IP Link Best Practices for Network Integration and Security. Introduction...2. Passwords...4 ACL...5 VLAN...6. Protocols...6. Conclusion...



Similar documents
IP Intercom Best Installation Practices. Abstract Overview: Designed for Simplicity...2. IP Intercom Hardware Stations...2

Firewall VPN Router. Quick Installation Guide M73-APO09-380

Multi-Homing Dual WAN Firewall Router

Lab Configuring Access Policies and DMZ Settings

A host-based firewall can be used in addition to a network-based firewall to provide multiple layers of protection.

Lab Developing ACLs to Implement Firewall Rule Sets

Recommended IP Telephony Architecture

QUICK START GUIDE. Cisco C170 Security Appliance

Firewall Introduction Several Types of Firewall. Cisco PIX Firewall

CMPT 471 Networking II

Kramer Electronics, Ltd. Site-CTRL and Web Access Online User Guide (Documentation Revision 2)

Firewalls. Securing Networks. Chapter 3 Part 1 of 4 CA M S Mehta, FCA

9 Simple steps to secure your Wi-Fi Network.

H0/H2/H4 -ECOM100 DHCP & HTML Configuration. H0/H2/H4--ECOM100 DHCP Disabling DHCP and Assigning a Static IP Address Using HTML Configuration

Firewalls. Chapter 3

1 You will need the following items to get started:

The Trivial Cisco IP Phones Compromise

3.1 RS-232/422/485 Pinout:PORT1-4(RJ-45) RJ-45 RS-232 RS-422 RS-485 PIN1 TXD PIN2 RXD PIN3 GND PIN4 PIN5 T PIN6 T PIN7 R+ PIN8 R-

Firewalls and VPNs. Principles of Information Security, 5th Edition 1

Secure Networks for Process Control

User s Manual TCP/IP TO RS-232/422/485 CONVERTER. 1.1 Introduction. 1.2 Main features. Dynamic DNS

IMPLEMENTATION OF INTELLIGENT FIREWALL TO CHECK INTERNET HACKERS THREAT

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. Chapter 5 Firewall Planning and Design

Network Terminology Review

Computer Security CS 426 Lecture 36. CS426 Fall 2010/Lecture 36 1

QUICK START GUIDE. Cisco S170 Web Security Appliance. Web Security Appliance

Security Technology: Firewalls and VPNs

1 Data information is sent onto the network cable using which of the following? A Communication protocol B Data packet

Ethernet Interface Manual Thermal / Label Printer. Rev Metapace T-1. Metapace T-2 Metapace L-1 Metapace L-2

Cyber Security: An Introduction

IP Filter/Firewall Setup

CTS2134 Introduction to Networking. Module Network Security

8 Steps for Network Security Protection

Security Technology White Paper

8 Steps For Network Security Protection

Grandstream Networks, Inc. UCM6100 Security Manual

Cisco S380 and Cisco S680 Web Security Appliance

Lab Configuring Access Policies and DMZ Settings

FIREWALLS & CBAC. philip.heimer@hh.se

Intro to Firewalls. Summary

Cisco Advanced Services for Network Security

Configuring DHCP Snooping

Gigabit Content Security Router

VIA HOW TO CONFIGURE A DMZ FOR SECURE COLLABORATION KRAMER WHITE PAPER. By Lars Duziack

TotalCloud Phone System

White Paper Copyright 2011 Nomadix, Inc. All Rights Reserved. Thursday, January 05, 2012

VIP-102B IP Solutions Setup Tool Reference Manual

Symantec Endpoint Protection 11.0 Network Threat Protection (Firewall) Overview and Best Practices White Paper

MN-700 Base Station Configuration Guide

3.5 EXTERNAL NETWORK HDD. User s Manual

What is Firewall? A system designed to prevent unauthorized access to or from a private network.

