OpenScape Desk Phone IP openStage SIP V3R3 Security Checklist Planning Guide A31003-D3000-P100-01-76A9
Copyright © Siemens Enterprise Communications GmbH & Co. KG, 10-2013. Hofmannstr. 51, 81379 Munich/Germany. All rights reserved. Our Quality and Environmental Management Systems are implemented according to the requirements of the ISO 9001 and ISO 14001 standards and are certified by an external certification company.
1 Introduction

1.1 History of Change

Date        Version  What
2013-09-20  0.1      Initial Draft
2013-10-14  0.2      Update with comments received. There are structural changes in some areas to better align with the SCL template.
2013-10-23  1.0      Update with comments received. Added References into CLs. Changed Siemens to Unify.
Security Strategy for Unify Products

Products of Unify are developed according to the Baseline Security Policy, which contains the technical guidelines for the secure development, release and sustaining of the company’s products.

• …
  – During installation/setup of the solution
  – During operation

During installation and during major enhancements or software upgrade activities: the customer-specific Product Security Checklists are used by a technician to apply and/or control the security settings of every individual product.

Figure: Usage of Security Checklists (SCL)

Update and Feedback
• By their nature, security-relevant topics are prone to continuous changes and updates.
The necessary information for that is drawn up in the Product Security Checklist.

1.4 Customer Deployment - Overview

This Security Checklist covers the product and lists its security-relevant topics and settings in a comprehensive form.

Customer / Supplier: Company Name, Address, Telephone, E-mail, Covered Systems (e.g.
2 OpenStage Interfaces and Ports

When hardening OpenStage and Desk Phone IP SIP V3R3 phones, all interfaces and ports have to be analysed. The interfaces for OpenStage and Desk Phone IP SIP V3R3 phones are shown in a landscape diagram below. Complete information about the interfaces and IP ports used is part of the release notes and is also available from the Unify Partner Portal: http://www.unify.com/us/partners/partner-portal.
3 Phone Hardening Measures at a Glance

To improve the security of OpenStage and Desk Phone IP SIP V3R3 phones, the following measures are recommended (http://www.unify.com/us/partners/partner-portal.aspx):

Latest Software
• Install the latest (“up-to-date”) Desk Phone IP 35G V3R2 phone software during the initial startup phase. The software is ready to download from the partner portal Siemens Enterprise Business Area (https://www.siemens-enterprise.
• Enable IEEE 802.
4 Phone Hardening Measures

4.1 Install latest (“Up-to-date”) OpenStage / Desk Phone IP Phone Software

The latest (“up-to-date”) released OpenStage / Desk Phone IP SIP V3R3 software version should be installed during initial setup. The software is ready to download from the Unify Partner Portal (http://www.unify.com/us/partners/partnerportal.aspx).
4.2.1 Harden Local phone Admin Access

Table: Harden Local phone Admin Access
CL-Secure Admin Access
Measures
• Set up the password policy for the Admin password
• Set a secure Admin password for each phone
• If not needed, disable local administration access at the phone.
4.2.2 Harden Local phone User Access

In addition to setting an individual secure password for each phone, the following can be done to harden user access to the phone.
• Where phones should only be used by specific users (for example phones in secure areas where visitors are not allowed to use the phone, or in public areas where public use of the phone is not allowed), the Phone Lock feature should be turned on.
CL-Secure User Access
Setup User Password Policy                    Yes / No:
Secure User password Set                      Yes / No:
Set Phone Lock ON                             Yes / No:
Lock Down required configuration data         Yes / No:
Disable User Access to Diagnostic Data        Yes / No:
Customer Comments and Reasons

4.2.3 Harden DLS Interface to the Phone

The communication between DLS and phone can be configured in default mode.
Setting communication between phone and DLS to “secure mode”

"Secure mode" offers mutual authentication between DLS and the phone. The connection between DLS and phone is established only if the DLS has successfully authenticated the phone and vice versa. Secure mode with or without PIN (Personal Identification Number) is set by the DLS. The PIN has to be entered at the phone when requested.
4.2.4 Harden Software Deployment and File Download to the Phone

To provide a secure download for files (for example ringer files) and software updates loaded onto the phone, HTTPS should be used. A separate HTTPS download server will be needed. Authentication of the HTTPS server at the phone is also needed; this can be set up by loading the HTTPS server CA certificate into the phone and configuring the authentication policy.
CL-Secure Software Deployment and File download
Configure OCSP checking                       Yes / No:
Customer Comments and Reasons

4.3 Configure Password Policy and Passwords

The OpenStage and Desk Phone IP phones are delivered with default passwords and a default password policy. These must be changed to the customer-specific passwords and password policy. The recommended password and PIN policy is given in the chapter Password and PIN Policies.
CL-Secure passwords
Set Secure Admin password                     Yes / No:
Set Secure User passwords for phones          Yes / No:
Customer Comments and Reasons: If some measures are not executed then please explain here.

4.4 Authentication of phone at SIP Server

To ensure that only authorized phones contact the SIP Server, Unify provides the state-of-the-art Digest Authentication mechanism. Digest Authentication uses a challenge-response algorithm.
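As an added illustration of that challenge-response exchange (example code, not from the checklist or from Unify), the following Python models the RFC 2617 Digest calculation with qop=auth on both sides: the phone answers the server's 401 challenge, and the server verifies it from a stored HA1 value without ever holding the cleartext password. The username, realm, password, nonce and URI are constructed sample values.

```python
import hashlib
import re
import secrets

# Constructed sample credentials for the example; nothing here comes from a real deployment.
USERNAME = "phone1001"
REALM = "pbx.example.test"
PASSWORD = "Correct-Horse-7!"
METHOD = "REGISTER"
URI = "sip:pbx.example.test"


def md5_hex(data: str) -> str:
    return hashlib.md5(data.encode("utf-8")).hexdigest()


def ha1(username: str, realm: str, password: str) -> str:
    # The SIP server can store HA1 instead of the cleartext password.
    return md5_hex(f"{username}:{realm}:{password}")


def parse_digest_params(header: str) -> dict:
    """Split a 'Digest k="v", k=v' header value into a dict of parameters."""
    scheme, _, params = header.partition(" ")
    if scheme != "Digest":
        raise ValueError("not a Digest header")
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|[^,\s]+)', params)}


def digest_response(h1: str, method: str, uri: str, nonce: str, nc: str, cnonce: str) -> str:
    # RFC 2617 with qop=auth: response = MD5(HA1:nonce:nc:cnonce:qop:HA2), HA2 = MD5(method:uri)
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{h1}:{nonce}:{nc}:{cnonce}:auth:{ha2}")


def phone_authorization(challenge: str, username: str, password: str, method: str, uri: str,
                        nc: str = "00000001", cnonce: str = "") -> str:
    """Phone side: turn the 401 WWW-Authenticate challenge into an Authorization header value."""
    c = parse_digest_params(challenge)
    cnonce = cnonce or secrets.token_hex(8)
    resp = digest_response(ha1(username, c["realm"], password), method, uri, c["nonce"], nc, cnonce)
    return (f'Digest username="{username}", realm="{c["realm"]}", nonce="{c["nonce"]}", uri="{uri}", '
            f'qop=auth, nc={nc}, cnonce="{cnonce}", response="{resp}"')


def server_verify(authorization: str, stored_ha1: str, method: str, issued_nonce: str) -> bool:
    """Server side: accept only the nonce it issued, recompute from stored HA1, compare in constant time."""
    a = parse_digest_params(authorization)
    if a.get("nonce") != issued_nonce or a.get("qop") != "auth":
        return False
    expected = digest_response(stored_ha1, method, a["uri"], a["nonce"], a["nc"], a["cnonce"])
    return secrets.compare_digest(expected, a.get("response", ""))


if __name__ == "__main__":
    chal = 'Digest realm="pbx.example.test", nonce="5f1a9c0b", qop="auth", algorithm=MD5'
    auth = phone_authorization(chal, USERNAME, PASSWORD, METHOD, URI)
    print(auth)
    print("accepted:", server_verify(auth, ha1(USERNAME, REALM, PASSWORD), METHOD, "5f1a9c0b"))
```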
4.5 Secure Signalling and Voice/Video Access to the Phone

To give privacy for voice and video connections, the OpenStage and Desk Phone IP phones should use TLS for the signalling and Secure RTP for the voice and video connections.

4.5.1 Harden Signalling to Secure Signalling

To provide a secure signalling mechanism, TLS signalling should be used.
Table: SIP Secure Signalling
CL-SIP Secure Signalling
Measures
• Configure use of TLS on the SIP server and install server certificates
• Configure TLS on the phone; the port will need to be set to 5061
• Install the SIP Server CA certificate on the phone using DLS
• Configure the TLS certificate validation policy to trusted or full (full is recommended)
• Configure OCSP checking to allow revocation checking of the SIP server
CL-SIP Secure Signalling
Configure Backup Proxy address to 0.0.0.0     Yes / No:
Customer Comments and Reasons: If some measures are not executed then please explain here.

4.5.2 Harden Phone to use Secure (Encrypted) Voice and Video

To provide secure encrypted communication for voice and video calls, secure calls and the key exchange protocol (SDES or MIKEY) must be configured.
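Added example (not code from the checklist or from Unify) tying 4.5.1 and 4.5.2 together: with SDES the SRTP master key is carried inside the SDP of the call setup, so it is only as protected as the signalling. The Python below parses an SDES a=crypto attribute as defined in RFC 4568, checks the suite and key-material length, and flags an offer whose key would travel over non-TLS signalling. The crypto-suite table, the SIP transport names and the sample offer are constructed assumptions; MIKEY is not covered.

```python
import base64
import re

# Master key + master salt length in bytes per crypto suite (RFC 4568): 16-byte key, 14-byte salt.
SUITE_KEY_SALT_LEN = {"AES_CM_128_HMAC_SHA1_80": 30, "AES_CM_128_HMAC_SHA1_32": 30}
CRYPTO_LINE = re.compile(r"^a=crypto:(\d+) (\S+) inline:([A-Za-z0-9+/=]+)((?:\|[^|\s]+)*)\s*$")


def parse_crypto_line(line: str) -> dict:
    """Parse one SDES 'a=crypto' attribute and check suite and key-material length."""
    m = CRYPTO_LINE.match(line)
    if not m:
        raise ValueError(f"malformed crypto attribute: {line!r}")
    tag, suite, key_b64, extra = m.groups()
    if suite not in SUITE_KEY_SALT_LEN:
        raise ValueError(f"unsupported crypto suite: {suite}")
    material = base64.b64decode(key_b64, validate=True)
    if len(material) != SUITE_KEY_SALT_LEN[suite]:
        raise ValueError(f"{suite}: expected {SUITE_KEY_SALT_LEN[suite]} bytes of key+salt, got {len(material)}")
    return {
        "tag": int(tag),
        "suite": suite,
        "master_key": material[:16],
        "master_salt": material[16:],
        "key_params": extra.strip("|").split("|") if extra else [],
    }


def assess_offer(sdp: str, signalling_transport: str) -> list:
    """Return findings for an SDP offer: is SRTP offered, and does the SDES key travel over TLS?"""
    findings = []
    lines = sdp.splitlines()
    crypto_lines = [l for l in lines if l.startswith("a=crypto:")]
    savp = any(l.startswith("m=") and "RTP/SAVP" in l for l in lines)
    if not (savp and crypto_lines):
        findings.append("media not offered as SRTP")
    if crypto_lines and signalling_transport.upper() != "TLS":
        findings.append("SDES master key sent over unprotected signalling")
    for line in crypto_lines:
        try:
            parse_crypto_line(line)
        except ValueError as err:
            findings.append(str(err))
    return findings


# Constructed sample offer; the key bytes 0x00..0x1d are a placeholder, not a real master key.
SAMPLE_KEY_B64 = base64.b64encode(bytes(range(30))).decode()
SRTP_OFFER = "\n".join([
    "v=0", "m=audio 5004 RTP/SAVP 8 0", "a=rtpmap:8 PCMA/8000",
    f"a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:{SAMPLE_KEY_B64}|2^31",
])
PLAIN_OFFER = "\n".join(["v=0", "m=audio 5004 RTP/AVP 8 0", "a=rtpmap:8 PCMA/8000"])
```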
4.6 Secure Interfaces and Services to the Phone

To allow easy initial use of OpenStage and Desk Phone IP phones, the majority of services and interfaces are enabled by default. To harden the phone, services and interfaces that are not used should be disabled. Also, where a more secure protocol is available for a service, that protocol should be configured, for example TLS instead of UDP or TCP.
Table: SIP Secure Signalling
CL-Openstage Manager Connection
Measures
• Disable CCE access
References: See Phone Administration Manual, chapter on Security -> Access Control
Can be done via / Needed Access Rights: Administrator
Executed
Disable CCE access if not needed by user for Openstage Manager application    Yes / No:
Customer Comments and Reasons
CL-USB port
Disable USB Backup / Restore                  Yes / No:
Customer Comments and Reasons

4.6.4 Remote Call Control (CSTA)

Call setup is possible by remote CTI clients running on a PC or server. The call control is performed using the CSTA and uaCSTA protocols carried in SIP messages from the SIP server. It is possible for this to be used in a malicious way, so the service should only be enabled where needed.
CL-SIP Secure Signalling
If CTI is allowed and Auto Answer is not wanted or used, then set Auto Answer to No    Yes / No:
Customer Comments and Reasons: If some measures are not executed then please explain here.

4.6.5 Bluetooth Access

On OpenStage 60 and OpenStage 80 phones Bluetooth is available and allows the use of Bluetooth headsets or the transfer of contact information (vCard).
CL-Bluetooth
If Bluetooth is enabled then inform the user to set pairing mode to prompt and to configure the pairing PIN    Yes / No:
If Bluetooth is enabled then inform the user to set Discoverable to NO except when needed for setup of pairing    Yes / No:
Customer Comments and Reasons: If some measures are not executed then please explain here.
CL-Secure phone access to LDAP Server
Set LDAP Transport to use TLS                 Yes / No:
Customer Comments and Reasons: If some measures are not executed then please explain here.

4.7 Secure Access to Network (Use IEEE 802.1x Access Control)

The customer has the option to enable IEEE 802.1x in the network and at the phone by installing the appropriate certificates. This should be done in a secure “staging” area.
CL-Enable 802.1x
Load RADIUS server CA certificate onto the phone    Yes / No:
Set MSCHAP identity and password for PEAP mode      Yes / No:
Customer Comments and Reasons

4.8 XML Applications

An XML Application runs on a remote server and provides a mechanism for the application to present information and interact with the phone user using the phone screen.
Table: IEEE 802.1x enabling
CL-XML Application
Measures
• Harden XML Application:
  – Configure to use HTTPS
  – Install the server CA certificate for the XML application server
  – Set the XML certificate authentication policy to Trusted or Full
  – Enable OCSP checking
• Delete the XML Application configuration for XML Applications that are not needed by the user.
5 Administration

5.1 System Access

Access to the administration of the phone has to be protected from unauthorised access. Access to the configuration of the phone is available at two levels:
• User level access: see chapter "Harden Local phone User Access" for details of how to harden the user access
• Admin level access: see chapter "Harden Local phone Admin Access" for details of how to harden the admin access
5.3 Web Services

Web services are provided on the phone to give web-based clients access to the User and Admin configuration menus. Access is only available using HTTPS; attempts to access using the standard HTTP port are automatically redirected to HTTPS. On delivery, a default web server certificate is provided on the phone for this port. This must be replaced with a customer-generated certificate.
A community string is available in SNMP V1; it is comparable with a user ID or a password and allows access to read the MIBs on the phone. It must be set to allow access for SNMP queries. Similarly, servers receiving the traps also make use of a community string. These are configured separately for traps and diagnostic traps (QDC data) in the phone. As the community strings are transmitted in clear text, they can be eavesdropped easily.
Table: Diagnostic Access
CL-Diagnostic Access
Measures
• Disable the remote trace facility (only needed for debug / service fault finding)
• Enable the Remote Trace User Notification function.
CL-SSH Interface Access
Executed
Set secure shell allowed to OFF (via DLS only)    Yes / No:
Customer Comments and Reasons
6 Addendum

6.1 Default Accounts

There are two access levels available on the phone. These are fixed as User and Admin and cannot be changed. Each access level has its own password and password policy.

6.2 Password and PIN Policies

A password policy is a set of rules designed to enhance computer security by encouraging users to employ strong passwords and use them properly.
#   Password policy of OpenStage and Desk Phone SIP V3R3   Default value (range of possible values): Password   Default value (range): PIN*   Recommended Setting: Password   Recommended Setting: PIN*
10  Number of days password is kept in history               180 (1 – 999)                                       180 (1 – 999)                 180                             180
11  Maximum password age in days                              0 (0 – 99)                                          0 (0 – 99)                    90                              90
12  Minimum password age in hours                             0 (0 – 24)                                          0 (0 – 24)                    1                               1
13  Notification before password expiration in days           0 (0 – 99)                                          0 (0 – 99)
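Added example, not from the checklist or from Unify: a Python check that applies the composition, repeated-character, changed-character and password-history rules named in this chapter to a proposed password change and reports which rules it breaks. The policy values are constructed assumptions rather than the recommended settings, and keeping the history as SHA-256 digests is an assumption about how a phone might store earlier passwords.

```python
import hashlib
import string
from dataclasses import dataclass


@dataclass(frozen=True)
class PasswordPolicy:
    # Field names follow the policy parameters of this chapter; the values are constructed
    # examples for the demonstration, not the checklist's recommended settings.
    min_length: int = 8
    min_upper: int = 1
    min_lower: int = 1
    min_numerals: int = 1
    min_special: int = 1
    max_repeated: int = 2   # maximal number of identical consecutive characters
    min_changed: int = 3    # minimum character count for changed characters
    history_depth: int = 5  # number of previous passwords that may not be reused


def password_digest(password: str) -> str:
    # Stand-in for whatever form the phone keeps its history in (assumption for this example).
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def longest_run(text: str) -> int:
    """Length of the longest run of one repeated character."""
    best = run = 0
    prev = None
    for ch in text:
        run = run + 1 if ch == prev else 1
        best = max(best, run)
        prev = ch
    return best


def changed_characters(new: str, current: str) -> int:
    """Positions that differ between new and current password, plus any length difference."""
    return sum(a != b for a, b in zip(new, current)) + abs(len(new) - len(current))


def check_password(new: str, current: str, history: list, policy: PasswordPolicy = PasswordPolicy()) -> list:
    """Return the names of violated policy rules; an empty list means the change is accepted.

    `history` holds digests of earlier passwords, most recent first."""
    counts = {
        "min_length": len(new),
        "min_upper": sum(c.isupper() for c in new),
        "min_lower": sum(c.islower() for c in new),
        "min_numerals": sum(c.isdigit() for c in new),
        "min_special": sum(c in string.punctuation for c in new),
        "min_changed": changed_characters(new, current),
    }
    violations = [rule for rule, n in counts.items() if n < getattr(policy, rule)]
    if longest_run(new) > policy.max_repeated:
        violations.append("max_repeated")
    if password_digest(new) in history[: policy.history_depth]:
        violations.append("history")
    return violations
```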
Admin Password / User Password (customer values)
• Minimal Length
• Minimal number of upper case letters
• Minimal number of lower case letters
• Minimal number of numerals
• Minimal number of special characters
• Maximal number of repeated characters
• Change interval
• Maximum number of erroneous login attempts
• Minimum character count for changed characters
• Password History: Number of days password is kept in history
• Maximum password age in days
• Minimum password age in hours
• Notification bef
• Maximum number of erroneous login attempts
• Account lockout duration in minutes
• Automatic logoff after not used period in minutes

6.3 Certificate Handling

Certificates are used to provide authentication of connected servers and digital keys. Customer-generated certificates must be installed on the phone. This section gives a list of the certificates used on the phone.
# | Interface | Credential | Customer requirement for OpenStage / Desk Phone IP Phone credentials | Expiration Date for Customer specific key material | Unify Usage / Default credentials
10 | XML App 1 | HTTPS Server CA Certificate | None | Authentication for XML Application 1. The XML App certificates 1 and 2 can also be used as current and next to allow changeover of certificate for a single server
11 | XML App 2 | HTTPS Server CA Certificate | None | Authentication for XML Application 2.
CL-SIP Secure Signalling
Needed Access Rights: Administrator
Executed
Set authentication policy for HTTPS secure file transfer    Yes / No:
Set authentication policy for secure SIP signalling         Yes / No:
Set authentication policy for secure Send URL               Yes / No:
Set authentication policy for 802.1x                        Yes / No:
Set authentication policy for XML Applications              Yes / No:
Set authentication policy for DLS / WPI                     Yes / No:
Customer Comments and Reasons
6.5 References
• VoIP Security: http://wiki.unify.com/index.php/VoIP_Security
• DLS – Certificate Management for 802.1x / EAP-TLS: http://wiki.unify.com/images/a/ae/DLS__Certificate_Management_for_802_1x.pdf
• OpenStage and Desk Phone IP - Provisioning Interface: http://wiki.unify.com/images/c/c7/OpenStage_Provisioning_Interface_Developer%27s_Guide.pdf
• Interface Management Database (IFMDB), available via the Unify Partner Portal / SEBA Portal: https://www.unify.com/seba/default.