HUAWEI DP300 Desktop Presence V500R002C00 Security Maintenance Issue 01 Date 2015-09-15 HUAWEI TECHNOLOGIES CO., LTD.
Copyright © Huawei Technologies Co., Ltd. 2015. All rights reserved.
No part of this document may be reproduced or transmitted in any form or by any means without prior written consent of Huawei Technologies Co., Ltd.

Trademarks and Permissions
and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd. All other trademarks and trade names mentioned in this document are the property of their respective holders.
HUAWEI DP300 Desktop Presence Security Maintenance

About This Document

Overview
This document introduces security maintenance operations of the HUAWEI DP300 desktop presence (DP300 or endpoint for short). Before you use the product, refer to the product vendor for version mapping information and to confirm compatibility with other videoconferencing equipment.
Symbol | Description
[symbol] | Calls attention to important information, best practices and tips. NOTE is used to address information not related to personal injury, equipment damage, and environment deterioration.

Related Documents
Document Title | Description | Document Location
HUAWEI DP300 Desktop Presence V500R002C00 Quick Installation Guide | Describes the packaged items and provides guidance for quick installation and common configuration. |
Issue 01 (2015-09-15)
This issue is used for first office application (FOA).

Issue 01 (2015-09-15) Huawei Proprietary and Confidential Copyright © Huawei Technologies Co., Ltd.
Contents
About This Document
1 Overview
1.1 Purpose of Security Maintenance
2.12.2 Taking Picture
2.13 Upgrading Using the Mini System
2.13.1 Preparing for the Upgrade
1 Overview

1.1 Purpose of Security Maintenance
Application systems now face severe security threats. When problems occur, business may be disrupted, profits reduced, or systems may even break down. Users must build and maintain application system security at different layers, and discover and resolve potential threats in advance.
Management Layer
Security maintenance of the management layer strengthens the management of people in order to avoid threats. Maintenance at the management layer involves the maintenance operations at all preceding layers.
2 Application Layer Security

2.1 Setting the Interaction Mode
On the DP300 display, tap [icon] in the lower right corner to switch between the PC mode and videoconferencing mode.
In PC mode, the DP300 display can be used as the PC monitor, on which you can answer calls to join conferences.
- On the touchscreen, tap [icon] and choose Advanced > Settings > Security > Password.
- On the remote control screen, choose Advanced > Settings > Security > Password, and set the password.
- On the web interface, choose System Settings > Security > GUI, and set the password.
Table 2-1 Web management account
Account Name | Default Password | Description and Remarks
admin | Change_Me | This account is the default account with the highest permission and cannot be deleted. To ensure account security, you are advised to change the password at the first login and regularly change the password afterward. For details about account levels, see section Web Management Users.
Table 2-2 API account
Account Name | Default Password | Description and Remarks
api | Change_Me | The account is required for a third party (for example, a touch panel) to log in to the DP300, or for the SMC2.0 to add a manageable site. To ensure account security, you are advised to change the password at the first login and regularly change the password afterward. This account is the default account.
Account Name | Default Password | Description | Remarks
user | Change_Me | Common user account with lower permission than the admin account. | -
apiuser | Change_Me | Special account with lower permission than the user account. | This is a special account and not for common users.
test | Change_Me | Dedicated account for testing with lower permission than the user account. |
Table 2-5 Serial port account
Account Name | Default Password | Description | Remarks
root | Change_Me | This account is used for a computer to log in to the DP300 through serial ports. | To secure your account, it is recommended that you change the password upon the first login and regularly change the password afterwards. To change the password, run the passwd command.

2.2.
2.2.8 Network Diagnostics Tool Account
After the network diagnostics function is enabled, the network diagnostics tool can use the H.323 call port, RAS source port, RAS destination port, or SIP call port to diagnose the DP300. Table 2-6 describes the network diagnostics tool account.
Table 2-7 Information required for connecting to the videoconferencing network management system
Parameter | Default Setting | Description and Remarks
SNMP V2 | Change_Public | Specifies the credential that the videoconferencing network management server uses to obtain DP300 settings. The parameter settings must be the same as those in the videoconferencing network management system.
Parameter | Default Setting | Description and Remarks
Authentication password | Change_Me | management system to your DP300. attempts to connect to your DP300, Authentication protocol and New password set on your DP300 are required.
Encryption protocol | AES | Specify the encryption protocol and password for connecting the videoconferencing network management system to your DP300.
Encryption password | Change_Me | (same description as Encryption protocol)
The DP300 uses Hypertext Transfer Protocol Secure (HTTPS) mode to upload the multipoint conference information and supports Transmission Control Protocol (TCP) mode when a multipoint conference is initiated. If HTTPS mode is disabled, the DP300 uses the insecure TCP mode. You are advised to use HTTPS mode for better communication security.
1. Choose Advanced > Settings > Security > Encryption and select one of the following options:
- Disable: No stream is encrypted.
- Enable: Streams are forced to be encrypted. If you select this option, your DP300 can attend encrypted conferences only. To improve communication security, select this option.
- Maximum interconnectivity: Streams are encrypted only when a call is set up.
Figure 2-1 Web login page
Step 3 Enter the user name and password. Select a language.
Step 4 Click Log In, or press Enter.
NOTE
To ensure data security, after accessing the web interface, close the browser and delete browser caches.
----End

2.6.
- You are allowed to use the remote control to control web login. To disable web login, choose Advanced > Settings > Security > Web Login on the remote control and deselect Web Login.
- The DP300 supports a maximum of 10 concurrent logins to the web interface.

2.8 SSH Access Control
During remote access and data transmission, SSH commands can be run to create an encrypted channel between the application layer and client.

2.8.
Figure 2-2 PuTTY Configuration dialog box
Step 2 In Host Name (or IP address), enter the IP address, such as 10.10.10.1.
Step 3 Select SSH for Protocol. Use the default value for Port.
Step 4 Click Open. The login interface is displayed.
Step 5 Enter the user name and password and run the commands. For details, see the HUAWEI DP300 Desktop Presence V500R002C00 Command Reference.
Creating an SSH Private-Public Key Pair
Create an SSH private-public key pair and associate the private-public key pair with the local computer or server.
Step 1 Log in to the Linux operating system, run the ssh-keygen command in any CLI, and press Enter.
Step 2 Enter the name (for example, DP300) of the SSH private-public key pair as prompted and press Enter. The SSH public key DP300.pub and SSH private key DP300 are created.
Figure 2-3 Initial Quick Connect dialog box
Step 2 Select SSH2 for Protocol.
Step 3 In Hostname, enter the IP address, such as 10.10.10.1. Use the default value for Port.
Step 4 In the Authentication area, select PublicKey only.
Step 5 Click PublicKey, then click Properties.... The Public Key Properties dialog box is displayed.
Step 6 In the Use identity or certificate file text box, click ...
Figure 2-4 Selecting the SSH public key
Step 7 Click OK to return to the Quick Connect dialog box, as shown in Figure 2-5.
Figure 2-5 Quick Connect dialog box
Step 8 In the Username text box, enter the SSH login account, for example, SSH administrator account debug.
Step 9 Click Connect. The login interface is displayed.
Step 10 Run the commands.
For details, see the HUAWEI DP300 Desktop Presence V500R002C00 Command Reference.
----End

2.9 Viewing Logs
Logs record all non-query events during the DP300 running, such as non-query user operations and commands. These events can help you locate and rectify faults, as well as assist you in auditing.
- On the touchscreen, tap
- Select Advanced > Diagnostics > Logs on the remote control UI.
Step 1 Set the IP address of the computer on which the FTPS server (for example, FileZilla server) is to be installed. Ensure that the IP addresses of the computer and DP300 are in the same network segment.
Step 2 Run the FTPS server installer (for example, FileZilla_Server-0_9_41.exe) to install the FTPS server on the computer.
Step 3 Double-click [icon] to run the FTPS server. Figure 2-6.
Figure 2-7 FTPS Server Options dialog box
Step 6 Choose Edit > Users. The Users dialog box is displayed, as shown in Figure 2-8.
Figure 2-8 Adding a user
Step 7 Click Add to add a user. Select Enable account and Password and enter the Password.
Step 8 Click Shared folders under Page, then click Add, and set the path for the user root directory of FTPS server, as shown in Figure 2-9.
Figure 2-9 Specifying the path for the user root directory of FTPS server
Step 9 Click OK.
----End

2.12 Video Monitoring
This function involves personal privacy.
On the remote control UI, choose Advanced > Settings > Security > Web Login and select Monitor video.

2.12.2 Taking Picture
After the video monitoring and management function is enabled, you can capture and view local and remote videos and presentations on the web interface.
Step 1 On the web interface, choose Device Control > Device Control > Video Control.
NOTE
At this time, the DP300 has two IP addresses available: the static IP address of the normal system and the default IP address (192.168.1.1). If the connection setup using the normal system IP address fails or the DP300 IP address is dynamic and unknown, you can use the default IP address for the upgrade.
Step 2 Use Telnet to log in to the DP300 and run mnt upgswitch on to enable the mini system upgrade function.
Step 4 Enter the password to the U-boot system as shown in Figure 2-11. The default password is 12345678.
To improve device security, set a password at your first login and regularly change the password afterward. Use the passwd command to change the password. The new password must be a string of eight characters, consisting of digits, letters, and special characters.
Background
Each software package corresponds to one digital signature file. A digital signature file is a .asc file named after a software package. For example, the digital signature file for the software package HUAWEI-DP300.exe is HUAWEI-DP300.exe.asc.

Procedure
1. Obtain the verification tool package. Open http://support.huawei.com/enterprise/toolsinfo?lang=en to enter the Tools and Resources page.
2.
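The naming rule in the Background paragraph (signature file = package file name plus .asc) can be checked over a download folder before the verification tool is run. The following is an added example, not Huawei code: the function names and every sample file name except HUAWEI-DP300.exe are assumptions, and it only checks that the files are present and paired, not the signatures themselves.

```python
import tempfile
from pathlib import Path

SIG_SUFFIX = ".asc"  # signature file name = package file name + ".asc"


def check_signature_pairs(directory):
    """Pair every package in `directory` with its <package>.asc file.

    Returns a dict of sorted file-name lists:
      paired            packages with a non-empty signature file
      missing_signature packages with no matching .asc file
      empty_signature   packages whose .asc file is zero bytes
      orphan_signature  .asc files whose package is absent
    """
    files = {p.name: p for p in Path(directory).iterdir() if p.is_file()}
    report = {"paired": [], "missing_signature": [],
              "empty_signature": [], "orphan_signature": []}
    for name in sorted(files):
        if name.endswith(SIG_SUFFIX):
            # A signature is only useful next to the package it signs.
            if name[:-len(SIG_SUFFIX)] not in files:
                report["orphan_signature"].append(name)
            continue
        sig = files.get(name + SIG_SUFFIX)
        if sig is None:
            report["missing_signature"].append(name)
        elif sig.stat().st_size == 0:
            report["empty_signature"].append(name)  # e.g. interrupted download
        else:
            report["paired"].append(name)
    return report


def ready_for_verification(report):
    """True only when at least one package exists and every file is paired."""
    return bool(report["paired"]) and not (
        report["missing_signature"]
        or report["empty_signature"]
        or report["orphan_signature"])


def build_sample_dir():
    """Constructed sample folder; file contents are placeholders."""
    root = Path(tempfile.mkdtemp())
    (root / "HUAWEI-DP300.exe").write_bytes(b"package bytes")
    (root / "HUAWEI-DP300.exe.asc").write_bytes(b"signature bytes")
    (root / "patch-a.bin").write_bytes(b"package bytes")   # no signature
    (root / "patch-b.bin").write_bytes(b"package bytes")
    (root / "patch-b.bin.asc").write_bytes(b"")            # empty signature
    (root / "old-release.zip.asc").write_bytes(b"signature bytes")  # no package
    return root


if __name__ == "__main__":
    for category, names in check_signature_pairs(build_sample_dir()).items():
        print(f"{category}: {names}")
```

Only packages listed under paired should go on to the signature verification tool; the other three categories point to an incomplete or mismatched download.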
2.17 Importing Web Certificates
To help ensure communication security, import web certificates, including the trusted Certificate Authority (CA) file, local certificate file, local private key file, and local private key password file, to the DP300 through the DP300 web interface.
NOTICE
Professional guidance is required for importing certificates.
Import Settings on the USB Device
NOTICE
Use the USB device to import the configuration file only in videoconferencing mode.
Step 1 Use the USB configuration tool to import the configuration file to a USB device.
Step 2 Insert the USB device into the DP300's USB port.
Step 3 Using the remote control or on the touchscreen, enter the administrator password as prompted.
3 System Layer Security
Security maintenance of the system layer ensures the smooth operation of the operating system, which supports the operation of the application layer.
The DP300 uses Linux, which is more secure and immune to viruses than Windows. Patches are released regularly. To improve system security, it is recommended that users download the latest patches at http://e.huawei.
4 Network Layer Security
Figure 4-1 shows the DP300 security networking.
Figure 4-1 DP300 security networking
Over the network: The DP300 is connected to the Multipoint Control Unit (MCU) through the private network, which connects to different networks through different ports. The DP300s in the private or public network can join the conference even if you do not change H.323 protocol or the firewall settings (such as opening the port).
5 Management Layer Security
This chapter gives management recommendations for users' daily security maintenance and can serve as a reference when users define security management rules.
5.1 Principles of System Security Maintenance

5.1.1 Account Management
- Manage the accounts strictly.
- Control the permissions of accounts of different levels. Only users of higher levels can change the passwords for users of lower levels.

5.1.2 Permission Management
- Minimize permissions to the system service and permissions of accounts.
- Strictly control the operation authorization on the web interface.

5.1.
Check the system logs, application logs, and security logs regularly and report to the department of a higher level once abnormal logs are found. Ask the local representative office for help if the issues cannot be located or resolved.

5.3.2 Backing Up Logs Regularly
Back up logs regularly by exporting them manually and store the logs on devices, such as the disc, tape, or compact disc.
5.8 Common Measures Against Attacks
- Deploy firewall devices on the network where the DP300 is located.
- Disable protocols that may expose the DP300 to attacks, such as Telnet and SSH. By default, Telnet and SSH are disabled. To check the settings of Telnet and SSH, choose System Settings > Security > SSH/Telnet on the DP300 web interface.
- If the DP300 is deployed on a public network, power off the DP300 when it is not in use.

5.
A Appendix
The communication matrix is used for checking the firewall strategy. For details, see the HUAWEI DP300 Desktop Presence V500R002C00 Communication Matrix.
B Default Settings
To better use your DP300, get to know the default values of common user names and passwords.
NOTE
To secure your account, it is recommended that you change the password upon the first login and regularly change the password afterwards.
Table B-1 lists the default user names and passwords for the DP300.
Item | Default Setting
User name and password for logging in to the DP300 in SSH/Telnet mode |
- Debug user: The default user name and password are debug and Change_Me respectively.
- Common user: The default user name and password are admin and Change_Me respectively.
- Common user: The default user name and password are user and Change_Me respectively.
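The advice to change every default password at first login can be checked against a rotation plan before it is applied. The following is an added example, not Huawei code: the account labels "uboot" and "snmp_v2_community", the plan format and all sample passwords are constructed assumptions, and the check for one password shared between accounts is an extra hygiene check this document does not itself require.

```python
# Defaults quoted in this document; "uboot" and "snmp_v2_community" are
# labels chosen for this example, not account names on the device.
PAGE_DEFAULTS = {
    "admin": "Change_Me", "api": "Change_Me", "user": "Change_Me",
    "apiuser": "Change_Me", "test": "Change_Me", "root": "Change_Me",
    "debug": "Change_Me", "snmp_v2_community": "Change_Public",
    "uboot": "12345678",
}


def uboot_rule_problems(password):
    """Check the U-boot rule stated in the mini system upgrade steps:
    eight characters consisting of digits, letters and special characters."""
    problems = []
    if len(password) != 8:
        problems.append("not exactly eight characters")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c.isalpha() for c in password):
        problems.append("no letter")
    if not any(not c.isalnum() for c in password):
        problems.append("no special character")
    return problems


def audit_rotation_plan(plan):
    """plan maps account label -> proposed new password.
    Returns {account: [findings]} for every account that has findings."""
    defaults = set(PAGE_DEFAULTS.values())
    users_of = {}
    for account, password in plan.items():
        users_of.setdefault(password, []).append(account)
    findings = {}
    for account in PAGE_DEFAULTS:
        issues = []
        password = plan.get(account)
        if password is None:
            issues.append("no new password planned")
        else:
            if password in defaults:
                issues.append("still a documented default")
            others = [a for a in users_of[password] if a != account]
            if others:
                issues.append("shared with " + ", ".join(others))
            if account == "uboot":
                issues.extend(uboot_rule_problems(password))
        if issues:
            findings[account] = issues
    return findings


# Constructed sample plan: "debug" is forgotten, "user" and "uboot" keep
# their defaults, and "admin" and "api" share one password.
SAMPLE_PLAN = {
    "admin": "Vx7#qLm2pR!d", "api": "Vx7#qLm2pR!d", "user": "Change_Me",
    "apiuser": "t9$KwZe4hN", "test": "b3@YuPa8sC", "root": "m6^DrTi1xF",
    "snmp_v2_community": "Rk2&nWq7Lz", "uboot": "12345678",
}

if __name__ == "__main__":
    for account, issues in audit_rotation_plan(SAMPLE_PLAN).items():
        print(f"{account}: {'; '.join(issues)}")
```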