remote SNMP servers, as it supports secure authentication and data encryption.
In small scenarios, OpenScape Fault Management is located on the same server as OpenScape 4000 Assistant; for normal security requirements this connection need not be secured with SNMP v3 authentication and encryption.
For all scenarios with a separate Fault Management (e.g. with OpenScape Fault Management) the SNMP v3 communication should be secured.
This step is an administrative task, which should not be performed only once after installation but continuously during the operation of e.g. OpenScape FM whenever new network elements are added for monitoring. It also involves the network elements themselves. They have to be configured to use SNMPv3. Other SNMP versions should be deactivated.

Table: SNMP v3

CL-SNMPv3              SNMP v3 security settings
Measures               • Make sure that SNMPv3 is used for all devices which support it. To
                         check/configure this, select "IP Configuration" from the context menu of
                         the corresponding IP node object in OpenScape FM.
                       • Also check if SNMPv3 is the only protocol activated on the device.
                       • Activate secure authentication.
                       • Activate encrypted communication.
                       • Define access classes for MIB subtrees.
                       • SNMP over TLS
                       • SNMP over SSH
References             OpenScape 4000 Manager V7, Installation and Service Manual, Issue 1
                       (References), chapter 6.5 (this description is also valid for the
                       OpenScape 4000 Assistant V7 but it does not appear yet in its own guide)
Needed Access Rights   Administrator
Executed               Yes / No:
Customer Comments and Reasons

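The difference between chapters 9.2.1 and 9.2.2 is visible directly on the wire: an SNMP v1/v2c message carries its community string in clear text in the message header, while an SNMP v3 message carries flag bits that say whether authentication and encryption are in use. The following Python script is an added example, not part of the Unify checklist or of any Unify product: it decodes only the security-relevant header of an SNMP message and reports what a monitoring auditor or a network sensor would flag (clear-text community, default community names "public"/"private", or SNMPv3 running as noAuthNoPriv). The sample messages are hand-encoded BER constructed for the example, not captured traffic; the v3 samples fill in only the global header, which is all this check needs.

```python
"""Inspect what SNMP reveals on the wire: community strings (v1/v2c) vs. v3 security flags."""

DEFAULT_COMMUNITIES = {"public", "private"}   # the standard names the checklist says to replace


def _read_tlv(buf, pos):
    """Read one BER TLV starting at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def _children(seq_value):
    """Split the contents of a SEQUENCE into a list of (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(seq_value):
        tag, value, pos = _read_tlv(seq_value, pos)
        out.append((tag, value))
    return out


def inspect_snmp(packet):
    """Describe the security properties visible in the header of one SNMP message."""
    tag, message, _ = _read_tlv(packet, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message (outer SEQUENCE missing)")
    fields = _children(message)
    version = int.from_bytes(fields[0][1], "big")
    if version in (0, 1):                   # 0 = SNMPv1, 1 = SNMPv2c: community follows in clear
        community = fields[1][1].decode("ascii", "replace")
        return {"version": "v1" if version == 0 else "v2c", "community": community,
                "default_community": community in DEFAULT_COMMUNITIES,
                "authenticated": False, "encrypted": False}
    if version == 3:
        # msgGlobalData ::= SEQUENCE { msgID, msgMaxSize, msgFlags OCTET STRING (SIZE 1), msgSecurityModel }
        # msgFlags: bit 0 = authFlag, bit 1 = privFlag, bit 2 = reportableFlag
        flags = _children(fields[1][1])[2][1][0]
        return {"version": "v3", "community": None, "default_community": False,
                "authenticated": bool(flags & 0x01), "encrypted": bool(flags & 0x02)}
    raise ValueError(f"unknown SNMP version field {version}")


def findings(packet):
    """Checklist findings for one message; an empty list means nothing to flag."""
    info = inspect_snmp(packet)
    out = []
    if info["version"] in ("v1", "v2c"):
        out.append(f"SNMP {info['version']} in use: community {info['community']!r} readable on the wire")
        if info["default_community"]:
            out.append("default community string still configured")
    elif not info["authenticated"]:
        out.append("SNMPv3 without authentication (noAuthNoPriv)")
    elif not info["encrypted"]:
        out.append("SNMPv3 authenticated but unencrypted (authNoPriv)")
    return out


# --- constructed sample messages (hand-encoded BER, not captured traffic) ---
def _tlv(tag, value):
    return bytes([tag, len(value)]) + value      # short-form length is enough for these samples


def _int(n):
    return _tlv(0x02, n.to_bytes(max(1, (n.bit_length() + 7) // 8), "big"))


# GetRequest for sysDescr.0 (OID 1.3.6.1.2.1.1.1.0), shared by the v1 and v2c samples
_VARBIND_SYSDESCR = _tlv(0x30, _tlv(0x06, bytes.fromhex("2b06010201010100")) + _tlv(0x05, b""))
_GET_PDU = _tlv(0xA0, _int(1) + _int(0) + _int(0) + _tlv(0x30, _VARBIND_SYSDESCR))
SAMPLE_V1_GET = _tlv(0x30, _int(0) + _tlv(0x04, b"public") + _GET_PDU)     # version 0 = v1
SAMPLE_V2C_GET = _tlv(0x30, _int(1) + _tlv(0x04, b"private") + _GET_PDU)   # version 1 = v2c


def _v3_header(flags):
    """SNMPv3 message with the global header filled in; security parameters and
    scoped PDU are empty placeholders, which is all the inspection above needs."""
    global_data = _tlv(0x30, _int(42) + _int(1024) + _tlv(0x04, bytes([flags])) + _int(3))
    return _tlv(0x30, _int(3) + global_data + _tlv(0x04, b"") + _tlv(0x30, b""))


SAMPLE_V3_AUTHPRIV = _v3_header(0x07)   # auth + priv + reportable
SAMPLE_V3_NOAUTH = _v3_header(0x04)     # reportable only: noAuthNoPriv

if __name__ == "__main__":
    for name, pkt in [("v1", SAMPLE_V1_GET), ("v2c", SAMPLE_V2C_GET),
                      ("v3 authPriv", SAMPLE_V3_AUTHPRIV), ("v3 noAuth", SAMPLE_V3_NOAUTH)]:
        print(name, findings(pkt))
```

Run against real traffic, `findings()` would be fed the UDP payload of port 161/162 datagrams; the point it makes for the checklist is that with v1/v2c the "password" (community) is recoverable by anyone who can see the packet, which is why restricting the allowed hosts is only a partial compensation and v3 with authPriv is the recommended setting.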
10 Infrastructure
10.1 Protection of Internal LAN Communications

For the internal IP network, the requirements according to the administrator documentation have to be met. Access to central components like switches and routers shall be restricted to technicians and administrators.
A logical or physical decoupling of the voice and data networks should be considered depending on the existing infrastructure. The IT service provider of the customer may have to be involved.
The internal LAN, e.g. the Corosync LAN and the Atlantic LAN (aka Cross Connect in Separated Duplex Deployments), has to operate only within trusted environments.
Table: Internal LAN Communications

CL-VLAN                Protect LAN infrastructure
Measures               Access to routers and switches only for authorized persons and trusted devices
                       [Optional] Use a separate VLAN or IP network for voice communication
References             N/A
Needed Access Rights   Administrator
Executed               Yes / No:
Customer Comments and Reasons

10.2 Atlantic LAN (A-LAN)

For some Internet (C-LAN) applications, specific ports have to be enabled and forwarded to the Atlantic (internal) LAN (A-LAN) by Network Address Translation (NAT). This port forwarding is protected by an IP address based firewall, configurable from the component Webmin Base Administration.
However, the Assistant's A-LAN itself is not firewall protected. The boxes connected to the A-LAN shall meet extended security standards, e.g. by encryption, efficient access control and robustness against denial-of-service attacks and message floods.

Table: Atlantic LAN

CL-A-LAN boxes and routers    A-LAN connected boxes secured
Measures               Necessity and risk checked.
References             N/A
Needed Access Rights   Administrator
Executed               Yes / No / Not active:
Customer Comments and Reasons

10.3 Backup and Restore - HBR

In the Backup and Restore (HBR) component the backup can be made to a remote NFS or SFTP server. SFTP is secure file transfer based on SSH. The following Windows based SFTP servers have been tested successfully with HBR:
• Free edition of SilverSHielD SSH/SFTP server (free SSH (SSH2) and SFTP server for Windows)
• CopSSH
• KpyM
• SSHWindows
• CYGWIN OpenSSH
On Linux, the most common server, OpenSSH, is supported. Nevertheless, others should generally work.
We recommend enforcing the use of SFTP by default instead of NFS.
Table: Backup and Restore

CL-HBR                 Backup Restore
Measures               In HBR > Administration > Backup Server configure the backup server via SFTP.
References             OpenScape 4000 Assistant/Manager V7, Backup and Restore, Administrator
                       Documentation (References)
Needed Access Rights   Administrator
Executed               Yes / No:
Customer Comments and Reasons
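SFTP protects the backup data in transit only if the HBR host is actually talking to the intended SFTP server, so the practical check behind this item has two parts: the backup target must use SFTP rather than NFS, and the SFTP server's SSH host key must be the one the backup server's administrator communicated out of band. The following Python script is an added example, not part of the Unify checklist or of the HBR component, and goes one step beyond the text by pinning the host key: it computes the OpenSSH-style SHA256 fingerprint of a known_hosts entry and compares it with the pinned value. The host name, the known_hosts line and the key blob are constructed for the example (the blob has the ssh-ed25519 wire layout but is not a real key).

```python
"""Policy check for the HBR backup target: SFTP only, with the SFTP server's host key pinned."""
import base64
import hashlib
from urllib.parse import urlparse


def ssh_fingerprint(pubkey_b64):
    """OpenSSH-style SHA256 fingerprint of a base64 host key blob (the form `ssh-keygen -lf` prints)."""
    digest = hashlib.sha256(base64.b64decode(pubkey_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_known_hosts(lines):
    """Map host name -> (key type, base64 key) from known_hosts-style lines; comments are skipped."""
    hosts = {}
    for line in lines:
        parts = line.split()
        if len(parts) >= 3 and not line.startswith("#"):
            hosts[parts[0]] = (parts[1], parts[2])
    return hosts


def backup_target_allowed(url, known_hosts_lines, pinned):
    """Return (allowed, reason). `pinned` maps host -> fingerprint handed over out of band."""
    target = urlparse(url)
    if target.scheme != "sftp":
        return False, f"scheme {target.scheme!r} not allowed: HBR should back up via SFTP, not NFS"
    host = target.hostname
    entry = parse_known_hosts(known_hosts_lines).get(host)
    if entry is None:
        return False, f"{host}: no known_hosts entry; verify the host key fingerprint out of band first"
    keytype, key_b64 = entry
    seen = ssh_fingerprint(key_b64)
    if seen != pinned.get(host):
        return False, f"{host}: {keytype} host key {seen} does not match the pinned fingerprint"
    return True, f"{host}: {keytype} host key matches the pinned fingerprint"


# --- constructed sample data: SSH wire-format blob assembled by hand, not a real key ---
def _ssh_string(b):
    return len(b).to_bytes(4, "big") + b


SAMPLE_KEY_B64 = base64.b64encode(_ssh_string(b"ssh-ed25519") + _ssh_string(bytes(range(32)))).decode()
SAMPLE_KNOWN_HOSTS = [
    "# constructed known_hosts for the example",
    f"backup.example.net ssh-ed25519 {SAMPLE_KEY_B64}",
]
# Fingerprint the backup server's administrator communicated, e.g. read via ssh-keygen -lf on that server.
PINNED = {"backup.example.net": ssh_fingerprint(SAMPLE_KEY_B64)}

if __name__ == "__main__":
    for url in ("nfs://backup.example.net/export/hbr",
                "sftp://hbr@backup.example.net/backups",
                "sftp://hbr@other.example.net/backups"):
        print(url, backup_target_allowed(url, SAMPLE_KNOWN_HOSTS, PINNED))
```

The fingerprint is computed exactly as OpenSSH does it (SHA-256 over the decoded key blob, base64 without padding), so the pinned value can be taken from `ssh-keygen -lf` on the backup server and compared with what the HBR host sees in its own known_hosts file.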

10.4 VPN Connection (IPSec based)

It is recommended to install an external VPN (Virtual Private Network) solution to provide encryption of the connection, for instance by means of IPSec. This will help, for example, in securing the CSTA interface of the OpenScape 4000 V7.
VPNs (virtual private networks), also known as secure tunnels, can be implemented in different ways. The most used mechanism to build a VPN is IPSec.
Many modern operating systems contain components with which a VPN can be built. Linux contains an IPSec implementation since kernel 2.6. Older kernel versions need the KLIPS IPSec kernel module by openswan.
VPN offers you:
• Secure connection via an unprotected medium (Internet)
• Protection of confidential data against manipulation
• Secure business processes
• Reliable integration of external partners in the corporate network
• Access to corporate information for field service
Secure tunnels are recommended for networking as well as for remote access. For every VPN remote subscriber a dedicated authentication shall be selected. This allows easy blocking of a remote access, e.g. when an employee leaves the company.
In a VPN, the encryption of data occurs via different security mechanisms such as IPSec tunnelling, Security Associations and authentication methods (peer-to-peer, digital signatures).
IPSec is used to encrypt data and can generally be implemented with and without tunnels. IPSec is one option for implementing a VPN. In tunnel mode the entire IP packet, including the IP header, is encrypted. Tunnels must always be configured for both VPN peers.
IPSec supports the automatic key management system Internet Key Exchange (IKE). This is a standard that is integrated in IPSec.
Since OpenScape 4000 V7 does not incorporate a VPN module of its own, this is left to the customer/partner as a means to further secure the underlying infrastructure.

10.5 DMZ

A DMZ (Demilitarized Zone) is recommended if higher security protection measures are required, for example when setting up the OpenScape 4000 V7 feature "Secure Remote Subscriber" (see chapter 4.6 Secure Remote Subscriber).
In most cases where the customer requires additional protection, both a primary DMZ firewall and a secondary DMZ firewall should suffice where possible. These additional firewalls could be activated between the Internet and the OpenScape 4000 SoftGate.

11 Addendum
11.1 Password Policies


11.1.1 Supported PW Policy

OpenScape 4000 with extended password handling rules activated supports the Unify Password and Login Policies. These are as follows:

Password Policy Topic                                                   PW Default   PW Range
Rules for Selection of Password
  Minimal length                                                        15           1-20
  Maximal PW length supported by the product (not security relevant,    20           min length to 20
  but implementation relevant)
  Minimal number of upper case letters                                  1            0-20
  Minimal number of lower case letters                                  1            0-20
  Minimal number of numerals                                            1            0-20
  Minimal number of special characters                                  1            0-20
  Use blacklist of strings which may not be contained in the password   false        true/false
  Minimum character count for changed characters                        4 char.      0-20
  Password history                                                      10           0-10
Administrative Rules for Passwords
  Maximum password age (standard)                                       180 days     1-180 days
  Minimum password age                                                  1 day        0-7 days
  Password change requires knowledge of the old password                true         true/false
  Force change of default passwords/PINs after the first use            true         true/false

In order to switch on the Extended Password Policy follow the steps given in the Access Management documentation (see References).

INFO: Do not use trivial or easy to guess passwords. Take care that password entry cannot be observed.

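The "Rules for Selection of Password" part of the table above is a checkable specification. The following Python validator is an added example, not the product's own implementation: its defaults are the "PW Default" column (minimal length 15, at least one upper case letter, lower case letter, numeral and special character, blacklist off, 4 changed characters, history of 10), and it returns the list of rules a candidate password violates. The blacklist entries are constructed samples, and reading "minimum character count for changed characters" as a positional comparison against the old password is an assumption of this example; a real system also keeps the history as salted hashes rather than the plain strings used here to keep the example self-contained.

```python
"""Validator for the extended password policy rules of the table above."""
from dataclasses import dataclass


@dataclass
class PasswordPolicy:
    """Defaults mirror the "PW Default" column; ranges are the "PW Range" column."""
    min_length: int = 15
    max_length: int = 20          # product limit, not a security setting
    min_upper: int = 1
    min_lower: int = 1
    min_digits: int = 1
    min_special: int = 1
    use_blacklist: bool = False
    blacklist: tuple = ("unify", "openscape", "4000")   # constructed sample entries
    min_changed_chars: int = 4
    history_size: int = 10


def changed_chars(old, new):
    """Characters that differ between old and new password (positional comparison plus
    any length difference). This reading of "changed characters" is an assumption."""
    return sum(a != b for a, b in zip(old, new)) + abs(len(old) - len(new))


def check_password(new, old=None, history=(), policy=None):
    """Return the list of violated rules; an empty list means the password is acceptable.
    `history` holds previous passwords; a real system stores and compares salted hashes."""
    p = policy or PasswordPolicy()
    violations = []
    if len(new) < p.min_length:
        violations.append(f"shorter than {p.min_length} characters")
    if len(new) > p.max_length:
        violations.append(f"longer than {p.max_length} characters (product limit)")
    counts = {
        "upper case letters": (sum(c.isupper() for c in new), p.min_upper),
        "lower case letters": (sum(c.islower() for c in new), p.min_lower),
        "numerals": (sum(c.isdigit() for c in new), p.min_digits),
        "special characters": (sum(not c.isalnum() for c in new), p.min_special),
    }
    for kind, (have, need) in counts.items():
        if have < need:
            violations.append(f"fewer than {need} {kind}")
    if p.use_blacklist and any(word in new.lower() for word in p.blacklist):
        violations.append("contains a blacklisted string")
    if old is not None and changed_chars(old, new) < p.min_changed_chars:
        violations.append(f"fewer than {p.min_changed_chars} characters changed")
    if new in list(history)[-p.history_size:]:
        violations.append(f"reuses one of the last {p.history_size} passwords")
    return violations


if __name__ == "__main__":
    print(check_password("password123"))                  # several violations
    print(check_password("Tr0ub4dor&3xampleQ"))           # accepted under the defaults
    print(check_password("Tr0ub4dor&3xampleZ", old="Tr0ub4dor&3xampleQ"))
```

The agreed values from chapter 11.1.2 map onto the `PasswordPolicy` fields, so the same function can be run with the customer's settings to verify that the policy configured in Access Management actually rejects the passwords it is meant to reject.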
11.1.2 PW Policy Agreed for Customers Deployment

In the following table please insert the values that have been agreed with the customer for the PW Policy.

Password                                        Agreed value
Minimal length
Minimal number of upper case letters
Minimal number of numerals
Minimal number of special characters
Maximal number of repeated characters
Maximal number of sequential characters
Change interval
Maximum number of erroneous login attempts
Password history

11.2 Default Accounts

Here are the Assistant default accounts, including accounts of other systems that can access the OpenScape 4000 Assistant V7. Each system listed in the Security Checklist should be represented here as well. User accounts are listed here as well as machine accounts that are used for authentication between SW applications.
After installation, each account is either locked or has a default password.

IMPORTANT: BEWARE:
Be aware that most successful attacks on Unify systems are based on unchanged default passwords. Since the default passwords are publicly available, it is absolutely necessary to change them into customer specific passwords immediately after the installation process.

The following shall be described for every account:
• Component that provides this account (e.g. Database ...).
• Purpose (e.g. administration, diagnostics ...).
• Privileges (read/write access to the following components ...).
• Change instruction for the PW (refer to the manual where it is described how the PW can be changed).

11.2.1 Machine Accounts

Columns: # | User Name | Necessary Privileges | PW Policy configured | Unify Default PW (to be changed immediately) | Description

1  hp_dbr
   Necessary Privileges: (not specified in the table)
   PW Policy configured: Yes, as agreed in chapter 11.1.2 PW Policy Agreed for Customers Deployment
   Unify Default PW: account is locked by default
   Description: Informix DB account for OpenScape FM JDBC access.
2  uas_read, uas_rdwr
   Necessary Privileges: (not specified in the table)
   PW Policy configured: Yes
   Unify Default PW: locked by default
   Description: The uas_read and uas_rdwr accounts are created on the Informix RDBMS to establish ODBC/JDBC access from 3rd party components.
3  nsl-syst, nsl-engr, nsl-rsta, nsl-rsca, nsl-cusa, nsl-cust
   Necessary Privileges: (not specified in the table)
   PW Policy configured: Yes
   Unify Default PW: <empty>
   Description: NSL accounts are used for secure user-independent access, e.g. communication between Manager and Assistant.

11.2.2 User Accounts

Columns: # | User Name | Necessary Privileges | PW Policy configured | Unify Default PW (to be changed immediately) | Description

1  engr, rsta, rsca, cusa
   Necessary Privileges: (not specified in the table)
   PW Policy configured: Yes, as agreed in chapter 11.1.2 PW Policy Agreed for Customers Deployment
   Unify Default PW: 4K-admin
   Description: These are predefined accounts for web based GUI access and SSH access.
2  epruser
   Necessary Privileges: (not specified in the table)
   PW Policy configured: No, not needed, account is locked
   Unify Default PW: -
   Description: Account epruser is used for access to the system in an emergency case when the Emergency Password Reset (EPR) feature is configured.

11.3 Certificate Handling

IMPORTANT: Since the default certificates do not even fulfill minimum security requirements, it is absolutely necessary to change them into customer specific certificates immediately after the installation process.

Be aware that most successful attacks on Unify systems are based on unchanged default values.
The product handles the following types of certificates:

Columns: # | Type/Interface | Customer requirement for OpenScape 4000 Assistant V7 | Expiration Date for Customer specific credentials | Unify Default Credentials / key material | Usage/Comment

1  PKI
   Customer requirement for OpenScape 4000 Assistant V7:
   Expiration Date for Customer specific credentials:
   Unify Default Credentials / key material: none
   Usage/Comment: Application: client authentication for login into the web based GUI. PKI is used when the authentication mode is "Only PKI" or "Password and PKI". Customer delivered PKI is supported. See chapter 7.1 PKI Based Authentication.
2  SSL on server
   Customer requirement for OpenScape 4000 Assistant V7:
   Expiration Date for Customer specific credentials:
   Unify Default Credentials / key material: delivered, issued by Unify I&C Security CA
   Usage/Comment: Application: used over HTTPS for encryption and server authentication, e.g. apache web server authentication and traffic encryption, i.e. web based management, Tomcat Servlets, etc., authentication and encryption of various application daemons to Java Applet clients. Since the web server certificate and its private key are part of the general installation CD, each customer gets the same key material. This key material is not used for client authentication, but for web server authentication only. It must be replaced after installation.

INFO: Please make sure that pre-shared keys and certificates are stored and transmitted confidentially.

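Both chapter 9.1 and this chapter make the same point: the HTTPS server certificate shipped with every installation is the same for all customers and is not issued by a CA the browser trusts, so the check for item CL-IndivServerkey is whether the certificate presented by the Assistant is still that default one. The following Python script is an added example, not part of the Unify checklist or of the product: with only the standard library it walks the DER structure of an X.509 certificate far enough to read the issuer and subject names and to compute the SHA-256 fingerprint, then flags a certificate whose fingerprint is on a list of known default fingerprints or whose issuer equals its subject (self-issued, which is what a self-signed default looks like). The two sample certificates are constructed skeletons with the correct X.509 field layout but placeholder key and signature bytes, and the "known default" fingerprint is just that of the constructed sample, since the fingerprint of the real shipped certificate is not given in this document.

```python
"""Spot a still-default or self-issued server certificate from its DER encoding (stdlib only)."""
import hashlib


def _read_tlv(buf, pos):
    """Read one DER TLV at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def _children(seq_value):
    """Split the contents of a SEQUENCE into a list of (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(seq_value):
        tag, value, pos = _read_tlv(seq_value, pos)
        out.append((tag, value))
    return out


def cert_summary(der):
    """Issuer and subject (raw DER Name bytes) plus SHA-256 fingerprint of an X.509 certificate."""
    _, cert, _ = _read_tlv(der, 0)
    tbs = _children(_children(cert)[0][1])          # Certificate.tbsCertificate
    i = 1 if tbs[0][0] == 0xA0 else 0               # optional [0] EXPLICIT version
    # tbs[i] serialNumber, tbs[i+1] signature algorithm, tbs[i+2] issuer,
    # tbs[i+3] validity, tbs[i+4] subject
    return {"issuer": tbs[i + 2][1], "subject": tbs[i + 4][1],
            "fingerprint": hashlib.sha256(der).hexdigest()}


def check_server_cert(der, known_default_fingerprints):
    """Findings for the HTTPS server certificate; an empty list means nothing to flag."""
    info = cert_summary(der)
    out = []
    if info["fingerprint"] in known_default_fingerprints:
        out.append("certificate is the factory default shipped with every installation; replace it")
    if info["issuer"] == info["subject"]:
        out.append("self-issued certificate; a browser cannot validate it against a trusted CA")
    return out


# --- constructed sample certificates: X.509 skeletons with placeholder key and signature bytes,
# built only so the parser above has a realistic structure to walk ---
def _enc(tag, value):
    if len(value) < 128:
        return bytes([tag, len(value)]) + value
    return bytes([tag, 0x82]) + len(value).to_bytes(2, "big") + value


def _name(common_name):
    """Name ::= SEQUENCE OF SET OF AttributeTypeAndValue, here a single CN (OID 2.5.4.3)."""
    atv = _enc(0x30, _enc(0x06, bytes.fromhex("550403")) + _enc(0x0C, common_name.encode()))
    return _enc(0x30, _enc(0x31, atv))


def _sample_cert(issuer_cn, subject_cn):
    sha256_rsa = _enc(0x30, _enc(0x06, bytes.fromhex("2a864886f70d01010b")) + _enc(0x05, b""))
    rsa_enc = _enc(0x30, _enc(0x06, bytes.fromhex("2a864886f70d010101")) + _enc(0x05, b""))
    validity = _enc(0x30, _enc(0x17, b"140601000000Z") + _enc(0x17, b"240601000000Z"))
    placeholder_bits = _enc(0x03, b"\x00" + bytes(16))      # not a real key or signature
    tbs = _enc(0x30, _enc(0xA0, _enc(0x02, b"\x02")) + _enc(0x02, b"\x01") + sha256_rsa
               + _name(issuer_cn) + validity + _name(subject_cn)
               + _enc(0x30, rsa_enc + placeholder_bits))
    return _enc(0x30, tbs + sha256_rsa + placeholder_bits)


SAMPLE_DEFAULT_CERT = _sample_cert("OpenScape 4000 Assistant (default)", "OpenScape 4000 Assistant (default)")
SAMPLE_CUSTOMER_CERT = _sample_cert("Example Corp Root CA", "assistant.example.net")
# Stand-in for the fingerprint of the really shipped certificate, which is not reproduced here.
KNOWN_DEFAULT_FINGERPRINTS = {cert_summary(SAMPLE_DEFAULT_CERT)["fingerprint"]}

if __name__ == "__main__":
    print(check_server_cert(SAMPLE_DEFAULT_CERT, KNOWN_DEFAULT_FINGERPRINTS))
    print(check_server_cert(SAMPLE_CUSTOMER_CERT, KNOWN_DEFAULT_FINGERPRINTS))
```

To apply this to a real deployment, export the certificate the Assistant presents (the browser's certificate viewer can save it as PEM), convert it with `ssl.PEM_cert_to_DER_cert()` from the standard library and pass the bytes to `check_server_cert()`; the set of default fingerprints then holds the value recorded for the installation package. The issuer/subject comparison is deliberately conservative: it flags self-issued certificates, which is the shape of the shipped default, while a certificate issued by the customer's root CA passes and is then validated by the browser in the normal way.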
11.4 Port Table Generation via IFMDB

INFO: It is not the purpose of this section to list all available ports in the OpenScape 4000 V7 but rather to provide a hint on how to automatically produce them in a structured manner by using the IFMDB tool. Please follow the steps below once logged on to the Unify Partner Portal.

The OpenScape 4000 Assistant V7 port list is published in the Interface Management Data Base (IFMDB). For the latest updates of the Assistant port tables refer to the Interface Management Database (IFMDB) (References) at the Unify Partner Portal.

To get all information that is necessary for the Security Checklist Port Table you should proceed the following way in IFMDB:

Step by Step
1) Choose, for example, "Firewall Scenario Report".
2) In the "Select Generic Scenarios" list, select "OSC Management".
3) Select Entities: for example, select "OpenScape 4000 Assistant".
4) Select SW Version: for example, select the latest released "OpenScape 4000 Assistant client V7 <XX>" and "OpenScape 4000 Assistant V7 <XX>".
5) Select Interfaces: select all.
6) Select left and right side of firewall: put, for example, "OpenScape 4000 Assistant client V7 <XX>" on one side of the firewall and "OpenScape 4000 Assistant V7 <XX>" on the other side.
7) Select information to be shown in the report: keep as it is for the port table view.

12 References
[1] OpenScape 4000 V7, Installation, Configuration and Migration, Installation Guide, Issue 1
[2] Interface Management Database (IFMDB), available via the Unify Partner Portal, https://www.unify.com/us/partners/partner-portal.aspx
[3] OpenScape 4000 V7, Section 4 - IP Solutions, Service Documentation, Issue 1
[4] Access Management: OpenScape 4000 Assistant V7 Access Management (Assistant/Manager) online help, available from the GUI
[5] OpenScape 4000 Manager V7, Installation and Service Manual, Service Documentation, Issue 1
[6] The configuration of PKI authentication, service manual appendix
[7] OpenScape 4000 Assistant/Manager V7, Webmin Base Administration, Administrator Documentation, Issue 1
[8] OpenScape 4000 V7, Section 3 - Feature Usage Examples, Service Documentation, Issue 1
[9] OpenScape Cordless Enterprise V7, Service Documentation, Issue 1
[10] OpenScape 4000 Assistant/Manager V7, Security Mode Configuration
[11] OpenScape 4000 Assistant V7, Simple Network Management Protocol OpenScape SNMP, Administrator Documentation
[12] Software Supply Server, http://sw-download.unify.com:8080/en/p_nav1.html
[13] OpenScape Accounting Management, Security Checklist
[14] OpenScape Fault Management V7, Security Checklist
[15] OpenScape 4000 Manager V7, Security Checklist
[16] OpenScape 4000 V7 AMO Descriptions, Service Documentation
[17] HiPath DS-Win Administrator Documentation
[18] OpenScape 4000 Assistant/Manager V7, Backup and Restore, Administrator Documentation
[19] DoD Security Technical Information Guides (STIGs), http://iase.disa.mil/stigs/index.html