Siveillance™ Video Hardening Guide 2019
Contents (excerpt)
Copyright
What is "Hardening?"
Target audience
Resources and references
Hardware and device components
Devices - basic steps
    Use strong passwords instead of default passwords
    Stop unused services and protocols
    Create dedicated user accounts on each device
    Scanning for devices
Management Server
    Adjust the token time-out
    Enable only the ports used by the management server
    Disable non-secure protocols
Recording Server
Copyright Copyright © 2019. Siemens Switzerland Ltd. All rights reserved. The information contained in this publication is company-proprietary to Siemens Switzerland Ltd. This publication and related software are provided under a license agreement containing restrictions on use and disclosure and are also protected by copyright law. Reverse engineering / copying of any Siemens Switzerland Ltd hardware, software, documentation, or training materials is strictly prohibited.
Introduction This guide describes the IT security and physical security measures and best practices that are required to achieve a minimum level of security. For higher security requirements, we recommend performing a threat and risk analysis and deriving additional measures from it. The guide covers security considerations for the hardware and software of the servers, clients and network device components of a video surveillance system.
Resources and references The following organizations provide resources and information about best practices for security:
• International Organization for Standardization (ISO)1
• United States (US) National Institute of Standards and Technology (NIST)
• Security Technical Implementation Guides (STIGs) from the US Defense Information Systems Agency (DISA)
• Center for Internet Security (CIS)
• SANS Institute
• Cloud Security Alliance (CSA)
• Internet Engineering Task Force (IETF)
• British Stand
1 See Appendix 1 for a list of references and Appendix 2 for a list of acronyms
Cyber threats and cyber risks There are many sources of threats to a VMS, including business, technology, process and human attacks or failures. A threat unfolds over a lifecycle, as shown in Figure 4. The threat lifecycle, sometimes called the "cyber kill chain" or "cyber threat chain," was developed to describe the stages of advanced cyber threats. Each stage of the lifecycle takes time, which gives defenders an opportunity to detect and interrupt the attack before it reaches its objective.
• Identify information and security risks • Assess and prioritize risks • Implement policy, procedures, and technical solutions to mitigate these risks The overall process of risk and threat assessment, and the implementation of security controls, is referred to as a risk management framework. This document refers to NIST security and privacy controls and other publications about risk management frameworks.
2 http://csrc.nist.gov/publications/nistpubs/800-39/SP800-39-final.pdf pages 8 and 9.
3 http://www.nist.gov/cyberframework/
4 http://csrc.nist.gov/publications/nistpubs/800-18-Rev1/sp800-18-Rev1-final.pdf
Figure 3: Balancing security and business goals (SP 800-39)
When hardening a system, you balance the impact on business productivity and usability for the sake of security, and vice versa, in the context of the services you deliver.
Figure 4: Example of a risk management framework (SP 800-53 Rev 4)
To document its risk management framework, NIST produced multiple special publications (see Figure 4). It includes the following components:
1. Categorization (identification of risk level)
2. Selection of security and privacy controls
3. Implementation
4. Assessment of the effectiveness of security controls
5. Creating an improved system security profile, and what's called an Authority to Operate (ATO)
6.
Privacy by design Siemens products are designed to deliver secure, end-to-end communication. Siemens products are designed to protect privacy and to secure data. Data protection is always important, but especially if you intend to be General Data Protection Regulation (GDPR) compliant in the EU.
Siveillance Video Format with encryption enabled. AVI and JPEG exports should not be allowed, because they cannot be made secure. Exporting in Siveillance Video Format makes the evidence material password protected, encrypted and digitally signed, ensuring that forensic material is genuine, untampered with and viewed by the authorized receiver only.
• Enable privacy masking – permanent or liftable Use privacy masking to help eliminate surveillance of areas irrelevant to your surveillance target.
Hardening requires that you keep your knowledge about security up-to-date: • Be aware of issues that affect software and hardware, including operating systems, mobile devices, cameras, storage devices, and network devices. Establish a point-of-contact for all of the components in the system. Ideally, use reporting procedures to track bugs and vulnerabilities for all components. • Keep current on Common Vulnerabilities and Exposures (CVEs)5 for all system components.
for public access, and one for private communication to other servers.
• Many precautions can be taken when it comes to general set up. In addition to firewalls11, these include techniques to segment the network and control access to the servers, clients and applications.
• Separate the VMS server network from the office network by isolating it in its own network zone. Configure the firewalls and VLANs to allow only required and specified traffic.
11 AC-3, AC-4, AC-6, CA-3, CM-3, CM-6, CM-7, IR-4, SA-9, SC-7, SC-28, SI-3, SI-8 in Appendices D and F in NIST 800-53 Rev4 (AC stands for Access Controls), (CM stands for Configuration Management) (IR stands for Incident Response) (SA stands for System and Service Acquisition) (SI stands for Systems and Information Integrity) 12 AC-2, AC-3, AC-6, AC-16, AC-25, AU-6, AU-9, CM-5, CM-11, IA-5, PL-8, PS-5, PS-7, SC-2, SI-7, in Appendices D and F in NIST 800-53 Rev4 (AU stands for Audit and Accountability), (IA
• NIST SP 800-53 SA-4 Acquisition Process 13 Specifics of surveillance objectives can be found in other documents, for example “BS EN 62676-11: Video surveillance systems for use in security applications. System requirements. General”. Establish a formal security policy and response plan Siemens recommends that you establish a formal security policy14 and a response plan that describe how your organization addresses security issues, in terms of practical procedures and guidelines.
• Reference to Secured password policy setting guidelines. If your organization does not use AD, you can add Windows users to workgroups on the management server instead. Workgroups give you some of the same advantages as Windows users with AD. You can enforce a password policy, which helps protect against brute force attacks, but Siemens recommends that you use a Windows Domain because this gives you central control over user accounts.
3. Select the role to which you want to add the Windows users. 4. On the Users and Groups tab, click Add, and select Windows user. A pop-up window appears. 5. If the domain name does not appear in the from this location field, click Locations. 6. Specify the Windows user, and then click OK. To verify that the Windows user is an AD user, the domain name must appear as a prefix, for example "Domain\John".
NIST SP 800-53 SA-5 Information System Documentation NIST SP 800-53 SA-13 Trustworthiness
Secure Communication (Explained) Hypertext Transfer Protocol Secure (HTTPS) is an extension of the Hypertext Transfer Protocol (HTTP) for secure communication over a computer network. In HTTPS, the communication protocol is encrypted using Transport Layer Security (TLS). Its predecessor, Secure Sockets Layer (SSL), is deprecated and should be disabled on servers and clients; use TLS 1.2 or later.
• A CA certificate acts as a trusted third party, trusted by both the Subject/owner (management server) and by the parties that verify the certificate (recording servers)
• The public CA certificate must be trusted on all recording servers.
• Siveillance Video Event Server
• Siveillance Video LPR
• ONVIF Bridge
• Siveillance Video DLNA Server
• Sites that retrieve data streams from the recording server through VMS Interconnect
• Some third-party MIP SDK integrations
Note: For solutions built with MIP SDK 2018 R3 or earlier that access recording servers: If the integrations are made using MIP SDK libraries, they need to be rebuilt with MIP SDK 2019 R1; if the integrations communicate directly with the Recording Server APIs without using MIP
Note: If you enable encryption on the recording servers and your system applies failover recording servers, Siemens recommends that you also prepare the failover recording servers for encryption. Encryption from the management server You can encrypt the two-way connection between the management server and the recording server. When you enable encryption on the management server, it applies to connections from all the recording servers that connect to the management server.
• Trusted on the management server, by trusting the CA certificate that was used to issue the recording server certificate
• The service account that runs the recording server must have access to the private key of the certificate on the recording server.
Mobile server data encryption (explained) In Siveillance Video, encryption is enabled or disabled per mobile server.
• The service account that runs the mobile server must have access to the private key of the certificate installed on the mobile server (never the CA's own private key, which must stay on the CA)
About Kerberos authentication Kerberos is a ticket-based network authentication protocol. It is designed to provide strong authentication for client/server or server/server applications. Use Kerberos authentication as an alternative to the older Microsoft NT LAN Manager (NTLM) authentication protocol.
Use Windows Update Siemens recommends that you use Windows Update to protect your VMS against vulnerabilities in the operating system by making sure that the latest updates are installed. Siveillance Video is Windows-based, so security updates from Windows Update are important. Updates can require a connection to the Internet, so Siemens recommends that this connection is open only as required, and that it is monitored for unusual traffic patterns. Windows Updates often require a restart, so plan them in a maintenance window.
that the device pack supports is listed in the Tested Firmware column. Figure 7 Learn more The following control(s) provide additional guidance: • NIST SP 800-53 SI-2 FLAW REMEDIATION How to configure IPSEC Please refer to the Annexure in the guide "How to configure IPSec" (refer to page number 58). Use secure and trusted network connections Network communications must be secure, whether or not you are on a closed network. By default, secure communications should be used when accessing the VMS.
between the client devices and the VMS servers. Learn more The following control(s) provide additional guidance: • NIST SP 800-53 SI-2 FLAW REMEDIATION • NIST SP 800-53 CM-6 Configuration Settings • NIST SP 800-53 SC-23 Session Authenticity 16 https://datatracker.ietf.org/wg/tls/charter/ 17 https://datatracker.ietf.org/wg/pkix/documents/, https://cabforum.
Management Server service
Port number | Protocol | Process | Connections from… | Purpose
7475 | TCP | Management Server service | Windows SNMP Service | Communication with the SNMP extension agent. Do not use the port for other purposes even if your system does not use SNMP. In Siveillance Video 2014 systems or older, the port number was 6475.
8080 | TCP | Management Server | Local connection only | Communication between internal processes on the server.
9993 | TCP | Management Server service | Recording Server services | Authentication, configuration, token exchange.
7609 | HTTP | IIS | On the Management Server computer: Data Collector services on all other servers. On other computers: Data Collector service on the Management Server. | System Monitor

Event Server service
Port number | Protocol | Process | Connections from… | Purpose
1234 | TCP/UDP | Event Server service | Any server sending generic events to your Siveillance Video system. | Listening for generic events from external systems or devices.

Recording Server service
Port number | Protocol | Process | Connections from… | Purpose
25 | SMTP | Recording Server service | Cameras, encoders, and I/O devices | Listening for event messages from devices. The port is disabled by default.
5210 | TCP | Recording Server service | Failover recording servers | Merging of databases after a failover recording server has been running.
5432 | TCP | Recording Server service | Cameras, encoders, and I/O devices | Listening for event messages from devices.

Failover Server service and Failover Recording Server service
Port number | Protocol | Process | Connections from… | Purpose
25 | SMTP | Recording Server service | Cameras, encoders, and I/O devices | Listening for event messages from devices. The port is disabled by default.
5210 | TCP | Recording Server service | Failover recording servers | Merging of databases after a failover recording server has been running.
5432 | TCP | Recording Server service | Cameras, encoders, and I/O devices | Listening for event messages from devices.

Mobile Server service
Port number | Protocol | Process | Connections from… | Purpose
8081 | HTTP | Mobile Server service | Mobile clients, Web clients, and Management Client | Sending data streams; video and audio.
8082 | HTTPS | Mobile Server service | Mobile clients and Web clients | Sending data streams; video and audio.

LPR Server service
Port number | Protocol | Process | Connections from… | Purpose
22334 | TCP | LPR Server service | Event server | Retrieving recognized license plates and server status. In order to connect, the Event server must have the LPR plug-in installed.

Cameras, encoders, and I/O devices – inbound connections
Port number | Protocol | Connections to… | Purpose
80 | TCP | Recording servers and failover recording servers | Authentication, configuration, and data streams; video and audio.
443 | HTTPS | Recording servers and failover recording servers | Authentication, configuration, and data streams; video and audio.
554 | RTSP | Recording servers and failover recording servers | Data streams; video and audio.

Port number | Protocol | Connections to… | Purpose
7563 | TCP | Recording Server service | Retrieving video and audio streams, PTZ commands.
22331 | TCP | Event Server service | Alarms

Web Client, Siveillance Video Mobile client
Port number | Protocol | Connections to… | Purpose
8081 | HTTP | Siveillance Video Mobile Server | Retrieving video and audio streams
8082 | HTTPS | Siveillance Video Mobile Server | Retrieving video and audio streams

Unless otherwise specified, the ports are both inbound and outbound. The port numbers are the default numbers.
section “About virus scanning” in the Siveillance Video Administrator Guide.
1. Open Management Client.
2. Expand the Server Logs node.
3. Click Audit Log.
18 Many businesses use syslog servers to consolidate logs. You can use syslog to note activities at a Windows level, however, Siveillance Video Advanced VMS does not support syslog
Adopt standards for secure network and VMS implementations Siemens recommends that you adopt standards for secure networking and Siveillance Video implementations. The use of standards is a basic component of Internet and network engineering, and the basis of interoperability and system conformance. This also applies to the use of cryptographic solutions, where standards-based cryptography is the most commonly accepted approach.
Siemens recommends that you use physical access control, and use the VMS itself to monitor the locations that house its sensitive components. Physical restriction and role-based physical access control are countermeasures that keep servers and workstations secure. Administrators and users should only have access to the information they need in order to fulfill their responsibilities. If all internal users have the same access level to critical data, it's easier for attackers to access the network. 19 http://www.nist.
Siemens recommends that you follow IT and vendor best practices to ensure that devices on your network are securely configured. Ask your vendors to provide this information. It is important to open and maintain a security dialogue, and a discussion of best practices is a good place to start. It is important to deny access to the VMS by not using vulnerable network settings.24 20 https://technet.microsoft.com/en-us/magazine/ff721825.aspx, http://scap.nist.gov/validation/ 21 http://csrc.nist.
To help avoid unauthorized access or information disclosure, Siemens recommends that you stop unused services and protocols on devices, for example Telnet, SSH, FTP, UPnP, IPv6, SMTP and Bonjour. It is also important to use strong authentication on any services that access the VMS, network, or devices. For example, use SSH keys instead of user names and passwords, and use certificates from a Certificate Authority for HTTPS.
3. Under Authentication, enter the new user name and password.
Learn more The following control(s) provide additional guidance:
• NIST SP 800-53 AC-2 Account Management
• NIST SP 800-53 AC-6 Least Privilege
Scanning for devices Scanning for devices (for example, Express scan or Address range scanning when adding hardware) is done using broadcasts that may contain user names and passwords in plain text.
Use a firewall between the VMS and the Internet The VMS should not connect directly to the Internet. If you expose parts of the VMS to the Internet, Siemens recommends that you use an appropriately configured firewall between the VMS and the Internet. Use a separate network segment for the VMS servers. Expose only the Siveillance Video Mobile server component to the Internet, and locate it in a demilitarized zone (DMZ) with firewalls on both sides.
Learn more The following control(s) provide additional guidance:
• NIST SP 800-53 SI-4 Information System Monitoring
Network - advanced steps Use secure wireless protocols If you use wireless networks, Siemens recommends that you use a secure wireless protocol to prevent unauthorized access to devices and computers. For example, use standardized configurations such as WPA2 (or later) with 802.1X authentication, and never WEP or open networks. The NIST guidance on wireless local area networks provides specific details on network management and configuration.
Learn more The following control(s) provide additional guidance:
• NIST 800-53 CM-1 Configuration Management Policy and Procedures
• NIST 800-53 CM-2 Baseline Configuration
• NIST 800-53 AC-6 Least Privilege
• NIST 800-53 CM-6 Configuration Settings
• NIST 800-53 CM-7 Least Functionality
Run the VMS on a dedicated network Siemens recommends that, whenever possible, you separate the network where the VMS is running from networks with other purposes.
Disable automatic administrative logon to recovery console • Reference to Disable automatic administrative logon to recovery console to be provided Use Screen Savers • Configure a screen-saver to lock the console's screen automatically if the host is left unattended.
• NIST 800-53 MP-7 Media Use
Use individual administrator accounts for better auditing As opposed to shared administrator accounts, Siemens recommends using individual accounts for administrators. This lets you track who does what in Siveillance Video, and lets you disable or restrict one administrator's account without affecting the others. Use an authoritative directory such as Active Directory to manage the administrator accounts. You assign administrator accounts to roles in Management Client under Roles.
To mitigate this, you must first set up verifiable server certificates. After the certificates are set up, modify the ConnectionString value in the Windows registry by removing trustServerCertificate=true, as follows:
Registry key: Computer\HKEY_LOCAL_MACHINE\SOFTWARE\VideoOS\Server\Common\ConnectionString
Current connection string: Data Source=localhost;initial catalog='Surveillance';Integrated Security=SSPI;encrypt=true;trustServerCertificate=true
Hardened connection string: Data Source=localhost;initi
https://msdn.microsoft.com/en-us/library/ms144228.aspx and http://download.microsoft.com/download/8/f/a/8fabacd7-803e-40fc-adf8355e7d218f4c/sql_server_2012_security_best_practice_whitepaper_apr2012.docx. Siemens recommends securing the communication to the Database Server via TLS. Step 1: (Management Server Side) Create the SSL certificate that is used for securing the communication between VMS Management Server and Database Server machines.
Step 4: (Database Server Side) - The following properties dialog opens. In the ‘Flags’ tab, select ‘Force Encryption’ to Yes. In the ‘Certificate’ tab, select the certificate that is created in Step 1.
With the above four steps, the communication between the Management Server and the Database Server is protected with TLS (the SQL Server dialog still labels it SSL).
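The registry change described under "Insecure database connection" above and the verification of the TLS setup described here can both be scripted. The following PowerShell is an added example and is not code from the Siemens guide or the product: part 1 rewrites the ConnectionString value so that the SQL Server certificate must validate (it removes trustServerCertificate=true and keeps encrypt=true), and part 2 opens a connection with the hardened string and asks SQL Server whether the session is actually encrypted. The registry path and value name are the ones the guide lists; the backup location and function names are this example's own choices.

```powershell
# Added example, not from the Siemens guide. Part 1 rewrites the Management Server's
# database connection string in the registry so that the SQL Server certificate must
# validate (drops trustServerCertificate=true, keeps encrypt=true). Part 2 opens a
# connection with the hardened string and asks SQL Server whether the session is
# really encrypted. Run it elevated, and run part 2 as the Management Server service
# account, because Integrated Security=SSPI authenticates as the caller.
$RegPath = 'HKLM:\SOFTWARE\VideoOS\Server\Common'
$Name    = 'ConnectionString'

function Get-HardenedConnectionString {
  param([Parameter(Mandatory)][string]$ConnectionString)
  # Keep every key=value except trustServerCertificate, then make sure encryption is
  # still requested. -match/-notmatch are case-insensitive, so TrustServerCertificate
  # in any spelling is caught.
  $parts = @($ConnectionString -split ';' |
             Where-Object { $_ -match '\S' } |
             Where-Object { $_ -notmatch '^\s*trustServerCertificate\s*=' })
  if (-not ($parts | Where-Object { $_ -match '^\s*encrypt\s*=\s*true\s*$' })) {
    $parts = @($parts | Where-Object { $_ -notmatch '^\s*encrypt\s*=' }) + 'encrypt=true'
  }
  return ($parts -join ';')
}

# Part 1: back up the current value, then replace it.
$current  = (Get-ItemProperty -Path $RegPath -Name $Name).$Name
$backup   = Join-Path $env:ProgramData ('VmsConnectionString-{0:yyyyMMdd-HHmmss}.bak' -f (Get-Date))
Set-Content -Path $backup -Value $current
$hardened = Get-HardenedConnectionString -ConnectionString $current
Set-ItemProperty -Path $RegPath -Name $Name -Value $hardened
Write-Host "Before: $current`nAfter:  $hardened`nBackup: $backup"

# Part 2: with trustServerCertificate gone, Open() throws if the certificate chain or
# host name does not validate, instead of silently accepting any certificate.
function Test-SqlSessionEncrypted {
  param([Parameter(Mandatory)][string]$ConnectionString)
  $conn = New-Object System.Data.SqlClient.SqlConnection $ConnectionString
  try {
    $conn.Open()
    $cmd = $conn.CreateCommand()
    $cmd.CommandText = 'SELECT encrypt_option FROM sys.dm_exec_connections WHERE session_id = @@SPID'
    return ([string]$cmd.ExecuteScalar()) -eq 'TRUE'
  } finally {
    $conn.Dispose()
  }
}
if (Test-SqlSessionEncrypted -ConnectionString $hardened) {
  Write-Host 'SQL session is encrypted and the server certificate validated.'
} else {
  throw 'SQL session is NOT encrypted; check Force Encryption on the SQL Server side.'
}
```

Restart the Management Server service after the registry change so it picks up the new string. If Open() fails with a certificate error, that is the hardening working: fix the certificate (subject name matching the Data Source, chain trusted on the Management Server) rather than putting trustServerCertificate=true back.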
Insecure SMB service When the VMS Management Server uses SQL server 2016 R2 as the Database, the protocol that is used is SMBv2. SMB 2.x supports message signing but not message encryption (SMB encryption requires SMB 3.0 or later), and on member servers signing is not required by default, so an attacker on the path can tamper with unsigned traffic. It is recommended to enforce message signing in the host's configuration. On Windows, this is found in the policy setting 'Microsoft network server: Digitally sign communications (always)'. On Samba, the setting is called 'server signing'. Refer to the links below for further information.
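The policy setting above can be applied and checked from PowerShell on the Management Server and the Database Server. This is an added example, not from the Siemens guide; the cmdlets are the standard Windows SmbShare module ones, and the registry value shown is the one the Group Policy setting writes.

```powershell
# Added example, not from the Siemens guide: enforce SMB signing on both the Management
# Server and the Database Server and confirm what existing sessions negotiated.
# Server side: sign every SMB response and refuse unsigned clients.
Set-SmbServerConfiguration -EnableSecuritySignature $true -RequireSecuritySignature $true -Force
# Client side (the Management Server is the SMB client of the Database Server).
Set-SmbClientConfiguration -RequireSecuritySignature $true -Force
# SMB1 has no acceptable dialect at all; remove it from the negotiation.
Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force

# The GPO 'Microsoft network server: Digitally sign communications (always)' sets this value:
Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' -Name RequireSecuritySignature

# Effective configuration and live sessions. Dialect 2.x or 3.x with Signed = True is the
# target; Encrypted = True is only possible with SMB 3.0+ (Set-SmbServerConfiguration -EncryptData $true).
Get-SmbServerConfiguration | Select-Object EnableSecuritySignature, RequireSecuritySignature, EnableSMB1Protocol, EncryptData
Get-SmbConnection | Select-Object ServerName, ShareName, Dialect, Signed, Encrypted
```

Requiring signing breaks clients that cannot sign, so check Get-SmbConnection on the Management Server first. SMB only carries SQL Server traffic when the client protocol is Named Pipes; with TCP/IP and the TLS configuration described above, SMB signing protects the remaining file-share and RPC traffic between the two servers.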
Management Server Disable the remote registry access. Refer to the following URL for more details:
Adjust the token time-out Siveillance Video uses session tokens when it logs in to the management server using SSL (basic users) or NTLM (Windows users). A token is retrieved from the management server and used on the secondary servers, for example the recording server and sometimes also the event server. This avoids performing an NTLM and AD lookup on every server component. A shorter token time-out limits how long a stolen token remains usable, at the cost of more frequent re-authentication.
• NIST 800-53 CM-6 Configuration Settings • NIST 800-53 CM-7 Least Functionality Recording Server Available functionality depends on the system you are using. See Product comparison chart for more information. In the Storage and Recording Settings dialog box, specify the following: Name Name Description Rename the storage if needed. Names must be unique. Path Specify the path to the directory to which you save recordings in this storage.
Encryption Select the encryption level of the recordings: o None o Light (Less CPU usage) o Strong (More CPU usage) The system uses the AES-256 algorithm for encryption. If you select Light, a part of the recording is encrypted. If you select Strong, the whole recording is encrypted. Both options are equally secure. If you choose to enable encryption, you must also specify a password below. Enter a password for the users allowed to view encrypted data. Siemens recommends that you use strong passwords.
Use a “demilitarized zone” (DMZ) to provide external access Siemens recommends that you install mobile server in a DMZ, and on a computer with two network interfaces: • One for internal communication • One for public Internet access This allows mobile client users to connect to mobile server with a public IP address, without compromising the security or availability of the VMS network.
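The port table and the DMZ guidance above translate into a small set of host firewall rules. The following PowerShell is an added example, not code from the Siemens guide or the product: it builds a default-deny inbound allow-list on a Windows server from the default port numbers listed earlier, and adds the two Mobile Server rules for a DMZ host with two network interfaces. The address ranges and the interface aliases 'Public' and 'Internal' are assumptions; replace them with your own zones, and on each server keep only the rules for the services that server actually runs.

```powershell
# Added example, not from the Siemens guide: inbound allow-list for Siveillance Video
# servers built from the default port table, plus the DMZ rules for the Mobile Server.
# All address ranges and interface aliases are assumptions; replace them with your zones.
$VmsServerNet = '10.10.20.0/24'   # assumed: zone holding management, recording and event servers
$CameraNet    = '10.10.30.0/24'   # assumed: camera/encoder VLAN
$ClientNet    = '10.10.40.0/24'   # assumed: operator workstations running the client

# Default-deny first: anything without an explicit Allow rule below is dropped.
Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled True -DefaultInboundAction Block

# Port, protocol, permitted sources and purpose, taken from the port table.
$Rules = @(
  @{ Port = 9993;  Proto = 'TCP'; From = $VmsServerNet; Name = 'VMS Management Server: recording server auth/config/token' }
  @{ Port = 7475;  Proto = 'TCP'; From = $VmsServerNet; Name = 'VMS Management Server: SNMP extension agent' }
  @{ Port = 7609;  Proto = 'TCP'; From = $VmsServerNet; Name = 'VMS Data Collector (System Monitor)' }
  @{ Port = 1234;  Proto = 'TCP'; From = $VmsServerNet; Name = 'VMS Event Server: generic events (TCP)' }
  @{ Port = 1234;  Proto = 'UDP'; From = $VmsServerNet; Name = 'VMS Event Server: generic events (UDP)' }
  @{ Port = 5432;  Proto = 'TCP'; From = $CameraNet;    Name = 'VMS Recording Server: device event messages' }
  @{ Port = 5210;  Proto = 'TCP'; From = $VmsServerNet; Name = 'VMS Recording Server: failover database merge' }
  @{ Port = 7563;  Proto = 'TCP'; From = $ClientNet;    Name = 'VMS Recording Server: client streams and PTZ' }
  @{ Port = 22331; Proto = 'TCP'; From = $ClientNet;    Name = 'VMS Event Server: client alarms' }
)
foreach ($r in $Rules) {
  New-NetFirewallRule -DisplayName $r.Name -Direction Inbound -Action Allow `
    -Protocol $r.Proto -LocalPort $r.Port -RemoteAddress $r.From -Profile Any | Out-Null
}
# Port 8080 is "local connection only": deliberately no rule, so the default Block keeps
# it unreachable from the network. Port 25 (SMTP from devices) is disabled by default
# in the VMS and gets no rule either unless you enable that feature.

# Mobile Server in the DMZ (two NICs): HTTPS only on the Internet-facing interface,
# plain HTTP only on the internal one. 'Public'/'Internal' are assumed NIC aliases.
New-NetFirewallRule -DisplayName 'VMS Mobile Server: HTTPS from Internet' -Direction Inbound -Action Allow `
  -Protocol TCP -LocalPort 8082 -InterfaceAlias 'Public' -Profile Any | Out-Null
New-NetFirewallRule -DisplayName 'VMS Mobile Server: HTTP internal only' -Direction Inbound -Action Allow `
  -Protocol TCP -LocalPort 8081 -InterfaceAlias 'Internal' -RemoteAddress $ClientNet -Profile Any | Out-Null

# Review what was created, with its port filter, before going live.
Get-NetFirewallRule -DisplayName 'VMS *' | ForEach-Object {
  $pf = $_ | Get-NetFirewallPortFilter
  '{0,-60} {1,-4} {2}' -f $_.DisplayName, $pf.Protocol, $pf.LocalPort
}
```

The host rules complement, and do not replace, the firewalls on both sides of the DMZ: the outer firewall should forward only TCP 8082 to the Mobile Server's public address, and the inner one should allow the Mobile Server to reach only the Management, Recording and Event Server ports it needs.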
Set up users for two-step verification via email Available functionality depends on the system you are using. See Product comparison chart for more information. To impose an additional login step on users of the Siveillance Video Mobile client or Siveillance Video Web Client, set up two-step verification on the VMS Mobile server. In addition to the standard user name and password, the user must enter a verification code received by email.
4. Specify the number of characters for the code. Default length is 6. 5. Specify the complexity of the code that you want the system to compose. Assign login method to users and Active Directory groups On the Two-step verification tab, in the User settings section, the list of users and groups added to your Siveillance Video system appears. 1. In the Login method column, select between no login, no two-step verification, or delivery method of codes. 2.
Email subject Specify the subject title for the email. Example: Your two-step verification code.
Email text Type the message you want to send. Example: Your code is {0}. If you forget to include the {0} variable, the code is added at the end of the text by default.
Verification code settings:
Name | Description
Users and groups | Lists the users and groups added to the Siveillance Video system.
Verification method |
User details |
Server. Log Server uses port 80.
Learn more The following control(s) provide additional guidance:
• NIST 800-53 CM-6 Configuration Settings
• NIST 800-53 CM-7 Least Functionality
Client programs This section provides guidance about how to protect the Siveillance Video client programs.
3. On the tabs at the bottom, you can set permissions and restrictions for the role. Figure 11 Note: By default, all users associated with the Administrator role have unrestricted access to the system. This includes users who are associated with the Administrator role in AD as well as those with the role of administrator on the management server.
specific to the device. Learn more The following control(s) provide additional guidance: • NIST SP 800-53 SC-7 Boundary Protection • NIST SP800-53 CM-6 Configuration Settings Siveillance Video Client - advanced steps Restrict physical access to computers running Siveillance Video Client Siemens recommends that you restrict physical access to computers running Siveillance Video Client. Allow only authorized personnel to access the computers.
Note: Login authorization is currently not supported by mobile client, Siveillance Video Web Client, and any Siveillance Video Integration Platform (MIP) SDK integrations. To turn on login authorization for a role, follow these steps: 1. Open Management Client. 2. Expand the Security node, select Roles, and then select the relevant role. 3. Select the Login authorization required check box. Figure 12 To configure the roles that authorize and grant access, follow these steps: 1.
Figure 13 Learn more The following control(s) provide additional guidance: • NIST SP 800-53 AC-2 Account Management • NIST SP 800-53 AC-6 Least Privilege • NIST SP 800-53 AC-17 Remote Access • NIST SP 800-53 CM-6 Configuration Settings Do not store passwords Siveillance Video Client provides the option to remember passwords for users. To reduce the risk of unauthorized access, Siemens recommends that you do not use this feature. To turn off the remember password feature, follow these steps: 1.
logs into Siveillance Video Client. Figure 14 Learn more The following control(s) provide additional guidance: • NIST SP 800-53 AC-2 Account Management • NIST SP 800-53 CM-6 Configuration Settings • NIST SP 800-53 IA-1 Identification and Authentication Policy and Procedures Turn on only required client features Turn on only required features, and turn off features that a surveillance operator does not need. The point is to limit opportunities for misuse or mistakes.
2. Expand the Client node, select Video Client Profiles, and then select the relevant Video Client profile. 3. Use the tabs to specify settings for features in Video Client. For example, use the settings on the Playback tab to control features used to investigate recorded video. Note: Before you assign a user to a Video Client profile, ensure that the permissions for the user’s role are appropriate for the profile.
Learn more The following control(s) provide additional guidance: • NIST SP 800-53 MP-7 Media Use • NIST SP 800-53 SI-3 Malicious Code Protection Siveillance Video Mobile client - advanced steps The document referred to in the footnote provides guidance that is specifically for mobile devices32. The information it contains applies to all topics in this section.
33 Again, up-to-date TLS https://datatracker.ietf.org/wg/tls/charter/ or VPN – IP Security Protocol https://datatracker.ietf.org/wg/ipsec/documents/
Siemens recommends that mobile devices use screen lock. This helps prevent unauthorized access to the VMS, for example, if the mobile device is lost. For maximum security, do not allow the mobile client to remember the username and password.
Use only supported browsers with the latest security updates Siemens recommends that you install only one of the following browsers on client computers. Make sure to include the latest security updates. Siemens recommends to not use the auto-login function of the browser.
1. In Management Client, expand the Security node, select Roles, and then select the relevant administrator role. Note: You cannot modify the built-in administrator role, so you must create additional administrator roles. 2. On the Overall Security tab, specify the actions that the administrator can take for each security group. 3. On the other tabs, specify the security settings for the role in the VMS. For more information about security settings for roles, see the Help for Management Client. 4.
Restrict physical access to any computer running Video Client Siemens recommends that you restrict physical access to computers running Siveillance Video Client. Allow only authorized personnel to access the computers. For example, keep the door locked, and use access controls and surveillance.
1. To create a new role, for example "Security supervisor", expand the Security node, right-click Roles and create a new role. 2. Click the Overall Security tab and select the Management Server node. Select the Allow check box next to the Authorize users check box.
Learn more The following control(s) provide additional guidance: • NIST SP 800-53 AC-2 Account Management • NIST SP 800-53 AC-6 Least Privilege • NIST SP 800-53 AC-17 Remote Access • NIST SP 800-53 CM-6 Configuration Settings
Do not store passwords Siveillance Video Client provides the option to remember passwords for users. To reduce the risk of unauthorized access, Siemens recommends that you do not use this feature. To turn off the remember password feature, follow these steps: 1. Open Management Client. 2. Expand the Client node, select Video Client Profiles, and then select the relevant Video Client profile. 3. In the Remember password list, select Unavailable.
The following control(s) provide additional guidance: • NIST SP 800-53 AC-2 Account Management • NIST SP 800-53 CM-6 Configuration Settings • NIST SP 800-53 IA-1 Identification and Authentication Policy and Procedures Turn on only required client features Turn on only required features and turn off features that a surveillance operator does not need. The point is to limit opportunities for misuse or mistakes.
Prohibit the use of removable media For video exports, establish a chain of procedures that are specific to evidence. Siemens recommends that the security policy allows only authorized Siveillance Video Client operators to connect removable storage devices such as USB flash drives, SD cards, and smartphones to the computer where Siveillance Video Client is installed. Removable media can transfer malware to the network, and subject video to unauthorized distribution.
If you want to access the VMS with a mobile device over a public or untrusted network, Siemens recommends that you do so with a secure connection, use proper authentication and Transport Layer Security (TLS) (https://datatracker.ietf.org/wg/tls/charter/) (or connect through VPN (https://datatracker.ietf.org/wg/ipsec/documents/)) and HTTPS. This helps protect communications between the mobile device and the VMS. Siemens recommends that mobile devices use screen-lock.
Use only supported browsers with the latest security updates

Siemens recommends that you install only one of the following browsers on client computers, and that you keep it current with the latest security updates.
Annexure 1

How to configure IPsec for a Windows Server 2012 R2 setup

Requirements: Two Windows Servers (for example, Server 1 and Server 2) are considered for the IPsec configuration. You need:
▪ The IP addresses of both servers.
▪ A secret that is used as the preshared key (PSK) for authenticating the encrypted communication between the servers. Generate the PSK with a cryptographically secure random number generator, for example the password generator of a tool such as KeePass; make it long and random, and do not reuse it for anything else. Note that Windows stores a preshared key in plaintext in the local IPsec policy, so use PSK authentication only where certificate or Kerberos (domain) authentication is not an option.
Add a new Connection Security Rule

1. In Windows Firewall with Advanced Security, right-click "Connection Security Rules" and click "New Rule". The New Connection Security Rule Wizard opens.
2. Select "Server-to-Server" as the rule type and click "Next".
3. The endpoints are the two Windows Server 2012 R2 machines. Under "Which computers are in Endpoint 1", select "These IP addresses".
4. Click "Add".
5. Enter the IP address of Server 1 under "This IP address or subnet" and click "OK". The New Connection Security Rule Wizard is shown again.
6. Under "Which computers are in Endpoint 2", click "Add", enter the IP address of Server 2 in the IP Address dialog box, and click "OK". Endpoint 1 is now Server 1 and Endpoint 2 is Server 2.
7. Click "Next".
8. Select "Require authentication for inbound and outbound connections" and click "Next". (With "Request" instead of "Require", a peer that does not support IPsec would still be allowed to communicate in clear text.)
9. Select "Advanced" and click "Customize".
10. Under "First authentication methods", click "Add".
11. Select "Preshared key", enter the key that protects the communication between the two servers, and click "OK".
12. Click "OK" to close the customization dialog, then click "Next" in the wizard.
13. Select "Domain", "Private" and "Public" and click "Next".
14. Enter a meaningful name for the security rule, add a description, and click "Finish" to close the New Connection Security Rule Wizard.

Customize IPsec settings

The following steps assume a default setup of Windows Server 2012 R2. Depending on earlier modifications of your IPsec defaults, the menu entries on your system may differ from those shown in this tutorial. The following steps are recommended.
1. Open Windows Firewall with Advanced Security and open the properties of the "Windows Firewall with Advanced Security on Local Computer" node.
2. The window "Windows Firewall with Advanced Security on Local Computer" opens. Select the "IPsec Settings" tab and click "Customize" in the "IPsec defaults" section.
3. The window "Customize IPsec Defaults" opens. In the "Key exchange (Main Mode)" section, select "Advanced" and click "Customize".
4. Select the entry with the following values (by default the second entry in the list) and click "Remove":
• Integrity: SHA-1
• Encryption: 3DES
• Key exchange algorithm: Diffie-Hellman Group 2
5. Select the remaining entry and click "Edit".
6. Select the following values and click "OK":
• Integrity algorithm: SHA-384
• Encryption algorithm: AES-CBC 256
• Key exchange algorithm: Elliptic Curve Diffie-Hellman P-384
7. In the "Data protection (Quick Mode)" section, select "Advanced" and click "Customize".
8. Select "Require encryption for all connection security rules that use these settings".
9. Select the entry in the list and click "Edit".
10. In the "Protocol" section, select "ESP (recommended)".
11. In the "Algorithms" section, select the following (when AES-GCM is chosen for encryption, Windows requires AES-GMAC with the same key length as the integrity algorithm):
• Encryption algorithm: AES-GCM 256
• Integrity algorithm: AES-GMAC 256
12. In the "Key lifetimes" section, select the following (a new key is negotiated when either limit is reached first):
• Minutes: 60
• KB: 100,000
13. Click "OK".
14. In the "Authentication method" section, select "Advanced" and click "Customize".
15. In the "First authentication" section, select the entry in the list and click "Edit".
16. The window "Edit First Authentication Method" opens. Select "Preshared key", enter the key that is used for the encrypted communication between the two servers, and click "OK".
17. In the window "Customize Advanced Authentication Methods", the preshared key is now listed in the left column under "First authentication method". Click "OK".
18. Click "OK" in the window "Customize IPsec Defaults".
19. Click "OK" in the window "Windows Firewall with Advanced Security on Local Computer".
20. Close Windows Firewall with Advanced Security and repeat the same procedure on the second Windows Server 2012 R2.

Unsupported MSXML version

Siveillance Video is shipped with MSXML 4.0, which is no longer supported by Microsoft.
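The two IPsec procedures of this annexure (the Connection Security Rule wizard and the customized IPsec defaults) can also be applied from PowerShell with the NetSecurity module that ships with Windows Server 2012 R2 and later. The following script is an added example for this guide, not Siemens code or part of the product. The addresses 192.0.2.10 and 192.0.2.20, the rule names and the function names are placeholders. It differs from the GUI procedure in one deliberate way: the cryptographic and authentication sets are attached to this rule pair instead of being written into the machine-wide IPsec defaults, so other connection security rules keep their own settings.

```powershell
# Added example (not from the Siemens guide): Windows Server 2012 R2 server-to-server
# IPsec rule with the algorithm choices of the GUI procedure above.
# Run in an elevated PowerShell on BOTH servers, swapping the two addresses.
#Requires -RunAsAdministrator

# Generate the PSK once with a CSPRNG (the script equivalent of the KeePass step),
# copy the same value to the peer. Never hard-code the PSK in a script file.
function New-IPsecPreSharedKey {
    $bytes = New-Object byte[] 32                         # 256 bits of entropy
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    try { $rng.GetBytes($bytes) } finally { $rng.Dispose() }
    [Convert]::ToBase64String($bytes)                    # 44 printable characters
}

function New-HardenedServerToServerRule {
    param(
        [Parameter(Mandatory)] [string] $LocalAddress,    # this server, e.g. 192.0.2.10
        [Parameter(Mandatory)] [string] $RemoteAddress,   # peer server,  e.g. 192.0.2.20
        [Parameter(Mandatory)] [string] $PreSharedKey,    # identical on both peers
        [string] $Name = 'Siveillance IPsec server-to-server'   # placeholder name
    )

    # First authentication: preshared key. Windows keeps the PSK in plaintext in the
    # local policy, so prefer certificate or Kerberos (computer) authentication when
    # both servers are domain members; PSK is the fallback this annexure describes.
    $authProposal = New-NetIPsecAuthProposal -Machine -PreSharedKey $PreSharedKey
    $authSet = New-NetIPsecPhase1AuthSet -DisplayName "$Name - PSK" -Proposal $authProposal

    # Key exchange (main mode): SHA-384 / AES-256 / ECDH P-384 (DH20) is the ONLY
    # proposal, so SHA-1, 3DES and DH group 2 are absent, as after the "Remove" steps.
    $mmProposal = New-NetIPsecMainModeCryptoProposal -Encryption AES256 -Hash SHA384 -KeyExchange DH20
    $mmSet = New-NetIPsecMainModeCryptoSet -DisplayName "$Name - main mode" -Proposal $mmProposal

    # Data protection (quick mode): ESP with AES-GCM-256. Windows requires AES-GMAC of
    # the same key size as the integrity algorithm when GCM is used. Lifetimes are the
    # guide's 60 minutes / 100,000 KB, whichever limit is reached first. Because this
    # single proposal encrypts, an integrity-only (null encryption) SA cannot be
    # negotiated, which is the effect of the "Require encryption ..." check box.
    $qmProposal = New-NetIPsecQuickModeCryptoProposal -Encapsulation ESP `
        -Encryption AESGCM256 -ESPHash AESGMAC256 -MaxMinutes 60 -MaxKilobytes 100000
    $qmSet = New-NetIPsecQuickModeCryptoSet -DisplayName "$Name - quick mode" `
        -Proposal $qmProposal -PerfectForwardSecrecyGroup DH20

    # Main mode rule: pins phase-1 crypto and authentication to this peer pair.
    New-NetIPsecMainModeRule -DisplayName "$Name - main mode rule" `
        -LocalAddress $LocalAddress -RemoteAddress $RemoteAddress `
        -MainModeCryptoSet $mmSet.Name -Phase1AuthSet $authSet.Name | Out-Null

    # Connection security rule: server-to-server, transport mode, authentication
    # REQUIRED inbound and outbound (not merely requested), all three profiles.
    New-NetIPsecRule -DisplayName $Name `
        -Description 'Encrypt Siveillance Video server-to-server traffic (example)' `
        -Mode Transport -LocalAddress $LocalAddress -RemoteAddress $RemoteAddress `
        -InboundSecurity Require -OutboundSecurity Require `
        -Phase1AuthSet $authSet.Name -QuickModeCryptoSet $qmSet.Name `
        -Profile Domain,Private,Public
}

# Usage on Server 1 (on Server 2 swap the two addresses and reuse the same PSK):
#   $psk = New-IPsecPreSharedKey          # run once, transfer the value securely to the peer
#   New-HardenedServerToServerRule -LocalAddress 192.0.2.10 -RemoteAddress 192.0.2.20 -PreSharedKey $psk
```

After the rule exists on both servers, generate some traffic between them (for example with Test-NetConnection) and confirm that security associations were established and carry the intended algorithms with Get-NetIPsecMainModeSA and Get-NetIPsecQuickModeSA; if the lists stay empty while traffic flows, the rule is not matching the addresses and the hosts are still talking in clear text.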
1) Generate an RSA private key. This key is your private key; it is used to sign the certificate and must be kept confidential.
2) Generate a CSR (Certificate Signing Request). The result of this step is a file that contains the subject information (the organisation and host name) for which the later self-signed certificate is issued.
3) Generate a self-signed certificate. In this step you use the private key from step 1) and the request file from step 2) to generate a self-signed certificate.
-out request.csr writes the request to the file request.csr in the directory where OpenSSL was started.

Generate a self-signed certificate

OpenSSL> x509 -req -days 730 -in request.csr -signkey ca.key -out certificate.crt

Explanation: This step generates the self-signed certificate.
x509 is the OpenSSL certificate utility; with -req and -signkey it signs the request with the private key from step 1) (named ca.key here), which is what makes the resulting certificate self-signed.
-req makes OpenSSL expect a certificate request as input instead of a certificate.
-days 730 makes the certificate valid for 730 days (two years), which is recommended by NIST.
-in request.
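The three OpenSSL steps above (private key, CSR, self-signed certificate) carried out as one PowerShell script on the server where the certificate will be used. This is an added example, not part of the Siemens guide; it assumes openssl.exe (1.1.1 or later) is on the PATH, and the host name, organisation, file names and key size are placeholders. It adds what a current TLS client needs and the bare commands above do not produce: a Subject Alternative Name, a serverAuth extended key usage, and a PKCS#12 bundle imported into the Local Machine certificate store, where a Windows service can use the key.

```powershell
# Added example (not from the Siemens guide): key -> CSR -> self-signed certificate
# with OpenSSL, then import into the Windows Local Machine store.
$ErrorActionPreference = 'Stop'
$DnsName = 'recording01.example.local'         # placeholder: name clients connect to
$Org     = 'Example Org'                       # placeholder
$Days    = 730                                 # validity used in the guide
$KeyFile = 'ca.key'; $CsrFile = 'request.csr'; $CrtFile = 'certificate.crt'; $PfxFile = 'certificate.pfx'

# 1) Private key. 3072-bit RSA gives 128-bit security (NIST SP 800-57 Part 1);
#    restrict the file to SYSTEM and Administrators, since it is the server identity.
& openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:3072 -out $KeyFile
& icacls $KeyFile /inheritance:r /grant:r 'SYSTEM:(R)' 'Administrators:(F)' | Out-Null

# 2) CSR. -subj replaces the interactive prompts; the CN alone is ignored by
#    modern clients, the SAN added in step 3 is what they check.
& openssl req -new -sha256 -key $KeyFile -out $CsrFile -subj "/O=$Org/CN=$DnsName"

# 3) Self-signed certificate. "x509 -req" does not copy extensions from the CSR,
#    so the server extensions are supplied with -extfile (unnamed default section).
$ext = @"
subjectAltName = DNS:$DnsName
extendedKeyUsage = serverAuth
keyUsage = critical, digitalSignature, keyEncipherment
basicConstraints = critical, CA:FALSE
"@
Set-Content -Path 'server.ext' -Value $ext -Encoding ASCII
& openssl x509 -req -sha256 -days $Days -in $CsrFile -signkey $KeyFile -extfile 'server.ext' -out $CrtFile

# Inspect the result before installing it: subject, validity, SAN and the SHA-256
# fingerprint that clients can pin or operators can compare out of band.
& openssl x509 -in $CrtFile -noout -subject -dates -ext subjectAltName -fingerprint -sha256

# Bundle key + certificate as PKCS#12 and import into the machine store. The export
# password is passed through an environment variable so it does not appear on the
# command line of the openssl process.
$pfxPass = Read-Host -AsSecureString 'PFX export password'
$env:PFX_PASS = (New-Object System.Net.NetworkCredential('', $pfxPass)).Password
try {
    & openssl pkcs12 -export -inkey $KeyFile -in $CrtFile -out $PfxFile -passout env:PFX_PASS
    Import-PfxCertificate -FilePath $PfxFile -CertStoreLocation Cert:\LocalMachine\My -Password $pfxPass
} finally {
    Remove-Item Env:\PFX_PASS
    Remove-Item $PfxFile, 'server.ext' -ErrorAction SilentlyContinue   # key material cleanup
}
```

Because the certificate is self-signed, every client that should trust it needs the certificate (not the key) imported into its Trusted Root Certification Authorities store, or the connection will be reported as untrusted; distributing the .pfx file would hand out the private key as well.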
Appendix 1 - Resources

1. Axis Communications: Hardening Guide. http://www.axis.com/files/sales/AXIS_Hardening_Guide_1488265_en_1510.pdf
2. Bosch Security Systems: Bosch IP Video and Data Security Guidebook. http://resource.boschsecurity.com/documents/Data_Security_Guideb_Special_enUS_22335871499.pdf
3. British Standard BS EN 62676-1-1: Video surveillance systems for use in security applications, Part 1-1: System requirements – General.
17. National Institute of Standards and Technology: Managing Information Security Risk (SP 800-39). http://csrc.nist.gov/publications/nistpubs/800-39/SP800-39-final.pdf
18. National Institute of Standards and Technology: Security and Privacy Controls for Federal Information Systems and Organizations, SP 800-53 Revision 4, http://dx.doi.org/10.6028/NIST.SP.800-53r4, and Pre-Draft Revision 5, http://csrc.nist.gov/groups/SMA/fisma/sp800-53r5_pre-draft.html
19.
Issued by
Siemens Switzerland Ltd
Smart Infrastructure
International Headquarters
Theilerstrasse 1 a
6300 Zug, Switzerland
Phone: +41 41 724 24 24

Cyber security disclaimer

Siemens provides a portfolio of products, solutions, systems and services that includes security functions that support the secure operation of plants, systems, machines and networks. In the field of Building Technologies, this includes building automation and control, fire safety, security management as well as physical security systems.