8. Firewall Design & Implementation

Welcome. Unleash Your Phone

Security+ Guide to Network Security Fundamentals, Fourth Edition. Chapter 6 Network Security

Hills Professional Series NVRs and Cameras

Cisco Configuring Commonly Used IP ACLs

Proxy Server, Network Address Translator, Firewall. Proxy Server

Cornerstones of Security

Lab Organizing CCENT Objectives by OSI Layer

DATA COMMUNICATIONS MANAGEMENT. Gilbert Held INSIDE

Stateful Inspection Technology

ProCurve Networking. Hardening ProCurve Switches. Technical White Paper

Overview. Firewall Security. Perimeter Security Devices. Routers

Basic Network Configuration

FortKnox Personal Firewall

FIREWALLS IN NETWORK SECURITY

Logical & Physical Security

FAQs: MATRIX NAVAN CNX200. Q: How to configure port triggering?

CIT 480: Securing Computer Systems. Firewalls

Protecting the Home Network (Firewall)

Deploying Secure Internet Connectivity

Skills Assessment Student Training Exam

eprism Security Suite

Network Security. Tampere Seminar 23rd October Overview Switch Security Firewalls Conclusion

BIT COMMANDER. Serial RS232 / RS485 to Ethernet Converter

INTERNET SECURITY: THE ROLE OF FIREWALL SYSTEM

CompTIA Network+ (Exam N10-005)

CSE 4482 Computer Security Management: Assessment and Forensics. Protection Mechanisms: Firewalls

Note: This case study utilizes Packet Tracer. Please see the Chapter 5 Packet Tracer file located in Supplemental Materials.

Interconnecting Cisco Network Devices 1 Course, Class Outline

User Manual Network Interface

Extending the range of a wireless network by using mesh topology

Firewalls. Ingress Filtering. Ingress Filtering. Network Security. Firewalls. Access lists Ingress filtering. Egress filtering NAT

Firewall Defaults and Some Basic Rules

Trouble Shooting SiteManager to GateManager access

Firewalls. Test your Firewall knowledge. Test your Firewall knowledge (cont) (March 4, 2015)

Gigabit Multi-Homing VPN Security Router

Cisco Secure PIX Firewall with Two Routers Configuration Example

Internet Security Firewalls

1 PC to WX64 direction connection with crossover cable or hub/switch

Networking Basics and Network Security

- Basic Router Security -

QUICK START GUIDE Cisco M380 and Cisco M680 Content Security Management Appliance

Wireless Cable Gateway CG3100Dv3

VIP-102B IP Solutions Setup Tool Reference Manual

TALKSWITCH VOIP NETWORK TROUBLESHOOTING GUIDE

ΕΠΛ 674: Εργαστήριο 5 Firewalls

Transcription:

IP Link Best Practices for Network Integration and Security Table of Contents Introduction...2 Passwords...4 ACL...5 VLAN...6 Protocols...6 Conclusion...9 Abstract Extron IP Link technology enables A/V devices to be controlled, monitored and accessed from any computer connected to the network. As with all IP enabled network devices, there are security concerns that need to be addressed. Developing and implementing a solid security policy to maximize the availability of the IP Link devices on your network will ensure uninterrupted monitoring and control of your A/V systems. In this paper, we will provide an overview of several standard IT security practices that are compatible with Extron IP Link equipment. We also provide protocol and port information that may be needed by other network applications or appliances. white paper 1

white paper Introduction For the IT department, security is the never ending search for a good nights sleep! Hackers are continuously looking for that open door. These doors are at all network levels and all levels of sophistication, from dumpster-diving to IP spoofing. There are opportunities at all levels to breach security; each level needs to cooperate to prevent unintended guests from gaining network access. The Extron IP Link products connect and control A/V equipment and are another part of the network. The following describes how Extron s products fit in with common security techniques. These security techniques may or may not be implemented by your IT Administrator. Security solutions are constantly changing to keep pace with network evolution. TCP/IP Network The Corporate Network 2

