V100R011
Issue 02
Date 2013-05-28
HUAWEI TECHNOLOGIES CO., LTD.
2013. All rights reserved.
No part of this document may be reproduced or transmitted in any form or by any means without prior written consent of Huawei Technologies Co., Ltd.

Trademarks and Permissions
and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd. All other trademarks and trade names mentioned in this document are the property of their respective holders.

Notice
The purchased products, services and features are stipulated by the contract made between Huawei and the customer. All or part of the products, services and features described in this document may not be within the purchase scope or the usage scope. Unless otherwise specified in the contract, all statements, information, and recommendations in this document are provided "AS IS" without warranties, guarantees or representations of any kind, either express or implied.
The information in this document is subject to change without notice. Every effort has been made in the preparation of this document to ensure accuracy of the contents, but all statements, information, and recommendations in this document do not constitute a warranty of any kind, express or implied.

Huawei Technologies Co., Ltd.
Address: Huawei Industrial Base, Bantian, Longgang, Shenzhen 518129, People's Republic of China
Website: http://enterprise.huawei.com
About This Document

Overview
This document introduces the security maintenance operations of the HUAWEI 9000 HD Videoconferencing Endpoint (endpoint for short).

Related Documents
Document Title | Describes... | Document Location
HUAWEI 9000 HD Videoconferencing Terminal Admin Guide | Configuration, management, and troubleshooting of the endpoint. | Website: http://enterprise.huawei.com. Choose SUPPORT > Product Support > UC&C > Video Terminal > ViewPoint 9030.
HUAWEI 9000 HD Videoconferencing Endpoint Command Reference | Functions, parameters, formats, usage guidelines, and examples of all endpoint commands. | Website: http://enterprise.huawei.com
HUAWEI 9000 HD Videoconferencing Endpoint Communication Matrix | Ports, protocols, IP addresses, and authentication modes for the communication of the endpoint. | Website: http://enterprise.huawei.com

Intended Audience
This document is intended for:
- Technical support engineers
- Maintenance engineers
Symbol Conventions
The symbols that may be found in this document are defined as follows (the symbol images are not reproduced here):
Symbol | Description
(image) | Alerts you to a high risk hazard that could, if not avoided, result in serious injury or death.
(image) | Alerts you to a medium or low risk hazard that could, if not avoided, result in moderate or minor injury.
(image) | Alerts you to a potentially hazardous situation that could, if not avoided, result in equipment damage, data loss, performance deterioration, or unanticipated results.
(image) | Provides a tip that may help you solve a problem or save time.
(image) | Provides additional information to emphasize or supplement important points in the main text.
Contents
About This Document
1 Overview
1.1 Purpose of
1.2 What is Layered
2 Application Layer Security
2.1 Application Layer Account List
2.1.1 Administrator Password
2.1.2 Web Management Account
2.1.3 Touch Panel Account
2.1.4 Serial Port Account
2.1.5 SSH and Telnet Login
2.1.6 Upgrade Password
2.1.7 Network Diagnostics Tool Account
2.1.8 Bootrom Password
2.1.9 Administrator Account
2.2 Restoring Normal and Bootrom Systems to Default Settings
2.3 SiteCall Security
2.4 Enabling the H.235 Encryption
2.5 Web User Management
2.5.1 Logging In to the Web Interface
2.5.2 Changing the Password
2.6 Web Access Control
2.7 SSH Access Control
2.7.1 User Login
2.7.2 Checking Whether Telnet Login Is Enabled
2.8 Viewing Logs
2.9 Enabling and Disabling FTPS
2.10 Configuring an FTPS Server
2.11 Site Monitoring and Management
2.11.1 Enabling the Site Monitoring and Management Function
2.11.2 Taking a Picture
2.12 Upgrading Using the Bootrom
2.12.1 Preparing for the Upgrade
2.12.2 Performing an Upgrade
2.13 Bootrom Operations
2.14 Verifying a Digital Signature
2.14.1 Working Environment Requirements
2.14.2 Verifying FileIntergrityVerify.exe
2.14.3 Verifying the Signature
3 System Layer Security
4 Network Layer Security
5 Management Layer Security
5.1 Principles of System
5.1.1 Account Management
5.1.2 Permission Management
5.1.3 Auditing Principles
5.2 Password Maintenance Recommendations
5.3 Logs Maintenance Recommendations
5.3.1 Checking Logs Regularly
5.3.2 Backing Up Logs Regularly
5.4 Security Evaluation Recommendations
5.5 Backup Recommendations
5.6 Defects Feedback Recommendations
5.7 Emergency-Response Mechanism
6 Appendix
1 Overview

1.1 Purpose of
Application systems now face severe security threats. Once problems occur, business might be disrupted, profits reduced, or even systems brought down. Users must build up and maintain application system security at different layers, and discover and solve potential threats in advance. Besides, considering the endless emergence of security threats, dependence on technology alone can hardly ensure application system security. Users must build up a security management system based on the security maintenance suggestions and on the problems they find while using the endpoint, to ensure smooth and safe operation of the endpoint.

1.2 What is Layered
According to the target and purpose of security maintenance, maintenance personnel must safeguard the service system at different layers:
Application Layer: Security maintenance at the application layer protects the endpoint and its web management system so that they can provide services to users with smooth operation.
System Layer: Security maintenance at the system layer ensures smooth operation of the operating system, which supports the operation of the application software.
Network Layer: Security maintenance at the network layer ensures that network devices, such as the switch, router, and firewall, function properly and that security strategies are implemented at the network layer.
Management Layer: Security maintenance at the management layer strengthens the management of people and avoids threats. Maintenance at the management layer involves the maintenance operations at all preceding layers.
2 Application Layer Security

2.1 Application Layer Account List

2.1.1 Administrator Password
If an administrator password is set for the user interface controlled by the remote control, common users must enter this password to access the Settings, Utilities, Diagnostics, and Customize Option Bar screens. The administrator password is left blank by default. If no administrator password is set, common users have access to all functions; therefore, you are advised to set the administrator password immediately after the endpoint starts for the first time.
To set the administrator password, choose Settings > Security > Password.

2.1.2 Web Management Account
The endpoint supports a maximum of three users logged in to the web interface concurrently. Users are categorized and assigned different permissions as described in Table 2-1.

Table 2-1 Web management account
Account Name | Default Password | Description | Remarks
admin | admin | This account is the default account with the highest permission and cannot be deleted. For account levels, see section 2.6 "Web Access Control." | To ensure account security, you are advised to change the password after the first login. For details about how to change the password, see section 2.5.2 "Changing the Password."

2.1.3 Touch Panel Account
You can log in to the endpoint from the touch panel to initiate and control the conference. Table 2-2 describes the touch panel account.

Table 2-2 Touch panel account
Account Name | Default Password | Description | Remarks
api | api | This account is used to log in to the endpoint to initiate and control the conference on the conference control interface. | To ensure account security, you are advised to change the password after the first login. For details about how to change the password, see section 2.5.2 "Changing the Password."

2.1.4 Serial Port Account
You can log in to the endpoint through its COM1 and COM2 serial ports from a computer to debug or troubleshoot the endpoint. Table 2-3 describes the serial port accounts.

Table 2-3 Serial port account
Account Name | Default Password | Description | Remarks
DEBUG SHELL | viewpoint9000 | Log in to the endpoint through a serial port from a computer to debug and troubleshoot the endpoint. Specifies the COM1 serial port account. | To ensure account security, you are advised to change the password after the first login. To change the password: on the interface controlled by the remote control, choose Settings > Security > Telnet Login; on the web interface, choose System Settings > Network > Security and Service.
DEBUG TELNET | viewpoint9000 | Specifies the COM2 serial port account. | To ensure account security, you are advised to change the password after the first login. To change the password: on the interface controlled by the remote control, choose Settings > Security > Telnet Login; on the web interface, choose System Settings > Network > Security and Service.

The baud rate of COM1 and COM2 is 9600 baud.
2.1.5 SSH and Telnet Login
The endpoint supports Telnet login and Secure Shell (SSH) login. Telnet is an insecure protocol and is enabled by default. SSH is a network security protocol for remote access that uses encryption and authentication over an insecure network. During an SSH session, all user data is encrypted. To ensure security, you are advised to use SSH login.
- You can log in to the endpoint through port 23 using unencrypted Telnet. Telnet is enabled by default, and the Telnet login permission setting is provided on the web interface and the remote control interface.
- You can log in to the endpoint through port 22 using encrypted SSH. SSH is enabled by default, and the Telnet login permission setting is provided on the web interface and the remote control interface.

SSH and Telnet Login to the Normal System
The normal system supports SSH and Telnet login. The accounts and default passwords for SSH and Telnet login are the same and are described in Table 2-4.

Table 2-4 SSH and Telnet login accounts
Account Name | Default Password | Description | Remarks
debug | debug | Administrator account with the highest permission for system debugging. | You can change the account name and password of other SSH client users when you log in to the endpoint using the administrator account.
admin | admin | Common user account with a permission level lower than the administrator account, for test. | -
test | testviewpoint | Special account for debugging with a permission level lower than the administrator account. | This is a special account and not for common users.
apiuser | By default, the password is left blank. | Touch panel account with a permission level lower than the administrator account, for debugging. | This is a special account and not for common users.
user | user | Common user account with a permission level lower than the administrator account, for debugging. | -

Telnet Login to the Bootrom System
The bootrom system supports Telnet login. Table 2-5 describes the Telnet login accounts.

Table 2-5 Telnet login accounts
Account Name | Default Password | Description | Remarks
debug | debug | Administrator account for debugging with the highest permission. | You can change the user name and password of other users when you log in to the endpoint using the administrator account.
admin | 903X_admin | Common user account with a permission level lower than the administrator account, for debugging. | -
user | user | Common user account with a permission level lower than the administrator account, for debugging. | -

To ensure account security, you are advised to change the password after the first login. For details about how to use the debugging commands to change the password and debug, see the HUAWEI 9000 HD Videoconferencing Endpoint Command Reference.

2.1.6 Upgrade Password
To upgrade the endpoint, you need the upgrade password listed in Table 2-6.

Table 2-6 Upgrade password
Account Name | Default Password | Description | Remarks
None | viewpoint9000 or api | This password is required to upgrade the endpoint. The touch panel password can also be used as the upgrade password; its default value is api. The upgrade password changes with the touch panel password. | To ensure account security, you are advised to change the password after the first login. To change the password: on the interface controlled by the remote control, choose Settings > Security > Telnet Login; on the web interface, choose System Settings > Network > Security and Service.

2.1.7 Network Diagnostics Tool Account
You can use the network diagnostics tool to troubleshoot the endpoint. Table 2-7 describes the network diagnostics tool account.

Table 2-7 Network diagnostics tool account
Account Name | Default Password | Description | Remarks
admin | admin | This account is used with the network diagnostics tool to troubleshoot the endpoint. | The account and password are the same as those used to log in to the web interface of the endpoint.

2.1.8 Bootrom Password
After the bootrom system starts, you must enter the password to log in to the system. You can access the bootrom system only through the serial ports. The default password for the bootrom system is hwviewpoint.
To ensure account security, you are advised to change the password after the first login. For details about how to change the password, see the HUAWEI 9000 HD Videoconferencing Endpoint Command Reference.
After logging in to the bootrom system, you can:
- Boot from flash
- Boot from network
- Enter equipment test
- Set the MAC address
- Get the MAC address
- Show boot line
- Use last set parameters to boot
- Reboot
- Show Event Detail Record (EDR) information

2.1.9 Administrator Account
The administrator needs to enter the account name and password listed in Table 2-8 to log in to the endpoint.

Table 2-8 Administrator account
Account Name | Default Password | Description | Remarks
v3user | 12345678 | Manage the endpoint using a computer. For example, you can configure endpoint settings, query the endpoint status, and restart and upgrade the endpoint. | -
2.2 Restoring Normal and Bootrom Systems to Default Settings
If you forget the passwords of the normal or bootrom system, restore the system (including the passwords) to its default settings.

Normal System
Set the dual in-line package (DIP) switches to Norm and restart the endpoint. When the restart is complete, toggle the No.1 DIP switch six times within 10 seconds. Figure 2-1 shows the DIP switches.

Figure 2-1 ViewPoint 9030, VP9035A, ViewPoint 9039S, or VP9039A DIP switch (figure not reproduced)

Bootrom System
Set the DIP switches to Load and restart the endpoint. When the restart is complete, toggle the No.1 DIP switch six times within 10 seconds. Figure 2-1 shows the DIP switches.

2.3 SiteCall Security
The endpoint uses HTTPS (Hypertext Transfer Protocol Secure) mode to upload the multipoint conference information and supports Transmission Control Protocol (TCP) mode when a multipoint conference is initiated. If HTTPS mode is disabled, the endpoint uses the insecure TCP mode. You are advised to use HTTPS mode for better communication security. If HTTPS mode is enabled, you are also advised to enable Multipoint conference authentication.
To enable HTTPS mode and Multipoint conference authentication:
- On the interface controlled by the remote control, choose Settings > Network > IP > H.323 and enable HTTPS mode and Multipoint conference authentication.
- On the web interface, choose System Settings > Protocol > H.323/SIP Settings and enable HTTPS mode and Multipoint conference authentication.
2.4 Enabling the H.235 Encryption

Background
H.235 encryption encrypts the media streams using a negotiated encryption algorithm and key. The media streams can be decrypted only with the same algorithm and key; therefore, unauthorized users cannot access the media streams. An IP network is neither quality-guaranteed nor secure, and encrypting the media streams better secures video communications. Both parties in a call must support the encryption function.
H.235 encryption is disabled by default. You are advised to enable it.

Procedure
Step 1 Choose Settings > Security > Encryption Policy. You can then set H.235 encryption to:
- Disable: No media streams are encrypted.
- Enable: Media streams are encrypted. If this option is selected, the endpoint can attend only encrypted conferences.
- Maximum interconnectivity: Call setup takes priority; the call is set up whether or not encryption can be used.
Step 2 Select Save for the settings to take effect.
----End

2.5 Web User Management
The web interface of the endpoint supports two types of users: administrators and common users.
- Administrators: Administrators have all permissions on the web interface. Administrators can change common users' accounts and passwords.
- Common users: They have some permissions on the web interface and can configure only personal settings, not system settings.

2.5.1 Logging In to the Web Interface
Step 1 Open a browser on the computer. In the address box, enter the IP address, such as https://192.168.1.1.
Step 2 Press Enter. The interface shown in Figure 2-2 is displayed. If the security certificate is invalid, click Continue to this website to resume the login.

Figure 2-2 Login page (figure not reproduced)

Step 3 Enter the user name and password. Select a language.
Step 4 Click Log In.
----End
To ensure account security, you are advised to change the password after the first login.

2.5.2 Changing the Password
On the web interface, you can change the passwords of the web management account, common user accounts, and touch panel accounts.
Step 1 Log in to the web interface and choose System Settings > Personal.
Step 2 Click the Personal tab and change the password.
Step 3 Click Save.
----End

2.6 Web Access Control
The endpoint adopts HTTPS mode, which is the secure version of HTTP. The following methods control web access:
- Users can log out. When you have logged in to the web interface, you can click Exit in the upper right corner; the login interface is then displayed.
- The maximum number of users that can log in to the system concurrently is limited. A maximum of three users can log in to the web interface simultaneously.
- The endpoint supports SSL encryption.
The endpoint supports switching between HTTPS and HTTP. Enable SSL encryption for secure communication using HTTPS. After SSL encryption is enabled, HTTPS is enabled. By default, SSL encryption is enabled on the system.

2.7 SSH Access Control

2.7.1 User Login
During remote access and data transmission, SSH commands can be run to create an encrypted channel between the application layer and the client. The following uses PuTTY as an example to describe the SSH access control methods.
Step 1 Run PuTTY on your computer. The PuTTY Configuration dialog box shown in Figure 2-3 is displayed.

Figure 2-3 PuTTY Configuration (figure not reproduced)

Step 2 In Host Name (or IP address), enter the IP address, such as 200.54.0.109.
Step 3 Select SSH for Protocol. Use the default value for Port.
Step 4 Click Open.
The login interface is displayed.
Step 5 Enter the user name and password and run the commands. For details, see the HUAWEI 9000 HD Videoconferencing Endpoint Command Reference.
----End
The administrator name and password for both Telnet and SSH login are debug.

2.7.2 Checking Whether Telnet Login Is Enabled
By default, Telnet Login is enabled. You can disable it from the user interface controlled by the remote control or from the web interface.
- To check, enable, or disable Telnet Login from the user interface controlled by the remote control: choose Settings > Security and check whether Telnet Login is selected.
- To check, enable, or disable Telnet Login from the web interface: choose System Settings > Network, click the Security and Service tab, and check whether Allow is selected for Telnet Login.
Telnet is an insecure communications protocol. You are advised to disable Telnet Login.

2.8 Viewing Logs
Logs record all non-query events during endpoint operation, such as user operation commands. Logs can be exported from the web interface.
Step 1 Log in to the web interface and choose Maintenance > Logs.
Step 2 On the Logs page, click Export.
Step 3 Click Save in the displayed dialog box.
Step 4 Choose the folder in which to save the logs and click Save.
Step 5 Open the exported logs using Internet Explorer.
----End

2.9 Enabling and Disabling FTPS
The endpoint supports switching between File Transfer Protocol over SSL (FTPS) and File Transfer Protocol (FTP). To ensure communications security, enable SSL encryption. After SSL encryption is enabled, FTPS is enabled.
Run the following commands to enable or disable FTPS:

    main cpu->ui config set Security.IsUseFtpsInDownload
    IsUseFtpsInDownload(1) :0

The value 1 enables the function; the value 0 disables it.

2.10 Configuring an FTPS Server
FTPS is an extension of the commonly used FTP that supports SSL. The FTPS server secures the endpoint network address book. The following uses the FileZilla server as an example to describe how to configure an FTPS server.
Step 1 Set the IP address of the computer on which the FileZilla server is to be installed. Ensure that the IP addresses of the computer and the endpoint are in the same network segment.
Step 2 Run FileZilla_Server-0_9_41.exe on the computer.
Step 3 Double-click the server icon to launch the FTPS server. Click OK in the displayed dialog box shown in Figure 2-4.

Figure 2-4 Connect to Server (figure not reproduced)

Step 4 Choose Edit > Settings. The dialog box shown in Figure 2-5 is displayed.
Figure 2-5 Server settings (figure not reproduced)

Step 5 Click SSL/TLS settings in the left column, select Enable FTP over SSL/TLS support(ftps), click Browse to import the certificate, and click OK. If no certificate is available, click Generate new certificate.
Step 6 Choose Edit > Users. The dialog box shown in Figure 2-6 is displayed.

Figure 2-6 Adding a user (figure not reproduced)

Step 7 Click Add to add a user. Select Enable account and Password and enter the password.
Step 8 Choose Shared folders > Add and set the directory for the software to be used for the upgrade in the dialog box shown in Figure 2-7.

Figure 2-7 Setting the directory for the software to be upgraded (figure not reproduced)

Step 9 Click OK.
----End
After the FTPS server configuration is complete, configure the network address book. For details, see the HUAWEI 9000 HD Videoconferencing Endpoint Administrator Guide.

2.11 Site Monitoring and Management
This function involves privacy protection. Ensure that its use complies with local laws and regulations.
To ensure conference security and protect privacy, the site monitoring and management function is disabled by default. You can enable it from the user interface controlled by the remote control.

2.11.1 Enabling the Site Monitoring and Management Function
To enable the site monitoring and management function: on the user interface controlled by the remote control, choose Settings > Security > Web Login and enable Video Control.

2.11.2 Taking a Picture
After the site monitoring and management function is enabled, you can capture and view local and remote videos and presentations on the web interface.
Step 1 On the web interface, choose Device Control > Video Control.
On the Video Control interface, an icon (not reproduced here) appears on the endpoint display to indicate that the video monitoring and management function is enabled.
Step 2 Select the source you want to capture and click Capture.
Step 3 In the displayed interface, right-click the picture.
Step 4 From the displayed shortcut menu, choose Save Picture As to save the picture.
----End

2.12 Upgrading Using the Bootrom
If you fail to upgrade the software locally, you can use the bootrom system.

2.12.1 Preparing for the Upgrade
Before the upgrade, note the following prerequisites:
- Save the software package for the upgrade on the computer.
- Connect the computer to the endpoint through a crossover cable or a switch.

2.12.2 Performing an Upgrade
Step 1 Set the IP address of the computer to a static IP address, such as 172.16.21.115, and set the subnet mask to 255.255.252.0.
Step 2 Turn the switch on the rear panel of the endpoint to Load.
- When you are using the HUAWEI VP9030, HUAWEI VP9035A, HUAWEI VP9036S, HUAWEI VP9039S, or HUAWEI VP9039A, you can turn both switches to Load (the IP address of the endpoint remains unchanged) or turn switch 1 to Load (the IP address of the endpoint changes to 172.16.21.114).
- When you are using the HUAWEI VP9033, HUAWEI VP9035, HUAWEI VP9036, or HUAWEI VP9039, turn switch 1 to Load. The IP address of the endpoint changes to 172.16.21.114.
After you turn the switch to a different position, the IP address of the endpoint may change. Ensure that the IP addresses of the computer and the endpoint are in the same network segment.
Step 3 Restart the endpoint.
Step 4 Log in to the endpoint using Telnet and run the main enableupg 1 command to enable the bootrom system upgrade function. By default, the upgrade function is disabled.
Step 5 Extract the upgrade software from the compressed file on the computer.
Step 6 Run UpgradeTool.exe to display the upgrade window.
Step 7 Choose all files and click Browse to find the .dat files.
Step 8 Enter the IP address of the endpoint, such as 172.16.21.114. Then click Upgrade.
Step 9 In the displayed dialog box, click OK to start the upgrade.
Step 10 When the upgrade is complete, log in to the endpoint using Telnet and run the main enableupg 0 command to disable the bootrom system upgrade function.
Step 11 Turn the switch on the rear panel of the endpoint to Norm.
Step 12 Restart the endpoint.
----End

2.13 Bootrom Operations
Step 1 Use a serial cable to connect the serial port on the computer to the COM1 serial port on the endpoint.
Step 2 Power on the endpoint and press Ctrl+C three times after the information shown in Figure 2-8 is displayed. The system prompts you to enter the password.

Figure 2-8 Starting the system (figure not reproduced)

Step 3 Enter the password of the bootrom system. The information shown in Figure 2-9 is displayed.

Figure 2-9 Selecting a step (figure not reproduced)

Step 4 Enter a number after Please input your choice. The system performs the operation.
----End

2.14 Verifying a Digital Signature
To ensure the integrity of software received by Huawei customers, all software and software packages must be digitally signed. Any change to the software or software package after signing invalidates the signature. Customers can check whether software or a software package has been altered during delivery by verifying the digital signature.
The following software is verified using the digital signature:
- ShowTool.exe
- UpgradeTool.exe
- Network Diagnostician.exe
- Address Book Editor (TIP).xls
- Address Book Editor.xls
FileIntergrityVerify.exe is a digital signature verification tool provided for Huawei technical support engineers and enterprise customers. Huawei technical support engineers can get the verification tool from the UC&C Security Competence Center of Enterprise BG.

2.14.1 Working Environment Requirements
FileIntergrityVerify.exe works in the following environment:
- Operating system: Windows Vista, Windows Server 2008, or later
- Libeay32.dll (provided with FileIntergrityVerify.exe)

2.14.2 Verifying FileIntergrityVerify.exe
Step 1 Right-click the FileIntergrityVerify.exe icon.
Step 2 From the displayed shortcut menu, choose Properties and click Digital Signatures.
Step 3 Select a signature in Signature list and click Details. The dialog box shown in Figure 2-10 is displayed.
Figure 2-10 Digital Signature Details (figure not reproduced)

Step 4 Click View Certificate. Check the Issued to, Issued by, and Valid from...to... information in the dialog box shown in Figure 2-11. If the certificate has changed, the digital signature tool may have been changed. In this case, you cannot use the existing tool for verification and must get a secure signature tool from the UC&C Security Competence Center of Enterprise BG.

Figure 2-11 Certificate (figure not reproduced)

----End

2.14.3 Verifying the Signature
Step 1 Save the signature file (.sign file) and the software to be verified in the same folder.
Step 2 Double-click the FileIntergrityVerify.exe icon to run the digital signature verification tool.
Step 3 Select the file to be verified as shown in Figure 2-12.

Figure 2-12 Selecting a file (figure not reproduced)

Step 4 Click Verify. Figure 2-13 indicates that the verification succeeded.

Figure 2-13 Verification success (figure not reproduced)

----End
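Section 2.14.2 checks the verification tool's own signature by hand in the file Properties dialog. The PowerShell function below is an added example, not Huawei's tool and not part of the original document: it performs the same Issued to / Issued by / Valid from...to check with the built-in Get-AuthenticodeSignature cmdlet so that the result can be scripted and logged before the tool is trusted. The file path and the expected subject and issuer strings are placeholders; take the reference values from a copy of FileIntergrityVerify.exe obtained from the UC&C Security Competence Center of Enterprise BG, not from this page.

```powershell
# Added example (not Huawei's code). Verifies the Authenticode signature of the
# digital signature verification tool and compares the signer certificate with
# the values you recorded from a known-good copy (section 2.14.2, Step 4).
function Test-VerifierToolSignature {
    param(
        [Parameter(Mandatory)] [string] $ToolPath,          # e.g. 'C:\tools\FileIntergrityVerify.exe' (placeholder)
        [Parameter(Mandatory)] [string] $ExpectedSubject,   # "Issued to" value from the known-good copy (placeholder)
        [Parameter(Mandatory)] [string] $ExpectedIssuer     # "Issued by" value from the known-good copy (placeholder)
    )

    $sig = Get-AuthenticodeSignature -FilePath $ToolPath

    # Any status other than Valid means the file is unsigned, was modified after
    # signing, or chains to a certificate this machine does not trust.
    if ($sig.Status -ne 'Valid') {
        return [pscustomobject]@{
            File       = $ToolPath
            Trusted    = $false
            Reason     = "Authenticode status: $($sig.Status)"
            Thumbprint = $null
        }
    }

    $cert     = $sig.SignerCertificate
    $now      = Get-Date
    $problems = @()

    # The three fields the manual tells you to inspect in the certificate dialog.
    if ($cert.Subject -ne $ExpectedSubject) { $problems += "unexpected Issued to: $($cert.Subject)" }
    if ($cert.Issuer  -ne $ExpectedIssuer)  { $problems += "unexpected Issued by: $($cert.Issuer)" }
    if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
        $problems += "validity $($cert.NotBefore) to $($cert.NotAfter) does not cover today"
    }

    $reason = if ($problems.Count -gt 0) { $problems -join '; ' } else { 'signature valid and certificate fields match' }

    [pscustomobject]@{
        File       = $ToolPath
        Trusted    = ($problems.Count -eq 0)
        Reason     = $reason
        Thumbprint = $cert.Thumbprint   # record this alongside the result for the audit trail
    }
}

# Usage (all three arguments are placeholders to be replaced with your recorded values):
# Test-VerifierToolSignature -ToolPath 'C:\tools\FileIntergrityVerify.exe' `
#     -ExpectedSubject 'CN=<expected signer>' -ExpectedIssuer 'CN=<expected issuer CA>' | Format-List
```

If Trusted is false, follow the instruction in Step 4: do not use the tool for verification and obtain a fresh copy from the UC&C Security Competence Center. Keeping the returned Thumbprint with the maintenance record lets the next check compare against a stable identifier rather than the display strings alone.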
3 System Layer Security
Security maintenance at the system layer ensures smooth operation of the operating system, which supports the operation of the application software. The endpoint uses the embedded operating system VxWorks, which is more secure and immune to viruses than Windows or Linux.
4 Network Layer Security
Figure 4-1 shows the endpoint security networking diagram.

Figure 4-1 Endpoint networking diagram (figure not reproduced; labels in the figure: HD endpoint, Private network, Public network, HD videoconferencing endpoint)

Over the network: The endpoint is connected to the Multipoint Control Unit (MCU) through the private network, which connects to different networks through different ports. The endpoints in the private or public network can join the conference even if you do not change the H.323 protocol or the firewall settings (such as opening ports).
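The firewall strategy for the endpoint is checked against the communication matrix (see chapter 6), and chapter 2 states which management services should remain reachable after hardening: SSH on port 22 rather than Telnet on port 23 (sections 2.1.5 and 2.7.2), and HTTPS rather than HTTP for the web interface (section 2.6). The PowerShell function below is an added example, not part of the Huawei document, that an administrator can run from the maintenance PC against an endpoint they operate to confirm that state. The endpoint IP address is a constructed sample; ports 22 and 23 are the values given in section 2.1.5, while 443 and 80 are the assumed standard HTTPS and HTTP ports and must be confirmed against the HUAWEI 9000 HD Videoconferencing Endpoint Communication Matrix.

```powershell
# Added example (not Huawei's code). Checks, from the administrator's PC, which
# management ports of an endpoint you operate accept TCP connections, and flags
# any deviation from the hardened state described in chapter 2.
function Test-EndpointManagementPorts {
    param(
        [Parameter(Mandatory)] [string] $EndpointIp,   # constructed sample in the usage line below
        [int] $TimeoutMs = 2000                         # per-port connect timeout
    )

    # Expected = $true means the service should be reachable after hardening.
    # Ports 22/23 come from section 2.1.5; 80/443 are assumed standard ports.
    $services = @(
        @{ Port = 22;  Name = 'SSH (encrypted management, section 2.7)';              Expected = $true  },
        @{ Port = 23;  Name = 'Telnet (plaintext; disable per section 2.7.2)';        Expected = $false },
        @{ Port = 443; Name = 'HTTPS web interface (SSL encryption on, section 2.6)'; Expected = $true  },
        @{ Port = 80;  Name = 'HTTP web interface (plaintext, SSL encryption off)';   Expected = $false }
    )

    foreach ($svc in $services) {
        $client = New-Object System.Net.Sockets.TcpClient
        try {
            # Asynchronous connect so a filtered port fails after $TimeoutMs
            # instead of the operating system's much longer default.
            $async = $client.BeginConnect($EndpointIp, $svc.Port, $null, $null)
            if ($async.AsyncWaitHandle.WaitOne($TimeoutMs)) {
                $client.EndConnect($async)   # throws if the endpoint refused the connection
                $open = $true
            } else {
                $open = $false               # no answer within the timeout (filtered or host down)
            }
        } catch {
            $open = $false
        } finally {
            $client.Close()
        }

        $finding = if ($open -eq $svc.Expected) { 'OK' }
                   elseif ($open)              { 'REVIEW: insecure or unexpected service reachable' }
                   else                        { 'REVIEW: expected service not reachable' }

        [pscustomobject]@{
            Port     = $svc.Port
            Service  = $svc.Name
            Open     = $open
            Expected = $svc.Expected
            Finding  = $finding
        }
    }
}

# Usage (the IP address is a constructed sample):
# Test-EndpointManagementPorts -EndpointIp '192.168.1.1' | Format-Table -AutoSize
```

A REVIEW line for port 23 means Telnet Login is still allowed on the endpoint or the firewall still passes it; re-check the setting as described in section 2.7.2 and the firewall rule against the communication matrix. Running the check from both the private and the public network side shows whether the firewall strategy, not only the endpoint setting, enforces the intended exposure.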
5 Management Layer Security
This chapter describes management recommendations for users' daily security maintenance, which can be referred to when users set the rules for security management.

5.1 Principles of System

5.1.1 Account Management
- Manage the accounts strictly.
- Control the permissions of accounts of different levels. Only users of higher levels can change the passwords of users of lower levels.

5.1.2 Permission Management
- Minimize the permissions of the system services and of the accounts.
- Strictly control operation authorization on the web interface.

5.1.3 Auditing Principles
- Use logs and other feasible methods to monitor operations on the endpoint.
- Audit failed access to the system's important resources.
- Audit successful access to the system's important resources.
- Audit failed and successful modifications of the access control strategy.

5.2 Password Maintenance Recommendations
User identity authentication is a must for accessing the application system. Configure the user account, password, and validity period as required. The following are recommendations on password maintenance:
- Keep system administrators' accounts and passwords secret.
- Encrypt the password before its transmission.
- Remind the user to change the password before handing over the system.
5.3 Logs Maintenance Recommendations
Use logs to identify suspicious activities. The system must record operations, such as system parameter settings and tariff configuration and release, in the logs. Reinforce the system to protect the logs.

5.3.1 Checking Logs Regularly
Check the system logs, application logs, and security logs regularly, and report to the department at a higher level once abnormal logs are found. Ask the local representative office for help if the issues cannot be located or resolved.

5.3.2 Backing Up Logs Regularly
Back up logs regularly by exporting them manually and storing them on devices such as a disk, tape, or compact disc. The system supports a maximum of 10,000 logs. Once the number of logs exceeds 10,000, new logs replace the old ones; users must therefore back up logs in time.

5.4 Security Evaluation Recommendations
You are advised to engage a qualified organization to evaluate the system security and to contact Huawei technical support engineers when problems occur during the evaluation.

5.5 Backup Recommendations
Back up the logs for security maintenance:
- Before daily security maintenance.
- Before and after troubleshooting.
- Before patch installation.
- Before the system upgrade.
For details, see the HUAWEI 9000 HD Videoconferencing Endpoint Administrator Guide.

5.6 Defects Feedback Recommendations
You are advised to give feedback to Huawei once an accident happens while the endpoint is used. Huawei will take the following actions accordingly:
- If an accident happens, Huawei technical support engineers will support customers remotely or on site to reduce the impact on the system and improve the report on the accident treatment.
- If no accident happens, Huawei technical support engineers record the defects in the database and send them to the R&D team. Once the R&D team prescribes a solution, the technical support engineers analyze the solution's possible impact on site operations and provide a final solution.
5.7 Emergency-Response Mechanism
Users must set up an emergency-response mechanism to minimize the loss, solve security issues, and restore operation once an accident happens. Users can also report security issues to Huawei at PSIRT@huawei.com.
6 Appendix
The communication matrix is used to check the firewall strategy. For details, see the HUAWEI 9000 HD Videoconferencing Endpoint Communication Matrix.