white paper Trusted and Untrusted Security in one sentence is Who do you trust? IT is constantly defining who is trusted and what hoops need to be jumped through to achieve trusted status. Hackers are constantly looking for opportunities to become a trusted source. Users provide credentials such as passwords to gain trusted access; and computers are granted network access by being on selective address lists. We are all aware of the benefits gained by having access to shared resources. However, these benefits are reduced as security concerns drive the IT administrator to control resources and limit access. Taken to the extreme, perfect security would be no access. While this extreme negates the purpose and benefit of a network it does suggest a variant, the Isolated A/V Network, which does provide security by limiting access. Isolated A/V Network The Isolated A/V Network An isolated A/V network has its own hardware and creates a parallel network that is separate from the data network. This achieves a high level of security by severely limiting access. Extron network products will work in an isolated environment. The rest of this paper focuses on an integrated solution that balances the needs of security and access. User Trusted Access Procedures We begin with procedures. They depend on the cooperation of the network user and are usually the first line of defense. There are procedures for locked doors to network cabinets and server rooms; keeping reset buttons and physical access to network appliances away from abusers. There are also constant reminders of security procedures such as don t open an email attachment from an unknown source and protect your password. These procedures are just as critical, if not more so, than the latest security appliance. 3

Password Use Passwords provide access for the user and verification to the network that the user is trusted. Procedures for password use, generation and protection are critical to network security. Normal password security procedures consist of not writing down passwords, shielding passwords from others, and changing passwords regularly. IP Link products have two levels of password security: administrator and user. The administrator level permits complete access to all commands and ports, permitting configuration and maintenance of an IP Link system. The user level grants access to operational controls such On/Off, video source, volume, and other commands needed for presentations. Note: The factory default is no password is enabled. We strongly recommend that both the user and administrator passwords be assigned. If the administrator password is not set the user has unrestricted access. Any user could re-configure the system and even change or set passwords. Password Creation It is imperative to limit access to all network devices in order to protect them from both unintentional modification and malicious tampering. IP Link passwords are alphanumeric, case sensitive and have a length of up to 12 characters. Good security practices recommend that passwords be at least 8 characters in length, consisting of at least one upper case character and 1 numeric digit. When creating a password, switch letters with numbers, and avoid using dictionary words or industry acronyms. For instance, Extr0nEl3c is a stronger password than extron and is less likely to be guessed. Choose a password that can be remembered; otherwise, users might write it down, undermining security. It is recommended that you regularly change passwords: a good rule of thumb, change the administration password once a month and the user password 2-6 times a year. The longer a static password is in use and remains unchanged, the more likely it is to be compromised. 4

white paper Network Controls for Trusted Access Access Control List (ACL) The ACL is strictly a look up table created by the administrator and you are either on the trusted list or not. ACLs filter IP packets entering and/or leaving a switch/router or server. The list can filter on layer 2 MAC addresses, or layer 3 IP addresses, or layer 3 and layer 4 together; defining an IP address and port number. ACLs can perform similar functions as a firewall. A firewall is a common security appliance which blocks malicious internet traffic from a local network. Again, we are sorting clients and hosts into two bins; trusted and un-trusted. An A/V ACL can be created with IP address of all IP Link devices and all GlobalViewer hosts. There can be additional ACL filtering by limiting access to the Telnet port from specific MAC and IP addresses. As an example Telnet traffic could be restricted to just the Ethernet connections within the A/V room and administrator computers. ACL Filtering 5

TCP/IP Network Virtual Local Area Network (VLAN) A VLAN, as its name suggests, creates a private or virtual network within a network. The VLAN creates the concept, of the previously mentioned isolated A/V network, within the corporate network but without the drawbacks. Through administration controls, VLANs can access important shared resources and still maintain a community of trusted members. VLANs are defined in the IEEE 802.1Q specification. They are configurable on network switches and routers that support the VLAN protocol. When implementing the IP Link technology, it is good practice to create a dedicated VLAN for IP Link devices. The Whole Network Supporting Protocols and Port Specifications TCP/IP Network Server Applications The IP Link device hosts 2 server applications: Telnet for control and status and HTTP for the embedded Web server. The factory default is the standard Telnet port of 23 and port 80 for HTTP. VLAN A: The A/V Network Changing the well known port 23 for Telnet and 80 for HTTP to any other random port number is a good security practice. Telnet and HTTP ports can be remapped to any other valid port between 1024 thru 65,535. Remapping the standard ports help deter automated attacks that scan well known ports looking for an opportunity to gain trusted access. TCP/IP Network Note: Before changing the default port number verify that the new port number is not already in use by another application in your network. VLAN B: The Rest of the Network 6

Client Applications The IP Link device supports 2 client applications. The IP Link device includes a DHCP - Dynamic Host Configuration Protocol client which allows the device to dynamically get its TCP/IP parameters - IP address, subnet mask and default gateway - from a DHCP server. The SMTP - Simple Mail Transfer Protocol client allows an administrator to set up monitoring processes which trigger an e-mail to be sent when certain conditions are met. SMTP Authentication IP Link devices can be programmed to automatically send e-mail notices. E-mail systems may be configured to reject incoming messages from an unauthorized source to prevent SPAM relay attacks. Because an IP Link device does not have an account in the internal system, some e-mail systems would reject any e-mail coming from the IP Link device and would consider it as SPAM. If the SMTP server supports it, the IP Link device can authenticate against the server prior to sending a message. If your SMTP server doesn t support authentication, one option is to create an account in your e-mail system for each IP Link device. DHCP Client Support and Configuration Every IP Link device includes an embedded DHCP client in the hardware that can be enabled through its Web server. By default, DHCP is turned off. Extron recommends that IP Link devices be given a static IP address for better management when using Extron Global Configurator Software. Global Configurator uses the IP address assigned to the IP device when compiling and configuring the XML and HTML files that are uploaded to the device. Any changes to the IP address of the IP Link device after configuration will require a recompiled GC project file. When the DHCP client is enabled on an IP Link device, it will get its IP parameters from the DHCP service. Prior to enabling DHCP, make sure that a DHCP server is available on the network and that it is able to distribute IP addresses for the subnet where the IP Link device is installed. 7

The purpose of a DHCP server is to provide dynamic-addressing, each IP address is selected by the DHCP server in sequence from a list or range of addresses. It is probable that an IP Link device will not receive the same IP address every time it requests an IP address. To avoid this situation, the IP address for each IP Link device needs to be a static entry in the DHCP server. Typically, this can be accomplished by reserving a specific IP address based on the MAC address of the IP Link device. Auto Discovery Ports The Extron Device Manager application communicates using UDP ports 1230 and 1231 to monitor the IP Link device and is used for auto-discovery. These ports cannot be remapped. Please make sure that ports 1230 and 1231 are accessible through network appliances. Direct Access Ports Many of the IP Link products have unidirectional or bi-directional serial ports. Extron defines these as Direct Access Ports. Direct Access Ports are assigned unique TCP ports for direct communication. Factory defaults start at port 2001 and are assigned in ascending order as needed. The starting base port can be changed to any other available port number beyond 1024 or be turned off to reject connections all together. Conclusion Network security must be approached on a system level. IP Link devices require the normal security measures that IT deems necessary for any network connection: Passwords, ACLs, VLANs and port re-mapping put up significant barriers for the malicious intruder. At the device level, IP Link products are inherently secure because they are dedicated appliances. They are not subject to many threats because they do not run a Windows Operating System. This eliminates many of IT s security concerns when integrating new products. For IP link devices, the security measure that needs compliance is password enforcement. Close that open door into the network, enforce both user and administrator passwords on IP Link devices. 8

Extron Electronics, headquartered in Anaheim, CA, is a leading manufacturer of professional A/V system products including computer-video interfaces, switchers, matrix switchers, distribution amplifiers, video scalers, scan converters, signal processing devices, Ethernet control interfaces, and high resolution cables. Extron products are used to integrate video and audio into presentation systems for today s high tech boardrooms, presentation/training centers, university lecture halls, and other applications. For additional information, please call an Extron Customer Support Representative at: 800.633.9876 (inside USA and Canada only) or 714.491.1500 for Extron USA; +800.3987.6673 (inside Europe only) or +31.33.453.4040 for Extron Europe; +800.7339.8766 or +65.6383.4400 for Extron Asia; +81.3.3511.7655 for Extron Japan. www.extron.com Copyright 2009 All rights reserved. 9

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information